How to Track Permission Changes in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction


2. Step 1: Modify an existing or a new Group Policy Object

Perform the following steps to apply the policy:

  1. Go to “Control Panel” ➔ “Administrative Tools”, and double-click “Group Policy Management Console” to open it.
  2. Navigate to “Forest” ➔ “Domains” ➔ “www.domain.com” in the left panel.
  3. Right-click “Default Domain Policy” or any customized domain-wide policy. Our experts recommend creating a new customized GPO, linking it to the domain and editing that instead of the default policy.
  4. Click the “Edit” option in this menu to open the “Group Policy Management Editor” window.
  5. Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
  6. Click “Audit Policies”; all of the audit policy categories are displayed in the right panel.
  7. Double-click “DS Access” to define the required settings.
  8. Right-click the “Audit Directory Service Changes” policy and click “Properties” to access the policy properties.
  9. Select the “Define these policy settings” option.
  10. Check both “Success” and “Failure”.
  11. Click “Apply” and “OK”.
  12. Close the “Group Policy Management Editor” window.

3. Step 2: Enable auditing using ADSI Edit

Perform the following steps to apply the policy:

  1. In the “Run” box or at a command prompt, type “ADSIEdit.msc” and press Enter to open the console.
  2. Right-click “ADSI Edit”, the topmost node in the left panel.
  3. Select “Connect to” in the context menu to open the “Connection Settings” window.
  4. To establish a connection with a naming context, click “Select a well known naming context”.
  5. Click “Default naming context” in the drop-down menu.
  6. Right-click “DC=www,DC=domain,DC=com” under “Default naming context” in the left panel.
  7. Click “Properties” in the context menu to access the properties of that node.
  8. In the properties window, switch to the “Security” tab.
  9. Click “Advanced” to open the “Advanced Security Settings” window.
  10. Switch to the “Auditing” tab.
  11. Click “Add” to add an auditing entry.
  12. In the “Auditing Entry” window, click “Select a principal” and add “Everyone” (a specific user, computer, group or service account can be added instead).
  13. Select “All” in the “Type” drop-down menu.
  14. In the “Applies to” drop-down menu, select “This object and all descendant objects”.
  15. In the “Permissions” section, select only the “Modify permissions” option and uncheck all other permissions.
  16. Click “OK”.
  17. The new auditing entry now appears in the “Auditing” tab of the “Advanced Security Settings” window.
  18. Click “Apply” and “OK” to close the “Advanced Security Settings” window. This takes you back to the “Security” tab of the object properties.
  19. Here also, click “Apply” and “OK” to close the properties window.
  20. Close the “ADSI Edit” window.

4. Step 3: View the event in Event Viewer

Perform the following steps:

  1. In the “Event Viewer” window, go to “Windows Logs” ➔ “Security”.
  2. Click “Filter Current Log” under “Action” in the right panel.
  3. Search for Event ID 5136, which identifies permission changes in Active Directory. Double-click an event in the results to view its “Event Properties”.

You can also run the following command in the “Active Directory Module for Windows PowerShell”. It lists the matching security events with all of their details (the dashes must be plain ASCII hyphens, otherwise PowerShell will not recognize the parameters):

Get-EventLog Security -Newest 10 | Where-Object {$_.EventID -eq 5136} | Format-List
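Event ID 5136 is raised for any audited attribute change, not only for permission changes, so in practice the events produced by the auditing entry above have to be narrowed down to those where the object's security descriptor (the nTSecurityDescriptor attribute) was modified. The following PowerShell script is an added example, not part of the original article; it assumes it runs on a domain controller (or is pointed at one with -ComputerName) by an account allowed to read the Security log.

```powershell
# Added example: list recent 5136 events that record ACL changes on directory objects.
# Assumption: run on a domain controller, or pass -ComputerName of one.
param(
    [int]$MaxEvents = 500,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{ LogName = 'Security'; Id = 5136 }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The named fields of the event live under EventData/Data[@Name=...] in the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Keep only ACL changes: the attribute that changed is the object's security descriptor
    if ($d['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { continue }

    # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
    # A permission change is logged as a pair: the old descriptor deleted, the new one added.
    $op = switch ($d['OperationType']) {
        '%%14674' { 'Value Added' }
        '%%14675' { 'Value Deleted' }
        default   { $d['OperationType'] }
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ObjectDN  = $d['ObjectDN']
        Class     = $d['ObjectClass']
        Operation = $op
        # AttributeValue holds the descriptor as an SDDL string; keep it for comparing old vs new
        SDDL      = $d['AttributeValue']
    }
}
```

The deleted and added values of one change share the same CorrelationID in the event data, which is what to group on when comparing the old and new descriptors.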