Applies to: Windows Server 2008, 2008 R2 and 2012
Requirement: You would like to investigate who added a specific domain user to, or removed it from, the DnsAdmins group.
Prerequisite: Auditing must be configured on the domain controllers. In particular, the “Audit account management” policy must be configured with both the Success and Failure settings defined. To configure auditing on domain controllers, edit and update the DDCP (Default Domain Controllers Policy).
A member was added to a security-enabled local group.

Subject:
    Security ID: TESTLAB\Santosh
    Account Name: Santosh
    Account Domain: TESTLAB
    Logon ID: 0x50B79DA

Member:
    Security ID: TESTLAB\Temp
    Account Name: CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
    Security ID: TESTLAB\DnsAdmins
    Group Name: DnsAdmins
    Group Domain: TESTLAB

A member was removed from a security-enabled local group.
In this example, TESTLAB\Santosh removed the user TESTLAB\Temp from the DnsAdmins group.
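
The following PowerShell is an added example, not part of the original article. It pulls the two events shown above from the Security log and reports who changed DnsAdmins membership. Windows logs "A member was added to a security-enabled local group" as event ID 4732 and "A member was removed from a security-enabled local group" as event ID 4733; the helper name Get-EventField and the output column names are chosen for this example.

```powershell
# Added example: report who added or removed members of DnsAdmins.
# Run from an elevated PowerShell session on a domain controller.
# 4732 = member added, 4733 = member removed (security-enabled local group).
$GroupName = 'DnsAdmins'
$Action    = @{ 4732 = 'Added'; 4733 = 'Removed' }

function Get-EventField {
    # Return the text of the named <Data> element in the event's XML payload.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()

        # TargetUserName holds the group name; skip changes to other groups.
        if ((Get-EventField $xml 'TargetUserName') -ne $GroupName) { return }

        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Action      = $Action[[int]$_.Id]
            # Subject = the account that made the change.
            ChangedBy   = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'),
                                       (Get-EventField $xml 'SubjectUserName')
            LogonId     = Get-EventField $xml 'SubjectLogonId'
            # Member = the account that was added or removed (DN and SID).
            Member      = Get-EventField $xml 'MemberName'
            MemberSid   = Get-EventField $xml 'MemberSid'
            LoggedOn    = $_.MachineName
        }
    } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Action, ChangedBy, LogonId, Member, MemberSid, LoggedOn |
    Format-List
```

These events are written only to the Security log of the domain controller that processed the change, so run the query on each domain controller. The LogonId value can be matched against logon events on the same domain controller to find the session that made the change.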