7

We have AD DS security auditing enabled on a Windows Server 2008 R2 functional level domain. We use a third-party tool to alert us to changes to our administrative group memberships. We recently deleted several service accounts that were members of the Domain Admins security group, but no one was alerted by our third-party tool.

I'm trying to determine if there's a fault in our auditing configuration, a fault in the third-party tool, or if Windows simply does not log "Member removed" events for security groups when a user in a security group is deleted.

To be more specific, we are looking for a security log event for "A member was removed from a security-enabled [Universal|Global|Domain-Local] group." This is the event that initiates the alert in our application. In this case, the "member" user account was deleted without being explicitly removed from the security group. There is an event logged for "A user account was deleted."

In this case I suspect that Windows will not log the "A member was removed from a security-enabled ... group" event because the user account was deleted without being explicitly removed from the security group. I would like to confirm this hypothesis. If my hypothesis is true, then we need to adjust our processes. If my hypothesis is false, and Windows should log this event, then either our auditing is failing or misconfigured, or the application is failing.

Auditing "Account Management" is enabled by GPO. The admin security groups have the "Success" auditing events added to their security properties. The security log size on our domain controllers is 128 MB. I've searched the security event log on the DC for events 4733, 4729, and 4757 and found none; however, the event log recycles after only a few hours with all of the activity on our domain.

These alerts have worked in the past for explicit member added and member removed events and no configurations have changed (that I'm aware of, and I'm the AD sys admin).

Maybe as an AD sys admin I should already know the answer to this question... but nobody knows everything :)

I also asked this question on TechNet, but got no useful responses.

Thomas

1 Answer

1

For security groups yes:

Event ID   Legacy event   Criticality   Summary
4729       633            Low           A member was removed from a security-enabled global group.

I do not believe management event logging will log a removal event, since that action did not take place in the case of account deletion.

Jim B

  • I think OP is asking if this event is triggered if a user is deleted, but not explicitly removed from the group first. – jlehtinen Feb 03 '15 at 20:09
  • I was hoping someone could find a reference from MS that would answer this definitively. I've had no luck finding any references on my own. In any case, we've assumed that the logging does not occur and have adjusted our processes. – Thomas Feb 11 '15 at 23:50
  • I'm looking to see if the object change can be audited, rather than looking for management actions, and hoping the internal cleanup shows a management action. You could try looking at the memberof attribute of the deleted object, which I think should still contain the backlink to the group. – Jim B Feb 12 '15 at 04:25
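The check the question and the answer thread are circling, written out as an added example (this is not code from the original post, the answer, or any of the commenters): pull the "A user account was deleted" events (4726) from a DC's Security log, look for a member-removed event (4729 global, 4733 domain-local, 4757 universal) carrying the same account SID, and then inspect the deleted object's memberOf backlink as Jim B's comment suggests. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, run on or against a domain controller by an account that can read the Security log and the Deleted Objects container; `$DomainController`, `$LookbackHours` and `ConvertTo-EventRecord` are names chosen for this example. One caveat worth knowing before trusting the memberOf check: a deleted object keeps its linked attributes only when the AD Recycle Bin is enabled, so on a plain tombstone memberOf comes back empty regardless of what the account belonged to.

```powershell
# Added example: correlate 4726 (user deleted) with 4729/4733/4757 (member removed)
# and read the deleted object's memberOf backlink. Names below are this example's own.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumption: run on a DC
    [int]$LookbackHours = 6                         # the log recycles within hours; stay inside that window
)

Import-Module ActiveDirectory

# One query for both event classes; Id accepts an array in a filter hashtable.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4726, 4729, 4733, 4757
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

# Flatten an event's EventData <Data Name="..."> fields into named properties.
function ConvertTo-EventRecord {
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Id         = $Event.Id
        Subject    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target     = $data['TargetUserName']   # 4726: the deleted account; 47xx: the group
        TargetSid  = $data['TargetSid']
        MemberSid  = $data['MemberSid']        # present only on member-removed events
        MemberName = $data['MemberName']
    }
}

$records  = @($events | ForEach-Object { ConvertTo-EventRecord $_ })
$deleted  = @($records | Where-Object { $_.Id -eq 4726 })
$removals = @($records | Where-Object { 4729, 4733, 4757 -contains $_.Id })

foreach ($del in $deleted) {
    # A member-removed event for this account would carry its SID in MemberSid.
    $matched = @($removals | Where-Object { $_.MemberSid -eq $del.TargetSid })

    # Caveat: memberOf is retained on a deleted object only with the AD Recycle Bin
    # enabled; a plain tombstone has its linked attributes stripped, so an empty
    # result here does not by itself prove the account had no group memberships.
    $sid  = $del.TargetSid
    $tomb = Get-ADObject -Server $DomainController -IncludeDeletedObjects `
                -Filter { objectSid -eq $sid } -Properties memberOf, isDeleted
    $groupsFromMemberOf = if ($tomb) { ($tomb.memberOf -join '; ') } else { '<deleted object not found>' }

    [pscustomobject]@{
        DeletedAccount      = $del.Target
        DeletedAt           = $del.Time
        DeletedBy           = $del.Subject
        MemberRemovedEvents = $matched.Count
        GroupsFromEvents    = ($matched | ForEach-Object { $_.Target }) -join '; '
        GroupsFromMemberOf  = $groupsFromMemberOf
    }
}
```

A row whose MemberRemovedEvents is 0 while GroupsFromMemberOf still lists the admin group is the case the question describes: the deletion was audited (4726) but no group-management event was written for the implicit removal, so an alert keyed only on 4729/4733/4757 will never fire. The correlation is only as good as the log's retention, which on this domain is a few hours, so either run the check shortly after the deletions or forward the Security log to a collector with longer retention before relying on it.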