I want to keep an audit when I remove or add users from local groups. Is it possible to filter out which groups? If not, all local groups is fine.
-
Look into audit policies. – Ola Ekdahl Dec 22 '14 at 16:25
1 Answer
You're basically looking for two events in the Security event log:
- 4732: A member was added to a security-enabled local group.
- 4733: A member was removed from a security-enabled local group.
When using the following command line you get a new instance of the Event Viewer filtered on those two events:
eventvwr /f:"<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[(EventID=4732 or EventID=4733)]]</Select></Query></QueryList>"
Another option is to use the WMIC tool from the command line (make sure you are using an elevated command prompt):
wmic ntevent where "LogFile='security' and (EventIdentifier=4732 or EventIdentifier=4733)"
Do notice that this uses Win32_NTLogEvent internally; I had to use the /trace:on switch to figure out the correct syntax for the where clause.
Use the optional /record:filename.xml switch to store the results in an XML file, or simply redirect the output to a CSV file.
One other option you have is to use PowerShell:
Get-EventLog -LogName Security | Where-Object { $_.InstanceId -eq 4732 -or $_.InstanceId -eq 4733 }
The last one I provide is a small C# program that uses the EventLog class:
using System;
using System.Diagnostics;
using System.Linq;
class Program
{
    static void Main()
    {
        // Reading the Security log requires an elevated process.
        var list = new EventLog { Log = "Security" }
            .Entries
            .Cast<EventLogEntry>()
            .Where(evl => evl.InstanceId == 4732 || evl.InstanceId == 4733)
            .Select(cv => cv.Message);
        foreach (var msg in list)
        {
            Console.WriteLine(msg);
        }
    }
}
Take your pick

rene
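The answer lists the two event IDs and several ways to pull them, and the question also asked whether the output can be limited to particular groups. The following PowerShell is an added example, not code from the answer: it first enables the audit subcategory that produces 4732/4733 (they are off by default on workstations and member servers), then queries the Security log with one XPath filter that narrows on the group name carried in the event's TargetUserName field, and resolves the member SID to an account name. The group names in $GroupNames, the -MaxEvents value and the Resolve-Member helper are assumptions for illustration.

```powershell
# Added example; not part of the original answer. Run in an elevated PowerShell
# session (the Security log is readable only by administrators).

# 1. Make sure 4732/4733 are generated at all. They belong to the
#    "Security Group Management" subcategory; run auditpol /get /category:*
#    to see the subcategory names as localised on your system.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 2. Assumed list of groups to watch. Leave it empty to see every local group.
$GroupNames = @('Administrators', 'Remote Desktop Users')

# 3. Build a single XPath filter. In 4732/4733 the group is EventData
#    TargetUserName, the member is MemberName / MemberSid, and the account
#    that made the change is SubjectDomainName\SubjectUserName.
$xpath = "*[System[(EventID=4732 or EventID=4733)]"
if ($GroupNames.Count -gt 0) {
    $clauses = $GroupNames | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }
    $xpath += " and EventData[" + ($clauses -join ' or ') + "]"
}
$xpath += "]"

function Resolve-Member([hashtable]$Data) {
    # Assumed helper. Local-group events usually carry only the SID
    # (MemberName is '-'), so translate it to DOMAIN\name where possible.
    if ($Data['MemberName'] -and $Data['MemberName'] -ne '-') { return $Data['MemberName'] }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Data['MemberSid'])
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Data['MemberSid']   # deleted account or untrusted domain: keep the raw SID
    }
}

# 4. Query and project the fields an auditor actually wants. -ErrorAction is
#    needed because Get-WinEvent throws when nothing matches the filter.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 4732) { 'Added' } else { 'Removed' }
            Group   = $d['TargetUserName']
            Member  = Resolve-Member $d
            Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId = $d['SubjectLogonId']
        }
    } |
    Sort-Object Time
```

Pipe the result into Export-Csv if you want the file the answer talks about. Two caveats: 4732/4733 are only logged for local groups; domain groups produce the 4728/4729 (global) and 4756/4757 (universal) pairs on the domain controller, not on the member. And the Actor field tells you which account made the change, but a membership change performed through a service or scheduled task will show that service's account, so keep SubjectLogonId to correlate with the corresponding 4624 logon event.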
- If I decide to write up the last option, a C# program... how do I wire it up to trigger or run with Windows Server? Scheduler? – Chaka Dec 25 '14 at 15:43
- Schedule a task with SCHTASKS. You can use the /? switch to see the options or search on superuser.com for similar questions. – rene Dec 25 '14 at 16:08
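The comment above points at SCHTASKS for running the exporter. As an added example (not from the thread), the call below registers an event-triggered task rather than a timed one, so the handler runs immediately when a 4732 or 4733 is written to the Security log. The task name and the handler path in $Handler are assumptions; keep the path free of spaces or quote it inside /TR.

```powershell
# Added example; not part of the original thread. Run elevated.
# $Handler is an assumed path to whatever script or program does the export
# (for example the C# program from the answer, or a PowerShell script).
$Handler = 'C:\Audit\Export-GroupChange.ps1'
$Query   = "*[System[(EventID=4732 or EventID=4733)]]"

# /SC ONEVENT turns the task into an event subscription: /EC is the channel,
# /MO is the same XPath syntax Event Viewer and Get-WinEvent accept.
schtasks /Create /F /TN 'Audit-LocalGroupChange' `
    /SC ONEVENT /EC Security /MO $Query `
    /RU SYSTEM /RL HIGHEST `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Handler"

# Confirm the trigger was stored as an event subscription and not a time schedule.
schtasks /Query /TN 'Audit-LocalGroupChange' /XML | Select-String -Pattern 'EventTrigger|Subscription'
```

Running as SYSTEM gives the handler read access to the Security log without storing a password in the task. Because the task only fires on the event, the handler can simply run the same 4732/4733 query with a small -MaxEvents value and append the newest entries to the audit file.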