Objective
This article explains how to track when a user was added to a security group using ManageEngine ADAudit Plus. It helps detect unauthorized additions, ensure compliance with access control policies, and maintain a clear audit trail of group membership changes.
Prerequisites
Ensure that the Audit Security Group Management and Audit Directory Service Changes audit policies are enabled in the Default Domain Controllers Policy.
Object-level auditing for group objects must be configured to ensure that events are logged whenever any activity related to Active Directory objects occurs.
Steps to follow
Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to view Active Directory reports.
Navigate to Active Directory > Group Management > Recently Added Members to Security Groups.
Click Advanced Search above the reports.
Select Member Name as a variable.
Choose Contains as a condition.
Enter the username in the Enter Search Value text box.
Click Search to display relevant results.
The reports can further be filtered using the following:
Specific user or group name
Time range
Domain controller or OU
Event IDs to look for (if validating in Event Viewer)
| Event ID | Description |
| --- | --- |
| 4728 | User added to a security-enabled global group. |
| 4732 | User added to a security-enabled local group. |
| 4756 | User added to a security-enabled universal group. |
| 5136/5137 | Group membership attribute modified (general object change logs). |
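To cross-check the report against the raw events listed above, the following PowerShell is an added example (not part of the original article and not ManageEngine code) that pulls events 4728, 4732, and 4756 from a domain controller's Security log and shows who added which member to which group. The sample user `jdoe`, the seven-day window, and the output column names are assumptions chosen for illustration.

```powershell
# Added example, not part of the original article or ADAudit Plus.
# Run in an elevated session on a domain controller; the Security log
# is per-DC, so repeat on each DC that may have processed the change.
param(
    [string]$User = 'jdoe',  # constructed sample: part of the member's DN or account name
    [int]$Days = 7           # assumed look-back window
)

# Event IDs from the table above, mapped to the group scope they cover
$scope = @{ 4728 = 'Global'; 4732 = 'Local'; 4756 = 'Universal' }

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    # Flatten the <EventData><Data Name="..."> elements into a name/value table
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # MemberName can be "-" (common for 4732); fall back to resolving MemberSid
    $member = $data['MemberName']
    if ([string]::IsNullOrEmpty($member) -or $member -eq '-') {
        try {
            $sid    = [System.Security.Principal.SecurityIdentifier]$data['MemberSid']
            $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $member = $data['MemberSid']   # unresolved: keep the raw SID
        }
    }

    if ($member -like "*$User*") {
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            EventId     = $evt.Id
            GroupScope  = $scope[$evt.Id]
            Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Member      = $member
            AddedBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LoggedOn    = $evt.MachineName
        }
    }
} | Sort-Object TimeCreated
```

The `AddedBy` column is the account that made the change, which is the field to compare against approved change requests when reviewing additions to privileged groups.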
Validation and confirmation
Verify that the added user appears in the Recently Added Members to Security Groups report.
Tips
Regularly review group management reports for unauthorized changes.
Schedule the report to run daily or weekly and email it to security administrators.
Regularly review high-privilege group changes (e.g., Domain Admins and Enterprise Admins).
Consider setting up real-time alerts in ADAudit Plus for critical group membership changes.
Related topics and articles
How to check when a user was removed from a security group
How to create a custom report to track group membership changes in privileged groups