In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to track when a user was removed from a security group using ManageEngine ADAudit Plus. It helps detect unauthorized additions, ensure compliance with access control policies, and maintain a clear audit trail of group membership changes.
Prerequisites
Ensure Audit Security Group Management is enabled on the Default Domain Controller Policy.
Ensure that Audit Directory Service Changes is enabled on the Default Domain Controller Policy to capture events related to event ID 5137.
Object-level auditing for group objects must be configured to ensure that events are logged whenever any activity related to Active Directory objects occurs.
Steps to follow
Log in to ADAudit Plus as an admin or with a technician account.
Navigate to Active Directory > Group Management > Recently Removed Members from Security Groups.
Click Advanced Search above the reports.
Select Member Name as a variable.
Choose Contains as a condition.
Enter the username in the Enter Search Value text box.
Click Search to display relevant results.
The reports can further be filtered using the following:
Specific user or group name
Time range
Domain controller or OU
Event IDs to look for (if validating in the Event Viewer)

| Event ID | Description |
| --- | --- |
| 4729 | User removed from a security-enabled global group. |
| 4733 | User removed from a security-enabled local group. |
| 4757 | User removed from a security-enabled universal group. |
| 5136/5137 | Group membership attribute modified (general object change logs). |
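To validate against raw Security-log events rather than the report, the added example below (not ManageEngine code) parses event XML such as an Event Viewer export, keeps only the three removal event IDs listed above, and applies the same "Member Name contains" filter. The sample events, account names, group names and SIDs are constructed; the `Data` field names follow the standard layout of these Windows events.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Removal event IDs from the table above, mapped to the group scope they cover.
REMOVAL_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

def _event(eid, when, member, sid, group, actor):
    """Build one constructed Security-log event in Windows event XML form."""
    fields = {"MemberName": member, "MemberSid": sid,
              "TargetUserName": group, "SubjectUserName": actor}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample events (not real log data).
SAMPLE = "<Events>" + "".join([
    _event(4729, "2024-05-01T09:15:00Z", "CN=Jane Doe,OU=Staff,DC=example,DC=com",
           "S-1-5-21-1-2-3-1104", "Domain Admins", "helpdesk1"),
    _event(4728, "2024-05-01T09:20:00Z", "CN=Jane Doe,OU=Staff,DC=example,DC=com",
           "S-1-5-21-1-2-3-1104", "VPN Users", "helpdesk1"),  # 4728 is an add: ignored
    _event(4733, "2024-05-02T11:00:00Z", "-",
           "S-1-5-21-1-2-3-1104", "Backup Operators", "admin2"),
    _event(4757, "2024-05-03T14:30:00Z", "CN=Bob Lee,OU=Staff,DC=example,DC=com",
           "S-1-5-21-1-2-3-1105", "Finance-All", "admin2"),
]) + "</Events>"

def find_removals(xml_text, member_contains):
    """Return removal records whose member name or SID contains the search value."""
    needle = member_contains.lower()
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in REMOVAL_EVENTS:
            continue
        d = {n.get("Name"): (n.text or "") for n in ev.iterfind("e:EventData/e:Data", NS)}
        # MemberName may be logged as "-"; fall back to the SID so the removal is not missed.
        sid = d.get("MemberSid", "")
        member = d["MemberName"] if d.get("MemberName", "-") != "-" else sid
        if needle in member.lower() or needle in sid.lower():
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            hits.append({"when": when, "scope": REMOVAL_EVENTS[eid],
                         "group": d.get("TargetUserName", ""), "member": member,
                         "removed_by": d.get("SubjectUserName", "")})
    return hits

if __name__ == "__main__":
    for record in find_removals(SAMPLE, "-1104"):
        print(record)
```

Searching by name alone misses the constructed 4733 event because its `MemberName` is "-", which is why the filter also matches on the SID.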
Validation and confirmation
Verify that the removed user appears in the Recently Removed Members from Security Groups report.
Test by removing a user from a security group and checking if it appears in the report.
Tips
Regularly review group management reports for unauthorized changes.
Schedule the report to run daily or weekly and email it to security administrators.
Regularly review high-privilege group changes (e.g., Domain Admins or Enterprise Admins).
Consider setting up real-time alerts in ADAudit Plus for critical group membership changes.
Related topics and articles
How to configure a custom alert to receive alerts for group membership changes