Auditing activity on your Windows Server 2012 R2 in production is very important, especially when more than one admin has access to the server. You want every change tracked and visible to you so that you are up to date on what was changed on your server. It makes your life much easier when something happens: you know where to find the answer to your problem, and troubleshooting gets simpler.
Here are the steps to set up native auditing on your Windows Server 2012 R2 domain controller to detect who added a new user to the DOMAIN ADMINS group, and when:
- Configure Audit Policy Settings by running GPMC.msc → Edit “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account management → Define → Success. Because Domain Admins is an Active Directory group, the change is logged by the domain controller that processes it, so the policy must reach your domain controllers: the Default Domain Policy is linked at the domain level and therefore covers them, but the Default Domain Controllers Policy is the more targeted place for it. On 2012 R2 the equivalent advanced setting is Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit Security Group Management → Success; if any advanced audit policy is defined, it takes precedence over these legacy category settings.
- Configure object-level Active Directory auditing settings by opening ADSI Edit → Connect to “Default naming context” → Click “OK” → Right-click the domainDNS object with the name of your domain → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions: → Select all check boxes except the following: “Full Control”, “List Contents”, “Read all properties”, “Read permissions” → Click “OK”. This SACL makes the domain controller log directory service access events (event ID 4662) for changes to objects in the domain; it only produces events if “Audit directory service access” is also enabled, and it is not required for event 4728, which comes from the account management category configured in the previous step. The excluded entries keep read-only access out of the log, which would otherwise be very noisy.
- Enlarge the Security event log capacity by running GPMC.msc → Edit “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define:
  - Maximum security log size to 1 GB
  - Retention method for security log to “Overwrite events as needed”.
  With “Overwrite events as needed”, old events are eventually lost once the log fills, so forward the Security log to a collector or SIEM if you need the history to survive.
- Run the “gpupdate /force” command on the domain controllers (or wait for the next Group Policy refresh) so the new settings take effect.
- Run eventvwr.msc and filter the Security log for event ID 4728, which is logged when a member is added to a security-enabled global group; Domain Admins is a global group, so this is the event to look for. In the event, the Subject fields show who made the change, Member shows the account that was added, and Group shows the group name, so filter the results on the group name “Domain Admins”. Note that Enterprise Admins and Schema Admins are universal groups (event ID 4756) and the built-in Administrators group is a domain local group (event ID 4732); the matching removal events are 4729, 4757 and 4733.
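The same check, done from PowerShell instead of clicking through Event Viewer, as an added example that is not part of the original post: it first verifies that the “Security Group Management” subcategory is actually auditing successes on the domain controller (a quick way to confirm the Group Policy above landed), then pulls the group-membership events from the Security log and reports who added which account to the group and when. It assumes you run it as an administrator on the domain controller (or pass `-ComputerName`); the group name, time window and the function names are this example's own choices.

```powershell
# Added example (not from the original post). Run on a domain controller as an
# administrator, or pass -ComputerName to query a remote DC's Security log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$GroupName    = 'Domain Admins',
    [int]$Days            = 7
)

# Step 1: confirm the audit subcategory is enabled. auditpol /r prints CSV with
# an "Inclusion Setting" column, e.g. "Success" or "Success and Failure".
# auditpol queries the local machine only, so this check is skipped for remote DCs.
function Test-GroupAuditPolicy {
    if ($ComputerName -ne $env:COMPUTERNAME) { return $null }
    $csv = auditpol /get /subcategory:"Security Group Management" /r | ConvertFrom-Csv
    $setting = $csv.'Inclusion Setting'
    Write-Host "Security Group Management auditing: $setting"
    return ($setting -match 'Success')
}

# Step 2: pull membership-change events. 4728 = added to a security-enabled
# global group (Domain Admins), 4756 = universal group (Enterprise/Schema Admins),
# 4732 = domain local group (built-in Administrators).
function Get-GroupMembershipAdditions {
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4756, 4732
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # The EventData names match the sections shown in Event Viewer:
        # Subject* = who did it, MemberName = who was added, TargetUserName = the group.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $GroupName) { continue }

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            EventId     = $evt.Id
            Group       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            MemberAdded = $data['MemberName']      # distinguished name of the new member
            AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId     = $data['SubjectLogonId']  # ties the change to the admin's logon session (4624)
            DC          = $evt.MachineName
        }
    }
}

if (Test-GroupAuditPolicy -eq $false) {
    Write-Warning 'Success auditing for Security Group Management is off; run gpupdate /force or fix the GPO.'
}

Get-GroupMembershipAdditions | Sort-Object Time | Format-Table -AutoSize
```

The `SubjectLogonId` value is worth keeping: matching it against the 4624 logon event with the same Logon ID tells you where the admin logged on from when they made the change. To watch more than one group, pass a list and compare with `-notin` instead of `-ne`.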