How can I capture when members are removed from domain admins group?
Ghanayem1974
Path Finder
02-06-2018
10:21 AM
I am trying to identify when a member has been removed from security-enabled groups such as Domain Admins, using index=wineventlog eventt_id=4729
but I am not finding anything with Group Name=Domain Admins?
dw385
Explorer
02-06-2018
04:35 PM
Are you pulling in the logs in XML format?
For non-XML, the field is Group_Name for Event ID 4729 (at least in my setup, which should be the standard Windows TA).
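
An added example, not part of the original thread and not Splunk or TA code: a section-aware parse of a classic (non-XML) Event ID 4729 message, showing where a `Group_Name` field comes from and why `Account Name` has to be read per section (it appears under both Subject and Member). The sample event, the watched-group list, the function names and the space-to-underscore key naming are assumptions made for illustration.

```python
import re

# Constructed sample of a classic (non-XML) Security log message for Event ID 4729.
SAMPLE_4729 = """\
A member was removed from a security-enabled global group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104
\tAccount Name:\t\tadmin.example
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7A1

Member:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1602
\tAccount Name:\t\tCN=Test User,CN=Users,DC=example,DC=test

Group:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-512
\tGroup Name:\t\tDomain Admins
\tGroup Domain:\t\tEXAMPLE
"""

WATCHED_GROUPS = {"domain admins"}  # assumption: groups worth alerting on


def parse_message(message):
    """Return {section: {Key_With_Underscores: value}} for a classic event message."""
    sections, current = {}, None
    for line in message.splitlines():
        header = re.fullmatch(r"(\w[\w ]*):", line)        # unindented "Subject:" header
        field = re.fullmatch(r"\s+([^:]+):\s*(.*)", line)   # indented "Key:   value" line
        if header:
            current = sections.setdefault(header.group(1), {})
        elif field and current is not None:
            # Assumed naming: spaces in the key become underscores ("Group Name" -> "Group_Name").
            current[field.group(1).strip().replace(" ", "_")] = field.group(2).strip()
    return sections


def privileged_removal(event_id, message):
    """Return (group, member, actor) when a 4729 event targets a watched group, else None."""
    if event_id != 4729:
        return None
    s = parse_message(message)
    group = s.get("Group", {}).get("Group_Name", "")
    if group.lower() not in WATCHED_GROUPS:
        return None
    return (group, s.get("Member", {}).get("Account_Name"),
            s.get("Subject", {}).get("Account_Name"))
```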
