Solved: Re: How to display a modification on the active di...

episano · ‎10-09-2019

Hello, I want to display a table with the different modifications made on AD ( group add, user creation/removing, etc..) with the details of the operation but I cannot find the details in the logs.

I prefer to have a solution without using a ldapsearch because I need a real-time search.

gcusello · ‎10-09-2019

Hi episano,
by default this information aren't in the AD logs, so you have to enable them in your Domain Controllers, so you have to enable in Default Domain Controller Policy :

“Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

Event 4727 A Security-enabled Global Group was created
Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
Event 4728 A member was added to a security-enabled Global group
Event 4729 A member was removed from a security-enabled Global group
Event 4730 A Security-enabled Global Group was removed
Event 4754 A Security-enabled Universal Group was created
Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
Event 4756 A member was added to a security-enabled Universal group
Event 4757 A member was removed from a security-enabled Universal group
Event 4758 A Security-enabled Universal Group was removed
Event 4731 A Security-enabled Local Group was created
Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
Event 4732 A member was added to a security-enabled Domain Local group
Event 4733 A member was removed from a security-enabled Domain Local group
Event 4734 A Security-enabled Domain Local Group was removed
Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)
Event 4764 Group Change Type

“Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

Event 4720 A user account was created
Event 4724 An attempt was made to reset an account Password
Event 4738 A User account was changed
Event 4725 A user account was disabled
Event 4722 A user account was enabled
Event 4726 A user account was deleted

“Audit Audit Policy change” (success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.

Bye.
Giuseppe

View solution in original post

gcusello · ‎10-09-2019

Hi episano,
by default this information aren't in the AD logs, so you have to enable them in your Domain Controllers, so you have to enable in Default Domain Controller Policy :

“Audit Security Group Management” (Success) in: Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

Event 4727 A Security-enabled Global Group was created
Event 4737 A Security-enabled Global Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
Event 4728 A member was added to a security-enabled Global group
Event 4729 A member was removed from a security-enabled Global group
Event 4730 A Security-enabled Global Group was removed
Event 4754 A Security-enabled Universal Group was created
Event 4755 A Security-enabled Universal Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
Event 4756 A member was added to a security-enabled Universal group
Event 4757 A member was removed from a security-enabled Universal group
Event 4758 A Security-enabled Universal Group was removed
Event 4731 A Security-enabled Local Group was created
Event 4735 A Security-enabled Local Group was changed (generico precede ogni operazione che modifica le caratteristiche del gruppo)
Event 4732 A member was added to a security-enabled Domain Local group
Event 4733 A member was removed from a security-enabled Domain Local group
Event 4734 A Security-enabled Domain Local Group was removed
Event 4781 Group Rename (preceduto da 4735 Locale o 4737 Globale o 4755 Universale)
Event 4764 Group Change Type

“Audit User Account Management” (Success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account Management, so you'll have:

Event 4720 A user account was created
Event 4724 An attempt was made to reset an account Password
Event 4738 A User account was changed
Event 4725 A user account was disabled
Event 4722 A user account was enabled
Event 4726 A user account was deleted

“Audit Audit Policy change” (success) in:
Computer configuration – Policy – Windows Settings – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Policy Change, so you'll have a generic event 4719.

Bye.
Giuseppe

episano · ‎10-17-2019

Thanks for your clarity !

How to display a modification on the active directory?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation