Does Windows log a “Member removed” event for security groups when an AD user account is deleted

active-directory, windows-event-log, windows-server-2008-r2

We have AD DS security auditing enabled on a Windows Server 2008r2 functional level domain. We use a third party tool to alert us to changes to our administrative group memberships. We recently deleted several service accounts that were members of the Domain Admins security group, but no one was alerted by our third party tool.

I'm trying to determine if there's a fault in our auditing configuration, a fault in the third party tool, or if Windows simply does not log "Member removed" events for security groups when a user in a security group is deleted.

To be more specific, we are looking for a security log event for "A member was removed from a security-enabled [Universal|Global|Domain-Local] group." This is the event that initiates the alert in our application. In this case, the "member" user account was deleted without being explicitly removed from the security group. There is an event logged for "A user account was deleted."

In this case I suspect that Windows will not log the "A member was removed from a security enabled … group" event because the user account was deleted without being explicitly removed from the security group. I would like to confirm this hypothesis. If my hypothesis is true, then we need to adjust our processes. If my hypothesis is false, and Windows should log this event, then either our auditing is failing or misconfigured, or the application is failing.

Auditing "Account Management" is enabled by GPO. The Admin security groups have the "Success" auditing events added to their security properties. The security log size on our domain controllers is 128 MB. I've searched the security event log on the DC for events 4733, 4729, and 4757 and found none; however, the event log recycles after only a few hours with all of the activity on our domain.

These alerts have worked in the past for explicit member added and member removed events and no configurations have changed (that I'm aware of, and I'm the AD sys admin).

Maybe as an AD sys admin I should already know the answer to this question, but nobody knows everything 🙂

I also asked this question on TechNet, but got no useful responses.

Best Answer

For security groups yes:

Event ID   Legacy event   Criticality   Summary
4729       633            Low           A member was removed from a security-enabled global group.

I do not believe management event logging will log a removal event, since that action did not take place in the case of account deletion.
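One way to close the gap the answer describes, as an added PowerShell example that is not part of the original question or answer: keep a periodic snapshot of privileged group membership and raise an alert when a 4726 event ("A user account was deleted") names an account whose SID was in that snapshot, since the deletion itself produces no 4729/4733/4757 "member removed" event. It assumes the ActiveDirectory module on a domain controller; the snapshot path and the function names are hypothetical.

```powershell
# Added example, not from the original question or answer.
# Assumption: ActiveDirectory module available (RSAT / DC); $SnapshotPath is hypothetical.
# Deleting a user logs 4726 but no 4729/4733/4757 "member removed" event, so membership
# must be captured *before* the deletion to know what the deleted account belonged to.

$SnapshotPath     = 'C:\Audit\PrivilegedMembers.json'   # hypothetical location
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Save-PrivilegedSnapshot {
    # Record SID -> "sAMAccountName|group" for every recursive member of the watched groups.
    $members = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $members[$_.SID.Value] = "$($_.SamAccountName)|$g" }
    }
    $members | ConvertTo-Json | Set-Content -Path $SnapshotPath
}

function Find-DeletedPrivilegedAccounts {
    # Look back less than the log's wrap-around interval (a few hours on a busy domain).
    param([int]$LookbackHours = 2)
    $snapshot = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    # 4726 = "A user account was deleted"; TargetSid identifies the deleted account.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4726; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $sid = $data['TargetSid']
        # Alert only when the deleted SID was a member of a watched group at snapshot time.
        if ($snapshot.PSObject.Properties.Name -contains $sid) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Deleted   = $data['TargetUserName']
                WasMember = $snapshot.$sid
                DeletedBy = $data['SubjectUserName']
            }
        }
    }
}

# Typical use: schedule Save-PrivilegedSnapshot hourly and Find-DeletedPrivilegedAccounts
# at an interval shorter than the security log's recycle time, forwarding any output as an alert.
```

Because the snapshot is the only record of the vanished membership, take it more often than the log rolls over; a deletion that happens between two snapshots of the same account is still caught, but an account added and deleted between snapshots is not.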