In a previous tip, I described how to configure Windows Server 2008 R2 Group Policy to permit account auditing for user accounts.
You can perform a similar configuration for group objects. It can be very important to monitor group objects, mainly to prevent unplanned assignment of administrative or other group membership.
To locate this Group Policy setting, go to Computer Configuration | Windows Settings | Advanced Audit Policy Configuration | Account Management | Security Group Management. (See Figure A.)
Figure A
Once you configure Security Group auditing, events are sent to the Security log; these events include group creation, group membership changes, and type changes. To test this configuration, I set up a test server and assigned the Guest user membership in the local Administrators group. Clearly, this is something that administrators would want to know about, and the log is there to prove it.
Figure B shows the Guest User being added to the group.
Figure B
The log entry also shows who performed the task, which in the example above was WIN-5E1BBEM4KP8\Administrator (the local administrator on the server). You can filter these events, and you can also forward them to aggregate the data for this type of audit event.
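One way to do that filtering from PowerShell, as an added example that is not part of the original tip: it lists recent Security Group Management events with the group, the member and the account that made the change, and flags additions to the local Administrators group. The event IDs and event data field names are the standard Windows ones (the tip does not list them), and the seven-day window is an arbitrary assumption.

```powershell
# Added example. Run from an elevated prompt; reading the Security log requires it.
# To confirm the policy has applied first:
#   auditpol /get /subcategory:"Security Group Management"

# Event IDs written by the Security Group Management subcategory.
$eventNames = @{
    4727 = 'Global group created'
    4731 = 'Local group created'
    4754 = 'Universal group created'
    4728 = 'Member added (global)'
    4732 = 'Member added (local)'
    4756 = 'Member added (universal)'
    4729 = 'Member removed (global)'
    4733 = 'Member removed (local)'
    4757 = 'Member removed (universal)'
    4764 = 'Group type changed'
}
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Turn a SID string into DOMAIN\name; fall back to the raw SID if it cannot be resolved.
function Resolve-Sid([string]$Sid) {
    try   { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($eventNames.Keys)
    StartTime = (Get-Date).AddDays(-7)    # assumed review window
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}   # named fields from the event's <EventData> section
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    New-Object PSObject -Property @{
        Time      = $evt.TimeCreated
        EventId   = $evt.Id
        Action    = $eventNames[$evt.Id]
        Group     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Member    = $(if ($data['MemberSid']) { Resolve-Sid $data['MemberSid'] })
        ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Match on the group SID, not its name, so renamed or localized groups are still caught.
        AdminsAdd = ($evt.Id -eq 4732 -and $data['TargetSid'] -eq $adminsSid)
    }
} | Sort-Object Time |
    Select-Object Time, EventId, Action, Group, Member, ChangedBy, AdminsAdd |
    Format-Table -AutoSize
```

For the test described above, the row for the Guest account would show `AdminsAdd` as `True` and `ChangedBy` as the account that made the change.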