How to Detect Who Modified Permissions to an Organizational Unit

Native Auditing
Steps
  1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit directory service access → Define → Success and Failures.
  2. Go to Event Log → Define:
    • Maximum security log size to 4 GB
    • Retention method for security log to "Overwrite events as needed".
  3. Link the new GPO to OU: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  4. Force the group policy update: In "Group Policy Management" right-click the defined OU → Click "Group Policy Update".
  5. Open ADSI Edit → Connect to Default naming context → Right-click domainDNS object with your domain name → Properties → Security → Advanced → Auditing → Add Principal "Everyone" → Type "Success" → Applies to "This object and descendant objects" → Permissions → Select all checkboxes except the following and click "OK":
    • Full Control
    • List Contents
    • Read all properties
    • Read permissions.
  6. Open Event Viewer → Search security log for event ID 5136 (a directory service object was modified). 
    After that you will be able to see who has modified permissions to what OU with a list of security descriptors.
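Event 5136 is logged for every audited attribute write, so the search in step 6 benefits from a filter. The PowerShell below is an added example, not part of the original page or of any Netwrix product: it keeps only nTSecurityDescriptor writes on organizationalUnit objects and pairs the old and new SDDL by OpCorrelationID. The function name, sample events, account and OU names are constructed for illustration.

```powershell
# Added example (not from the original page): report OU permission changes
# from event 5136, pairing the old and new security descriptor.
function Get-OuAclChange {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml)   # each item: $event.ToXml()
    $rows = foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 5136 fires for every audited attribute write; keep only security
        # descriptor writes on OU objects.
        if ($d.ObjectClass -eq 'organizationalUnit' -and
            $d.AttributeLDAPDisplayName -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time = [datetime]$x.Event.System.TimeCreated.SystemTime
                Who  = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                OU   = $d.ObjectDN
                Op   = $d.OperationType   # %%14674 = Value Added, %%14675 = Value Deleted
                Sddl = $d.AttributeValue
                Id   = $d.OpCorrelationID
            }
        }
    }
    # One modify operation logs a Deleted/Added pair sharing OpCorrelationID.
    $rows | Group-Object Id | ForEach-Object {
        $old = $_.Group | Where-Object Op -eq '%%14675' | Select-Object -First 1
        $new = $_.Group | Where-Object Op -eq '%%14674' | Select-Object -First 1
        [pscustomobject]@{
            Time = $_.Group[0].Time; Who = $_.Group[0].Who; OU = $_.Group[0].OU
            OldSddl = $old.Sddl; NewSddl = $new.Sddl
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$tpl = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>5136</EventID><TimeCreated SystemTime="2024-01-15T10:00:00Z"/></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="OpCorrelationID">{{11111111-2222-3333-4444-555555555555}}</Data>
<Data Name="ObjectDN">OU=Finance,DC=corp,DC=example</Data>
<Data Name="ObjectClass">organizationalUnit</Data>
<Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
<Data Name="AttributeValue">{0}</Data><Data Name="OperationType">{1}</Data>
</EventData></Event>
'@
$sample = ($tpl -f 'D:AI(A;;RP;;;AU)', '%%14675'), ($tpl -f 'D:AI(A;;RP;;;AU)(A;CI;WD;;;BU)', '%%14674')
Get-OuAclChange -EventXml $sample | Format-List
# Live use on a domain controller:
# Get-OuAclChange -EventXml (Get-WinEvent -FilterHashtable @{LogName='Security';Id=5136} | ForEach-Object { $_.ToXml() })
```

Comparing OldSddl with NewSddl shows exactly which access control entry was added or removed; in the constructed sample the new descriptor gains an entry granting WD (write DACL) on the OU.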
Netwrix Auditor for Active Directory
  1. Run Netwrix Auditor → Click "Reports" → Navigate to Active Directory → Active Directory Changes → Choose "Organizational Unit Changes" → Click "View".
  2. To save the report, click the "Export" button → PDF → Save as → Choose a location to save it.
[Sample report: How to Detect Who Modified Permissions to an Organizational Unit]

Continuously Monitor Changes to Security Permissions in AD to Protect Sensitive Data

Users can be assigned permissions to modify an OU; for example, a user might be allowed to delete objects, or to change their names or security configurations. But granting the wrong users permission to change the security settings of objects in an OU can lead to a security breach. For example, a user with such permissions could reset the password of any account and use those credentials to access sensitive data. That's why the right to configure the permission settings of objects in an OU should be carefully monitored and strictly validated.

Netwrix Auditor for Active Directory delivers complete visibility into what’s going on in Active Directory, including all changes made to security permissions. The application provides easy-to-read predefined audit reports, including a comprehensive report on changes to your organizational units. It also offers an interactive Google-like search that enables IT admins to quickly determine what changes were made to permissions in a given OU and who modified permission settings. This actionable intelligence enables IT admins to be aware of OU modifications and strengthen permission security to minimize the risk of a security breach. 
 
