Windows Group Change Activity
The Windows group change activity page covers the actions performed on Windows groups. Users added to or removed from groups have their permissions increased or removed accordingly. Some of this activity may be part of normal business-as-usual activity; however, when users are added to privileged groups, approval processes should have been followed. By tracking unusual patterns of activity on systems, either local groups or domain-based groups can be monitored for each system, along with the specific privileged groups. Some parts of the dashboard only show data for the last 4 hours, because some Windows systems can generate a massive number of events. If a longer search window is needed, it is best to use the event search feature to search the logs over a longer time period.
Some key aspects of the changes are:
Windows Group Member changes by system - allows tracking of the permission levels of the groups. Was the group's access level changed to include other groups, or was the group added to another group, such as the local Administrators group or the Domain Admins group, for a higher level of access?
Windows Accounts Added or Removed by Group - track which changes are made to the group for each user in those groups.
Windows Groups Added or Removed - track which groups were added to or removed from the system and what permission levels they were granted.
Windows Group User Account Changes - track which groups had users added or removed. Of particular note, privileged user group changes could be part of unauthorized activity, so groups like Administrators, domain administrators, etc. should be monitored closely.
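The views listed above can be approximated from raw Windows Security events. The following is an added example, not part of the product or its documentation: it counts group changes per system and lists membership changes on privileged groups for review. The event field names, the watch list and the sample events are assumptions constructed for illustration; the event IDs are the standard Windows Security IDs for security-enabled group changes.

```python
from collections import Counter

# Windows Security event IDs for security-enabled group changes
# (global, local, universal scope respectively).
ACTIONS = {
    4728: "member_added", 4732: "member_added", 4756: "member_added",
    4729: "member_removed", 4733: "member_removed", 4757: "member_removed",
    4727: "group_created", 4731: "group_created", 4754: "group_created",
    4730: "group_deleted", 4734: "group_deleted", 4758: "group_deleted",
}

# Assumed watch list; replace with the privileged groups in your environment.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}

# Constructed sample events. The field names are assumptions, not a product schema.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4732, "group": "Administrators", "member": r"CORP\jdoe"},
    {"host": "DC01", "event_id": 4728, "group": "Domain Admins", "member": r"CORP\svc-backup"},
    {"host": "DC01", "event_id": 4729, "group": "Domain Admins", "member": r"CORP\svc-backup"},
    {"host": "FS02", "event_id": 4731, "group": "Finance-Share-RW", "member": None},
    {"host": "FS02", "event_id": 4732, "group": "Finance-Share-RW", "member": r"CORP\asmith"},
    {"host": "WS01", "event_id": 4624, "group": None, "member": None},  # logon, not a group change
]


def summarise(events):
    """Count group changes per (host, group, action) and list privileged membership changes."""
    per_system = Counter()
    privileged = []
    for ev in events:
        action = ACTIONS.get(ev["event_id"])
        if action is None:
            continue  # unrelated event type
        per_system[(ev["host"], ev["group"], action)] += 1
        is_member_change = action in ("member_added", "member_removed")
        if is_member_change and ev["group"].lower() in PRIVILEGED_GROUPS:
            privileged.append((ev["host"], ev["group"], action, ev["member"]))
    return per_system, privileged


if __name__ == "__main__":
    counts, flagged = summarise(SAMPLE_EVENTS)
    for key, n in sorted(counts.items()):
        print(n, *key)
    for item in flagged:
        print("REVIEW:", *item)
```

Each flagged entry is a candidate to check against the approval process for privileged group changes.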