With Windows 2008 R2 how do I audit when an user is added and removed from a local group?


I want to keep an audit when I remove or add users from local groups. Is it possible to filter out which groups? If not, all local groups is fine.


You're basically looking for two events in the Security event log.

  • 4732 A member was added to a security-enabled local group.
  • 4733 A member was removed from a security-enabled local group.

When you run the following command line you get a new instance of Event Viewer filtered on those two events.

eventvwr /f:"<QueryList><Query Id='0' Path='Security'><Select Path='Security'>*[System[(EventID=4732 or EventID=4733)]]</Select></Query></QueryList>"

Another option is to use the WMIC tool from the command line (make sure you are using an elevated command prompt):

wmic ntevent where "LogFile='security' and (EventIdentifier=4732 or EventIdentifier=4733)"

Note that this uses Win32_NTLogEvent internally, and I had to use the /trace:on switch to figure out the correct syntax for the where clause.
Use the optional /record:filename.xml switch to store the results in an XML file, or simply redirect the output to a CSV file.

One other option you have is to use PowerShell:

Get-EventLog -LogName Security | Where-Object { $_.InstanceId -eq 4732 -or $_.InstanceId -eq 4733 }

The last one I provide is a small C# program that uses the EventLog class:

using System;
using System.Diagnostics;
using System.Linq;

class Program
{
    static void Main()
    {
        // Reading the Security log requires the process to run elevated.
        var list = new EventLog { Log = "Security" }
            .Entries
            .Cast<EventLogEntry>()
            .Where(evl => evl.InstanceId == 4732 || evl.InstanceId == 4733)
            .Select(cv => cv.Message);
        foreach (var msg in list)
        {
            Console.WriteLine(msg);
        }
    }
}

Take your pick.
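The answer above lists the events and several ways to pull them from the Security log, but the question also asks whether the audit can be limited to particular groups. The event record itself carries the group name (TargetUserName), the group SID (TargetSid), the member's SID (MemberSid, since MemberName is often just "-" for local accounts) and the account that made the change (SubjectUserName). The script below is an added example, not part of the original answer: it uses Get-WinEvent with a hash-table filter, parses those fields out of each event's XML, and keeps only the groups you name. The group list and the seven-day window are placeholder assumptions; pass an empty list to see every local group. It assumes an elevated PowerShell session and that the "Security Group Management" audit subcategory is enabled, otherwise 4732/4733 are never written at all.

```powershell
# Added example (not from the original answer): report local-group membership
# changes, optionally restricted to named groups.
#
# Events 4732/4733 are only logged when the "Security Group Management"
# subcategory is audited. Check and enable it with:
#   auditpol /get /subcategory:"Security Group Management"
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

param(
    # Assumed defaults for illustration; pass @() to report all local groups.
    [string[]]$Groups = @('Administrators', 'Remote Desktop Users'),
    [datetime]$Since  = (Get-Date).AddDays(-7)
)

$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733        # 4732 = member added, 4733 = member removed
    StartTime = $Since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    # Pull the named EventData fields out of the event XML into a lookup table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # MemberName is frequently '-' for local accounts, so resolve MemberSid
    # instead; fall back to the raw SID if the account no longer exists.
    $member = $data['MemberSid']
    try {
        $sid    = New-Object System.Security.Principal.SecurityIdentifier $member
        $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    $action = if ($_.Id -eq 4732) { 'Added' } else { 'Removed' }

    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Action    = $action
        Group     = $data['TargetUserName']
        GroupSid  = $data['TargetSid']
        Member    = $member
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
} |
    Where-Object { (-not $Groups) -or ($Groups -contains $_.Group) } |
    Select-Object Time, Action, Group, GroupSid, Member, ChangedBy |
    Format-Table -AutoSize
```

Filtering on the group name after retrieval keeps the Get-WinEvent query fast (the log is indexed by event ID, not by EventData fields). Replace the trailing Format-Table with Export-Csv -NoTypeInformation to keep a running audit file, and prefer matching on GroupSid over Group if the group might be renamed.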