Detect Permission Changes in Active Directory

This article describes how to track permission changes in Active Directory.

Overview

Let’s start with a small example:

Suppose an organization works in three shifts with different server administrators, and the permissions on some Active Directory objects change overnight. It is good practice to know which admin changed them, and when.

To get that information, auditing of permission changes in Active Directory must be enabled. This article explains how to do that.

Enable auditing of Active Directory service changes

The first step is to enable auditing of Active Directory service changes. This is done on the domain controller by editing the Default Domain Controllers Policy Group Policy object (GPO).

The operation should be done from a server or a workstation with Remote Server Administration Tools (RSAT) installed.

Open Group Policy Management and expand the Active Directory forest, Domains, and then the Domain Controllers organizational unit (OU) to reach the Default Domain Controllers Policy GPO. Right-click it and choose Edit from the menu to open the Group Policy Management Editor.

In the Group Policy Management Editor, navigate to (and expand Policies) Computer Configuration, then Windows Settings, then Advanced Policy Configuration, and click DS Access.

Among the subcategories listed there is Audit Directory Service Changes.

In the properties of the Audit Directory Service Changes policy, under the Configure the following audit events option, tick both checkboxes (Success and Failure).

Adding a system access control list (SACL)

The next step is to add a system access control list (SACL) to the domain to audit for modified permissions.

System access control lists (SACLs) are used to establish system-wide security policies for actions such as logging or auditing resource access.

A SACL specifies:

  • Which security principals (users, groups, computers) should be audited when accessing the object.
  • Which access events should be audited for these principals.

The SACL is added from Active Directory Users and Computers (ADUC). Open the View menu and check Advanced Features (it has to be activated).

Click the Active Directory domain (on the left) and select Properties > Security > Advanced, then switch to the Auditing tab and click Add. This opens the Auditing Entry tab.

In the Auditing Entry tab, click Select a Principal.

In the Select User, Computer, Service Account, or Group dialog, enter “Everyone” as the object name and click OK.

The auditing entry type has to be set to “Success”, and the Applies to option has to be set to “This object and all descendant objects”.

Under “Permissions”, the only option selected has to be “Modify Permissions”.

Check

And that is it. The only thing left to do is to check for permission changes.

This can be done in PowerShell with the following command, which returns the 10 most recent events with ID 5136 from the Security log:

Get-EventLog -LogName Security -InstanceId 5136 -Newest 10 | Format-List

The output is a formatted list of information about each change (who changed which object, and the new security descriptor).
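
The check above can be narrowed to permission changes only, because event 5136 is logged for any audited attribute change and an ACL change appears as a write to the nTSecurityDescriptor attribute. The following is an added example, not part of the original article: the function name ConvertFrom-DsChangeEvent is hypothetical, and the sample event (account, domain, OU, SDDL string) is constructed so the script also runs away from a domain controller.

```powershell
# Added example: reduce a 5136 event to a who/what/when record and keep
# only changes to nTSecurityDescriptor (the attribute that holds the ACL).
function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        # EventData is a flat list of <Data Name="...">value</Data> elements.
        $d = @{}
        foreach ($item in $e.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # Skip 5136 events for any other attribute.
        if ($d['AttributeLDAPDisplayName'] -ne 'nTSecurityDescriptor') { return }
        [pscustomobject]@{
            TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
            ChangedBy   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ObjectDN    = $d['ObjectDN']
            Operation   = switch ($d['OperationType']) {
                '%%14674' { 'Value Added' }
                '%%14675' { 'Value Deleted' }
                default   { $_ }
            }
            NewSddl     = $d['AttributeValue']   # security descriptor in SDDL form
        }
    }
}

# Constructed sample event (not real log data), trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2024-01-15T02:13:07.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">admin-night</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">OU=Servers,DC=example,DC=com</Data>
    <Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
    <Data Name="AttributeValue">O:DAG:DAD:AI(A;;RPWP;;;AU)</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-DsChangeEvent | Format-List

# On a domain controller, feed it live events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-DsChangeEvent
```

A single permission change normally produces a Value Deleted record for the old descriptor and a Value Added record for the new one, so comparing the two SDDL strings shows exactly which access control entries changed.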
