Configure the Audit Group Membership Policy

We can configure the audit group membership policy using group policy, allowing us to record the group of a user in a login event log entry. This is used in addition to the Audit Logon policy to expand the information provided and include the group membership information of the user accessing the system.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


About Audit Group Membership Policy

The audit group membership policy can be used in addition to the Audit Logon policy to provide additional information, such as listing the local and domain group membership of users that login. This allows us to see the groups that have members logging in on a particular Windows system. For example we may configure only members within a certain group to have access to a server, this policy allows us to audit this.

Configure the Audit Group Membership Policy

To begin open up Group Policy Management, this can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. At this point you can either create a new policy, or edit an existing policy. In this example we’ll create a new GPO called “Audit Group Membership”.

Audit Group Membership GPO

Edit the policy, and browse to Computer Configuration > Policies > Windows Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

Logon / Logoff Audit Policies

From within here, either double click or right click then select properties on Audit Group Membership.

Audit Group Membership Properties

Select the check box to configure the following audit events, and select success, failure, or both event types to audit. As outlined in the explain tab, we also need to enable the “Audit Logon” policy in order for the Audit Group Membership policy to work, so do this too. It’s found just a few policy settings below it.

Audit Logon Properties

If we apply this policy to a computer and run a ‘gpupdate’ then log in, we can see the group membership details listed in the security event log.

Group Membership Events

Summary

We have demonstrated how to configure the audit group membership policy using Active Directory group policy in Windows Server 2016. This policy can be used in addition to the audit logon policy to log additional information regarding the group membership details of a user who logs in to a Windows system.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>