Track AD changes

Copper Contributor

We have 2016 Domain Controllers and Auditing is enabled.

We are trying to configure/deny read permission, for members of a group, over the Domain Admins group in Active Directory. But something is removing that change after some time. 


I can find changes, we make on the group in event ID 4662, by searching for the group name that is denied permission, but can't figure out what is reverting it.


How do we track, what is reverting or overwriting the change, back to original, what event ID should we look for. Also can Microsoft Defender for Identity be able to track the reverting event?

0 Replies