This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 69%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER7%3C/text%3E%3C/svg%3E)
We have 2016 Domain Controllers and Auditing is enabled. We are trying to configure/deny read permission, for members of a group, over the Domain Admins group in Active Directory. But something is removing that change after some time. I can find changes, we make on the group in event ID 4662, by searching for the group name that is denied permission, but can't figure out what is reverting it. We have Microsoft Defender for Identity solution implemented on all our DC's, can it help track what is reverting the changes? Thanks
MDI will alert on changes to sensitive groups. You should get alerts on changes to Domain Admins, it should be flagged sensitive by default. I don't think MDI can help specifically on what or who is reverting the change if that is not clear in the audit events. MDI can make you aware of other unusual activity or signs or persistence (if the concern is malicious activity).
I am not clear on what RBAC is needed to modify the DA group. Possibly a GPO. Consider looking at other events and audit options. Recreate the activity manually to help identify an indicator. Consider the timing as a possible clue. https://video2.skills-academy.com/en-us/defender-for-identity/alerts-overview