A server administrator is conducting a routine quarterly audit and discovers that a user account belonging to a junior help desk technician has been added to the "Domain Admins" security group. This action violates the principle of least privilege and was not authorized. To trace the source of this unauthorized change, which of the following is the MOST effective first step?
Immediately remove the technician's account from the "Domain Admins" group.
Disable the junior help desk technician's user account.
Analyze the Security event logs on the domain controllers.
Review the server's backup success and failure logs.
The correct action is to analyze the Security event logs on the domain controllers. In an Active Directory environment, changes to security group memberships are recorded in the Security log of the domain controller that processed the change, provided the "Audit Security Group Management" subcategory is enabled (it is on by default for success events on domain controllers). Because Domain Admins is a global group, the relevant event is Event ID 4728 ("A member was added to a security-enabled global group"); Event ID 4732 ("A member was added to a security-enabled local group") covers domain local groups such as the built-in Administrators group. Each of these events records the Subject (the account that performed the change, with its logon ID), the Member that was added, the Group that was modified, and the time, which is exactly the audit trail needed to identify the source of the unauthorized change. Removing or disabling the account addresses the symptom but does not reveal who performed the action, and backup logs do not record security group modifications.
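The following is an added example of how the log analysis described above is typically carried out; it is not part of the original question or explanation. It assumes two hypothetical domain controllers named DC01 and DC02, remote Security log read access from the workstation running it, and Security Group Management auditing enabled on the DCs. It collects 4728 events (and 4756, the universal-group equivalent, in case the group's scope had been changed) from every DC, filters them to the Domain Admins group, and reports who made the change and from which logon session.

```powershell
# Added example, not code from the original page.
# Assumptions: DC01/DC02 are hypothetical DC names; the caller has remote
# event log read rights; "Audit Security Group Management" success auditing
# is enabled on the DCs (the Default Domain Controllers Policy enables it).
$DomainControllers = @('DC01', 'DC02')
$GroupName         = 'Domain Admins'
$Since             = (Get-Date).AddDays(-90)   # quarterly audit window

# 4728 = member added to a security-enabled global group (Domain Admins is global)
# 4756 = member added to a security-enabled universal group (included as a safety net)
$filter = @{ LogName = 'Security'; Id = 4728, 4756; StartTime = $Since }

$results = foreach ($dc in $DomainControllers) {
    # Each DC only logs the changes it processed, so every DC must be queried.
    # Get-WinEvent reports "No events were found" as an error; suppress it and treat as empty.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read EventData fields by name from the event XML instead of relying on
        # positional Properties[] indexes, which differ between event IDs.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # TargetUserName holds the name of the group that was modified
        if ($d['TargetUserName'] -ne $GroupName) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc
            EventId     = $e.Id
            Group       = $d['TargetUserName']
            MemberAdded = $d['MemberName']       # distinguishedName of the account that was added
            PerformedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId     = $d['SubjectLogonId']   # ties the change to a logon session on this DC
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

The PerformedBy column answers the question of who made the change. The LogonId column is the next pivot: matching it against Event ID 4624 (logon) on the same DC for the same time window yields the source workstation or IP address of the session that performed the change, which distinguishes an administrator's mistake from a compromised credential being used from an unexpected host.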