An enterprise subject to SOX compliance requires that any addition or removal of users from security-enabled groups on its Windows Server 2019 domain controllers be traceable for at least 90 days. The Security log is already forwarded to a SIEM with sufficient retention. Which local Windows audit policy should the systems administrator verify is enabled for Success (and preferably Failure) events so that these group-membership changes are recorded?
Group-membership changes are written to the Security log only when the Audit Account Management policy (or its granular Advanced Audit sub-category, Security Group Management) is enabled. With this setting turned on, event IDs such as 4728 (member added to a security-enabled global group) and 4729 (member removed from one) are generated, and the forwarded Security log lets the SIEM retain that evidence for 90 days or longer.
Audit Logon Events records logon and logoff activity, not account or group modifications. Audit Process Tracking captures detailed process start and stop information, which is unrelated to group management. Audit Object Access logs access to files, registry keys, and other securable objects, but it does not capture the creation or modification of security groups. Therefore, enabling Audit Account Management is the correct way to meet the requirement.
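As an added example (not part of the original question or answer), the PowerShell check an administrator could run on a domain controller: it verifies the Security Group Management subcategory with auditpol and then lists the resulting events from the last 90 days. It goes slightly beyond the answer's 4728/4729 by also including the sibling IDs for security-enabled local (4732/4733) and universal (4756/4757) groups.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on the domain controller whose Security log is forwarded to the SIEM.

# 1. Confirm the granular subcategory that actually produces 4728/4729.
#    Expected line in the output: "Security Group Management    Success and Failure"
auditpol /get /subcategory:"Security Group Management"

# 2. If it is not enabled, set it (a domain GPO is the preferred place; the
#    local command below is for verification on a lab host).
# auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 3. Pull the group-membership change events from the last 90 days.
#    4728/4729 = global group (cited in the answer), 4732/4733 = local group,
#    4756/4757 = universal group; odd-numbered IDs are removals.
$since  = (Get-Date).AddDays(-90)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4729, 4732, 4733, 4756, 4757
    StartTime = $since
} -ErrorAction SilentlyContinue   # no error if the window is empty

# 4. Flatten each event into the fields an auditor asks for: who made the
#    change, which group was touched, and which account was added or removed.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Action = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
        Group  = $data['TargetUserName']
        Member = $data['MemberName']
        Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If step 3 returns nothing on a busy domain, the subcategory was almost certainly disabled for part of the window, which is exactly the gap the SOX control is meant to catch.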