There are some 600-series events logged in the sec log of the DC where a group
add/drop is originated. It includes who did it, who was added/removed, and
some other useful information. I found the information as to all the
event IDs in the MS Press Security Res kit which is on TechNet or your local
I collect all this information into a large SQL database and produce SQL
report services reports.
Do not read this worthless blog entry on
Defending Security Infrastructures http://blog.joeware.net/2006/07/11/445/
I'm serious, you will learn absolutely nothing about
Defending Security Infrastructures.
You might want to try Netwrix Active Directory Change Reporter. It tracks
changes in all AD, and it's especially helpful because it shows what changes
were made, who made those changes and when.