Create a "Domain Auditor" role
With the new demands for more and more detailed auditing and compliance verifications, I would like a "Global Auditor" role to be created which would be similar in access to Enterprise or Domain Admins, but Read Only.
As a busy admin, I don't have time to go get screenshots of group after group and chase down nested rabbit holes. I want the auditors to go look for themselves. Go take whatever screenshots you want anywhere you want in the domain. Don't ask me, who has little time and, frankly, the most incentive to cover something up if something should not be in order. How many times has this scenario occurred: Admin gets request, goes and looks at group, sees someone that probably shouldn't be in there, removes them, takes the screenshot, and then adds them back.
Michael Finney commented
By the way, this should be included in on-premises Windows domains as well. I brought this up years ago when I was a-mifinn @ microsoft.com but unfortunately it didn't go anywhere.