Monitor Domain Security Group Changes in Environment With Multiple Domain Controllers

I have a really large environment (many domain controllers). I currently have the SEM/ LEM agent installed on my two local domain controllers and I can see the changes made to the security groups as long as I am logged into one of those two local domain controllers that have the agent installed. If I, or someone else, were to make changes to the security groups from a different domain controller (that do not have the agent installed) the changes are not detected in the monitor.

I need to monitor changes to domain security groups without having to install the SEM/ LEM agent on every domain controller. Is that possible?