Solved

Receive notification when user added to certain AD groups

Posted on 2013-12-10
11
714 Views
Last Modified: 2014-01-03
Hello,

I am looking for a way to get an alert via email if a user has been added to certain AD groups of my choice such as Domain Admins group.

What native ways are there to achieve this and what 3rd party tools are there to provide this ability ?
domain functional level: 2003

Thank you.
0
Comment
Question by:iNc0g
  • 6
  • 2
11 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
If you are running server 2003 then natively you are going to have to go through the Security logs on your DC. In later version of Windows 2008 and up you can somewhat use Powershell to accomplish this but if you are not familiar with powershell this is can be very difficult/frusterating.

I would recommend AD Audit PLus. I use this software in my current environment and it tracks basically everything that is happening in your AD domain. Anything from Password lockouts, group membership changes, GPO, OU created etc. You can then setup email notifications for all of a select group of tasks you would like to be able to monitor more closely. It also has a dashboard view which gives a high level overview of top offenders and also recent changes. You can also go grandualr reporting as well if needed.

The software is not free but it is not expensive either. They have a fully featured trial for 30 days. - http://www.manageengine.com/products/active-directory-audit/

Will
0
 

Author Comment

by:iNc0g
Comment Utility
Thanks for the reply, I am more interested in a free solution, I see that event ID 632 is logged on the DC server security log when a user becomes a member of a group on AD, now all I need is to filter this event ID for the wanted group which is Domain Admins.

The events can be forwarded to a free program on another server and send email notifications when this specific event with the domain admin group is logged.

Anyone has experience with this and can recommend on a solution?
0
 

Author Comment

by:iNc0g
Comment Utility
I came across "eventtriggers.exe" command line which is available on 2003 servers as well.
this can help triggering an action whenever a certain event ID is logged, I am looking for a way to get notified whenever event ID 632 is logged and in the description of the event there's "Domain Admins" in the "Target Account Name" field.

I think this is more of a scripting related question.
0
 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 100 total points
Comment Utility
So for a free solution you can use the script GroupMonitor.wsf from http://www.lissware.net (Download the Volume 2 Script Kits from the homepage), this uses WMI event sinks to monitor the event log.  An you can configure an SMTP server + details at the beginning of the script.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:iNc0g
Comment Utility
Hi  JonLambert and thank you for your response!

How would I go about and modify the script according to my needs?
I see the obvious things like "cTargetRecipient", "cSourceRecipient", "cSMTPServer", "cSMTPPort".

Can you please assist with the rest of the details such as where do I define the event ID (632) and the name of the group (Domain Admins) to which a user has been added, also, how would I make this script to trigger an email each time the event ID + Domain Admins combination is logged in the event viewer?

Thanks a lot.
0
 

Author Comment

by:iNc0g
Comment Utility
I've edited the GroupMonitor.wsf and added the source and target recipient, SMTPserver and SMTPPort, I then opened CMD on the server and ran the following:

> GroupMonitor.wsf "Domain Admins" and pressed enter.

got the following popups at this order:

1
2
3
4
0
 
LVL 10

Expert Comment

by:JonLambert
Comment Utility
Hi,

Are you running the script from a 2008/2008R2 server?  If so you will need to start the CMD prompt as an administrator before running the script.

If the server is 2003, you may need to increase the amount of memory for WMI as per MS KB http://support.microsoft.com/kb/2404366

BTW  a quick google should show you some examples/info on using GroupMonitor.wsf

Cheers,

Jon
0
 

Accepted Solution

by:
iNc0g earned 0 total points
Comment Utility
Server is 2003.  I've already increased the amount of memory for WMI and it did not solve the problem.

I ended up installing SCOM2007 and configuring an email alert of what I wanted there.

Thanks anyway.
0
 

Author Closing Comment

by:iNc0g
Comment Utility
Using SCOM2007 helped me achieve what I was looking for.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Background Still having to process all these year-end "csv" files received from all these sources (including Government entities), sometimes we have the need to examine the contents due to data error, etc... As a "Unix" shop, our only readily …
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now