?
Solved

Receive notification when user added to certain AD groups

Posted on 2013-12-10
11
Medium Priority
?
989 Views
Last Modified: 2014-01-03
Hello,

I am looking for a way to get an alert via email if a user has been added to certain AD groups of my choice such as Domain Admins group.

What native ways are there to achieve this and what 3rd party tools are there to provide this ability ?
domain functional level: 2003

Thank you.
0
Comment
Question by:iNc0g
  • 6
  • 2
9 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39709094
If you are running server 2003 then natively you are going to have to go through the Security logs on your DC. In later version of Windows 2008 and up you can somewhat use Powershell to accomplish this but if you are not familiar with powershell this is can be very difficult/frusterating.

I would recommend AD Audit PLus. I use this software in my current environment and it tracks basically everything that is happening in your AD domain. Anything from Password lockouts, group membership changes, GPO, OU created etc. You can then setup email notifications for all of a select group of tasks you would like to be able to monitor more closely. It also has a dashboard view which gives a high level overview of top offenders and also recent changes. You can also go grandualr reporting as well if needed.

The software is not free but it is not expensive either. They have a fully featured trial for 30 days. - http://www.manageengine.com/products/active-directory-audit/

Will
0
 

Author Comment

by:iNc0g
ID: 39710707
Thanks for the reply, I am more interested in a free solution, I see that event ID 632 is logged on the DC server security log when a user becomes a member of a group on AD, now all I need is to filter this event ID for the wanted group which is Domain Admins.

The events can be forwarded to a free program on another server and send email notifications when this specific event with the domain admin group is logged.

Anyone has experience with this and can recommend on a solution?
0
 

Author Comment

by:iNc0g
ID: 39736136
I came across "eventtriggers.exe" command line which is available on 2003 servers as well.
this can help triggering an action whenever a certain event ID is logged, I am looking for a way to get notified whenever event ID 632 is logged and in the description of the event there's "Domain Admins" in the "Target Account Name" field.

I think this is more of a scripting related question.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 400 total points
ID: 39737868
So for a free solution you can use the script GroupMonitor.wsf from http://www.lissware.net (Download the Volume 2 Script Kits from the homepage), this uses WMI event sinks to monitor the event log.  An you can configure an SMTP server + details at the beginning of the script.
0
 

Author Comment

by:iNc0g
ID: 39737894
Hi  JonLambert and thank you for your response!

How would I go about and modify the script according to my needs?
I see the obvious things like "cTargetRecipient", "cSourceRecipient", "cSMTPServer", "cSMTPPort".

Can you please assist with the rest of the details such as where do I define the event ID (632) and the name of the group (Domain Admins) to which a user has been added, also, how would I make this script to trigger an email each time the event ID + Domain Admins combination is logged in the event viewer?

Thanks a lot.
0
 

Author Comment

by:iNc0g
ID: 39737909
I've edited the GroupMonitor.wsf and added the source and target recipient, SMTPserver and SMTPPort, I then opened CMD on the server and ran the following:

> GroupMonitor.wsf "Domain Admins" and pressed enter.

got the following popups at this order:

1
2
3
4
0
 
LVL 10

Expert Comment

by:JonLambert
ID: 39739010
Hi,

Are you running the script from a 2008/2008R2 server?  If so you will need to start the CMD prompt as an administrator before running the script.

If the server is 2003, you may need to increase the amount of memory for WMI as per MS KB http://support.microsoft.com/kb/2404366

BTW  a quick google should show you some examples/info on using GroupMonitor.wsf

Cheers,

Jon
0
 

Accepted Solution

by:
iNc0g earned 0 total points
ID: 39744715
Server is 2003.  I've already increased the amount of memory for WMI and it did not solve the problem.

I ended up installing SCOM2007 and configuring an email alert of what I wanted there.

Thanks anyway.
0
 

Author Closing Comment

by:iNc0g
ID: 39753370
Using SCOM2007 helped me achieve what I was looking for.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses
Course of the Month14 days, 7 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question