Receive notification when user added to certain AD groups

Hello,

I am looking for a way to get an alert via email if a user has been added to certain AD groups of my choice such as Domain Admins group.

What native ways are there to achieve this and what 3rd party tools are there to provide this ability ?
domain functional level: 2003

Thank you.
iNc0gAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
If you are running server 2003 then natively you are going to have to go through the Security logs on your DC. In later version of Windows 2008 and up you can somewhat use Powershell to accomplish this but if you are not familiar with powershell this is can be very difficult/frusterating.

I would recommend AD Audit PLus. I use this software in my current environment and it tracks basically everything that is happening in your AD domain. Anything from Password lockouts, group membership changes, GPO, OU created etc. You can then setup email notifications for all of a select group of tasks you would like to be able to monitor more closely. It also has a dashboard view which gives a high level overview of top offenders and also recent changes. You can also go grandualr reporting as well if needed.

The software is not free but it is not expensive either. They have a fully featured trial for 30 days. - http://www.manageengine.com/products/active-directory-audit/

Will
iNc0gAuthor Commented:
Thanks for the reply, I am more interested in a free solution, I see that event ID 632 is logged on the DC server security log when a user becomes a member of a group on AD, now all I need is to filter this event ID for the wanted group which is Domain Admins.

The events can be forwarded to a free program on another server and send email notifications when this specific event with the domain admin group is logged.

Anyone has experience with this and can recommend on a solution?
iNc0gAuthor Commented:
I came across "eventtriggers.exe" command line which is available on 2003 servers as well.
this can help triggering an action whenever a certain event ID is logged, I am looking for a way to get notified whenever event ID 632 is logged and in the description of the event there's "Domain Admins" in the "Target Account Name" field.

I think this is more of a scripting related question.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

JonLambertCommented:
So for a free solution you can use the script GroupMonitor.wsf from http://www.lissware.net (Download the Volume 2 Script Kits from the homepage), this uses WMI event sinks to monitor the event log.  An you can configure an SMTP server + details at the beginning of the script.
iNc0gAuthor Commented:
Hi  JonLambert and thank you for your response!

How would I go about and modify the script according to my needs?
I see the obvious things like "cTargetRecipient", "cSourceRecipient", "cSMTPServer", "cSMTPPort".

Can you please assist with the rest of the details such as where do I define the event ID (632) and the name of the group (Domain Admins) to which a user has been added, also, how would I make this script to trigger an email each time the event ID + Domain Admins combination is logged in the event viewer?

Thanks a lot.
iNc0gAuthor Commented:
I've edited the GroupMonitor.wsf and added the source and target recipient, SMTPserver and SMTPPort, I then opened CMD on the server and ran the following:

> GroupMonitor.wsf "Domain Admins" and pressed enter.

got the following popups at this order:

1
2
3
4
JonLambertCommented:
Hi,

Are you running the script from a 2008/2008R2 server?  If so you will need to start the CMD prompt as an administrator before running the script.

If the server is 2003, you may need to increase the amount of memory for WMI as per MS KB http://support.microsoft.com/kb/2404366

BTW  a quick google should show you some examples/info on using GroupMonitor.wsf

Cheers,

Jon
iNc0gAuthor Commented:
Server is 2003.  I've already increased the amount of memory for WMI and it did not solve the problem.

I ended up installing SCOM2007 and configuring an email alert of what I wanted there.

Thanks anyway.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
iNc0gAuthor Commented:
Using SCOM2007 helped me achieve what I was looking for.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.