Any way to monitor AD group membership changes?

ixtab · Post by **ixtab** » Wed May 13, 2009 7:36 am

Hi,

Is there any monitor/method that I can use to query/monitor Active Directory group membership (when someone adds/removes users from AD groups)?

Any idea will be appreciated.

Thanks!
Ix

ixtab · Post by **ixtab** » Wed May 13, 2009 8:13 am

Made some progress and wanted to share. So it seems to be quite easy to use WMI to query group membership and it works fine with HostMonitor:

Here is an example for checking "Domain Admins" group membership in the "MyDomainName" domain:

Code: Select all

SELECT * FROM Win32_GroupUser where GroupComponent = "Win32_Group.Domain=\"MyDomainName\",Name=\"Domain Admins\""

Now for the next challenge (please let me know if you have any idea how to accomplish this second challenge): I would like to use HostMonitor to query the above group membership and only alert if users were added/removed from the list.

Any idea?

KS-Soft · Post by **KS-Soft** » Wed May 13, 2009 8:30 am

H'm, HostMonitor can start alert when number of rows returned by WMI query was changed. However if 1 user account was removed and another account was added at the same time (between test probes), HostMonitor will not detect the events.
Probably its better to setup NT Event Log test to monitor account activities?

Regards
Alex

ixtab · Post by **ixtab** » Wed May 13, 2009 8:58 am

I will consider monitoring the eventlog instead, thanks for the idea.

Is there a way on the HostMonitor WMI checks to send the complete WMI query results as part of the email?

KS-Soft · Post by **KS-Soft** » Wed May 13, 2009 9:33 am

Not yet. We plan to implement such option in future versions

Regards
Alex