September 11, 2015

Having visibility into the changes going on within your systems can be critical for an IT professional, especially when it comes to your Active Directory system. I have come up with a quite simple and very useful setup that sends an automated alert whenever a User Account is Disabled, Created, or added to a Domain Group. This helps whenever multiple individuals have access to perform these changes within Active Directory, as it will alert you immediately whenever a change is performed, and it will provide insight into who made the change.

In order to configure this setup, you should be familiar with Windows Task Scheduler, and you will need access to a Domain Account with the following:
     - Ability to schedule tasks on your Active Directory server
     - Read access to your Active Directory server's Event Logs
     - A corresponding E-Mail address from which you can send the alerts

Account Created Alert
In order to configure the alert for when a user account is created, you must first create the following PowerShell script:

# Read the newest "user account was created" event (Security Event ID 4720).
# -Newest 1 returns only the latest instance; if two accounts are created at nearly the
# same time, the task fired by the second event can mail the same record twice.
$Event = Get-EventLog -LogName Security -InstanceId 4720 -Newest 1
# Mail body: full event text (created account and the account that created it), then the timestamp.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated
Send-MailMessage -From "[UserID Running the Scheduled Task]" -To "[Your E-Mail Address or Distribution List]" -Subject "User Account was Created" -Body $MailBody -SmtpServer "[SMTP Server IP]"


Once this has been created, you can schedule it within Task Scheduler on your Active Directory server using a Domain Account with the appropriate access (listed above). Ideally, this account would be some sort of "service" account and not associated with a particular IT Admin. In order for this alert to be sent out immediately whenever a user account is created, you will need to configure the task to be triggered whenever Security Event ID 4720 occurs. This is key, as the above PowerShell script will send you an E-Mail with the content of the most recent instance of this Event ID. This will contain the user account that has been created, along with the administrative account that created it.

Account Added to Domain Group Alert
In order to configure the alert for when a user account is added to a Domain Group, you must first create the following PowerShell script:

# Read the newest "member added to a security-enabled global group" event (Security Event ID 4728).
$Event = Get-EventLog -LogName Security -InstanceId 4728 -Newest 1
# Mail body: full event text (member, group and the account that made the change), then the timestamp.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated
Send-MailMessage -From "[UserID Running the Scheduled Task]" -To "[Your E-Mail Address or Distribution List]" -Subject "User Account was added to a Domain Group" -Body $MailBody -SmtpServer "[SMTP Server IP]"


Just like with the previous alert, you can now schedule it within Task Scheduler on your Active Directory server using the same Domain Account as before. In order for this alert to be sent out immediately whenever a user account is added to a Domain Group, you will need to configure the task to be triggered whenever Security Event ID 4728 occurs. Just like with the previous alert, this is a key step. This particular alert will contain the user account that was added to a group, the corresponding domain group, and the administrative account that added it.

Account Disabled Alert
In order to configure the alert for when a user account is disabled, you must first create the following PowerShell script:

# Read the newest "user account was disabled" event (Security Event ID 4725).
$Event = Get-EventLog -LogName Security -InstanceId 4725 -Newest 1
# Mail body: full event text (disabled account and the account that disabled it), then the timestamp.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated
Send-MailMessage -From "[UserID Running the Scheduled Task]" -To "[Your E-Mail Address or Distribution List]" -Subject "User Account was Disabled" -Body $MailBody -SmtpServer "[SMTP Server IP]"


Just like with the previous two alerts, you can now schedule it within Task Scheduler on your Active Directory server using the same Domain Account as before. In order for this alert to be sent out immediately whenever a user account is disabled, you will need to configure the task to be triggered whenever Security Event ID 4725 occurs. As with the other alerts, this is important. This particular alert will contain the user account that was disabled, and the administrative account that disabled it.

If you have followed these steps correctly, you will now be able to receive E-Mail alerts whenever someone Creates a new Domain Account, adds an existing one to a Domain Group, or Disables an existing account.
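As an added example (my code, not the post's scripts), the three alerts above can be folded into one script that also registers its own event-triggered tasks, which the post only describes in words; it goes a step further than the post by pulling the actor, target and group out of the event's XML instead of mailing the raw message, and by including the record ID so the exact event can be found later. It assumes PowerShell 3 or later on Windows Server 2012 or later, and the mail addresses, SMTP host and service account name are placeholders to replace.

```powershell
# Added example: one script for the 4720/4725/4728 alerts, with -Register to create
# the event-triggered tasks. Placeholders: mail addresses, SMTP host, service account.
param(
    [ValidateSet(4720, 4725, 4728)][int]$EventId,
    [switch]$Register
)
$Labels = @{
    4720 = 'User Account was Created'
    4725 = 'User Account was Disabled'
    4728 = 'User Account was added to a Domain Group'
}
if ($Register) {
    # Run once, elevated, on the DC. Each task fires on its own Security event ID
    # (the XPath below is what an "On an event" trigger stores) and runs this file.
    $Cred  = Get-Credential 'CONTOSO\svc-adalert'   # placeholder service account
    $Class = Get-CimClass MSFT_TaskEventTrigger root/Microsoft/Windows/TaskScheduler
    foreach ($Id in $Labels.Keys) {
        $Trigger = New-CimInstance -CimClass $Class -ClientOnly
        $Trigger.Enabled = $true
        $Trigger.Subscription = "<QueryList><Query Id='0' Path='Security'>" +
            "<Select Path='Security'>*[System[EventID=$Id]]</Select></Query></QueryList>"
        $Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -EventId $Id"
        Register-ScheduledTask -TaskName "AD Alert $Id" -Trigger $Trigger -Action $Action `
            -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password -RunLevel Highest
    }
    return
}
# Alert path: fetch the newest matching event and index its EventData fields by name.
$Event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents 1
$Data  = @{}
foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
$Lines = @("Time:   $($Event.TimeCreated)",
           "Actor:  $($Data.SubjectDomainName)\$($Data.SubjectUserName)",
           "Record: $($Event.RecordId)")   # record ID locates this exact event later
if ($EventId -eq 4728) {
    # For 4728 the "target" is the group; the account that was added is MemberName (a DN).
    $Lines += "Group:  $($Data.TargetDomainName)\$($Data.TargetUserName)"
    $Lines += "Member: $($Data.MemberName)"
} else {
    $Lines += "Target: $($Data.TargetDomainName)\$($Data.TargetUserName)"
}
Send-MailMessage -From 'ad-alerts@example.com' -To 'it-team@example.com' `
    -Subject $Labels[$EventId] -Body ($Lines -join "`r`n") -SmtpServer 'smtp.example.com'
```

Save it on the domain controller, run it once as `.\Send-AdAlert.ps1 -Register` from an elevated prompt, and each later event runs it with the matching -EventId.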

NOTE: If you receive an error stating that "File cannot be loaded because the execution of scripts is disabled on this system" while testing your scheduled script, you will need to manually run the following PowerShell command in order to allow this feature:

Set-ExecutionPolicy Unrestricted
