A question I have seen come up is how to monitor access to important security groups such as Domain Admins. You always want to minimize membership of this group, but sometimes someone may grant that access without you knowing, and you want to find out about it. Here is a solution you can use to monitor security groups in a Windows 2008 R2 environment.
When a user is added to a security group such as Domain Admins, an event is written to the Security event log on your domain controller. By watching for this event you can easily trigger a notification.
Start by setting up a scheduled task: Server Manager -> Configuration -> Task Scheduler -> right click -> New Task
Give your task a name and description if you want, and check "Run whether user is logged on or not".
Switch to the triggers tab and create a new trigger:
The Event ID you want to watch for is 4728, which is logged when a user is added to a security-enabled global group.
Next we want to add some actions, such as emailing me when this event triggers.
You may wonder, well, this isn't very descriptive... I don't know who was added or to what security group they were added. So how do I get that information as well? Well, you can parse the logs with wevtutil and attach them to the email. So let's move on to step 2...
We want to get the log details as well when we are notified, so let's parse the Security log and attach the log information to the notification.
Let's start by creating a simple script. I named mine SecLogQuery.cmd:
rem Remove the previous query result so the attachment is never stale
del %temp%\query.txt
rem Write the most recent 4728 event (member added to a global group) as text
wevtutil qe Security "/q:*[System[(EventID=4728)]]" /f:text /rd:true /c:1 >%temp%\query.txt
What this does is create a file in your user temp directory called query.txt that contains a text dump of the Security log. It grabs the most recent instance of event ID 4728 (the /rd:true and /c:1 switches read the log newest-first and return one event) and writes it to the file. I put this script in my Documents folder, but you can put it anywhere.
Now we need to create an action on our task to kick off this script:
NOTE: the account the task runs as will need to be granted the "Log on as a batch job" user right for this action to run.
Make sure that this new action is first on the action list:
Now for the final part: we want to attach the output of the script to our notification:
The file location in my example is C:\Users\username\AppData\Local\Temp\query.txt (that is, %temp% for the account the task runs as, so the path must match that account, not the one you are logged on with).
Add a user to a security group and if everything was set up correctly you should get an email notification with the attached event log parse.
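As an added example that is not part of the original post, here is a PowerShell alternative to SecLogQuery.cmd that pulls the recent "member added" events and writes a readable who-added-whom-to-which-group report to the same query.txt for the task to attach. It also covers the local (4732) and universal (4756) group variants, so universal groups such as Enterprise Admins are caught too; the $WatchGroups list and the PowerShell 2.0-compatible object construction are my assumptions, not anything from the post.

```powershell
# Added example (not the original post's SecLogQuery.cmd): reads the most recent
# "member added to group" audit events and writes a readable report to the file
# the task attaches, instead of the raw wevtutil dump. Assumes it runs on (or is
# pointed at) a domain controller with rights to read the Security log.
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    [int]      $MaxEvents    = 5,
    [string]   $OutFile      = (Join-Path $env:TEMP 'query.txt'),
    # Groups that should always be called out in the report (assumed watch list)
    [string[]] $WatchGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)

# 4728 = member added to a security-enabled global group (Domain Admins is global),
# 4732 = security-enabled local group, 4756 = security-enabled universal group.
$memberAddedIds = 4728, 4732, 4756

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'
    Id      = $memberAddedIds
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$report = foreach ($evt in $events) {
    # The who/what/where fields live in the EventData section of the event XML.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $group = $data['TargetUserName']   # SAM name of the group that gained a member
    New-Object PSObject -Property @{
        Time       = $evt.TimeCreated
        EventId    = $evt.Id
        Group      = "$($data['TargetDomainName'])\$group"
        Watched    = ($WatchGroups -contains $group)
        MemberName = $data['MemberName']   # distinguished name of the account added
        MemberSid  = $data['MemberSid']
        AddedBy    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Computer   = $evt.MachineName
    }
}

if (-not $report) {
    "No member-added events (IDs $($memberAddedIds -join ', ')) found in the Security log on $ComputerName." |
        Set-Content -Path $OutFile
} else {
    # Watched groups first, newest first, so the most important change tops the attachment.
    $report | Sort-Object Watched, Time -Descending |
        Select-Object Time, EventId, Group, Watched, MemberName, MemberSid, AddedBy, Computer |
        Format-List | Out-String | Set-Content -Path $OutFile
}
```

Point the task's action at powershell.exe with -File and this script's path instead of the .cmd file; the attachment step stays the same because the output still lands in query.txt.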