In our last installment, I showed you how you can analyze the current status of all of your groups that have elevated privileges. After you analyze your groups and ensure that only the correct users have elevated privileges, you then need to keep tabs on these groups to ensure that the group membership does not change without your knowledge.
If we try to accomplish this using Microsoft auditing, Event Viewer, and Scheduled Tasks, we will find that there is no way to just get alerts regarding our elevated privileged groups.
However, if you use the alerting capability of ADAudit Plus, getting those alerts is extremely easy. You can see in Figure 1 how easy it is to define the groups that you want to track.
Figure 1. ADAudit Plus provides custom reporting for changes to your elevated privileged groups.
Now that you have a report for your elevated privileged groups, you simply need to associate an alert with this report. The alert can appear in the ADAudit Plus interface, and you can also have an email sent when one of the groups changes membership, so that you are notified of the change immediately. Figure 2 illustrates how this alert would be configured.
Figure 2. ADAudit Plus provides alerts for any and all reports, including email alerts.
Once a change occurs to one of your elevated privileged groups, the ADAudit Plus interface will indicate the change in the alert area, as shown in Figure 3.
Figure 3. ADAudit Plus provides immediate feedback when an alert is triggered.