I know the title is a bit odd! However, I tried to come up with some items that were really different to make my point about different approaches to Active Directory alerting. Based on my tours around the world, Active Directory admins typically want to track and get immediate alerts on key changes that occur in their Active Directory environments. For example, getting an alert when the membership of the Domain Admins group changes is a common request. 

Now, let’s look at two approaches to completing this common alert request. The first will be using Microsoft Windows and the ability to focus on one or more event IDs to generate an alert. In lieu of being verbose and redundant, I’ll keep us focused on just one event ID, which is 4728. This event ID is for when an object is added to a security group.

If we create an Scheduled Task around this event (which is the method used with Microsoft technology), we can perform one of three tasks when this event ID occurs. The three tasks include:

  • Run a program

  • Send an email

  • Display a message

Here, we are going to try to compare apples to apples by choosing “display a message,” which will be similar to a task in our second approach. (Don’t worry, we’ll get back to the sour cream!) If we proceed with this configuration, we will have quite a few options to configure, which you can see in Figure 1.

alerting_figure1

Figure 1. Scheduled Task to display a message when event ID 4728 is generated.

You can see the options for the task, as well as the options for what the message will display. When event ID 4728 is generated, the message that is shown is displayed in Figure 2.

alerting_figure2

Figure 2. Message displayed when a specified event ID is generated.

As you can see in Figure 2, the image is larger than just the message. This is on purpose. When the message is generated, an icon shows on the Start bar, but the message does not come to the front. So, unless you are looking for it, you will not see the message. You can also see in Figure 2 that there is nothing in the message regarding the event and what is registered for the security log. It is just a generic message that forces you to go into the Event Viewer to find the task. (I will not dwell on the fact that if there are 10 domain controllers, the message will ONLY appear on the domain controller where the change occurred!)

Now, the second approach is to use ADAudit Plus from ManageEngine. Here, we simply associate an alert with a default report in ADAudit Plus. Since the report is there by default, we are not concerned with the details of the event ID, we just point to the report, as you can see in Figure 3.

alerting_figure3

Figure 3. Associating an alert with a report in ADAudit Plus.

You can see in Figure 3 that an alert is nothing more than a reference to a report. Also see that the message displayed can be customized with variables for more granular detail. This, however, is not really necessary, as you will soon see.

When a group is changed, the message in Figure 4 is displayed.

alerting_figure4

Figure 4. Alert indicating group membership change in ADAudit Plus.

Even without the full details in the customization for the message, you see the details of the event in the interface. No need to go to the Event Viewer, and no need to try and find “which DC” the event occurred on or monitor X number of DCs.

As you can see, the results of the two alerting options is certainly not apples to apples. It’s not even apples to oranges. It is more like applies to sour cream. You can pick which is the sour cream!

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.