
Monitor group memberships in Active Directory with PRTG

October 13, 2020 Florian Rossmark

There is at least one group you want to monitor for membership changes in Active Directory / LDAP: the Domain Admins group. This matters because any change to this group could cause great harm to your whole system. Of course there are other ways in, but you certainly want to monitor at least the basic information: the number of users in this group.

To do so, I wrote a PowerShell script that returns the number of members of any given group in Active Directory, as well as a text response (shown under the probe name and in some alerts, if activated) listing the sAMAccountName of each member of the group. This way you can hopefully determine the changed object right away, assuming you know what should be in there and what should not.

If you have nested groups, you might want to monitor them as well, until you reach a user-only level.

Create the script, as always, on your PRTG probing server in C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML and add a new EXE/Advanced XML sensor in PRTG. Select the script and provide, at a bare minimum, the parameter MonitoredGroup.

Parameter samples:

  • -MonitoredGroup "Domain Admins"
  • -MonitoredGroup "Domain Admins" -Server "MyDC.domain.local"

If you do not provide a server name, the system will try to determine it on its own (default domain membership etc.).

Once the first run was successful, review the results and set the upper and lower error limits on the PRTG sensor to the current number of members. Any change will then put the sensor into error status and thereby inform you about the change.

Get-LDAPGroupChanges.ps1

param(
    [string]$Server = "",
    [string]$MonitoredGroup = ""
)
Import-Module ActiveDirectory

# Query the group members; @() forces an array so .Count is correct for 0 or 1 members
If ($Server.Length -gt 0) {
    $LDAPGroup = @(Get-ADGroupMember $MonitoredGroup -Server $Server)
} Else {
    $LDAPGroup = @(Get-ADGroupMember $MonitoredGroup)
}

# Build a comma-separated list of the members' sAMAccountNames
[string]$LDAPGroupMembers = ""
Foreach ($Member in $LDAPGroup){
    If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "}
    $LDAPGroupMembers += $Member.SamAccountName
}

# Escape XML special characters (&, <, >) so the [xml] cast below cannot fail on a name
$SafeText = [System.Security.SecurityElement]::Escape($MonitoredGroup + " Members: " + $LDAPGroupMembers)

$XML = "<prtg>
            <result>
                <channel>Amount of Users in Group</channel>
                <value>"+ $LDAPGroup.Count +"</value>
            </result>
            <text>"+ $SafeText +"</text>
        </prtg>"
Function WriteXmlToScreen ([xml]$XML) # pretty-print the XML before handing it to PRTG
{
    $StringWriter = New-Object System.IO.StringWriter;
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter;
    $XmlWriter.Formatting = "indented";
    $XML.WriteTo($XmlWriter);
    $XmlWriter.Flush();
    $StringWriter.Flush();
    Write-Output $StringWriter.ToString();
}
WriteXmlToScreen $XML;
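
A count-based limit stays green when one account is removed and another is added between two scans, and it does not see into nested groups. The following added example (not part of the original post or its script) compares member names against an approved list and expands nested groups with -Recursive; the BaselineFile parameter, the channel names and the sample account names are assumptions made for illustration.

```powershell
# Added example (not the original script): compares members by name, not by count.
param(
    [string]$MonitoredGroup = "",
    [string]$Server = "",
    [string]$BaselineFile = ""   # assumed: text file, one approved sAMAccountName per line
)

function Get-MembershipDrift {
    param([string[]]$Approved, [string[]]$Current)
    # Normalise case and whitespace, drop empty entries, de-duplicate
    $a = @($Approved | ForEach-Object { "$_".Trim().ToLower() } | Where-Object { $_ } | Sort-Object -Unique)
    $c = @($Current  | ForEach-Object { "$_".Trim().ToLower() } | Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        Unexpected = @($c | Where-Object { $a -notcontains $_ })   # in the group, not approved
        Missing    = @($a | Where-Object { $c -notcontains $_ })   # approved, no longer in the group
    }
}

function ConvertTo-PrtgXml {
    param($Drift, [string]$Group)
    $text = "$Group unexpected: [$($Drift.Unexpected -join ', ')] missing: [$($Drift.Missing -join ', ')]"
    $text = [System.Security.SecurityElement]::Escape($text)   # names may contain & or <
    # Any value above 0 puts the channel into error state
    $limit = "<LimitMaxError>0</LimitMaxError><LimitMode>1</LimitMode>"
    "<prtg>" +
    "<result><channel>Unexpected members</channel><value>$($Drift.Unexpected.Count)</value>$limit</result>" +
    "<result><channel>Missing members</channel><value>$($Drift.Missing.Count)</value>$limit</result>" +
    "<text>$text</text></prtg>"
}

if ($MonitoredGroup) {
    Import-Module ActiveDirectory
    # -Recursive flattens nested groups down to the members that are not groups themselves
    $adArgs = @{ Identity = $MonitoredGroup; Recursive = $true }
    if ($Server) { $adArgs.Server = $Server }
    $current  = @(Get-ADGroupMember @adArgs | ForEach-Object { $_.SamAccountName })
    $approved = @(Get-Content -Path $BaselineFile)
} else {
    # Constructed sample: the count is 2 before and after, but one account was swapped
    $MonitoredGroup = "Domain Admins (sample)"
    $approved = "alice.adm", "bob.adm"
    $current  = "alice.adm", "mallory"
}

ConvertTo-PrtgXml -Drift (Get-MembershipDrift -Approved $approved -Current $current) -Group $MonitoredGroup
```

Run without parameters, it uses the constructed sample and reports one unexpected and one missing member although the member count is unchanged.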

 

Posted in: powershell, prtg, script Filed under: account, active directory, ldap, monitoring, notification, powershell, prtg, script, security
