There is at least one group you want to monitor for any membership changes in Active Directory / LDAP – the Domain Admins group. This is so important, as any changes to this group could cause great harm to your whole system. Of course there are other ways in but you for sure want to monitor at least the basic information of the amount of users in this group.
In order to do so, I wrote a PowerShell script that provides you the amount of members of any given group in Active Directory, as well as a text response (under the probe name and in some alerts if activated) of the sAMAccountName of each member in the group. This way you can hopefully right away determine the changed object, assuming you know what should be in there and what not.
If you have nested groups, you might wanna monitor them as well till you reach a user only level.
Create the script as always on your PRTG probing server in C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML and add a new EXE/Advanced XML sensor in PRTG. Select the script and provide at a bare minimum the parameter MonitoredGroup.
Parameter samples:
- -MonitoredGroup “Domain Admins”
- -MonitoredGroup “Domain Admins” -Server “MyDC.domain.local”
If you do not provide a server name, the system will try determine it on it’s own – default Domain-Membership etc..
Once the first run was successful you should review the results and set the upper and lower error limit on the PRTG sensor to the current amount of members. Any change then will cause the sensor to go in to error status and inform you therefor about the change.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
param( [string]$Server = "", [string]$MonitoredGroup = "" ) Import-Module ActiveDirectory If ($Server.Length -gt 0) { $LDAPGroup = Get-ADGroupMember $MonitoredGroup -Server $Server } Else { $LDAPGroup = Get-ADGroupMember $MonitoredGroup } [string]$LDAPGroupMembers = "" Foreach ($Member in $LDAPGroup){ If ($LDAPGroupMembers.Length -gt 0) {$LDAPGroupMembers += ", "} $LDAPGroupMembers += $Member.SamAccountName } $XML = "<prtg> <result> <channel>Amound of Users in Group</channel> <value>"+ $LDAPGroup.count +"</value> </result> <text>"+ $MonitoredGroup +" Members: " + $LDAPGroupMembers + "</text> </prtg>" Function WriteXmlToScreen ([xml]$XML) #just to make it clean XML code... { $StringWriter = New-Object System.IO.StringWriter; $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter; $XmlWriter.Formatting = "indented"; $xml.WriteTo($XmlWriter); $XmlWriter.Flush(); $StringWriter.Flush(); Write-Output $StringWriter.ToString(); } WriteXmlToScreen $XML; |