This is a Change Auditor for Active Directory tutorial that will show you how to create an alerting search that alerts when the membership of a specified Active Directory group or groups is modified. The functionality demonstrated in this tutorial applies to any 6.x version of Change Auditor for Active Directory, and you must have a valid Change Auditor for Active Directory license installed.
In your Change Auditor console, navigate to the Searches tab. Because there's already a built-in search in Change Auditor that reports on group membership changes, I'm not going to create this from scratch. Instead, I'm going to locate that search, copy it, and make the necessary changes to its criteria to alert on the group I'm interested in tracking. In this demonstration, I'm going to use the Domain Admins group.
The search I'm looking for is located under Shared, Built-in, Security, Group Activity, and I'm referencing the "Group membership changes in the last 30 days" search. Now I do want to point out that Change Auditor (CA) has a special event that audits changes to all critical AD groups as a single event. If you're interested in auditing changes to all of those groups, such as Domain Admins, Enterprise Admins, Account Operators, the six or seven built-in elevated-privilege groups, you can use that particular search instead and simply turn alerting on for it.
However, if you're trying to audit a normal group, like Finance or HR or Accounting, et cetera, then you need to use the "Group membership changes in the last 30 days" search. So right-click, Copy, locate a Custom folder or container that you've created in your Change Auditor, right-click, Paste. Once that's pasted in, you can highlight it and begin to edit it.
So I would suggest that you edit the search name on the Info tab to something that identifies the new search's purpose, such as "Alert on Changes to Domain Admins." Next you go to the What tab, and notice that because we copied this search, we already have the appropriate events identified to look for in this search. If you want to modify these, you absolutely can. If you're only interested in what's been added, not what's been removed, for example, you can click on the remove event and clear it from the criteria.
You can also add additional events, but typically these are the ones you're interested in. These events will track direct membership adds and removes and nested membership adds and removes. So next, what you want to do is specify the group or groups you're looking for. Click the little drop-down arrow next to the Add button on the toolbar, click Subsystem, and choose Active Directory.
Now, because you're looking for a particular object, you're going to choose This Object. You can leave All Actions and All Transports selected. Then you just search for the group or groups that you want to audit. You can either search through the Browse function, or you can use the Search tab, which is what I like to do, and just type the name of the group you're looking for. Once that's highlighted, click Add.
And if you're looking to add multiple groups here, maybe you are trying to do the same type of auditing or alerting on five or six groups, you can add all five or six in this window. Click OK. Now you want to go to the When tab and clear the criteria. What this has basically done is narrowed the generic "look at all groups for these events" down to just the groups I've specified, at any time. You're clearing this criteria so that the search is not limited to a specified time frame.
Once you have all that, click Save. Now you can set up the alerting. Go back to your new search, right-click on it, go to Alert, choose Enable Transport, and choose your transport. SMTP is a built-in alerting feature: you simply set it up in Change Auditor, and from there you can send to whomever you want. SNMP and WMI are also supported; they take a little extra configuration, which can be found in the admin guide.
So choose your transport; in this case, I'm going to use e-mail. Then select the group or groups that you want to send this to. You can also add dynamic recipients. So, for example, you might want to add the person who actually generated the event, the person who actually made the change, or the owners or whoever is set as the manager of the group. Those are dynamic.
Change Auditor will resolve that information from the particular event it's about to alert on. You can also configure the body: you can change the body text and the event details, and you can add a signature. I always suggest changing the subject to something that's actually going to capture the recipients' attention. So, for example, you might put "Critical Alert: Change Made to Domain Admins." Click OK.
Once you've done that, you have some additional settings you can choose, or additional management functions for the alert. Go to the Alert tab, and you can also set up these additional transports. You can make other modifications, such as time zones, et cetera. And you can also bring up that little wizard again to configure your e-mail if you ever need to change what's actually being presented in the e-mail.
Now that that's done, you have an alert that will be generated each time someone makes a change to the Domain Admins group and sent to the group of people that you've identified.