New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


Can I use PRTG to monitor AD Group Membership

Votes:

0

Your Vote:

Up

Down

I want to know if someone joins an AD group like Domain Admins and get a notification when this happens.

active-directory custom-script-exe custom-sensor group-membership powershell prtg

Created on Dec 17, 2014 2:07:04 PM by  Greg Campion [Paessler Support]

Last change on Mar 16, 2015 5:08:16 PM by  Martina Wittmann [Paessler Support]



4 Replies

Accepted Answer

Votes:

1

Your Vote:

Up

Down

How to Monitor AD Group Membership

Using the following script with the EXE/Script Advanced Sensor in PRTG, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.

param([string]$ADWSDC = "localhost")
$i=0
$strCriticalGroup = "Domain Admins"

Import-Module ActiveDirectory


$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName

foreach ($AccountName in $GroupMembers) 
    {
    $i = $i+1
    }
    
Write-Host "<prtg>"
Write-Host "<result>" 
"<channel>Domain Admins</channel>" 
    
"<value>"+ $i +"</value>" 
"</result>"
"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"
Write-Host "</prtg>"

If you want to monitor a group other than Domain Admins you can change the group name in the $strCriticalGroup variable.

Note: This will require the PRTG machine to have the Active Directory PS Module which can be installed following this guide.

Note 2: If you do not specify a domain controller in the placeholder field of the Custom EXE/Script Sensor, this will only query the localhost.


If you're insecure about the usage of Custom-Script sensors (the EXE/Script Advanced Sensor in this case) or are encountering any errors, please refer to:

Created on Dec 17, 2014 2:14:05 PM by  Greg Campion [Paessler Support]

Last change on Apr 4, 2019 7:39:31 AM by  Sven Roggenhofer [Paessler Technical Support]



Votes:

1

Your Vote:

Up

Down

The script can be done in a much more versatile and performant way:

param(
	[string]$ADWSDC = "localhost",
	[string]$strCriticalGroup = "Domain Admins"
	)

Import-Module ActiveDirectory

$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC

Write-Host "<prtg>"
Write-Host "<result>" 
"<channel>Users</channel>" 
"<value>"+ $GroupMembers.count +"</value>" 
"</result>"
"<text>" + $GroupMembers.count + "members in " + $strCriticalGroup + "</text>"
Write-Host "</prtg>"

If you really need all member names you have to have to set

$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName

and in the line before the last:

"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"

Created on Aug 8, 2017 7:48:04 AM by  SecPRTG (60) 1

Last change on Aug 8, 2017 8:05:36 AM by  Torsten Lindner [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Could anyone help me at a more basic level? I have created the ps1 but am getting an error:

XML: The returned XML does not match the expected schema. (code: PE233) -- JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231)

I am brand new to the product

Created on Nov 13, 2017 4:25:02 PM by  mitchhenry (0)

Last change on Nov 14, 2017 8:38:01 AM by  Luciano Lingnau [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hello Mitch,

What results do you receive when you execute the ps1-file manually via PowerShell ISE or CMD? Replace localhost by the address of the target host and Domain Admins by the name of the group which you want to monitor. Ensure that all preconditions mentioned above are fulfilled.

Best regards, Felix

Created on Nov 14, 2017 1:41:28 PM by  Felix Saure [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.