Can I use PRTG to monitor AD Group Membership

Votes:

0

I want to know if someone joins an AD group like Domain Admins and get a notification when this happens.

active-directory custom-script-exe custom-sensor group-membership powershell prtg

Created on Dec 17, 2014 2:07:04 PM by  Greg Campion [Paessler Support]

Last change on Mar 16, 2015 5:08:16 PM by  Martina Wittmann [Paessler Support]



7 Replies

Accepted Answer

Votes:

2

How to Monitor AD Group Membership

Using the following script with the EXE/Script Advanced Sensor in PRTG, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.

param([string]$ADWSDC = "localhost")
$i = 0
$strCriticalGroup = "Domain Admins"

Import-Module ActiveDirectory

# Query the group's members from the given domain controller
$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName

# Count the members
foreach ($AccountName in $GroupMembers)
    {
    $i = $i+1
    }

# Emit the PRTG XML result: the member count is the channel value,
# the member names become the sensor message.
Write-Host "<prtg>"
Write-Host "<result>"
# Name the channel after the monitored group
"<channel>" + $strCriticalGroup + "</channel>"
"<value>"+ $i +"</value>"
"</result>"
"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"
Write-Host "</prtg>"

If you want to monitor a group other than Domain Admins you can change the group name in the $strCriticalGroup variable.

Note: This will require the PRTG machine to have the Active Directory PS Module which can be installed following this guide.

Note 2: If you do not specify a domain controller in the placeholder field of the Custom EXE/Script Sensor, this will only query the localhost.


If you're insecure about the usage of Custom-Script sensors (the EXE/Script Advanced Sensor in this case) or are encountering any errors, please refer to:

Created on Dec 17, 2014 2:14:05 PM by  Greg Campion [Paessler Support]

Last change on Apr 4, 2019 7:39:31 AM by  Sven Roggenhofer [Paessler Technical Support]



Votes:

1

The script can be done in a much more versatile and performant way:

param(
	[string]$ADWSDC = "localhost",
	[string]$strCriticalGroup = "Domain Admins"
	)

Import-Module ActiveDirectory

# @() keeps the result an array, so .count is correct for zero or one member as well
$GroupMembers = @(Get-ADGroupMember $strCriticalGroup -Server $ADWSDC)

# Emit the PRTG XML result with the member count as the channel value
Write-Host "<prtg>"
Write-Host "<result>"
"<channel>Users</channel>"
"<value>"+ $GroupMembers.count +"</value>"
"</result>"
"<text>" + $GroupMembers.count + " members in " + $strCriticalGroup + "</text>"
Write-Host "</prtg>"

If you really need all member names, you have to set

$GroupMembers = @(Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName)

and in the line before the last:

"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"

Created on Aug 8, 2017 7:48:04 AM

Last change on Aug 8, 2017 8:05:36 AM by  Torsten Lindner [Paessler Support]
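
A member count with a channel limit, as in the two answers above, does not change when one account is swapped for another, and Get-ADGroupMember without -Recursive reports a nested group as a single member. The following added example (not part of the original answers and not Paessler's code) compares the recursive membership against an approved list; the $Approved parameter, its sample values, and the two helper function names are assumptions.

```powershell
param(
    [string]$ADWSDC = "localhost",
    [string]$strCriticalGroup = "Domain Admins",
    # Assumption: comma-separated SamAccountNames approved for the group,
    # passed in the sensor's Parameters field. The sample values are constructed.
    [string]$Approved = "Administrator,adm-alice"
)

function Get-MembershipDrift {
    param([string[]]$Current, [string[]]$Baseline)
    # Case-insensitive set difference in both directions.
    [pscustomobject]@{
        Total      = @($Current).Count
        Unexpected = @($Current  | Where-Object { $_ -and $Baseline -notcontains $_ } | Sort-Object)
        Missing    = @($Baseline | Where-Object { $_ -and $Current  -notcontains $_ } | Sort-Object)
    }
}

function ConvertTo-PrtgXml {
    param($Drift, [string]$Group)
    $text = "{0}: {1} members; unexpected: {2}; missing: {3}" -f $Group, $Drift.Total,
        ($Drift.Unexpected -join ", "), ($Drift.Missing -join ", ")
    # Escape the message: a group or account name containing & or < would break the XML.
    $text = [System.Security.SecurityElement]::Escape($text)
    @(
        "<prtg>"
        "<result><channel>Members</channel><value>$($Drift.Total)</value></result>"
        # Upper error limit 0: any unexpected member puts the sensor into error status.
        "<result><channel>Unexpected members</channel><value>$($Drift.Unexpected.Count)</value>" +
            "<LimitMaxError>0</LimitMaxError><LimitMode>1</LimitMode></result>"
        "<result><channel>Missing members</channel><value>$($Drift.Missing.Count)</value></result>"
        "<text>$text</text>"
        "</prtg>"
    ) -join "`n"
}

try {
    Import-Module ActiveDirectory -ErrorAction Stop
    # -Recursive resolves nested groups down to the accounts they contain.
    $current = @(Get-ADGroupMember -Identity $strCriticalGroup -Server $ADWSDC -Recursive -ErrorAction Stop |
        ForEach-Object { $_.SamAccountName })
    $drift = Get-MembershipDrift -Current $current -Baseline ($Approved -split "\s*,\s*")
    Write-Output (ConvertTo-PrtgXml -Drift $drift -Group $strCriticalGroup)
}
catch {
    # Report a failed query as a sensor error instead of an empty or malformed result.
    $msg = [System.Security.SecurityElement]::Escape($_.Exception.Message)
    Write-Output "<prtg><error>1</error><text>$msg</text></prtg>"
}
```

PRTG reads the limit tags from the XML only when a channel is first created; on an existing sensor, set the upper error limit in the channel settings instead.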



Votes:

0

Could anyone help me at a more basic level? I have created the ps1 but am getting an error:

XML: The returned XML does not match the expected schema. (code: PE233) -- JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231)

I am brand new to the product

Created on Nov 13, 2017 4:25:02 PM

Last change on Nov 14, 2017 8:38:01 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hello Mitch,

What results do you receive when you execute the ps1-file manually via PowerShell ISE or CMD? Replace localhost by the address of the target host and Domain Admins by the name of the group which you want to monitor. Ensure that all preconditions mentioned above are fulfilled.

Best regards, Felix

Created on Nov 14, 2017 1:41:28 PM by  Felix Saure [Paessler Support]



Votes:

0

Can Support update the URL for the guide on how to install the "Active Directory PS Module" in the answer in the "Note"??

Created on Apr 3, 2019 12:59:00 PM



Votes:

0

Hi, thank you for providing this how-to and information. I can run this script locally on the PRTG installation and I get the correct value and info returned from both scripts. I set up the sensor and the sensor is green, but it is not bringing back any values in the PRTG interface; it just shows "0#".

I am not sure why it works fine in the script running locally but doesn't return anything on the sensor. Thanks.

Created on Mar 31, 2021 5:40:53 PM



Votes:

0

Hi Vince,

This might be related to the security level of the user account under which the PRTG script runs. RDP on the (remote-) Probe on which the script gets executed, open services.msc, open the properties of the PRTG Probe Service and change the Logon-User to an administrative Windows User. Restart the service to see if the script works correctly afterwards.

If it still does not return the expected values, open the settings page of the sensor in PRTG and enable the option Write sensor result to disk (Filename: "Result of Sensor [ID].txt"). The results will be written into the log file directory of the probe, where the sensor is configured:

C:\ProgramData\Paessler\PRTG Network Monitor\Logs\sensors

You can then paste the results in here, or forward it to [email protected] by mentioning this KB article. The ID of the sensor is part of the web browser URL and is also displayed on the sensor's overview page.


Kind regards,
Felix Saure, Tech Support Team

Created on Apr 1, 2021 4:19:35 AM by  Felix Saure [Paessler Support]



