I want to know if someone joins an AD group like Domain Admins and get a notification when this happens.
Created on Dec 17, 2014 2:07:04 PM by
Last change on Mar 16, 2015 5:08:16 PM by
9 Replies
Accepted Answer
How to Monitor AD Group Membership
Using the following script with the EXE/Script Advanced Sensor in PRTG, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.
param([string]$ADWSDC = "localhost")
$i=0
$strCriticalGroup = "Domain Admins"
Import-Module ActiveDirectory
$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName
foreach ($AccountName in $GroupMembers)
{
$i = $i+1
}
Write-Host "<prtg>"
Write-Host "<result>"
"<channel>Domain Admins</channel>"
"<value>"+ $i +"</value>"
"</result>"
"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"
Write-Host "</prtg>"
If you want to monitor a group other than Domain Admins you can change the group name in the $strCriticalGroup variable.
Note: This will require the PRTG machine to have the Active Directory PS Module which can be installed following this guide.
Note 2: If you do not specify a domain controller in the placeholder field of the Custom EXE/Script Sensor, this will only query the localhost.
If you're insecure about the usage of Custom-Script sensors (the EXE/Script Advanced Sensor in this case) or are encountering any errors, please refer to:
Created on Dec 17, 2014 2:14:05 PM by
Last change on Apr 4, 2019 7:39:31 AM by
The script can be done in a much more versatile and performant way:
param( [string]$ADWSDC = "localhost", [string]$strCriticalGroup = "Domain Admins" ) Import-Module ActiveDirectory $GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC Write-Host "<prtg>" Write-Host "<result>" "<channel>Users</channel>" "<value>"+ $GroupMembers.count +"</value>" "</result>" "<text>" + $GroupMembers.count + "members in " + $strCriticalGroup + "</text>" Write-Host "</prtg>"
If you really need all member names you have to have to set
$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName
and in the line before the last:
"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"
Created on Aug 8, 2017 7:48:04 AM by
Last change on Aug 8, 2017 8:05:36 AM by
Could anyone help me at a more basic level? I have created the ps1 but am getting an error:
| XML: The returned XML does not match the expected schema. (code: PE233) -- JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231) |
I am brand new to the product
Created on Nov 13, 2017 4:25:02 PM by
Last change on Nov 14, 2017 8:38:01 AM by
Hello Mitch,
What results do you receive when you execute the ps1-file manually via PowerShell ISE or CMD? Replace localhost by the address of the target host and Domain Admins by the name of the group which you want to monitor. Ensure that all preconditions mentioned above are fulfilled.
Best regards, Felix
Created on Nov 14, 2017 1:41:28 PM by
Can Support update the URL for the guide on how to install the "Active Directory PS Module" in the answer in the "Note"??
Created on Apr 3, 2019 12:59:00 PM by
Hi, thank you for providing this how-to and information. I can run this script locally on the PRTG installation and I get the correct value and info returned from both scripts, and I setup the sensor and the sensor is green but not bringing back any values in the PRTG interface, it just shows "0#"
I am not sure why it works fine in the script running locally but doesn't return anything on the sensor. Thanks.
Hi Vince,
This might be related to the security level of the user account under which the PRTG script runs. RDP on the (remote-) Probe on which the script gets executed, open services.msc, open the properties of the PRTG Probe Service and change the Logon-User to an administrative Windows User. Restart the service to see if the script works correctly afterwards.
If it still does not return the expected values, open the settings page of the sensor in PRTG and enable the option Write sensor result to disk (Filename: "Result of Sensor [ID].txt"). The results will be written into the log file directory of the probe, where the sensor is configured:
C:\ProgramData\Paessler\PRTG Network Monitor\Logs\sensors
You can then paste the results in here, or forward it to [email protected] by mentioning this KB article. The ID of the sensor is part of the web browser URL and is also displayed on the sensor's overview page.
Kind regards,
Felix Saure, Tech Support Team
Created on Apr 1, 2021 4:19:35 AM by
I wanted to know when new members are added to the domain admins group, or any existing member deleted from the domain admin group.
Is it possible to put in something like?
if return value laserfiche, fmtadmin, mother value = 1 Matches OK if anything, else value = 0 Error
Then we can use a lookup file to define the status to:
- 1 if the check is green
- 0 if the check is red.
The goal is to set it, so we are checking the actual account names in the domain admin group not just the number of accounts.
If its possible, Can you please send me some PowerShell script examples.
Created on Jul 7, 2021 6:48:00 AM by
Last change on Jul 9, 2021 2:08:32 PM by
Hello Sahil,
Thank you for your message.
Regarding what you would like to achieve, I'm afraid that there is a main limitation which is that the script is not aware of the existing users who belong to the admin group. Therefore, getting the name of new/removed account(s) is not possible.
However, if you have all the users displayed in the sensor message field, you could get the information at each scanning interval by using the API of PRTG:
https://PRTGServer/api/table.json?content=sensors&columns=message&count=*&filter_objid=SensorID&username=PRTGUser&passhash=Passhash
The message should then follow a specific format to be reusable at each scanning interval, such as: User1,User2,User3 | New/Removed: User4(removed), User5(Added)
Where the first part displays the list of users, and the second part the name of the accounts removed and added.
Here is how the script could behave:
- Get the last sensor data (channels and message)
- Create a list of users based on the sensor message
- Get the list of users from AD
- Compare both lists
- Return the list (got from AD) and new/removed users by following the format above (to be usable for the next scanning interval)
- Return the number of new/removed account
Regards.
Created on Jul 9, 2021 2:40:18 PM by
Please log in or register to enter your reply.
Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.
Add comment