What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
300.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Can I use PRTG to monitor AD Group Membership

Votes:

0

Your Vote:

Up

Down

I want to know if someone joins an AD group like Domain Admins and get a notification when this happens.

active-directory custom-script-exe custom-sensor group-membership powershell prtg

Created on Dec 17, 2014 2:07:04 PM by  Greg Campion [Paessler Support]

Last change on Mar 16, 2015 5:08:16 PM by  Martina Wittmann [Paessler Support]



9 Replies

Accepted Answer

Votes:

1

Your Vote:

Up

Down

How to Monitor AD Group Membership

Using the following script with the EXE/Script Advanced Sensor in PRTG, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.

param([string]$ADWSDC = "localhost")
$i=0
$strCriticalGroup = "Domain Admins"

Import-Module ActiveDirectory


$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName

foreach ($AccountName in $GroupMembers) 
    {
    $i = $i+1
    }
    
Write-Host "<prtg>"
Write-Host "<result>" 
"<channel>Domain Admins</channel>" 
    
"<value>"+ $i +"</value>" 
"</result>"
"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"
Write-Host "</prtg>"

If you want to monitor a group other than Domain Admins you can change the group name in the $strCriticalGroup variable.

Note: This will require the PRTG machine to have the Active Directory PS Module which can be installed following this guide.

Note 2: If you do not specify a domain controller in the placeholder field of the Custom EXE/Script Sensor, this will only query the localhost.


If you're insecure about the usage of Custom-Script sensors (the EXE/Script Advanced Sensor in this case) or are encountering any errors, please refer to:

Created on Dec 17, 2014 2:14:05 PM by  Greg Campion [Paessler Support]

Last change on Apr 4, 2019 7:39:31 AM by  Sven Roggenhofer [Paessler Technical Support]



Votes:

1

Your Vote:

Up

Down

The script can be done in a much more versatile and performant way:

param(
	[string]$ADWSDC = "localhost",
	[string]$strCriticalGroup = "Domain Admins"
	)

Import-Module ActiveDirectory

$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC

Write-Host "<prtg>"
Write-Host "<result>" 
"<channel>Users</channel>" 
"<value>"+ $GroupMembers.count +"</value>" 
"</result>"
"<text>" + $GroupMembers.count + "members in " + $strCriticalGroup + "</text>"
Write-Host "</prtg>"

If you really need all member names you have to have to set

$GroupMembers = Get-ADGroupMember $strCriticalGroup -Server $ADWSDC | select SamAccountName

and in the line before the last:

"<text>" + (($GroupMembers | select SamAccountName | ConvertTo-Csv -NoTypeInformation | select -skip 1 ) -join ", ").replace("""","") + "</text>"

Created on Aug 8, 2017 7:48:04 AM by  SecPRTG (60) 1

Last change on Aug 8, 2017 8:05:36 AM by  Torsten Lindner [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Could anyone help me at a more basic level? I have created the ps1 but am getting an error:

XML: The returned XML does not match the expected schema. (code: PE233) -- JSON: The returned JSON does not match the expected structure (Invalid JSON.). (code: PE231)

I am brand new to the product

Created on Nov 13, 2017 4:25:02 PM by  mitchhenry (0)

Last change on Nov 14, 2017 8:38:01 AM by  Luciano Lingnau [Paessler]



Votes:

0

Your Vote:

Up

Down

Hello Mitch,

What results do you receive when you execute the ps1-file manually via PowerShell ISE or CMD? Replace localhost by the address of the target host and Domain Admins by the name of the group which you want to monitor. Ensure that all preconditions mentioned above are fulfilled.

Best regards, Felix

Created on Nov 14, 2017 1:41:28 PM by  Felix Saure [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Can Support update the URL for the guide on how to install the "Active Directory PS Module" in the answer in the "Note"??

Created on Apr 3, 2019 12:59:00 PM by  Shawn Kennedy (0) 1



Votes:

0

Your Vote:

Up

Down

Hi, thank you for providing this how-to and information. I can run this script locally on the PRTG installation and I get the correct value and info returned from both scripts, and I setup the sensor and the sensor is green but not bringing back any values in the PRTG interface, it just shows "0#"

I am not sure why it works fine in the script running locally but doesn't return anything on the sensor. Thanks.

Created on Mar 31, 2021 5:40:53 PM by  Vince (0) 1



Votes:

0

Your Vote:

Up

Down

Hi Vince,

This might be related to the security level of the user account under which the PRTG script runs. RDP on the (remote-) Probe on which the script gets executed, open services.msc, open the properties of the PRTG Probe Service and change the Logon-User to an administrative Windows User. Restart the service to see if the script works correctly afterwards.

If it still does not return the expected values, open the settings page of the sensor in PRTG and enable the option Write sensor result to disk (Filename: "Result of Sensor [ID].txt"). The results will be written into the log file directory of the probe, where the sensor is configured:

C:\ProgramData\Paessler\PRTG Network Monitor\Logs\sensors

You can then paste the results in here, or forward it to [email protected] by mentioning this KB article. The ID of the sensor is part of the web browser URL and is also displayed on the sensor's overview page.


Kind regards,
Felix Saure, Tech Support Team

Created on Apr 1, 2021 4:19:35 AM by  Felix Saure [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I wanted to know when new members are added to the domain admins group, or any existing member deleted from the domain admin group.

Is it possible to put in something like?

if return value laserfiche, fmtadmin, mother 
value = 1 Matches OK
if anything, else
value = 0 Error

Then we can use a lookup file to define the status to:

  • 1 if the check is green
  • 0 if the check is red.

The goal is to set it, so we are checking the actual account names in the domain admin group not just the number of accounts.

If its possible, Can you please send me some PowerShell script examples.

Created on Jul 7, 2021 6:48:00 AM by  sahilkm011 (0) 1

Last change on Jul 9, 2021 2:08:32 PM by  Florian Lesage [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hello Sahil,

Thank you for your message.

Regarding what you would like to achieve, I'm afraid that there is a main limitation which is that the script is not aware of the existing users who belong to the admin group. Therefore, getting the name of new/removed account(s) is not possible.

However, if you have all the users displayed in the sensor message field, you could get the information at each scanning interval by using the API of PRTG:

https://PRTGServer/api/table.json?content=sensors&columns=message&count=*&filter_objid=SensorID&username=PRTGUser&passhash=Passhash

The message should then follow a specific format to be reusable at each scanning interval, such as: User1,User2,User3 | New/Removed: User4(removed), User5(Added)

Where the first part displays the list of users, and the second part the name of the accounts removed and added.

Here is how the script could behave:

  • Get the last sensor data (channels and message)
  • Create a list of users based on the sensor message
  • Get the list of users from AD
  • Compare both lists
  • Return the list (got from AD) and new/removed users by following the format above (to be usable for the next scanning interval)
  • Return the number of new/removed account

Regards.

Created on Jul 9, 2021 2:40:18 PM by  Florian Lesage [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.