Alert for the Domain Admins group

  • Question

  • Good afternoon,

    I need to generate an alert that sends me an email every time someone changes a user in the Domain Admins group. I know that delegation of control exists, but I won't be able to use it at the moment.

    I couldn't find anything helpful on the internet, perhaps I didn't know how to search. Does anyone know a way to do this?

    What I have done so far is:

    - Export the list of users in Domain Admins to TXT or CSV (at set times);

    - Send it by email!

    But this procedure didn't work very well, because I can't catch changes in real time.

    Thank you

    Sunday, January 26, 2020 16:57

Answers

    • Marked as answer by AnaZ81 Wednesday, February 19, 2020 20:09
    Monday, January 27, 2020 17:55
  • Hello dear @AnaZ81, hope all is well!

    Below are the necessary steps, divided into 03 stages.

    Various tools can be used; the approach below is quite effective.

    Step 1: Enable Active Directory Auditing through Group Policy

    1. Type GPMC.MSC in “Run” box and press “Enter.” The “Group Policy Management” console opens up.
    2. Go to “Forest” → “Domains” → “www.domain.com” in the left panel.
    3. Right-click the “Default Domain Policy” or any customized domain-wide policy. (However, we recommend you to create a new GPO, link it to the domain, and edit it).
    4. Select “Edit” to access “Group Policy Management Editor.”
    5. Next, navigate to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policies”.
    6. Management and access properties.
    7. Click to select “Define these policy settings” option.
    8. Select both “Success” and “Failure” checkbox to enable audit policy for monitoring successful events.
    9. Now, close “Group Policy Management Editor”.
    10. After closing it, you will be back at “Group Policy Management Console”. Select the GPO that you have modified.
    11. In the “Security” filtering section in the right pane, click “Add” to apply this GPO to all objects of Active Directory. Type “Everyone” in the dialog box that opens up. Click “Check Names” and “OK” to add the value.
    12. Close “Group Policy Management Console”.
    13. It is recommended to update the Group Policy instantly so that new changes can be applied to the entire domain. Run the following command at the Command Prompt or in the “Run” box to update the Group Policies on all domain controllers.

      gpupdate /force

    Step 2: Enable Auditing of Active Directory through ADSI edit

    1. In “Start Menu” or in “Control Panel”, go to “Administrative Tools” and open “ADSI Edit.”
    2. Right-click ADSI Edit node in the left panel and select “Connect To”.
    3. In “Connection Settings” window, select “Default Naming Context” in the drop-down menu of selecting a well-known Naming Context.
    4. 
    5. Click “OK” to establish the connection to the Default Naming Context of the domain. It is the node displayed in the left tree pane, just below the top ADSI Edit node.
    6. Expand “Default Naming Context [dc.www.domain.com]” and access the top node under it.
    7. Right-click this top node having the fully qualified domain name and click “Properties” in the context menu.
    8. In the properties, switch to “Security” tab and click “Advanced” button to access “Advanced Security Settings for www”.
    9. Switch to “Auditing” tab and click “Add” button to add a new auditing entry. It shows “Auditing Entry for www” window on the screen.
    10. Click “Select a principal” to add “Everyone”.
    11. Select type as “Success” and applies to as “This object and descendant objects.”
    12. Under “Permissions,” select all check boxes by clicking “Full Control,” except the following permissions.
      • Full Control
      • List contents
      • Read all properties
      • Read permissions
    13. Click “OK”.

    Step 3: Track Group Membership changes through Event Viewer

    1. To track the changes in Active Directory, open “Windows Event Viewer,” go to “Windows logs” → “Security.” Use the “Filter Current Log” in the right pane to find relevant events.

      The following are some of the events related to group membership changes.

      • Event ID 4727 indicates a Security Group is created.
      • The following screenshot shows more detail of this event.

      • Event ID 4728 indicates a ‘Member is added to a Security Group’.
      • Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’.
      • Event ID 4730 indicates a ‘Security Group is deleted’.

        The following screenshot filters all events related to changes in Active Directory Group Memberships.


    Regards, FOL!


    • Proposed as answer by FÁBIOFOL Thursday, January 30, 2020 22:07
    • Edited by FÁBIOFOL Thursday, January 30, 2020 22:08 Tip
    • Marked as answer by AnaZ81 Wednesday, February 19, 2020 20:09
    Thursday, January 30, 2020 22:07
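
The events listed in Step 3 can drive the e-mail alert the question asks for. The following PowerShell is an added example, not part of the thread: it matches Domain Admins by the well-known RID 512 in `TargetSid` rather than by group name, so it also works on localized domains. The SMTP server, mail addresses and the 10-minute look-back window are placeholder assumptions, and the sample event is constructed.

```powershell
# Added example, not from the thread. SMTP host and addresses are placeholders.
$SmtpServer = 'smtp.example.invalid'
$MailFrom   = 'ad-audit@example.invalid'
$MailTo     = 'secops@example.invalid'
function ConvertTo-GroupChangeAlert {
    # Returns an alert object for a 4728/4729 event whose target group is
    # Domain Admins (well-known RID 512); returns nothing for other events.
    param([Parameter(Mandatory)][xml]$EventXml)
    $id   = [int]$EventXml.Event.System.EventID
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($id -notin 4728, 4729) { return }
    if ($data['TargetSid'] -notmatch '^S-1-5-21-\d+-\d+-\d+-512$') { return }
    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        Action    = if ($id -eq 4728) { 'added to' } else { 'removed from' }
        Member    = $data['MemberName']
        Group     = $data['TargetUserName']
        ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
}

function Send-DomainAdminsAlert {
    # Reads recent events from the local Security log and mails one alert each.
    param([int]$Minutes = 10)   # look-back window, an assumed default
    $filter = @{ LogName = 'Security'; Id = 4728, 4729; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-GroupChangeAlert -EventXml ([xml]$_.ToXml()) } |
        ForEach-Object {
            $body = "$($_.Time): $($_.Member) was $($_.Action) $($_.Group) by $($_.ChangedBy)"
            Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
                -Subject 'Domain Admins membership changed' -Body $body
        }
}

# Constructed sample event (not real data) to exercise the parser offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2020-01-27T17:55:00Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=Test User,CN=Users,DC=example,DC=invalid</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertTo-GroupChangeAlert -EventXml $sample | Format-List
```

Group-change events are written to the Security log of the domain controller that processed the change, so `Send-DomainAdminsAlert` has to run on each domain controller (for example from a scheduled task) or against a collector that receives forwarded events.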

All Replies

  • Dear Fabio,

    Thank you very much, this step-by-step worked perfectly.

    Dear WillFellipe,

    I didn't know this software, I thought it was really nice too, thank you very much for the information.

    Both worked perfectly.

    Wednesday, February 19, 2020 20:09
  • Great!

    Regards, FOL!

    • Proposed as answer by FÁBIOFOL Thursday, February 20, 2020 15:42
    Thursday, February 20, 2020 15:42
  • Hello AnaZ81,

    Thank you for confirming that a solution to the question was found; this thread will be closed.

    If necessary, please open a new thread.

    Best regards,

    Camila Brito

    Monday, March 9, 2020 21:44
    Moderator