The following code illustrates a simple WQL event query that you can use to monitor the Enterprise Admins group in AD:
Select * From __InstanceModificationEvent Within 10
Where TargetInstance ISA 'ds_group'
AND TargetInstance.ds_name='Enterprise Admins'
This WQL event query asks WMI to poll the ds_group instances exposed by the AD provider (in the root\directory\LDAP namespace) every 10 seconds and to raise an event whenever the Enterprise Admins group object changes. Note that __InstanceModificationEvent fires for any attribute change to the object, not only membership changes, and that because the AD provider relies on polling, a change that is made and reverted within the 10-second interval can go unnoticed. I used this query in a script I created to monitor Windows group modifications, which Listing 1 shows. You can download the script and the helper functions it uses from the Windows Scripting Solutions Web site. Go to http://www.winnetmag.com/windowsscripting, enter InstantDoc ID 41835 in the InstantDoc ID box, then click Download the Code. The script builds this WQL event query from command-line parameters that specify the groups you want to monitor for modifications. When a WMI notification is received, the script sends an HTML email alert. The sample script is an immediate application of the WMI AD providers and the WMI monitoring capabilities. You must run the script in the Administrator security context, with the groups you want to monitor listed on the command line separated by spaces. The command's syntax is
GroupMonitor.wsf "GroupName1"
["GroupName2"] ["GroupNameN"]
[/Machine:value] [/User:value]
[/Password:value]
The GroupName1 to GroupNameN values in the command-line definition represent the list of groups to monitor. The /Machine switch specifies the name of the domain controller (DC) to which WMI should connect (the default is localhost). The /User switch specifies the username to use for the WMI connection, and the /Password switch specifies its associated password. Keep in mind that a password passed on the command line is visible to anyone who can list the processes on the monitoring machine, so prefer running the script under an account that already has the required rights and omit /User and /Password. For example, to monitor the Enterprise Admins and Domain Admins groups for modifications from a DC named ServerA.LissWare.Net, you'd use the command
GroupMonitor.Wsf "Enterprise
Admins" "Domain Admins"
/Machine:"ServerA.LissWare.Net"
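The following PowerShell script is an added example, not the article's GroupMonitor.wsf or its helper functions. It implements the same monitor with Register-WmiEvent: it builds one WQL query covering all the groups named on the command line, connects to the AD provider namespace root\directory\LDAP on the chosen DC, and on each event diffs the group's ds_member array (the provider exposes LDAP attributes with a ds_ prefix) to report which members were added or removed before sending a mail alert. The parameter names, the SMTP server, and the From/To addresses are assumptions for illustration; credentials are taken from Get-Credential rather than a clear-text switch.

```powershell
# Added example: PowerShell equivalent of the GroupMonitor script described above.
# $SmtpServer, $From and $To are assumed placeholder values.
param(
    [Parameter(Mandatory)][string[]]$GroupName,
    [string]$Machine = 'localhost',
    [pscredential]$Credential,                      # e.g. -Credential (Get-Credential)
    [string]$SmtpServer = 'smtp.example.com',       # assumed
    [string]$From = 'groupmonitor@example.com',     # assumed
    [string]$To = 'secops@example.com'              # assumed
)

# Build one event query for all groups. WITHIN is the polling interval: WMI polls the
# AD provider every 10 seconds, so a change reverted inside that window can be missed.
function New-GroupMonitorQuery {
    param([string[]]$Names, [int]$PollSeconds = 10)
    $clauses = $Names | ForEach-Object { "TargetInstance.ds_name='$($_ -replace "'", "''")'" }
    "SELECT * FROM __InstanceModificationEvent WITHIN $PollSeconds " +
    "WHERE TargetInstance ISA 'ds_group' AND (" + ($clauses -join ' OR ') + ')'
}

$query = New-GroupMonitorQuery -Names $GroupName

# The action runs for every event. PreviousInstance/TargetInstance carry the group
# object before and after the change; any attribute change fires the event, so the
# Added/Removed lists can both be empty (for example when only the description changed).
$action = {
    $ev      = $Event.SourceEventArgs.NewEvent
    $cfg     = $Event.MessageData
    $old     = @($ev.PreviousInstance.ds_member | Where-Object { $_ })
    $new     = @($ev.TargetInstance.ds_member   | Where-Object { $_ })
    $added   = @($new | Where-Object { $old -notcontains $_ })
    $removed = @($old | Where-Object { $new -notcontains $_ })
    $body = @"
Group:   $($ev.TargetInstance.ds_name)
DN:      $($ev.TargetInstance.ds_distinguishedName)
Server:  $($cfg.Machine)
Time:    $(Get-Date -Format o)
Added:   $($added -join '; ')
Removed: $($removed -join '; ')
"@
    Write-Host $body
    Send-MailMessage -SmtpServer $cfg.SmtpServer -From $cfg.From -To $cfg.To `
        -Subject "AD group modified: $($ev.TargetInstance.ds_name)" -Body $body
}

$params = @{
    Namespace        = 'root\directory\LDAP'
    Query            = $query
    SourceIdentifier = 'GroupMonitor'
    Action           = $action
    MessageData      = @{ Machine = $Machine; SmtpServer = $SmtpServer; From = $From; To = $To }
}
# WMI refuses explicit credentials for the local machine, so only pass them for a remote DC.
if ($Machine -ne 'localhost') { $params.ComputerName = $Machine }
if ($Credential)              { $params.Credential   = $Credential }

Register-WmiEvent @params | Out-Null
Write-Host "Monitoring $($GroupName -join ', ') on $Machine with query:`n$query"

# Keep the session alive; the action fires in the background until Ctrl+C.
try   { while ($true) { Start-Sleep -Seconds 60 } }
finally { Unregister-Event -SourceIdentifier 'GroupMonitor' -ErrorAction SilentlyContinue }
```

Run it as, for instance, `.\GroupMonitor.ps1 -GroupName 'Enterprise Admins','Domain Admins' -Machine ServerA.LissWare.Net -Credential (Get-Credential)`. As with the original script, the event tells you that the copy of the group on the DC you connected to changed, not which DC originated the change.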
You can use any server as long as the selected server is part of an AD forest. Keep in mind that the event is raised on the server you connect to, so if you select a DC, the detection of a group modification occurs either when the modification is made on that DC or when a modification made on any other DC in the same domain is replicated to it. To determine which DC originated the group change, you need to analyze the AD replication metadata of the object. Unfortunately, you can't use WMI to access this information. Some tools, such as repadmin.exe (included in the Windows Support Tools, for example repadmin /showmeta against the group's distinguished name), can display the originating DC of an AD object modification. However, the AD replication metadata auditing process is outside the scope of this article. Instead, let's look at leveraging the WMI interface in a sample script.