General Security Auditing - Group Membership Change Notification

I've had a few clients inquire on how to receive alerts when Security Group Membership changes in Windows Server 2008. For example when a user is added or removed from the Domain Administrators global security group. I thought I'd post a small "How-To" because the necessary security event numbers have changed in Windows 2008 from those in Windows 2003.

1. Navigate to Authoring / Management Pack Objects / Rules and in the 'Actions' pane click on 'Create a rule'

2. Select Alert Generating Rule / Event Based / 'NT Event Log (Alert)' and select an applicable Management Pack. Ideally, use a dedicated management pack for security-related rules.

image

3. Click Next. On the 'Rule Name and Description' window, name the rule and set the rule target to 'Windows Domain Controller' and uncheck 'Rule is enabled'

image

4. Click Next. Navigate to one of your domain controllers and select 'Security' for 'Log name'

5. Build the Event Expression as the one in the image below. Use the same Event IDs.

image

6. Click Next. In the 'Configure Alerts' window, give the Alert a name, and for the 'Alert description' enter '$Data/EventDescription$'. This populates the Alert's description field with the description text of the actual security event.

7. Click 'Create'

8. Find the newly created rule. The easiest way is to paste its name into 'Search'. Remember the rule was disabled by default? Now enable it with an override 'For all objects of type: Windows Domain Controller'.
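Before relying on the alert, it is worth confirming on a domain controller that the events the rule matches are actually being written to the Security log. The PowerShell check below is an added example, not part of the original post, and it assumes the Event Expression in the screenshot uses event IDs 4728 (member added to a security-enabled global group) and 4729 (member removed), the Windows Server 2008 equivalents of the 2003-era 632/633; since the screenshot is not reproduced here, adjust `$ids` to match your rule. It also assumes the field names of the 4728/4729 EventData (MemberName, TargetUserName, SubjectUserName, and so on), which is why it reads the event XML by name instead of relying on property positions.

```powershell
# Added example (not from the original post): list recent global security group
# membership changes on a Windows Server 2008 domain controller, as the SCOM rule
# would see them. Assumed event IDs: 4728 = member added, 4729 = member removed.
$ids = 4728, 4729

# These events are only logged when success auditing is enabled for the
# 'Security Group Management' subcategory (Account Management). Check with:
#   auditpol /get /subcategory:"Security Group Management"
$filter = @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the EventData block by field name rather than by index.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) {
        $d[$item.Name] = $item.'#text'
    }

    $action = if ($e.Id -eq 4728) { 'added to' } else { 'removed from' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Member = $d['MemberName']
        Action = $action
        Group  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        By     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}
```

If this returns nothing after a known membership change, the audit subcategory is almost certainly off and the SCOM rule will never fire; enabling the auditing is a prerequisite for the alert, not something the rule does for you. The 'Group' and 'By' columns are the same details the '$Data/EventDescription$' token carries into the Alert description in step 6.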

So now whenever a user is added to or removed from a global security group, an Alert will be generated:

image


image

image

You can adapt this to alert on pretty much anything that appears in the security log of a domain controller or server. Quite powerful and effective.


Enjoy.