We have alerts set up when Groups in AD change (add/remove users) or when a user is deleted from AD. Is there a variable that can be added to the email template that will tell us the specific account that made these changes in AD?
I added a screenshot of the alert. The alert works but I still am missing the Source Account for the change.
When you look for these events in nDepth, what is populated in the SourceLogonID field? I'm not sure that the Windows logs on the DC actually send that information to the LEM, but I don't have an AD DC to play with in my lab to confirm. Can you capture a sample event?
Usually SourceAccount is the account making the change, and DestinationAccount is the account that was changed (with group events, you also get MemberID - DestinationAccount is the group that was changed, and MemberID is the user modified). SourceLogonID is often populated with a unique text string of the logon ID, and not actually a username.
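The field roles described in the reply above, as an added example that is not part of the original thread and is not SolarWinds code: it maps the EventData fields of a Windows Security group-change event onto those names, showing why the logon ID is a hex session identifier while the actor's username sits in a separate field. The sample event, the `normalize` function and the exact mapping are assumptions for illustration, not the LEM connector's logic.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: Security event 4728 (member added to a global security group).
SAMPLE_4728 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=example,DC=test</Data>
    <Data Name="TargetUserName">Helpdesk-Admins</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">adm.smith</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e4f1a</Data>
  </EventData>
</Event>"""

# Member added/removed: global (4728/4729), local (4732/4733), universal (4756/4757).
GROUP_EVENTS = {"4728", "4729", "4732", "4733", "4756", "4757"}


def normalize(event_xml):
    """Map Windows EventData names onto the field names used in the thread (assumed mapping)."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}

    def qualified(user_key, domain_key):
        user, domain = data.get(user_key, ""), data.get(domain_key, "")
        return f"{domain}\\{user}" if domain and user else user

    out = {
        "EventID": event_id,
        # Subject* = who made the change; Target* = the object that was changed.
        "SourceAccount": qualified("SubjectUserName", "SubjectDomainName"),
        "SourceLogonID": data.get("SubjectLogonId", ""),  # session ID, not a username
        "DestinationAccount": qualified("TargetUserName", "TargetDomainName"),
    }
    if event_id in GROUP_EVENTS:
        out["MemberID"] = data.get("MemberName", "")  # user added to or removed from the group
    return out


if __name__ == "__main__":
    for field, value in normalize(SAMPLE_4728).items():
        print(f"{field}: {value}")
```

If the alert shows only the logon ID, checking whether the raw event on the DC carries a populated `SubjectUserName` tells you whether the username was ever available to forward.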