We have alerts set up when Groups in AD change (add/remove users) or when a user is deleted from AD. Is there a variable that can be added to the email template that will tell us the specific account that made these changes in AD?
When you look for these events in nDepth, what is populated in the SourceLogonID field? I'm not sure that the Windows logs on the DC actually send that information to the LEM, but I don't have an AD DC to play with in my lab to confirm. Can you capture a sample event?
Usually SourceAccount is the account making the change, and DestinationAccount is the account that was changed (with group events, you also get MemberID - DestinationAccount is the group that was changed, and MemberID is the user modified). SourceLogonID is often populated with a unique text string of the logon ID, and not actually a username.