Modifying your own AD account Alerts

Has anyone had any success with monitoring or triggering on the modification of their own AD account? I'm having difficulties because the way LEM handles event 4728, it separates the Source Account into 2 different fields, Account and Domain (for example SourceAccount: Rfletcher SourceDomain: Contoso). If this value was saved as Contoso\rfletcher, then I know I would be able to trigger on that and the memberID field, but nothing is lining up. Does anyone have any ideas?

  • Do you want this for a specific user(s) or any user?

  • FormerMember

    I'll use UserModifyAttribute as an example, but to detect that the same user that modified the account is the owner account I think you can use:

    UserModifyAttribute.SourceAccount = UserModifyAttribute.DestinationAccount

    AND

    UserModifyAttribute.SourceDomain = UserModifyAttribute.DestinationDomain

    If you want to limit to only certain accounts being changed, you could do

    AND

    UserModifyAttribute.DestinationAccount = <whatever account> (or use an AD or User-Defined group)

    If you only want to know when a specific account is being changed, you could use:

    UserModifyAttribute.SourceAccount = <whatever account>

    AND

    UserModifyAttribute.DestinationAccount = <whatever account>

  • Thanks Nicole. My problem stems mainly around the NewGroupmember event, and my trouble is that when the destination account is the username "rfletcher", for example, then the source name is unable to resolve username. Also, when the source name is usable again, like "rfletcher", the destination account is returned in the form of an AD distinguished name (CN=Fletcher, OU=Acme, DC=Contoso,DC=com), so I can't use the equal statement.

  • FormerMember in reply to rfletcher

    Ah! That makes sense. Can you copy/paste a couple of example events (and maybe the source events from the event log)? Maybe we can find a way to make this work more cleanly.

  • Here is a screenshot of what I wanted to alert on. Sorry for all the black; I had to remove anything that references our AD or AD structure.

    pastedImage_0.png


  • Have you tried Auditable Group Events.EventInfo

    I use the strings

    Member "*" removed from group "DOMAIN\Group Name"

    Member "*" added to group "DOMAIN\Group Name"

  • That's how I do my alerts for people added to groups who aren't pre-approved, but I don't see how that will tell me if a user modifies their own account.

    However, you did give me an idea (this may be kind of convoluted but it's just a starting point). What if we can correlate 2 different events and make an alert from them? Every time I change my own group memberships in testing, I trigger an object audit event that has some information that actually populates correctly, such as Fletcher\, Ryan or Domain\rfletcher. Do you guys think that might work?

  • Yes, the AND / OR functionality helps here. I use this to differentiate between domain account password resets for people (that I want to know about as soon as the change is made) and computers (that I am happy to just log and review later).
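
Added example, not part of the original thread and not LEM rule syntax: the name mismatch discussed above (account name on one side, distinguished name on the other) can be avoided by comparing SIDs, since the raw Windows event 4728 carries both `SubjectUserSid` and `MemberSid`. The sketch assumes you can get at the raw event XML; the helper names, SIDs, group name and sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4728 / 4732 / 4756: member added to a global / local / universal security group
GROUP_ADD_IDS = {"4728", "4732", "4756"}

def event_fields(xml_text):
    """Return EventID plus every named EventData value of one event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", "", NS).strip()
    return fields

def is_self_group_add(xml_text):
    """True when the account that made the change is the member that was added."""
    f = event_fields(xml_text)
    if f["EventID"] not in GROUP_ADD_IDS:
        return False
    actor, member = f.get("SubjectUserSid", ""), f.get("MemberSid", "")
    # SIDs are the same identifier on both sides; names are not (sAMAccountName vs DN)
    return bool(actor) and actor.upper() == member.upper()

def make_event(event_id, actor_name, actor_sid, member_dn, member_sid):
    """Build a constructed event for the demo (all values are made up)."""
    data = {"MemberName": member_dn, "MemberSid": member_sid,
            "TargetUserName": "Example Admins", "TargetDomainName": "CONTOSO",
            "SubjectUserSid": actor_sid, "SubjectUserName": actor_name,
            "SubjectDomainName": "CONTOSO"}
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{rows}</EventData></Event>')

RF_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"   # constructed
ADM_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
RF_DN = "CN=Fletcher,OU=Acme,DC=Contoso,DC=com"
SELF_ADD = make_event(4728, "rfletcher", RF_SID, RF_DN, RF_SID)
ADMIN_ADD = make_event(4728, "helpdesk1", ADM_SID, RF_DN, RF_SID)

if __name__ == "__main__":
    for name, ev in (("self add", SELF_ADD), ("admin add", ADMIN_ADD)):
        print(name, "->", is_self_group_add(ev))
```

In the self-add sample the subject name is `rfletcher` while the member name is a DN whose CN is `Fletcher`, so a string comparison of the name fields fails even though both refer to the same account.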