8 Replies Latest reply on Mar 24, 2015 6:48 AM by twuk

    Modifying your own AD account Alerts

    rfletcher

      Has anyone had any success with monitoring or triggering on the modification of their own AD account? I'm having difficulties because of the way LEM handles event 4728: it separates the Source Account into 2 different fields, Account and Domain (for example SourceAccount: Rfletcher SourceDomain: Contoso). If this value was saved as Contoso\rfletcher, then I know I would be able to trigger on that and the memberID field, but nothing is lining up. Does anyone have any ideas?

        • Re: Modifying your own AD account Alerts
          HolyGuacamole

          Do you want this for a specific user(s) or any user?

          • Re: Modifying your own AD account Alerts
            nicole pauls

            I'll use UserModifyAttribute as an example, but to detect that the same user that modified the account is the owner account I think you can use:

             

            UserModifyAttribute.SourceAccount = UserModifyAttribute.DestinationAccount

            AND

            UserModifyAttribute.SourceDomain = UserModifyAttribute.DestinationDomain

             

            If you want to limit to only certain accounts being changed, you could do

            AND

            UserModifyAttribute.DestinationAccount = <whatever account> (or use an AD or User-Defined group)

             

            If you only want to know when a specific account is being changed, you could use:

            UserModifyAttribute.SourceAccount = <whatever account>

            AND

            UserModifyAttribute.DestinationAccount = <whatever account>

            • Re: Modifying your own AD account Alerts
              rfletcher

              Thanks Nicole. My problem stems mainly from the NewGroupmember event, and my trouble is that when the destination account is the username "rfletcher", for example, the source name is unable to resolve the username. Also, when the source name is usable again, like "rfletcher", the destination account is returned in the form of an AD distinguished name (CN=Fletcher, OU=Acme, DC=Contoso,DC=com), so I can't use the equal statement.

              • Re: Modifying your own AD account Alerts
                twuk


                Have you tried Auditable Group Events.EventInfo?

                 

                I use the strings

                 

                Member "*" removed from group "DOMAIN\Group Name"

                 

                Member "*" added to group "DOMAIN\Group Name"

                  • Re: Modifying your own AD account Alerts
                    rfletcher

                    That's how I do my alerts for people added to groups who aren't pre-approved, but I don't see how that will tell me if a user modifies their own account.

                     

                    However, you did give me an idea (this may be kind of convoluted, but it's just a starting point). What if we can correlate 2 different events and make an alert from them? Every time I change my own group memberships in testing, I trigger an object audit event that has some of the information actually populated correctly, such as Fletcher\, Ryan or Domain\rfletcher. Do you guys think that might work?
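
Added example, not part of the thread and not LEM rule syntax: the name-format mismatch discussed above (account name on one side, distinguished name on the other) can be sidestepped outside LEM by comparing SIDs in the raw Windows event, since events 4728, 4732 and 4756 record both SubjectUserSid and MemberSid. The sample events, SIDs, group name and function names are constructed for illustration, and covering 4732 and 4756 goes beyond the 4728 case in the thread.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Member added to a security-enabled global / local / universal group.
GROUP_ADD_IDS = {"4728", "4732", "4756"}

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def self_group_add_alert(xml_text):
    """Return an alert string if the actor added their own account, else None."""
    event_id, d = parse_event(xml_text)
    if event_id not in GROUP_ADD_IDS:
        return None
    actor_sid, member_sid = d.get("SubjectUserSid", ""), d.get("MemberSid", "")
    # SIDs identify the same principal regardless of how each name is rendered.
    if not actor_sid or actor_sid.upper() != member_sid.upper():
        return None
    return (f"{d.get('SubjectDomainName')}\\{d.get('SubjectUserName')} added own "
            f"account to {d.get('TargetDomainName')}\\{d.get('TargetUserName')}")

def make_event(actor_sid, actor_name, member_sid, member_dn, event_id="4728"):
    """Build a constructed sample event (values are illustrative, not real)."""
    fields = {"MemberName": member_dn, "MemberSid": member_sid,
              "TargetUserName": "Domain Admins", "TargetDomainName": "CONTOSO",
              "SubjectUserSid": actor_sid, "SubjectUserName": actor_name,
              "SubjectDomainName": "CONTOSO"}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{data}</EventData></Event>")

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DN = "CN=Fletcher,OU=Acme,DC=Contoso,DC=com"  # member name arrives as a DN
SELF_ADD = make_event(f"{DOMAIN}-1105", "rfletcher", f"{DOMAIN}-1105", DN)
OTHER_ADD = make_event(f"{DOMAIN}-1200", "admin1", f"{DOMAIN}-1105", DN)

if __name__ == "__main__":
    for ev in (SELF_ADD, OTHER_ADD):
        print(self_group_add_alert(ev))
```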