Monitoring addition/removal of users in global sec group

Good day!

Just logged a question with you guys and I already have another :)

I have been tasked with monitoring our Domain Admins sec group and setting up an alert when a user is added or removed from the group.

I tried setting up an Event Log rule that should fire off when a certain event log appears on our DCs - in this case, the event ID is 4728, which appears in Event Viewer when a user is added to a security-enabled global group. Please see attached snip of the Rule criteria.

I've added this event log monitor to all our DCs and then tested it by adding a user to the sec group. The Event ID didn't populate in Event Viewer on any of the DCs though, so I'm still looking into that.

My question is: Is this the correct way of doing this or am I barking up the wrong tree?

If this is the incorrect way of monitoring and alerting on sec group changes, what would be the correct way?

Thank you very much for your time, I really do appreciate it :)

Cheerio!
Mat
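
A way to confirm that the events the rule above depends on are actually being written on each DC, as an added example that is not part of the original post or of any product's own tooling. Event 4728 (and its removal counterpart, 4729) is recorded only on the DC that processed the change, and only when the "Security Group Management" audit subcategory logs Success there. Assumptions: a management host with the RSAT ActiveDirectory module, PowerShell remoting to the DCs, rights to read their Security logs, and English-language `auditpol` output.

```powershell
# Added example: the look-back window and output columns are constructed.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-1)

# 4728 = member added to a security-enabled global group (from the post)
# 4729 = member removed from a security-enabled global group
$Actions = @{ 4728 = 'Added'; 4729 = 'Removed' }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Without Success auditing for this subcategory, no 4728/4729 is logged.
    $audit = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        auditpol /get /subcategory:"Security Group Management"
    }
    if (-not ($audit -match 'Success')) {
        Write-Warning "$($dc.HostName): Security Group Management success auditing is off"
    }

    $filter = @{ LogName = 'Security'; Id = 4728, 4729; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Turn the event's named data fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Domain Admins always has RID 512, whatever the group is named.
        if ($data['TargetSid'] -notlike '*-512') { continue }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc.HostName
            Action = $Actions[[int]$e.Id]
            Group  = $data['TargetUserName']
            Member = $data['MemberName']
            By     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}
$results | Sort-Object Time | Format-Table -AutoSize
```

If a DC raises the warning, the event log rule has nothing to match on that DC until the audit policy applied to the domain controllers enables that subcategory.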
