In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators when the primary group of an Active Directory user is changed. Monitoring such changes helps detect unauthorized privilege modifications, enhances visibility into group membership alterations, and supports compliance with security and auditing requirements.
Prerequisites
Access to the ADAudit Plus web console.
A user account with Administrator privileges or a Technician account with delegated permissions to configure alerts in ADAudit Plus.
All relevant domain controllers must be added and configured in ADAudit Plus for auditing.
Ensure real-time event fetching is enabled to receive instant alerts as soon as changes are detected in Active Directory.
The following advanced audit policy must be enabled via group policy on all monitored domain controllers.
Access the setting here: Advanced Audit Policy Configuration > DS Access > Audit Directory Service Changes
Setting: Enable Success for auditing successful events.
To receive alert notifications via email from ADAudit Plus, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.
Steps to follow
Log in to the ADAudit Plus web console as an Administrator, or with a Technician account with delegated permissions to create or modify alerts.
Navigate to the Alerts tab.
Click New Alert Profile in the top-right corner.
Enter a relevant Alert Name and Description (e.g., "Primary Group Change - User Object").
Click the + symbol in the Report Profiles field.
Under Domain, select the on-premises domain.
In the Category dropdown, choose User Modification.
Search for and select the Modified User report profile. Click OK.
You can tailor the Alert Message to suit your specific requirements.
In the Advanced Configuration section, enable the Filter option.
Click Add Filter and configure it as:
Attribute: Modified Attributes
Operator: equals
Value: primaryGroupID
In the Alert Actions section, enable E-mail Notification.
Enter the recipient email addresses where the alert should be delivered.
Provide a clear and relevant subject line for the email notification.
Select the preferred format for the alert email, either HTML or Plain Text.
Select the details you'd like to include in the email, such as:
Alert Message
Alert Profile Name
Event Details
Enable the Throttle Notification option to consolidate multiple alerts into a single notification based on defined criteria.
Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.
If SMS provider settings are already configured in ADAudit Plus (via Admin > General Settings > Server Settings > SMS), enable SMS Notifications for real-time updates.
Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.
If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.
Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.
Click Save to activate the alert profile.
Validation and confirmation
Change the primary group of a test user account in Active Directory to trigger the alert.
Go to the Alerts tab and expand the on-premises domain under Profile Based Alerts.
Choose the alert profile that was created and view alerts in the ADAudit Plus console.
Verify that the alert appears with the correct event details.
Ensure the alert email is received at the specified email address.
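One way to make the test change described above and restore it afterwards, as an added PowerShell example that is not from the ADAudit Plus documentation. It assumes an elevated session on a monitored domain controller with the ActiveDirectory module installed; the account and group names are placeholders.

```powershell
# Added example. Assumptions: elevated PowerShell on a monitored domain controller,
# ActiveDirectory module installed. Account and group names are placeholders.
Import-Module ActiveDirectory

$dc        = $env:COMPUTERNAME      # pin every call to this DC so the event is logged here
$testUser  = 'adaudit-test-user'    # placeholder: disposable, non-privileged test account
$testGroup = 'adaudit-test-group'   # placeholder: global or universal security group
$start     = Get-Date

# Prerequisite check: the subcategory should report "Success" (or "Success and Failure").
auditpol /get /subcategory:"Directory Service Changes"

# Record the current primary group RID so it can be restored afterwards.
$user  = Get-ADUser  -Identity $testUser  -Server $dc -Properties primaryGroupID, MemberOf
$group = Get-ADGroup -Identity $testGroup -Server $dc -Properties primaryGroupToken
$originalRid = $user.primaryGroupID

# The user must be a member of a group before it can become the primary group.
$addedMembership = $user.MemberOf -notcontains $group.DistinguishedName
if ($addedMembership) {
    Add-ADGroupMember -Identity $group -Members $user -Server $dc
}

try {
    # primaryGroupID stores the group's RID, which AD exposes as primaryGroupToken.
    Set-ADUser -Identity $user -Server $dc -Replace @{ primaryGroupID = $group.primaryGroupToken }

    # Optional local check: event 5136 records the attribute write when the
    # object's SACL audits it. No output here means the DC did not log the change.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $start } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'primaryGroupID' } |
        Select-Object TimeCreated, Id, MachineName
}
finally {
    # Restore the original primary group, then drop the temporary membership.
    Set-ADUser -Identity $user -Server $dc -Replace @{ primaryGroupID = $originalRid }
    if ($addedMembership) {
        Remove-ADGroupMember -Identity $group -Members $user -Server $dc -Confirm:$false
    }
}
```

The restore in the finally block is itself a primaryGroupID change, so expect a second alert for the same account unless throttling consolidates the two.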
Tips
To improve visibility and searchability, use clear naming and descriptions for the alerts.
Monitor the movement of privileged or sensitive accounts separately.
Related topics and articles
How to check when a user was added to a security group
How to check when a user was removed from a security group