How to create an alert for when a gMSA is created

How to create an alert for when a gMSA is created

Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators when a Group Managed Service Account (gMSA) is created in Active Directory. Monitoring gMSA creation enhances visibility into service account provisioning, ensures secure delegation, and supports compliance with privileged account governance policies.

Prerequisites  

  • Access to the ADAudit Plus web console is needed.

  • A user account with administrator privileges or a technician account with delegated permission to configure alert profiles in ADAudit Plus is needed.

  • All relevant domain controllers must be added and must be actively collecting event logs.

  • The following audit policy must be enabled via the Group Policy Management Editor:

    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > DS Access > Audit Directory Service Changes.

    • Enable Success.

  • To receive alert notifications via email from ADAudit Plus, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.

Steps to follow

Step 1: Create a new alert profile  

  1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create or modify alerts.

  2. Navigate to the Alerts tab.

  3. Click New Alert Profile in the top-right corner.

  1. Enter a relevant Name and Description (e.g., Alert: New gMSA Created).

  2. Click the + symbol next to Report Profiles.

  3. From the Domain drop-down, select the on-premises domain.

  4. Select All other AD Object changes as the report profile.

Step 2: Configure advanced alert settings  

  1. Use the Advanced Configuration options to customize alerts based on thresholds, business hours, and advanced filtering criteria.
  2. Enable the Filter option.

  3. Configure the first filter with the following criteria:

    • Attribute: Event Number

    • Operator: equals 

    • Value: 5137

  4. Configure the second filter with the following criteria:

    • Condition: and

    • Attribute: Object Class

    • Operator: equals 

    • Value: msDS-GroupManagedServiceAccount

Note: This setup ensures the alert is triggered specifically when a gMSA is created in Active Directory.

Step 3: Configure alert notification

  1. In the Alert Actions section, enable E-mail Notification.
  2. Enter the recipient email addresses where the alert should be delivered.

  3. Provide a clear, relevant subject line for the email notification.

  4. Select the preferred format for the alert email, either HTML or Text.

  5. Select the details you would like to include in the email:

  • Alert Message

  • Alert Profile Name

  • Event Details

  1. Enable the Throttle Notification option to combine multiple alerts into a single notification based on the defined criteria.
    Example: If multiple login failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.

  2. If the SMS provider settings are already configured in ADAudit Plus (under Admin > General Settings > Server Settings > SMS), enable SMS Notification for real-time updates.

  3. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive login failures from that account.

  4. If a ticketing tool is integrated with ADAudit Plus (under Admin > Configuration > Ticketing System Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use the Throttle Ticket Generation option to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

  1. Click Save to activate the alert profile.

Validation and confirmation  

  1. Manually log a test event.
  2. Navigate to Alerts and expand the on-premises domain under Profile Based Alerts.

  3. Select the alert profile that was created and view alerts in the ADAudit Plus console.

  4. Verify that the alert appears with the correct event details.

  5. Ensure the alert email is received at the specified addresses.

Tips

  • Monitor high-risk gMSA containers.

  • Keep gMSA alerts in a separate alert profile with a clear name (e.g., gMSA Creation Alert) for easy identification and management.


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                      Related Products