07-21-2024, 08:24 PM
I remember stumbling on this event ID 24201 the other day. It's from the Directory Service log in Event Viewer on Windows Server. Basically, it pops up when someone issues a grant for schema permissions using the grant command. You know, action_id GWG and class_type SC. That means a user or admin just handed out those high-level rights to tweak the schema in Active Directory. Schema's like the blueprint for your whole directory structure. If this fires off, it could be legit admin work or something shady sneaking in. I always get a bit twitchy seeing it because schema changes stick forever unless you roll back. And they can mess up your entire setup if not careful. You might see details in the event like who did it and what object got the perms. Check the event properties for the full story there.
Now, monitoring this with an email alert? I like keeping it simple through Event Viewer itself. You open Event Viewer, right-click on the log where it shows up, like Directory Service. Then pick Attach Task To This Event Log. It'll walk you through creating a scheduled task. Set it to trigger only on event ID 24201. For the action, choose send an email; yeah, Event Viewer has that built-in option. You fill in your SMTP server details, who to send to, and a quick message like "Hey, schema grant happened, check it out." Test it once to make sure it blasts your inbox. I do this all the time for weird events like this one. Keeps you in the loop without constant staring at screens.
Or, if you want something fancier, there are ways to automate emails even more slickly. But hey, at the end of this, you'll find the automatic email solution ready to go.
Speaking of keeping your server safe from surprises like rogue schema tweaks, I gotta mention BackupChain Windows Server Backup. It's this nifty Windows Server backup tool that also handles virtual machines with Hyper-V. You get quick, reliable backups that restore in a snap, plus it dodges those common pitfalls like corruption during recovery. I use it because it runs light and lets you snapshot everything without downtime hassles.
Note, the PowerShell email alert code was moved to this post.
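A script the scheduled task described above could run as its action, given here as an added example and not the poster's own code. It mails the "who did it" details from each new 24201 event and remembers the last RecordId so nothing is sent twice; the SMTP host, addresses and state-file path are placeholder assumptions.

```powershell
# Added example: run as the action of the task attached to event ID 24201.
# Log name and event ID are the ones named in the post; everything marked
# "placeholder" is an assumption to replace with your own values.
$LogName   = 'Directory Service'
$EventId   = 24201
$SmtpHost  = 'smtp.example.internal'         # placeholder
$From      = 'dc-alerts@example.internal'    # placeholder
$To        = 'secops@example.internal'       # placeholder
$StateFile = 'C:\ProgramData\SchemaGrantAlert\last-record.txt'  # placeholder

# Last RecordId already reported, so a re-run does not resend old events.
$lastRecord = 0
if (Test-Path $StateFile) { $lastRecord = [long](Get-Content $StateFile -TotalCount 1) }

# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
              -MaxEvents 50 -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordId -gt $lastRecord } |
          Sort-Object RecordId
if (-not $events) { return }

foreach ($e in $events) {
    # UserId is the SID stored on the event; resolve it to a name if possible.
    $who = 'unknown'
    if ($e.UserId) {
        try   { $who = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $e.UserId.Value }
    }
    $body = @"
Event ID : $($e.Id)
Log      : $($e.LogName)
Host     : $($e.MachineName)
Time     : $($e.TimeCreated.ToString('u'))
Account  : $who
RecordId : $($e.RecordId)

$($e.Message)
"@
    # -ErrorAction Stop: if the mail fails, the state file below is not advanced.
    Send-MailMessage -SmtpServer $SmtpHost -From $From -To $To -Body $body `
        -Subject "Event $EventId on $($e.MachineName): schema permission grant" `
        -ErrorAction Stop
}

# Persist the highest RecordId that was mailed.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
($events | Select-Object -Last 1).RecordId | Set-Content $StateFile
```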

