An LDAP query group was created (4790): how to monitor with email alert

#1
11-07-2024, 03:14 AM
You know that event ID 4790 in Windows Server Event Viewer? It's basically logging when someone or something creates a group through an LDAP query. Picture this: LDAP is like the phonebook for your network users and groups. So when a new group pops up this way, the system flags it as event 4790. It includes details like who did it, from which computer, and the exact time. I always check the subject user SID, the group name, and the attributes changed. Sometimes it's legit admin work, but hackers might sneak in groups to mess with permissions. You see the full story in the event properties, with XML data if you expand it. It ties into security auditing, especially if you're watching for unauthorized changes. And yeah, the event source is Microsoft-Windows-Security-Auditing.

I figure you want to keep an eye on these without staring at the screen all day. Fire up Event Viewer on your server. Go to Windows Logs, then Security. Filter for event ID 4790. Right-click one of those events. Pick Attach Task To This Event. That kicks you into Task Scheduler. Name your task something like LDAP Group Alert. Set it to run whether a user is logged on or not. Under triggers, it's already set for that event. For the action, choose send an email. Plug in your SMTP server details and the to and from addresses. Test it to make sure it fires off a quick note when 4790 hits. You can tweak it to run only on certain days or add conditions, but keep it simple at first. I do this for a bunch of events; it saves headaches.

Or, if you want it even easier, just watch for patterns in the logs daily. But setting that task means you get pinged right away. Hmmm, and speaking of keeping things backed up in case weird events like this signal trouble, I've been using BackupChain Windows Server Backup lately. It's this solid Windows Server backup tool that handles file-level stuff and even backs up virtual machines running on Hyper-V without much fuss. You get fast incremental backups, easy restores, and it runs quietly in the background so your server doesn't choke. Plus, the encryption keeps data safe, and it's way cheaper than some big-name options. I like how it snapshots everything consistently, no more panicking over lost configs.

Note: the PowerShell email alert code was moved to this post.

bob
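As an added example, not code from the post above, here is the same Event Viewer to Task Scheduler setup scripted in PowerShell; on current Windows Server versions the built-in "Send an e-mail" task action is deprecated, so the task runs a small script that mails the event details instead. The script path, SMTP host and mail addresses are placeholders, and the commands assume an elevated PowerShell on the server whose Security log you are watching.

```powershell
# Added example, not from the original post. Script path, SMTP host and addresses are placeholders.
$ScriptPath = 'C:\Scripts\Alert-Ldap4790.ps1'   # placeholder; any local path the task principal can read

# 1. The alert script. The task passes no arguments, so the script reads the newest 4790 event itself
#    and dumps every EventData field (subject, group, attributes) into the mail body.
@'
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4790 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) { return }   # nothing to report (e.g. manual smoke test with no 4790 in the log yet)
$xml  = [xml]$evt.ToXml()
$rows = foreach ($d in $xml.Event.EventData.Data) { '{0,-22} {1}' -f $d.Name, $d.'#text' }
$body = @"
Event 4790: An LDAP query group was created
Time:      $($evt.TimeCreated)
Computer:  $($evt.MachineName)

$($rows -join "`n")
"@
Send-MailMessage -SmtpServer 'smtp.example.local' -Port 25 `
    -From 'alerts@example.local' -To 'secops@example.local' `
    -Subject "Event 4790 on $($evt.MachineName): LDAP query group created" -Body $body
'@ | Set-Content -Path $ScriptPath -Encoding UTF8

# 2. Event trigger. New-ScheduledTaskTrigger has no "on event" option, so build the trigger from the
#    Task Scheduler CIM class and give it the same XPath filter Event Viewer generates for "Attach Task".
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4790]]</Select>
  </Query>
</QueryList>
'@

# 3. Action and principal. SYSTEM runs whether or not anyone is logged on and can read the Security log.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'LDAP Group Alert' -Trigger $trigger -Action $action `
    -Principal $principal -Force

# 4. Smoke test: run the task by hand (it mails the most recent 4790, if one exists) before relying on it.
Start-ScheduledTask -TaskName 'LDAP Group Alert'
```

Check the task's Last Run Result in Task Scheduler and the mailbox after the smoke test; a SYSTEM task that cannot reach the SMTP host fails silently from the user's point of view.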