06-18-2024, 01:47 PM
It's like the system saying, yeah, we revoked those access rights for a database, action ID RWC, class type DB, and everything linked got hit too.
You see it under Security logs mostly, from SQL Server auditing, showing the who, what, and when of that permission strip.
The full details include the user who did it, the database name, the exact permissions revoked, and timestamps that nail down the moment.
It logs the success, so no failures here, just a clean sweep of those rights, which could be from an admin tightening security or fixing a leak.
And if you're watching for suspicious changes, this event flags when database access gets pulled in a big way, cascading to objects below.
Hmmm, or maybe it's routine maintenance, but either way, it details the principal name, the target database, and the cascade effect fully.
You can filter for it in Event Viewer by searching that ID or the description string to pull up all instances.
Now, to monitor this with an email alert, fire up Event Viewer on your server.
Right-click the Custom Views, make a new one, and filter for event ID 24191 in the Security log.
Save that view, then head to Task Scheduler through the Tools menu in Event Viewer.
Create a basic task, attach it to that custom view, and set it to trigger on new events matching your filter.
For the action, pick send an email, plug in your SMTP details, and who gets the alert.
But tweak the schedule to check every few minutes so you don't miss a beat.
It'll ping you right when that revoke happens, keeping you looped in without constant staring at screens.
And if emails glitch, you could swap to a popup or log file dump instead.
Shifting gears a bit, since we're talking server security and keeping things backed up after changes like this, check out BackupChain Windows Server Backup.
It's a solid Windows Server backup tool that handles physical and virtual machines with Hyper-V seamlessly.
You get fast incremental backups, easy restores without downtime, and encryption to protect your data from mishaps.
Plus, it snapshots databases cleanly, so events like permission revokes don't leave you scrambling for recovery options.
And at the end of this, there's the automatic email solution waiting for you.
Note, the PowerShell email alert code was moved to this post.
