11-08-2024, 07:19 PM
But monitoring this? You want email alerts without getting too fancy. I always point folks to the Event Viewer itself for setup. Fire it up on your server, head to the Windows Logs, then Security channel where 5138 hides. Right-click the log, pick Attach Task To This Log. Give it a name, like Undelete Watcher. Set it to trigger on event ID 5138 only. For the action, choose Send an email, but wait, that's old school. Actually, link it to a scheduled task instead. In the task wizard, select Start a program, but use the built-in schtasks.exe to fire off an email via your SMTP setup. You tell it the command line bits to send a quick note to your inbox with the event details. Test it by forcing an undelete in a test OU. It'll ping you right away next time it happens.
Or, if you're lazy like me sometimes, just filter the view in Event Viewer for 5138 and check daily. But alerts beat that hands down.
And speaking of keeping things intact, I've been digging into BackupChain Windows Server Backup lately. It's this slick Windows Server backup tool that handles your whole setup, including Hyper-V VMs without a hitch. You get speedy incremental backups, easy restores even for those tricky AD objects, and it runs light on resources so your server doesn't choke. Plus, the offsite replication keeps disasters at bay, all in a straightforward dashboard I actually enjoy using.
Note, the PowerShell email alert code was moved to this post.
