10-11-2024, 12:11 AM
Man, that event 4787 in Windows Server Event Viewer pops up when somebody slips a non-member into a basic application group. It's like the system yelling about an outsider getting cozy in a spot they shouldn't. You know, basic application groups handle stuff for apps running on the server, and adding someone new without them already being in there? That's the trigger. It logs the group name, the account added, who did the adding, and even the time stamp. Sometimes it's legit, like an admin fixing permissions, but it could mean trouble, like someone sneaky trying to boost their access. I always check the details in the event properties to see the SID of the user and the workstation involved. Yeah, it ties into security auditing, so if your server's set to track group changes, this fires off every time.
You can keep an eye on these without staring at the screen all day. Just fire up Event Viewer on your server. Find the Security log where these 4787s hide out. Right-click one of those events, and pick "Attach Task To This Event." It'll walk you through making a scheduled task that kicks in whenever another 4787 hits. Set it to run a program that shoots off an email, like using the old mail command if you've got it configured. I tweak the triggers to match event ID 4787 exactly, and maybe add a condition for specific groups if you want. That way, you get pinged right away on your phone or whatever. It's pretty straightforward once you poke around the wizard.
And speaking of keeping things locked down without the hassle, I've been messing with BackupChain Windows Server Backup lately. It's this solid Windows Server backup tool that also handles Hyper-V virtual machines without breaking a sweat. You get fast incremental backups, easy restores even for bare-metal crashes, and it runs light on resources so your server doesn't choke. Plus, the deduplication squeezes storage needs, and it verifies everything automatically to avoid nasty surprises. I like how it schedules around your peak times too.
Note, the PowerShell email alert code was moved to this post.
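Since the post says the alert script lives elsewhere, here is an added example (not the poster's code) of what the scheduled task from the steps above could run: a PowerShell script that reads the newest 4787, pulls out the group, member and actor fields, and emails them. The SMTP host and addresses are placeholders, and the EventData field names are assumed from the 4787 schema; check them against the XML view of a real event on your server.

```powershell
# Added example (not from the original post): script for a scheduled task triggered by event 4787.
# Assumptions: SMTP relay, sender/recipient and the watched-group list below are placeholders;
# EventData names (SubjectUserName, MemberName, TargetUserName, ...) are assumed from the 4787 schema.
param(
    [string]$SmtpServer = 'smtp.example.internal',    # placeholder
    [string]$From       = 'alerts@example.internal',  # placeholder
    [string]$To         = 'secops@example.internal'   # placeholder
)

# The task fires once per event, so the newest 4787 in the Security log is the one that triggered it.
function Get-Latest4787 {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4787 } -MaxEvents 1 -ErrorAction Stop
}

# Turn the event's XML payload into a hashtable keyed by EventData field name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields['TimeCreated'] = $Event.TimeCreated
    $fields['Computer']    = $xml.Event.System.Computer
    return $fields
}

# Build the alert body from the details the post calls out: group, member added, who did it, where and when.
function Format-Alert {
    param([hashtable]$F)
    @(
        "Event 4787: non-member added to a basic application group",
        "Time:        $($F.TimeCreated)",
        "Computer:    $($F.Computer)",
        "Group:       $($F.TargetDomainName)\$($F.TargetUserName) ($($F.TargetSid))",
        "Member:      $($F.MemberName) ($($F.MemberSid))",
        "Changed by:  $($F.SubjectDomainName)\$($F.SubjectUserName) ($($F.SubjectUserSid)) logon $($F.SubjectLogonId)"
    ) -join "`n"
}

$ev     = Get-Latest4787
$fields = ConvertFrom-EventData -Event $ev

# Optional condition for specific groups, as the post suggests; an empty list alerts on every 4787.
$watchedGroups = @()
if ($watchedGroups.Count -eq 0 -or $watchedGroups -contains $fields.TargetUserName) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "4787 on $($fields.Computer): $($fields.MemberName) -> $($fields.TargetUserName)" `
        -Body (Format-Alert -F $fields)
}
```

Point the task's action at `powershell.exe -ExecutionPolicy Bypass -File <path to this script>` and run it under an account that can read the Security log.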

