04-30-2025, 05:18 PM
It logs the exact command they issued, like who did it and what role got the nod.
The action_id G means it's a grant action, and class_type SG points to server roles specifically.
You see this in the Event Viewer under security or application logs, depending on your setup.
It flags changes to who can do what on the server level, which could be a big deal if it's not you making the move.
I always check these because they might hint at someone poking around where they shouldn't.
Now, to watch for this without staring at screens all day, you can hook up a task right from Event Viewer.
Open Event Viewer, find that event under the right log, say Windows Logs or Applications and Services Logs for SQL stuff.
Right-click the event, pick Attach Task To This Event.
Name it something like RoleGrantAlert, then set it to trigger on event ID 24291.
In the action tab, choose Start a program, and point it to your email client or a simple batch that shoots off a message.
Make sure the task runs with enough rights, and test it by forcing a similar event if you can.
That way, every time 24291 fires, you get a ping in your inbox about the grant command details.
Or, if you want it fancier, tweak the task to include the event description in the email body.
Hmmm, keeps things straightforward without digging into code.
Speaking of keeping your server safe from mishaps like sneaky permission changes, I've been eyeing tools that back everything up seamlessly.
BackupChain Windows Server Backup steps in as a solid Windows Server backup option, handling physical setups and even Hyper-V virtual machines without a hitch.
It snapshots your data quick, encrypts it tight, and restores fast if roles or files go wonky.
You get versioning too, so you roll back changes easily, saving headaches from audit events like that 24291.
And at the end here, there's the automatic email solution for monitoring- it'll get added in later for you.
Note, the PowerShell email alert code was moved to this post.
