Monitor Group Membership Changes

From: Alan (Alan_at_discussions.microsoft.com)
Date: 02/01/05
Date: Tue, 1 Feb 2005 04:35:08 -0800

Although it's possible to detect an update to a group using the security
event log, this doesn't give the detail of the change.
Does anyone know of a mechanism or tool that would allow the state of a
group to be logged before and after a change was made?
In other operating systems, this sort of thing can be done with a
configurable "exit" - i.e. an event trap that could call user written code to
perform a required action, e.g. log something to a file, generate an email,
etc. If a configurable exit were available between the membership change
being requested and being actioned, that would allow the content of the group
to be written out.

Similarly, after the change had been committed an exit could allow the
logging of the group post change. This would allow an audit trail of exactly
what changes were made to a group over time.

Does anyone know if this exists in an Active Directory environment?

If not, are there any third-party tools that might achieve the same result,
and any speculation on how they achieve this?

Thanks for any information or suggestions.
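The "before and after" audit trail the post asks for can be approximated without an exit hook by snapshotting the group on a schedule and diffing each run against the previous snapshot. The script below is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory PowerShell module is installed, that the caller can read the group, and that the state directory (placeholder `C:\GroupAudit`) is writable. The group name and directory are parameters, not values from the page.

```powershell
# Added example (not from the original post): record an AD group's membership
# to a JSON snapshot and diff it against the previous snapshot, writing an
# audit line for every member added or removed. Assumptions: RSAT
# ActiveDirectory module present; $StateDir is a writable placeholder path.
param(
    [Parameter(Mandatory)] [string] $GroupName,      # e.g. 'Domain Admins'
    [string] $StateDir = 'C:\GroupAudit'             # assumed state/log location
)
Import-Module ActiveDirectory

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$safeName     = $GroupName -replace '[^\w\-]', '_'
$snapshotPath = Join-Path $StateDir "$safeName.json"
$logPath      = Join-Path $StateDir 'group-changes.log'
$stamp        = Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'

# "After" state: distinguished names are stable identifiers, so diff on those.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Select-Object -ExpandProperty distinguishedName | Sort-Object)

if (-not (Test-Path $snapshotPath)) {
    # First run: there is no "before" state yet, so only record a baseline.
    Add-Content $logPath "$stamp BASELINE group='$GroupName' members=$($current.Count)"
} else {
    # "Before" state from the previous run. @() keeps a 0- or 1-member group
    # as an array after JSON round-tripping.
    $previous = @(Get-Content $snapshotPath -Raw | ConvertFrom-Json)

    # Set difference in both directions; empty sides are handled naturally,
    # so a group emptied out entirely still logs every REMOVED member.
    $added   = @($current  | Where-Object { $_ -notin $previous })
    $removed = @($previous | Where-Object { $_ -notin $current })

    foreach ($m in $added)   { Add-Content $logPath "$stamp ADDED   group='$GroupName' member='$m'" }
    foreach ($m in $removed) { Add-Content $logPath "$stamp REMOVED group='$GroupName' member='$m'" }
    if ($added.Count -eq 0 -and $removed.Count -eq 0) {
        Add-Content $logPath "$stamp NOCHANGE group='$GroupName' members=$($current.Count)"
    }
}

# Persist the "after" state; it becomes the "before" state of the next run.
# -InputObject keeps the JSON an array even for zero or one member.
ConvertTo-Json -InputObject $current | Set-Content $snapshotPath
```

Run it from a scheduled task (for example `.\Audit-GroupMembers.ps1 -GroupName 'Domain Admins'` every few minutes) and the log shows exactly which members changed between runs, which is the detail the event log alone does not give. Two caveats: the diff only sees direct members, so add `-Recursive` to `Get-ADGroupMember` if nested group changes matter, and a member added and removed between two runs is invisible to a polling approach, so keep Security-log auditing of group membership events enabled alongside it rather than as a replacement.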