Alert notification for group membership changes

Hi,

I am looking for assistance with Quest InTrust.

Whenever an AD group membership change occurs, the particular group owner should get an email notification.

I have tried in Quest Change Auditor but got no results.

Please assist me on this.

Regards

P. Balasubramaniam

  • Are you trying to generate the alerts using InTrust or Change Auditor?

    Can you please provide us some details on what you have tried (including screen caps if possible)?

  • Thank you so much for the reply.

    I have a lot of critical AD groups; the level one team is adding to and removing from the AD groups according to incident requests.

    Whenever a user account is added or removed, group owners should be notified automatically via email alert.

    I have Quest InTrust and Change Auditor in my infrastructure.

  • Hi mcsebala,

    This can be achieved if you have InTrust 11.3.1 or later, with a little customization effort. If you have an older version, you need to upgrade to 11.3.1 or later.

    Find the InTrustPDOImport.exe tool in the InTrust installation folder or on the DVD and run the following commands on the InTrust server box under an InTrust admin account:
    InTrustPDOImport.exe -import "Group's Manager Address Discovery.xml"
    InTrustPDOImport.exe -import "Group's Manager.xml"

    Group's Manager.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Group's Manager.xml $
    $Revision: 0 $
    $Modtime: 7/4/2018 07:34:01 $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ADCNotificationOperator original_parent="\Configuration\Objects\{716614E3-3700-45C4-9701-B60B28B84CB8}\Operators">
    	<Description></Description>
    	<Type>{A7B4859C-DFB4-43C1-9868-9516BEB7CF3E}</Type>
    	<Name><![CDATA[Group's Manager]]></Name>
    	<Guid>{D7FFB57E-D7CB-42C4-B49B-9135D26D7E84}</Guid>
    	<Addresses>
    		<ADCNotificationAddress>
    			<Guid>{CCD38DDB-5F5E-466E-B9FC-33E9D84F0438}</Guid>
    			<Address>01000000000000000000000000000000</Address>
    			<Type>{0E9BDFCB-7463-499A-A52C-C663CB9FFFC8}</Type>
    		</ADCNotificationAddress>
    		<ADCNotificationAddress>
    			<Guid>{AFD650D9-E6E2-4134-B253-4EF173987722}</Guid>
    			<Address>0100000000000000</Address>
    			<Type>{F4F57A86-AADE-4BF2-9181-EB4CB5905310}</Type>
    		</ADCNotificationAddress>
    		<ADCNotificationAddress>
    			<Guid>{777B357E-4C5C-4029-8CBF-F89BEAC34178}</Guid>
    			<Address>01000000260000007B00460041003700370035003500350030002D0039004100420034002D0034004400320043002D0038004400340045002D003500440030004100450032003300350045004300370038007D0021000000470072006F00750070002700730020004D0061006E00610067006500720020004100640064007200650073007300200044006900730063006F007600650072007900</Address>
    			<Type>{BD5388DC-BCD8-423D-97A8-81B18CAE935B}</Type>
    		</ADCNotificationAddress>
    	</Addresses>
    </ADCNotificationOperator>
    
    Group's Manager Address Discovery.xml
    <?xml version="1.0" encoding="utf-8" ?>
    
    <!--
    ==============================================================================
    
    Copyright 2018 Quest Software Inc. ALL RIGHTS RESERVED.
    
    $Workfile: Group's Manager Address Discovery.xml $
    $Revision: 0 $
    $Modtime: 7/4/2018 07:34:20 $
    
    ==============================================================================
    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
    EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
    WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
    ==============================================================================
    -->
    
    <ITRTWSHScript original_parent="\Configuration\Objects\{48797482-BD95-4F64-9526-9D15578E66E5}\ResponseActions">
    	<Name><![CDATA[Group's Manager Address Discovery]]></Name>
    	<Guid>{FA775550-9AB4-4D2C-8D4E-5D0AE235EC78}</Guid>
    	<Language>{832BD5B4-61BE-487D-BFA0-96C6BD7E8F89}</Language>
    	<Description>Discovers the email address of the user which is specified in ManagedBy attribute of the Group. Can be used with Group Membership events only.</Description>
    	<Script><![CDATA[  
    #include <Enumeration script: Common Functions>
    	
    var ScriptID = "LDAP SCOM Enumerator:{5C6BC096-C36B-49b7-BB8A-17075710F838}";
    
    
    #TRACE TraceDebug "Start script execution..."
    
    // The domain is taken from the server;
    // you can redefine it here.
    var prefix = "LDAP://"
    
    iScope              = Parameters["Search Scope"];
    iNeedDeepSearch     = Parameters["Need Deep Search"];
    
    function resolve(filter, attribute) {
       strFilter = filter;
     
       #TRACE TraceDebug "ProcessParameters"
       strAttributeName=attribute;
    
       var query = ProcessParameters();
    
       #TRACE TraceDebug "query = " + query
       #TRACE TraceDebug "attribute = " + attribute
    
       var command = CreateADOCommand();
       try
       {
    
          command.CommandText = query;
          #TRACE TraceDebug "Execute..."
          var Rs = command.Execute();
          #TRACE TraceDebug "complete..."
    
          if (Rs.EOF) {
             #TRACE TraceDebug "not found"
             return null;
          }
    
          var attr = Rs.Fields.Item(0).Value;
          var dn = Rs.Fields.Item(1).Value;
    
          #TRACE TraceDebug "dn = " + dn
          #TRACE TraceDebug "attr = " + attr
    
          var obj = {};
          obj[attribute] = attr;
          obj["dn"] = dn;
          return obj;
       }
       catch(e)
       { }
    
       return null;
    }
    
    var filterBegin = "(&(&(objectCategory=group)(objectSid=*))(anr=";
    var filterEnd = "))";
    
    function findManager(user, domain)
    {
       strBindString = prefix + domain
    
       #TRACE TraceDebug "user = " + user
       #TRACE TraceDebug "try find in domain " + domain
    
       return resolve(filterBegin + user + filterEnd, "ManagedBy");
    }
    
    function ResolveManagerEmail()
    {
        try
        {
            var manager = "";
            var mail = "";
    
            #TRACE TraceDebug "start process"
    
            var strGroup;
            var index;
            var eventCount = EventCount();
            #TRACE TraceDebug "eventCount = " + eventCount
    
            for(var i = 0; i < eventCount; ++i) 
            {
                index = "_" + i;
                #TRACE TraceDebug "index = " + index
                strGroup = Events[index].String3;
                strDomain = Events[index].String4;
                #TRACE TraceDebug "Try to resolve in target domain ..."
    
                manager = findManager(strGroup, strDomain)
                if (manager == null) {
                   #TRACE TraceDebug "Try to resolve in InTrust domain ..."
    
                   var intrustDomain = Domain();
                   manager = findManager(strGroup, intrustDomain);
                   if (manager == null) {
                      #TRACE TraceDebug "cannot resolve manager"
                      continue;
                   }
                }
    
                var dnManager = manager["ManagedBy"];
    
                #TRACE TraceDebug "resolved manager = " + dnManager 
    
                var q =  "(distinguishedname=" + dnManager + ")";
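                var resp = resolve(q, "mail");
                // resolve() returns null when the manager object is not found or the query fails
                if (resp == null) {
                   #TRACE TraceDebug "cannot resolve manager mail"
                   continue;
                }
                mail = resp["mail"];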
                #TRACE TraceDebug "resolve mail complete = " + mail
    
                AddResult(mail);
            }
         }
         catch(e)
         {
            alert("need to report an error!!! " + e.description);
         }
                
         #TRACE TraceDebug "Script execution finished"
    }
    
    
    ]]></Script>
    	<Parameters>
    		<ITRTWSHScriptParameter>
    			<Name>Search Scope</Name>
    			<Guid>{5C58B8F8-1D8D-4928-8C72-625B3A00C2A4}</Guid>
    			<DefaultValue>2</DefaultValue>
    			<Description>0-base, 1-one level, 2-subtree</Description>
    		</ITRTWSHScriptParameter>
    		<ITRTWSHScriptParameter>
    			<Name>Need Deep Search</Name>
    			<Guid>{EB4CD1AA-055C-4585-B200-6B1200D67A32}</Guid>
    			<DefaultValue>1</DefaultValue>
    			<Description>Lookup the attribute in domains if not found in a Global Catalog. 1-yes, 0-no</Description>
    		</ITRTWSHScriptParameter>
    	</Parameters>
    </ITRTWSHScript>
    

    After that, reopen InTrust Manager and observe the new objects, "Configuration|Personnel|Operators|Group's Manager" and "Configuration|Advanced|Scripts|Group's Manager Address Discovery". The "Group's Manager" operator can be used instead of (or along with) the standard Operator in a monitoring policy that includes the predefined rules "Group member added by unauthorized personnel" and "Group member removed by unauthorized personnel", or rules that are based on these two.
    Note that the email address will not be resolved if you try to use the "Group's Manager" operator in a policy with other rules, e.g. "Group created by unauthorized personnel". This is because the "Group's Manager Address Discovery" script relies on certain string numbers of certain group membership management event IDs. To cover the latter scenario, you need to create another script and another operator.
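
The script above builds its two LDAP filters by concatenating the group name from the event and the manager's DN without escaping. The following is an added example, not part of the posted script or Quest's code, showing RFC 4515 escaping for those two filter shapes; the function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not InTrust APIs.

// RFC 4515: escape \ * ( ) and NUL as a backslash plus two hex digits.
function escapeLdapFilterValue(value) {
    return String(value).replace(/[\\*()\u0000]/g, function (ch) {
        var hex = ch.charCodeAt(0).toString(16);
        return "\\" + (hex.length < 2 ? "0" + hex : hex);
    });
}

// Filter as the posted script builds it (no escaping), kept for comparison.
function naiveGroupFilter(groupName) {
    return "(&(&(objectCategory=group)(objectSid=*))(anr=" + groupName + "))";
}

// Same filter shape with the inserted group name escaped.
function buildGroupFilter(groupName) {
    return "(&(&(objectCategory=group)(objectSid=*))(anr=" +
        escapeLdapFilterValue(groupName) + "))";
}

// Same shape as the script's manager lookup, with the DN escaped.
function buildManagerFilter(managerDn) {
    return "(distinguishedname=" + escapeLdapFilterValue(managerDn) + ")";
}

// True when every "(" has a matching ")" and the depth never goes negative.
function parensBalanced(filter) {
    var depth = 0;
    for (var i = 0; i < filter.length; i++) {
        if (filter.charAt(i) === "(") depth++;
        if (filter.charAt(i) === ")") depth--;
        if (depth < 0) return false;
    }
    return depth === 0;
}

// Constructed sample values.
var sampleGroup = "Ops (night shift";   // group name with an unmatched parenthesis
var sampleDn = "CN=Smith\\, John,OU=Staff,DC=example,DC=com"; // "Last, First" style CN
```

In the posted script a malformed filter makes `resolve()` return null through its empty `catch(e) { }`, so for such a group the owner is not notified and nothing is reported.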

  • Thank you for the post.

    I achieved the requirement via Change Auditor.

    I will try your option as well.