Get notified when the list of domain administrators grows
Find all domain administrators
In Active Directory there is an LDAP_MATCHING_RULE_IN_CHAIN matching rule OID (object identifier) with which you can look up the ancestry of an object:
1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN
This makes it possible to find all members of a group, including the members of nested groups, with a single LDAP query! For example, the following query finds all users who are members of the group myGroup by checking whether a user belongs to any group in the chain of groups that has myGroup at its top:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=myGroup,ou=groups,dc=maxcrc,dc=de))
This matching rule OID lets you find all members of the group Administrators in the container Builtin and thus keep track of the administrator accounts in Active Directory.
Create a view
Open the File | Settings | Views dialog and click the Add button.
Type in a name for the new filter, set the scope to Active Directory and enter the LDAP filter:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,CN=Builtin,DC=labor,DC=maxcrc,DC=com))
Then specify the list of attributes you would like to see and save the settings by clicking Apply or OK.
The new view domain admins is now created and you can select it in the Views combo box.
Here are the direct members of the group CN=Administrators,CN=Builtin,DC=labor,DC=maxcrc,DC=com:
| Name | Object Type | Description |
|---|---|---|
| Administrator | user | Built-in account for administering the computer/domain |
| Domain Admins | group | Designated administrators of the domain |
| Enterprise Admins | group | Designated administrators of the enterprise |
| FTPAdmin | user | Administrator managing FTP connections |
| TrolleyManager | group | Custom group definition |
Here you can see all users who are members of CN=Administrators,CN=Builtin,DC=labor,DC=maxcrc,DC=com or of any group nested below it.
How to get the report by email
You can send the content of the view by email through the Email Report dialog (click Task | Email Report… to invoke it). Please note that you need to create an email profile first (read about that in the documentation).
The corresponding entry appears in the message log.
The report is in HTML format, which most mail clients can display:
When you want to receive reports on a schedule, use the Scheduled Tasks and Task Properties windows. If you need to be notified only when a particular number of domain administrators is reached, specify this in Send email only when the number of entries returned by the LDAP search >=.
To test the task, click the Run Task Now button. If Windows needs elevated permissions to run the task, a special dialog informs you about that.
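As an added illustration (not code from the tool described above), the following Python model shows what the chain filter resolves to when run against a group, and how the "send email only when the number of entries >= N" condition behaves on top of it. The directory snapshot is constructed sample data; the DNs outside CN=Builtin, the Helpdesk group and the two extra users are assumptions.

```python
# Offline model of the chain filter used above (constructed data, not a real domain):
# (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=<group DN>))
# plus the "send email only when entries >= N" condition of the scheduled task.
ADMINS = "CN=Administrators,CN=Builtin,DC=labor,DC=maxcrc,DC=com"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=labor,DC=maxcrc,DC=com"
ENTERPRISE_ADMINS = "CN=Enterprise Admins,CN=Users,DC=labor,DC=maxcrc,DC=com"
TROLLEY = "CN=TrolleyManager,OU=groups,DC=labor,DC=maxcrc,DC=com"
HELPDESK = "CN=Helpdesk,OU=groups,DC=labor,DC=maxcrc,DC=com"  # assumed extra group

def entry(category, obj_class, *member_of):
    return {"objectCategory": category, "objectClass": obj_class, "memberOf": list(member_of)}

# Constructed snapshot: DN -> attributes. objectCategory is simplified to its RDN value.
SNAPSHOT = {
    ADMINS: entry("group", "group"),
    DOMAIN_ADMINS: entry("group", "group", ADMINS),
    ENTERPRISE_ADMINS: entry("group", "group", ADMINS),
    TROLLEY: entry("group", "group", ADMINS, HELPDESK),
    HELPDESK: entry("group", "group", TROLLEY),  # Helpdesk <-> TrolleyManager loop
    "CN=Administrator,CN=Users,DC=labor,DC=maxcrc,DC=com": entry("person", "user", ADMINS, DOMAIN_ADMINS),
    "CN=FTPAdmin,CN=Users,DC=labor,DC=maxcrc,DC=com": entry("person", "user", ADMINS),
    "CN=jdoe,OU=staff,DC=labor,DC=maxcrc,DC=com": entry("person", "user", HELPDESK),  # admin via the loop
    "CN=svc-backup,OU=services,DC=labor,DC=maxcrc,DC=com": entry("person", "user", DOMAIN_ADMINS),
    "CN=intern,OU=staff,DC=labor,DC=maxcrc,DC=com": entry("person", "user"),
    "CN=WS01,CN=Computers,DC=labor,DC=maxcrc,DC=com": entry("computer", "user", ADMINS),  # not a person
}

def in_chain(dn, target):
    """True if target occurs anywhere in dn's transitive memberOf chain; group loops terminate."""
    seen, todo = set(), list(SNAPSHOT[dn]["memberOf"])
    while todo:
        group = todo.pop()
        if group == target:
            return True
        if group not in seen:
            seen.add(group)
            todo.extend(SNAPSHOT.get(group, {}).get("memberOf", []))
    return False

def effective_admins(group_dn=ADMINS):
    """User objects (computers excluded) that are direct or nested members of group_dn."""
    return sorted(dn for dn, a in SNAPSHOT.items()
                  if a["objectCategory"] == "person" and a["objectClass"] == "user"
                  and in_chain(dn, group_dn))

def check_growth(current, baseline, threshold):
    """(members not in baseline, alert) where alert is the task's 'entries >= N' condition."""
    return sorted(set(current) - set(baseline)), len(current) >= threshold
```

Comparing each run against the previous member list (the baseline) catches a new nested path such as jdoe's even when the total count stays below the threshold.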