We all know that Administrators are trustworthy people, and that they all love to fill pages and pages of reports about the brand-new users they’ve created.
So what happens when you want reporting on their work even if they don’t want to provide it?
The first thing to do is forward the Domain Controllers' events to a trusted computer you manage; to achieve this, you can follow this article: http://technet.microsoft.com/en-us/library/cc749140.aspx
But this is only good for you if you have time to read those events.
So here is a solution for you: get alerted, by mail, about specific collected events.
This article assumes that event auditing is activated/configured on your DC, and takes as an example that you want to know “When and by whom is a user account created?”.
First step: Identify the events you need to get reports about.
Either you know the event by heart, or you read the official list here (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3a15b562-4650-4298-9745-d9b261f35814), or you just generate the event you want by creating a new user 🙂
Then look at your event viewer and search for it.
Here it is: Category: User Account Management, ID: 4720
Right-click: Attach Task To This Event
This opens a new Basic Task creation wizard.
Now it’s time to name this task
Next. Then “When an event is logged” (greyed out, but the default parameters are just fine)
Action: Display a message
Next > Summary > Finish
Second step: Task fine-tuning
OK, now we have a nice brand-new task generating a superb pop-up message.
But we have no clue about the “when and who”.
So we have to get the event data inside our task and generate a custom message from here.
Open the event you used at the “Attach a Task To This Event” step in the Event Viewer, and look at the Details pane.
Note the field names you want to use in your task; here I will use the following fields:
System – Computer
EventData – TargetUserName
EventData – SubjectUserName
EventData – UserPrincipalName
Then open the XML task file (here I used Notepad++) and insert the following XML entry in the EventTrigger section: a ValueQueries section and its Value data, as shown in the picture below:
Note that data from System is imported using:
<Value name="your_variable_here">Event/System/_source_</Value>
But for EventData the format is a little different, so you have to use:
<Value name="your_variable_here">Event/EventData/Data[@Name='_source_']</Value>
Save, and import the task in the Task Scheduler (note: you need to delete the previous task if you want to update it).
Now that our event fields are updated in the task variable, we can use them in our
Edit the task, and go to the Action pane
Modify the “Display a message” action
As you can see, it’s pretty straightforward: $(your_variable_here) will use the variable filled from the event data as a string.
Just generate a new user and you will have a pop-up like this one:
Now just add a new Action to your task to send an email.
You will have an email each time a new user is generated by your admins, with the admin account and the new user name.
Isn’t this Task Scheduler great?