The following code illustrates a simple WQL event query that you can use to monitor the Enterprise Admins group in AD:
Select * From
__InstanceModificationEvent
Within 10
Where TargetInstance ISA
'ds_group' AND
TargetInstance.ds_name=
'Enterprise Admins'
This WQL event query requests a notification within 10 seconds for any modifications made to an instance of the Enterprise Admins group. I used this query in a script I created to monitor Windows group modifications, which Listing 1 shows. You can download the script and the helper functions it uses from the Windows Scripting Solutions Web site. Go to http://www.winnetmag.com/windowsscripting, enter InstantDoc ID 41835 in the InstantDoc ID box, then click Download the Code. The script uses this WQL event query with command-line parameters to specify the groups for which you want to monitor modifications. When a WMI notification is received, the script sends an HTML email alert. The sample script is an immediate application of the WMI AD providers and the WMI monitoring capabilities. You must run the script in the Administrator security context, with the groups you want to monitor listed on the command line separated by a space. The command's syntax is
GroupMonitor.wsf "GroupName1"
["GroupName2"] ["GroupNameN"]
[/Machine:value] [/User:value]
[/Password:value]
The GroupName1 to GroupNameN values in the command-line definition represent the list of groups to monitor. The /Machine switch represents the name of the domain controller (DC) to which WMI should connect (the default is localhost). The /User switch specifies the username to use for the WMI connection, and the /Password switch specifies its associated password. For example, to monitor the Enterprise Admins and Domain Admins groups for modifications from a DC named ServerA.LissWare.Net, you'd use the command . . .
Register
Steven Griffiths March 22, 2004