Get notified when the list of domain administrators grows

Find all domain administrators

Active Directory supports the LDAP_MATCHING_RULE_IN_CHAIN matching rule, identified by an OID (object identifier), with which you can look up the ancestry of an object:

:1.2.840.113556.1.4.1941:=LDAP_MATCHING_RULE_IN_CHAIN

This makes it possible to find all members of a group, including the members of its nested groups. And that is with a single LDAP query! For example, the following query finds all users who are members of the group myGroup by checking whether a user belongs to any group in the chain of groups that has myGroup at its top:

(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=myGroup,ou=groups,dc=maxcrc,dc=de))

This matching rule lets you find all members of the Administrators group in the Builtin container, and thus keep the administrator accounts in Active Directory under control.

Create a view

Open the File | Settings | Views dialog and click the Add button.

Type in a name for the new filter, set the scope to Active Directory and enter the LDAP filter:

(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Administratorsn,CN=Builtin,DC=labor,DC=maxcrc,DC=com))

Then specify the list of attributes you would like to have and save the settings by clicking Apply or OK.

The new view domain admins is now created and you can select it in the Views combo box.

Here are the direct members of group CN=Administratorsn,CN=Builtin,DC=labor,DC=maxcrc,DC=com:

| Name | Object Type | Description |
|---|---|---|
| Administrator | user | Built-in account for administering the computer/domain |
| Domain Admins | group | Designated administrators of the domain |
| Enterprise Admins | group | Designated administrators of the enterprise |
| FTPAdmin | user | Administrator managing FTP connections |
| TrolleyManager | group | Custom group definition |

The view shows all users who are members of CN=Administratorsn,CN=Builtin,DC=labor,DC=maxcrc,DC=com and its descendant groups.

How to get the report by email

You can send the content of the view by email through the Email Report dialog (click Task | Email Report… to open it). Please note that you should create an email profile first (read about that in the documentation).

The corresponding entry appears in the message log.

The report is in HTML format, which most mail clients can display.

To receive reports on a schedule, use the Scheduled Tasks and Task Properties windows. If you need to get notified only when a particular number of domain administrators is reached, specify this in Send email only when the number of entries returned by the LDAP search >=.

To test the task, click the Run Task Now button. When Windows needs elevated permissions to run the task, a special dialog informs you about that.
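The Python sketch below is an added example, not part of Userbooster or of the original article. It builds the in-chain filter with RFC 4515 escaping, resolves nested membership over a constructed snapshot the way the matching rule does (circular nesting included), and goes slightly beyond the ">=" threshold by also naming the accounts that are new since a saved baseline. The helper dn(), the Helpdesk group and the users alice, bob, carol and mallory are made up for the demo.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN
ADMINS = "CN=Administratorsn,CN=Builtin,DC=labor,DC=maxcrc,DC=com"  # DN as written in the article

def dn(cn):
    """Hypothetical helper: all constructed objects live in CN=Users."""
    return "CN=%s,CN=Users,DC=labor,DC=maxcrc,DC=com" % cn

# Constructed snapshot: group DN -> DNs of its direct members. The direct members
# of ADMINS are the ones in the article's table; everything below them is made up.
GROUPS = {
    ADMINS: [dn(n) for n in ("Administrator", "Domain Admins", "Enterprise Admins",
                             "FTPAdmin", "TrolleyManager")],
    dn("Domain Admins"): [dn("Administrator"), dn("alice")],
    dn("Enterprise Admins"): [dn("Domain Admins")],
    dn("TrolleyManager"): [dn("bob"), dn("Helpdesk")],
    dn("Helpdesk"): [dn("carol"), dn("TrolleyManager")],  # circular nesting
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN containing ( ) * or \\ cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def in_chain_filter(group_dn):
    """The article's filter for an arbitrary group DN."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:%s:=%s))" % (IN_CHAIN, escape_filter_value(group_dn)))

def users_in_chain(groups, group_dn):
    """What the in-chain rule computes: users reachable through any nesting depth."""
    users, seen, stack = set(), {group_dn}, [group_dn]
    while stack:
        for member in groups[stack.pop()]:
            if member not in groups:
                users.add(member)          # leaf object: treated as a user here
            elif member not in seen:       # visit each group once (handles cycles)
                seen.add(member)
                stack.append(member)
    return users

def growth_alert(current, baseline, threshold):
    """Return (send_mail, added): the '>=' rule plus the accounts new since baseline."""
    return len(current) >= threshold, sorted(current - baseline)

if __name__ == "__main__":
    baseline = users_in_chain(GROUPS, ADMINS)
    changed = dict(GROUPS)
    changed[dn("Helpdesk")] = GROUPS[dn("Helpdesk")] + [dn("mallory")]  # constructed change
    print(in_chain_filter(ADMINS))
    print(growth_alert(users_in_chain(changed, ADMINS), baseline, threshold=6))
```

Against a live directory the filter string is what you hand to the LDAP client; users_in_chain only mirrors the server-side evaluation. The memberOf attribute does not reflect primary group membership (primaryGroupID), so an account whose primary group is an administrative group is not returned by this filter.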
