

How-To Use Log & Event Manager to Detect Privilege Changes in Active Directory - Video

Updated August 18th, 2016


This video will show you how to use LEM to alert you when users are added to privileged groups in Active Directory®.

Video Transcription

Before creating the rules, ensure you have configured the email connector in your LEM console. To enable email, navigate to the Ops Center view, locate the "Getting Started" widget and click on "Configure Basic LEM Settings". A wizard will appear and guide you through the email configuration process.

Let's get started!

  1. Log in to your web console and navigate to "Build," then "Rules."
  2. LEM includes several rules specifically designed to monitor Active Directory; they are located in the Change Management category.
  3. Within the Change Management category select "Group Changes" and locate the "New Critical Group Member" rule.
  4. To view and edit the rule, select "Clone" and it will open the rule configuration interface.
  5. The Correlations window contains the logic and information needed to detect the proper event. As you can see here, the rule is specifically looking in the EventInfo field within the New Group Member event for the message "Member Added to Group". The rule is also looking in the MemberID field to ensure that it does NOT contain a $, and checking that the group name belongs to the list of Admin Groups.
  6. To view or edit the Admin Groups list, click on "Build," then "Groups." Then, under the Type drop-down menu, select "User Defined Groups." User-defined groups are lists of information you can use throughout the web console.
  7. Click on the group to view the list details. As you can see, all of the well-known Administrative groups have already been added. If you wish to add more group names simply click the gear icon next to the list and select "Edit."
  8. Now back to the rule. The rules interface, like other interfaces within the web console, uses AND/OR Boolean logic, which is easily changed by clicking on the outside of the group. The thick blue line with a triangle in the middle seen here indicates AND. If you click on it again, it will switch to an OR operator, indicated with a thick orange line and a half circle. You can use combinations of AND/OR operators to create well-defined correlation rules.
  9. Now that you have defined exactly what you want LEM to detect, the next step is to configure a threshold.
  10. The purple box located here allows you to further define exactly when the rule should send you an email. This can be very helpful in reducing false positives. In this case, we want to know when any account has been added to an admin group, so the threshold should be left at "1".
  11. Next, you will need to review the email action and select a recipient. The Actions area already contains a pre-configured email template; however, you can edit and create templates under the Build menu.
  12. Starting at the top, you can see the Account Modification template is in use and if you click on the "Recipients" drop-down menu you can select who should receive this notification.
  13. The items here in the email that display a dollar sign represent fields. Typically, these are related to the event or events you have configured in the correlation window above.
  14. To verify fields are correct, click on the "Events" menu, type in "Group", select "New Group Member" from the list and match up the fields. LEM will collect the information located in these fields and write the data to the email notification so you know who was added to an admin group and when they were added.
  15. Now that you have verified the rule is configured properly, select the "enable" check box above, then save the rule and finally, click the "Activate Rules" button at the top.
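The correlation block from steps 5 through 10, expressed as detection logic you can run over sample events. This is an added example written for this page, not SolarWinds code and not LEM's rule engine: the EventInfo and MemberID field names and the "Member Added to Group" message come from the transcript, while the EventType, GroupName, Account and DetectionTime keys, the contents of the Admin Groups list, the notification template and the simplified reading of the threshold (notify once at least N matching events are seen) are assumptions. The "$" exclusion works because Active Directory computer accounts carry a trailing "$" in their sAMAccountName, so the rule ignores machine accounts and alerts only on user accounts.

```python
import string
from typing import Iterable

# Constructed list of privileged group names, standing in for LEM's user-defined
# "Admin Groups" list. The entries are well-known AD groups; the list itself is
# an assumption, not the product's shipped contents.
ADMIN_GROUPS = {
    "Administrators",
    "Domain Admins",
    "Enterprise Admins",
    "Schema Admins",
    "Account Operators",
    "Backup Operators",
    "Server Operators",
}

# The message the rule looks for in the EventInfo field (from the transcript).
TRIGGER_MESSAGE = "Member Added to Group"

# Assumed notification template using LEM-style "$field" placeholders; the
# GroupName, Account and DetectionTime field names are assumptions.
TEMPLATE = ("Account Modification: $MemberID was added to $GroupName "
            "by $Account at $DetectionTime")


def is_critical_group_add(event: dict, admin_groups=ADMIN_GROUPS) -> bool:
    """Mirror of the rule's correlation block: all three checks are ANDed.

    1. EventInfo of a New Group Member event carries "Member Added to Group".
    2. MemberID does NOT contain '$' (AD computer accounts end in '$', so
       this keeps machine-account group joins out of the alert).
    3. The group is one of the privileged groups in the Admin Groups list.
    """
    if event.get("EventType") != "NewGroupMember":
        return False
    if TRIGGER_MESSAGE not in event.get("EventInfo", ""):
        return False
    if "$" in event.get("MemberID", ""):
        return False
    return event.get("GroupName", "") in admin_groups


def render_notification(event: dict) -> str:
    """Fill the $-placeholders from the event, as the email action does."""
    return string.Template(TEMPLATE).safe_substitute(event)


def evaluate(events: Iterable[dict], threshold: int = 1) -> list:
    """Apply the rule and the threshold.

    Simplified reading of the threshold box: notify when at least `threshold`
    matching events are seen. With the page's value of 1, every addition of a
    user account to a privileged group produces a notification.
    """
    matches = [e for e in events if is_critical_group_add(e)]
    if len(matches) < threshold:
        return []
    return [render_notification(e) for e in matches]


# Constructed sample events (not real logs), normalised into LEM-style fields.
SAMPLE_EVENTS = [
    # User account added to a privileged group: this is the case to alert on.
    {"EventType": "NewGroupMember", "EventInfo": "Member Added to Group",
     "MemberID": "jsmith", "GroupName": "Domain Admins",
     "Account": "helpdesk1", "DetectionTime": "2016-08-18 09:14:02"},
    # Computer account (trailing '$'): excluded by the MemberID check.
    {"EventType": "NewGroupMember", "EventInfo": "Member Added to Group",
     "MemberID": "WS-FIN-07$", "GroupName": "Domain Admins",
     "Account": "svc-deploy", "DetectionTime": "2016-08-18 09:15:40"},
    # Ordinary group: not in the Admin Groups list.
    {"EventType": "NewGroupMember", "EventInfo": "Member Added to Group",
     "MemberID": "akumar", "GroupName": "Marketing",
     "Account": "helpdesk1", "DetectionTime": "2016-08-18 09:16:11"},
    # Different message text: a removal, not an addition.
    {"EventType": "NewGroupMember", "EventInfo": "Member Removed from Group",
     "MemberID": "jsmith", "GroupName": "Schema Admins",
     "Account": "helpdesk1", "DetectionTime": "2016-08-18 09:17:55"},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Run as a script, the block prints one notification, for jsmith being added to Domain Admins; the computer account, the non-privileged group and the removal are all filtered out. Raising `threshold` above the number of matches suppresses the notification entirely, which is the false-positive-reduction behaviour step 10 describes.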

For more training, visit:
