Check sensitive Windows groups
In our previous life, we had written a Nagios plugin to check whether a sensitive Windows group had changed (e.g., Domain Admins). I created a replacement for this within LM, but since we can't really keep track of deltas without a key/value store, we use a property for each group that specifies the expected members, which should be updated when membership changes intentionally. We also use a property to list the groups for AD so we can store useful ILPs, but since those ILPs are not passed to the collection script (they could be, they just are not currently passed for PowerShell), the list of groups that can be checked is restricted to what is built into the collection script.
For one or more AD controllers then, you would specify (for example):
windows.groupcheck.list: Domain Admins
windows.groupcheck.spec.Domain_Admins: administrator,alice,bob
If the list diverges, the datapoint for that group will alert. There is also a total count of members that is tracked, and can be used to set an alert if needed (e.g., some groups like Schema Admins should normally be empty, but that can be handled by the spec).
2Y9FM6
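The following is an added example of the membership check described above, written for this page and not the module's own collection script. It assumes the LogicMonitor collector substitutes ##property## tokens textually before the script runs (which is why the checkable groups are hardcoded in the $specs table and a token name cannot be built at run time), that a spec property left unset stays as its literal "##...##" token, and that the DataSource parses key=value output lines into datapoints named <Group>.count, <Group>.diverged, <Group>.nospec and <Group>.unsupported. Only direct members are read (Get-ADGroupMember without -Recursive); the comparison is case-insensitive and order-independent, and an empty spec means the group is expected to be empty, as with Schema Admins.

```powershell
# Added example, not the original post's script. Assumes LogicMonitor token
# substitution: each ##...## below is replaced by the device property's value
# before execution, so specs for built-in groups are embedded as literals.
$specs = @{
    'Domain Admins'     = '##windows.groupcheck.spec.Domain_Admins##'
    'Enterprise Admins' = '##windows.groupcheck.spec.Enterprise_Admins##'
    'Schema Admins'     = '##windows.groupcheck.spec.Schema_Admins##'
}
$wanted = @('##windows.groupcheck.list##' -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

function Normalize-Members([string[]]$names) {
    # Trim, lower-case and de-duplicate so spelling case and order in the spec do not matter
    @($names | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ } | Sort-Object -Unique)
}

function Compare-GroupMembership([string]$group, [string]$spec, [string[]]$actual) {
    # Returns count of current members, a 0/1 divergence flag, and who was added/removed
    $expected = Normalize-Members ($spec -split ',')
    $current  = Normalize-Members $actual
    $added    = @($current  | Where-Object { $_ -notin $expected })   # present but not in spec
    $removed  = @($expected | Where-Object { $_ -notin $current })    # in spec but missing
    [pscustomobject]@{
        Group    = $group
        Count    = $current.Count
        Diverged = [int](($added.Count + $removed.Count) -gt 0)
        Added    = $added
        Removed  = $removed
    }
}

function Get-CurrentMembers([string]$group) {
    # Direct members only; nested groups would need -Recursive and a separate spec policy
    Import-Module ActiveDirectory -ErrorAction Stop
    @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
}

foreach ($g in $wanted) {
    $key = $g -replace '\s', '_'
    if (-not $specs.ContainsKey($g)) {
        # Requested group is not built in; surface that rather than silently skipping it
        "$key.unsupported=1"
        continue
    }
    $spec = $specs[$g]
    if ($spec -like '##*##') {
        # Token was never substituted, i.e. the spec property is not set on the device
        "$key.nospec=1"
        continue
    }
    try {
        $r = Compare-GroupMembership -group $g -spec $spec -actual (Get-CurrentMembers $g)
    } catch {
        "$key.error=1"
        continue
    }
    "$key.count=$($r.Count)"
    "$key.diverged=$($r.Diverged)"
    if ($r.Diverged) {
        Write-Verbose ("{0}: added [{1}] removed [{2}]" -f $g, ($r.Added -join ','), ($r.Removed -join ','))
    }
}
```

Compare-GroupMembership takes the current member list as a parameter, so it can be exercised offline with a constructed list (for example `Compare-GroupMembership 'Domain Admins' 'administrator,alice,bob' @('Administrator','alice','mallory')` reports count 3, diverged 1, added mallory, removed bob) without touching a domain controller; only Get-CurrentMembers needs the ActiveDirectory module. Alerting on <Group>.diverged catches unexpected additions and removals, while <Group>.count remains available for a simple threshold on groups that should stay empty.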