Monitor any Windows membership group for additions or deletions -- finally, a way to know who changed what, when!


Sends email, console or other alerts when group membership changes!


Great for sending automatic notices of user account changes to various departments!


Perfect for networks with multiple administrators!


Keep detailed logs separate from Windows event logs for added audit security!

 

 


 Overview

Greyware's Membership Monitor (GWMM) adds valuable second-level protection to your Windows user groups by generating emails, logs, and audible alerts when there are any changes in the groups you select to monitor.

The Membership Monitor Control Panel Applet

Once a LAN gets beyond the size where one administrator can handle all the changes -- especially with multiple sysadmins and account managers at multiple sites -- it becomes easy to lose track of which user is a member of which group. An unwanted or unauthorized change can go undetected for days or months, by which time the damage has long been done. And if your network has any security holes that allow users to promote themselves, you may never know what happened...the user can join a privileged group, access restricted data, then unjoin the group without leaving any sort of record behind.

Greyware's Membership Monitor prevents these kinds of surprises. With a few simple clicks you can establish a monitor for any one -- or all -- user groups in your enterprise. Membership Monitor sits quietly in the background, watching for changes. When a monitored group has a member added or removed, the program sends email alerts.

In addition, Membership Monitor can keep a detailed log file, showing all changes to monitored groups.

Requirements
    Runs on Windows XP, 2003/2003 R2, Vista, 2008/2008 R2, Win7, Win8, Win8.1, Win2012/Win2012 R2, Win10, Win2016, Win2019. Both 32 and 64-bit versions provided.

Version History
  • 2.1.b.20220322 - optional upgrade
    • Added Logon Type dropdown to the Credentials dialog. Choices are Standard Impersonation (the default), Negotiated Impersonation (helpful for disjoint networks, or where not all DCs support the same Kerberos level), and Interactive Impersonation (helpful for situations where domain policies prevent all but foreground users from reading the Security Event Log).
    • Added code to increase reliability of enumerating and checking DCs.
    • Added additional debug-level log output to show the individual steps involved in reading a DC's Security Log.

  • 2.1.b.20210501 - optional upgrade
    • Minor updates to cope with changed Windows/Temp folder permissions.

  • 2.1.b.20160701 - optional upgrade
    • Verified operation with Win2012, Win2012r2, Win10, and Win2016
    • Enhanced SMTP delivery options

  • 2.1.b.20140829 - optional upgrade
    • Added option for SSL/TLS to email
    • Enhanced SMTP logs and error messages

  • 2.1.b.20110803 - optional upgrade
    • Added ability to click on pop-up balloon notifications to start the Control Panel applet.
    • Added date/time stamp (optional; defaults to enabled) to log lines and email alerts

  • 2.1.b.20101120 - recommended upgrade; minor bug fix
    • Fixed display bug where some lines in the list of groups could be rendered as white text on a white background.
    • No other changes

  • 2.1.b.20101010 - complete rewrite, incorporating all customer requests. Recommended upgrade.
    • Support for x86/x64
    • Support for XP, Vista, Windows 7, and Windows 2008 (including R2)
    • Added syslog reporting and audible alerts
    • Uses LDAP for group enumeration on AD domains
    • Automatic configuration of all DCs in a domain

  • 1.5.b.20050813 - recommended upgrade. Bugfixes for 2000/2003 AD slow email notifications, occasional high CPU usage, and change detection frequency. Also upgraded internal structures to use current version of service support framework. Upgrade recommended for all users.

  • 1.5.b.20040308 - maintenance release. Added workaround for occasional XP shutdown problem.

  • 1.5.b.20030310 - optional upgrade. Added advanced dialog to Control Panel applet; enhanced debugging output for diagnostics; included XP graphical style.

  • 1.5.b.20020518 - optional upgrade. Increased compatibility with XP machines that are not members of a domain; added support for .Net. Increased efficiency of monitoring groups on local machine in cases where the registry is restricted for security reasons. (GWMM will still try to monitor the registry directly, but if that fails, will fall back to a different internal monitoring method that still avoids polling). No other changes.

  • 1.5.b.20010815 - recommended upgrade. Added lookup for "responsible person" information (i.e., the user who added or removed an account). Lookup requires that account auditing be enabled (see KB2001.815). Hardened security in gwmmtray.exe (the system tray icon program). Added more robust internal error handling to provide more informative error messages. Packed Intel distributable into a self-extracting zip called gwmm15.exe that automatically unpacks files into a temp directory, runs setup.exe, and then cleans up. Minor rearrangement of the Control Panel applet, plus addition of sound file vs. speaker beep for audible alerts.

  • 1.4.b.20010405 - optional upgrade. Added monitoring for pseudo-groups domain trusts and computer accounts. Added ability to view current membership list of any group, including account types and details. Enhanced internal error handling when groups are unavailable or deleted. Added automatic stop of monitoring when a monitored group is deleted.

  • 1.4.b.20010306 - recommended upgrade. Made same changes as 20010305 for Win2000 Professional edition with Active Directory enabled. Also added workaround for invalid information returned by local group enum API after inter-domain trusts are added and then removed.

  • 1.4.b.20010305 - minor bug fixes. Upgrade recommended for Win2000-AD users; optional for mixed-mode Win2000 domains, or NT. Also updated control panel graphics.

  • 1.4.b.20010126 - many improvements.
    1. Added optional system tray icon
    2. Added user full names and group descriptions to reports
    3. Cache file ACLs restrict modifications to LocalSystem (Admins have read)
    4. Cache files encrypted on disk
    5. Email temp file ACLs restrict modifications to LocalSystem (Admins have read)
    6. Registry ACLs restrict modifications to LocalSystem and Admins
    7. Log file ACLs set to limit modifications to LocalSystem and Admins
    8. Service may not be paused or stopped
    9. Settings changes recorded in Event Viewer and log file
    10. Email alerts may be high priority or normal, settable per group
    11. Email alerts may be HTML or plain text
    12. Multiple SMTP hosts may be listed
    13. Multiple email recipients may be listed
    14. Balloon help added to dialog boxes

  • 1.3.b.20000531 - added support for name-lookups across trusts, eliminating potential false duplications ("Administrator" from Domain A, "Administrator" from Domain B, etc.). Added log file. Added ability to select a domain name rather than machine name as the data source; in this case, Membership Monitor will locate an appropriate domain controller at runtime, switching to an alternate if the original choice becomes unavailable.

  • 1.2.b.19990915 - fixed bug in email code that could prevent sending mail if modem not present.

  • 1.2.b.19990913 - first public release.

  • 1.0 through 1.1 - internal use.

Setup & Installation
    Installation
    Membership Monitor requires Windows NT/2K/XP, and runs as a system service. You must be logged on using an account with administrative privileges to install or remove the service. After you download the zip file, unzip the contents to a temporary directory on your machine (or a shared network directory), then double-click setup.exe and click the Install button.

    If Membership Monitor is already installed, the Install button will not be present. Instead, setup will present an Upgrade button. If older versions of any of the distribution files already exist on your machine, the program will upgrade them automatically when you select Upgrade. In some cases, it may be necessary for you to reboot your machine to complete installation or an upgrade. If so, you will be prompted to restart.

    Membership Monitor installs to the system directory (usually C:\WINNT\system32).

    Removal
    Run setup.exe again, and click the Remove button on the setup dialog. You may also run gwmm.exe /remove from the system directory. The Remove button will only be enabled if setup determines that the service is already installed.

    Upgrading
    To upgrade to a new version, download and unzip the new version to a temporary directory. Double-click the new setup.exe and click the Upgrade button. The Upgrade button will only be visible if setup determines that an older version of the service is already installed. Otherwise, only the Install and Remove buttons will be shown.

    Command-line Options
    Although not generally needed, you may specify the following command-line options when running setup.exe or gwmm.exe. You may use a dash or a forward slash before the option. Slashes are shown below for clarity. Options may also be specified by just the first letter.

    • gwmm.exe /version or setup.exe /version -- displays the program's version and copyright information.
    • setup.exe /install -- forces installation.
    • gwmm.exe /remove or setup.exe /remove -- forces removal.
    • gwmm.exe /foreground -- (only if supported) runs the program in the foreground.
    • setup.exe /upgrade -- upgrade to newer version without removing and reinstalling.

    To assist with automated installations, the program also supports the /quiet command-line switch. You may use the /quiet switch in conjunction with /remove, /install, or /upgrade. When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered; otherwise, the program performs the requested function and exits immediately. This feature makes it easy to handle installations or upgrades network-wide with a simple batch file.

    Administrative Options and Remote Installation

    • Remote Install or Removal
      The setup program, setup.exe allows you to specify parameters on the command line for remote installation or removal:

          setup [ -install | -remove | -upgrade ] [ -quiet ] [\\targetmachine]
              

      Examples

      • setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
      • setup -remove \\barney would remove the service from the machine \\barney
      • setup -install -quiet would install the service onto the local machine without any prompts
      • setup -remove -quiet would remove the service from the local machine without any prompts

      Note: For remote installation or removal to work (i.e., specifying a target machine name, as in the first two examples above using \\fred and \\barney), both the machine you are working on and the target machine must be NT/2K/XP, and you must be logged on under an account that has administrative privileges on the target machine.

Documentation
    Membership Monitor is controlled by its Control Panel applet. To start the applet, find the Membership Monitor icon in the Windows Control Panel and click it.

    The applet lets you set the options appropriate for your machine. Any changes you make will not take effect until you click the "Apply" button or close the applet. You do not need to reboot or stop and restart the service after making changes.

    The Membership Monitor Control Panel Applet

    Group Lists
    When you start the applet, the program will attempt to display all user groups visible from the machine on which you are running Membership Monitor. If the machine is a member of a domain, the groups associated with that domain will be listed under a tab named for the domain. If the machine can discover and has rights to other domains (such as child domains), the other domains will be listed on their own tab. If the machine is a stand-alone machine, its groups will be listed under a tab named for the local machine.

    Note:
    By default, only domains that are discovered through Active Directory will automatically appear in their own tabs. If you have other domains with a trust relationship that allows interrogation of group accounts from the domain hosting Membership Monitor, then you may add them manually by editing the following key in the registry:

      HKLM\SOFTWARE\Greyware\Membership Monitor\Parameters\Additional Sources

    Enter the flat name (NetBIOS name) of each additional domain to enumerate, one name per line, i.e.

      OTHER_DOMAIN
      ANOTHER_DOMAIN

      etc...

    Restart the Membership Monitor service to apply the changes.

    The groups listed are displayed based on Windows' own internal domain group discovery methods. If your groups are not listed, you will need to verify that the machine's domain membership, Active Directory access, etc. are working correctly. You will also need to provide security credentials to each domain (see below).

      Credentials
      Membership Monitor needs sufficient rights to be able to read the security logs from domain controllers in each domain it monitors. Since the program runs as a background service, you will need to provide an account with Domain Admin rights to each domain you will be monitoring. You do this by clicking the Security Credentials for [DOMAIN] link on the bottom-left of each domain tab page. This brings up the Credentials Dialog.

      The Credentials Dialog

      IMPORTANT:
      You MUST provide a valid credentials account for each domain you monitor. Membership Monitor will not be able to detect group changes without this access.

    Monitoring Groups
    To monitor a group for changes, simply click the group's checkbox. Membership Monitor will begin tracking members in the group.

      Keep in mind that group changes will not necessarily be visible immediately. The actual time it takes a change to become visible will depend on which domain controllers were involved with the change and the replication schedule of your domain. If you are looking for the fastest notification possible, you should run Membership Monitor on the PDC-Emulator.

      See the Timings section of the Advanced Settings page for details on changing the polling rate and method to optimize notification rates.

      Membership Monitor works with Windows Auditing to report the username of the account responsible for making changes. Membership Monitor will automatically enable the correct local policy to permit this (Security Settings | Local Policies | Audit Policy | Audit Account Management | Success) for you. However, if you have group policies that override this setting, you will need to edit them to ensure that Success auditing remains enabled.
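
The audit events behind this "who made the change" lookup can also be read directly. The following is an added example, not Greyware's code and not part of the original documentation: it parses Security log events exported as XML (event IDs 4728/4729, 4732/4733, 4756/4757) and flags accounts that were added to a group and later removed, the join-then-unjoin case described in the Overview. The sample events, the EXAMPLE domain, and the account names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Member added/removed events for security-enabled global, local, universal groups.
ACTIONS = {4728: "added", 4729: "removed", 4732: "added",
           4733: "removed", 4756: "added", 4757: "removed"}

def parse_event(xml_text):
    """Return one membership change as a dict, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id not in ACTIONS:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    member = data.get("MemberName", "")
    if member in ("", "-"):            # local accounts are often logged by SID only
        member = data.get("MemberSid", "")
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "action": ACTIONS[event_id],
        "group": data["TargetDomainName"] + "\\" + data["TargetUserName"],
        "member": member,
        "actor": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
    }

def membership_changes(xml_events):
    return [c for c in map(parse_event, xml_events) if c]

def transient_members(changes):
    """Find (group, member) pairs that were added and later removed. A
    before/after membership comparison shows no difference for these."""
    added, found = {}, []
    for c in sorted(changes, key=lambda c: c["time"]):
        key = (c["group"], c["member"])
        if c["action"] == "added":
            added[key] = c
        elif key in added:
            found.append({"group": key[0], "member": key[1],
                          "added_by": added.pop(key)["actor"], "removed_by": c["actor"]})
    return found

# Constructed sample events (not real log data); EXAMPLE is a placeholder domain.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>{eid}</EventID><TimeCreated SystemTime="{t}"/></System><EventData>
<Data Name="MemberName">{member}</Data><Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
<Data Name="TargetUserName">Domain Admins</Data><Data Name="TargetDomainName">EXAMPLE</Data>
<Data Name="SubjectUserName">{actor}</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
</EventData></Event>"""
MALLORY = "CN=mallory,CN=Users,DC=example,DC=test"
SAMPLE_EVENTS = [TEMPLATE.format(eid=e, t=t, member=m, actor=a) for e, t, m, a in [
    (4728, "2024-01-10T02:14:05Z", MALLORY, "mallory"),
    (4624, "2024-01-10T02:15:00Z", "-", "mallory"),       # logon event, ignored
    (4729, "2024-01-10T02:31:40Z", MALLORY, "mallory"),
    (4728, "2024-01-10T09:00:00Z", "CN=alice,CN=Users,DC=example,DC=test", "admin1"),
]]

if __name__ == "__main__":
    for c in membership_changes(SAMPLE_EVENTS):
        print(c["time"], c["actor"], c["action"], c["member"], "->", c["group"])
    for t in transient_members(membership_changes(SAMPLE_EVENTS)):
        print("TRANSIENT:", t)
```

These events are only written when Success auditing for account management is in effect on the domain controller that processed the change, which is why the policy setting above must not be overridden.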

    Setting the Alert Actions
    When Membership Monitor detects a change to a monitored group, it will take the actions you specify to alert you or log the event. You may choose to use the Default Actions or define custom actions for any group. The selected type of action for any group will be displayed in the Alert Actions column.

      The Default Actions
      The Default Actions are set using the Options -> Alert Options item from the applet menu.

        The Default Alert Actions Dialog

        Email Notifications
        If you want email notifications for change events, you will need to click the Email Setup... button to define default email servers and recipients. You can also use the setup dialog to send test mails and to perform advanced email troubleshooting. You MUST have a default email user and email servers defined if you plan to use email notifications.

      Custom Alert Actions
      To define a custom alert action for any monitored group, right-click the desired group name and choose Set Custom Alert Actions... from the context menu.

        The Custom Alert Actions Dialog

        Changes you make here will override the Default Alert Actions settings (the Default settings are shown in light grey). If you want to ensure an action occurs even if the Default Actions change, change a setting so the checkbox is solid black. To be sure an action does not occur, be sure the checkbox is cleared completely.

        You may also set custom email recipients for this group using this dialog. Recall that you must also have defined your email servers on the Default Alert Actions dialog (see above).

      Audible Alert Options
      You may want to have an audible alert when your monitored groups change. To enable this option, choose Options -> Audible Alert Choices... from the applet menu.

      Logging Options
      Membership Monitor has the ability to write data to several types of logs:

      • Service Text Logs
      • Syslog
      • Windows Event Logs (set on the Alert Actions dialogs; see above)

        Set the options for each type of log by choosing their dialog screens from the Options menu.

      Advanced Settings
      Pick the Options -> Advanced Settings... from the applet menu to set the following options:

        The Advanced Settings Dialog

        Timings
        Membership Monitor obtains information about changes to groups and who made the changes by polling domain controllers. The main polling functions happen on the schedule set here.

          You will want to set a schedule that alerts you in a timely manner but does not result in excessive network activity. On most networks, this will not be a concern, even at a high polling rate, but if you have underpowered systems or have a very large network with groups with many hundreds or thousands of members, you will want to moderate this setting.

          You can sometimes increase the efficiency and timeliness of notifications by enabling the Trigger option, which can result in collection of the necessary data when Membership Monitor detects a change.

        System Tray Icon
        Sets whether the System Tray Icon is displayed, and whether alerts are shown in balloon notifications. You must have the tray loaded if you want to receive audible alerts (see above).

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2024 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.