SCOM: Alerting when a user is added or removed from a Distribution Group in AD

Although this is similar to alerting when a user is added to a security group there are a few things that need to be changed.

Target: Windows Domain Controllers
Log: Security
Event ID: 5136
EventDescription contains: “Name of Distribution Group”

User added
EventDescription contains: %%14674

User removed
EventDescription contains: %%14675


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.