Sends email, console or other alerts when group membership changes!
Great for sending automatic notices of user account changes to various departments!
Perfect for networks with multiple administrators!
Keep detailed logs separate from NT event logs for added audit security!
Overview
Greyware's Membership Monitor (GWMM) adds valuable second-level protection to your NT user groups
by generating emails, event viewer records, and administrative alerts when there
are any changes in the groups you select to monitor.
Once a LAN gets beyond the size where one administrator can handle all the changes
-- especially with multiple sysadmins and account managers at multiple sites --
it becomes easy to lose track of which user is a member of which group. An unwanted
or unauthorized change can go undetected for days or months, by which time the
damage has long been done. And if your network has any security holes that allow
users to promote themselves, you may never know what happened...the user can
join a privileged group, access restricted data, then unjoin the group without
leaving any sort of record behind.
Greyware's Membership Monitor prevents these kinds of surprises. With a few simple
clicks you can establish a monitor for any one -- or all -- user groups in your
enterprise. Membership Monitor sits quietly in the background, watching for changes.
When a monitored group has a member added or removed, the program silently sends
out up to three alerts:
An event viewer log entry
An email
An administrative alert to a computer(s) or user(s)
In addition, Membership Monitor can keep a detailed log file, showing all changes to
monitored groups.
Requirements
Runs on Windows NT4/2K/XP/2003/Vista/2008. Both Intel and Alpha binaries provided. In order for administrative alerts to work, the
built-in Messenger service must be running. Highly recommended: Use NTFS on the system
partition of the machine where you install Membership Monitor. Membership Monitor now restricts
access to its cache, log, and temp files if the system partition is NTFS.
Version History
1.5.b.20050813 - recommended upgrade. Bugfixes for 2000/2003 AD slow email notifications, occasional
high CPU usage, and change detection frequency. Also upgraded internal structures to use current version
of service support framework. Upgrade recommended for all users.
1.5.b.20040308 - maintenance release. Added workaround for occasional XP shutdown problem.
1.5.b.20030310 - optional upgrade. Added advanced dialog to control panel applet; enhanced
debugging output for diagnostics; included XP graphical style.
1.5.b.20020518 - optional upgrade. Increased compatibility with XP machines that are not
members of a domain; added support for .Net. Increased efficiency of monitoring groups on
local machine in cases where the registry is restricted for security reasons. (GWMM will
still try to monitor the registry directly, but if that fails, will fall back to a different
internal monitoring method that still avoids polling). No other changes.
1.5.b.20010815 - recommended upgrade. Added lookup for "responsible person" information (i.e.,
the user who added or removed an account). Lookup requires that account auditing be enabled
(see KB2001.815).
Hardened security in gwmmtray.exe (the system tray icon program). Added more robust internal
error handling to provide more informative error messages. Packed Intel distributable into
a self-extracting zip called gwmm15.exe that automatically unpacks files into a temp directory,
runs setup.exe, and then cleans up. Minor rearrangement of the control panel applet, plus
addition of sound file vs. speaker beep for audible alerts.
1.4.b.20010405 - optional upgrade. Added monitoring for pseudo-groups domain trusts and
computer accounts. Added ability to view current membership list of any group, including
account types and details. Enhanced internal error handling when groups are unavailable
or deleted. Added automatic stop of monitoring when a monitored group is deleted.
1.4.b.20010306 - recommended upgrade. Made same changes as 20010305 for Win2000 Professional edition
with Active Directory enabled. Also added workaround for invalid information returned by local
group enum API after inter-domain trusts are added and then removed.
1.4.b.20010305 - minor bug fixes. Upgrade recommended for Win2000-AD users; optional for
mixed-mode Win2000 domains, or NT. Also updated control panel graphics.
1.4.b.20010126 - many improvements.
Added optional system tray icon
Added user full names and group descriptions to reports
Cache file ACLs restrict modifications to LocalSystem (Admins have read)
Cache files encrypted on disk
Email temp file ACLs restrict modifications to LocalSystem (Admins have read)
Registry ACLs restrict modifications to LocalSystem and Admins
Log file ACLs set to limit modifications to LocalSystem and Admins
Service may not be paused or stopped
Settings changes recorded in Event Viewer and log file
Email alerts may be high priority or normal, settable per group
Email alerts may be HTML or plain text
Multiple SMTP hosts may be listed
Multiple email recipients may be listed
Balloon help added to dialog boxes
1.3.b.20000531 - added support for name-lookups across trusts, eliminating potential
false duplications ("Administrator" from Domain A, "Administrator" from
Domain B, etc.). Added log file. Added ability to select a domain name
rather than machine name as the data source; in this case, Membership
Monitor will locate an appropriate domain controller at runtime, switching
to an alternate if the original choice becomes unavailable.
1.2.b.19990915 - fixed bug in email code that could prevent sending mail if modem
not present.
1.2.b.19990913 - first public release.
1.0 through 1.1 - internal use.
Setup & Installation
Installation
Membership Monitor requires Windows NT4/2K/XP/2003/Vista/2008, and runs as a system service.
You must be logged on using an account with administrative privileges to install or remove the service.
After you download the zip file, unzip the contents to a temporary directory on your
machine (or a shared network directory), then double-click setup.exe and click
the Install button.
If Membership Monitor is already installed, the Install button will not
be present. Instead, setup will present an Upgrade button.
If older versions of any of the distribution files
already exist on your machine, the program will upgrade them automatically when you
select Upgrade.
In some cases, it may be necessary for you to reboot your machine to complete
installation or an upgrade. If so, you will be prompted to restart.
Membership Monitor installs to the system directory (usually c:\windows\system32 or c:\winnt\system32).
Removal
Run setup.exe again, and click the Remove button on the setup dialog.
You may also run gwmm.exe /remove from the system directory. The Remove
button will only be enabled if setup determines that the service is already installed.
Upgrading
To upgrade to a new version, download and unzip the new version to a temporary
directory. Double-click the new setup.exe and click the Upgrade button.
The Upgrade button will only be visible if setup determines that an older version
of the service is already installed. Otherwise, only the Install and Remove
buttons will be shown.
Command-line Options
Although not generally needed, you may specify the following command-line options when
running setup.exe or gwmm.exe. You may use a dash or a forward slash before the option. Slashes
are shown below for clarity. Options may also be specified by just the first letter.
gwmm.exe /version or setup.exe /version -- displays the program's version and copyright information.
setup.exe /install -- forces installation.
gwmm.exe /remove or setup.exe /remove -- forces removal.
gwmm.exe /foreground -- (only if supported) runs the program in the foreground.
setup.exe /upgrade -- upgrade to newer version without removing and reinstalling.
To assist with automated installations, the program also supports the /quiet command-line switch.
You may use the /quiet switch in conjunction with /remove, /install, or /upgrade.
When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered;
otherwise, the program performs the requested function and exits immediately. This feature makes it easy to
handle installations or upgrades network-wide with a simple batch file.
Administrative Options and Remote Installation
Remote Install or Removal
The setup program, setup.exe allows you to specify parameters on the command line for remote installation
or removal:
setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
setup -remove \\barney would remove the service from the machine \\barney
setup -install -quiet would install the service onto the local machine without any prompts
setup -remove -quiet would remove the service from the local machine without any prompts
Note: For remote installation or removal to work (i.e., specifying a target machine name as in the above two examples
using \\fred and \\barney), both the machine you are working on and the target machine must be Windows NT4/2K/XP/2003/Vista/2008, and you
must be logged on under an account that has administrative privileges on the target machine.
Security Context Selection
During Setup, you will be prompted to supply an account for the service to use as its security context.
It's recommended this account be a member of the Administrators and/or Domain Admins
user groups. Membership Monitor will use this account to contact the machine or domain controller(s)
to obtain the groups to monitor and it must have sufficient rights to do so.
Enter the desired account's username and password. Setup will attempt to verify the account's
right to Log on as a Service, and grant this right if not already present. If the service
cannot grant the right, it will continue installation and you will have to grant the right
manually afterward. See more info on granting system rights.
The Security Context Selection Screen
Notes
Membership Monitor is controlled by its Control Panel applet. The applet lets you set
the options appropriate for your machine. You do not need to reboot or stop and
restart the service after making changes; the service will automatically recognize
and start using the new settings immediately.
The Membership Monitor Control Panel Applet
Monitored and Not Monitored Groups section
These controls allow you to select which groups you wish to monitor for changes.
Change Data Source... (button)
Used to select the machine used as the data source for monitoring groups.
By default, Membership Monitor uses the user account database on the machine where it is installed. This means
that if you install Membership Monitor on a PDC or BDC, you will see the list of domain
groups (both global and local). If you install Membership Monitor on a stand-alone server
or workstation, you will see the list of groups on that machine only. In either case,
Membership Monitor can check the database on its own machine using change event signalling (no polling),
so CPU overhead and network traffic are close to zero, and alerts are generated within
milliseconds of a change.
You may change this behavior by clicking the Data Source button and specifying another machine
from which Membership Monitor should draw its groups. When getting group information from
another machine, Membership Monitor cannot use change event signalling, and so must poll
the other machine periodically for updates. This means that alerts can be generated only
after a polling interval, and that both CPU usage and network traffic are increased during
the poll.
The Membership Monitor Select Data Source Screen
If you install Membership Monitor on a stand-alone server or workstation, but set the Data Source
to the domain name (or to the domain's PDC or BDC), you can monitor the domain groups (both global
and local). You could also use a workstation to monitor a server, a BDC to monitor a workstation, etc.
This allows you to have all the benefits of domain-wide monitoring without installing Membership Monitor
on your PDC or BDC. The only restriction is that the service account running Membership Monitor must have security
access to the user database on the source machine (i.e., must be members of the same domain, or have
the appropriate n-way trust in place).
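The polling trade-off described above, as an added example (not Greyware's code, and not a description of how GWMM is implemented): a generic poller that compares periodic membership snapshots, replayed over constructed events for a hypothetical domain CORP. It shows that a member who joins and leaves between two polls leaves no difference to report, which is where the Security log's account-management audit records are still needed; the `GroupPolicy` switches are stand-ins for the applet's Monitor Additions and Monitor Deletions checkboxes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupPolicy:
    # Stand-ins for the applet's "Monitor Additions" / "Monitor Deletions" checkboxes.
    additions: bool = True
    deletions: bool = True

def diff_snapshots(before, after, policies):
    """Compare two polls (group -> set of domain-qualified accounts); return alerts."""
    alerts = []
    for group, policy in policies.items():
        old, new = before.get(group, set()), after.get(group, set())
        if policy.additions:
            alerts += [("added", group, m) for m in new - old]
        if policy.deletions:
            alerts += [("removed", group, m) for m in old - new]
    return sorted(alerts)

def replay(events, poll_every, until):
    """Apply (time, action, group, member) events; snapshot every poll_every seconds."""
    state, snapshots, pending = {}, [], sorted(events)
    for now in range(0, until + 1, poll_every):
        while pending and pending[0][0] <= now:
            _, action, group, member = pending.pop(0)
            members = state.setdefault(group, set())
            (members.add if action == "added" else members.discard)(member)
        snapshots.append({g: set(m) for g, m in state.items()})
    return snapshots

def polled_alerts(events, policies, poll_every, until):
    """Alerts a snapshot-comparing poller would raise, flattened across all polls."""
    snaps = replay(events, poll_every, until)
    return [a for old, new in zip(snaps, snaps[1:])
            for a in diff_snapshots(old, new, policies)]

def unseen_changes(events, policies, poll_every, until):
    """Changes after the baseline poll (time 0) that never surfaced as an alert."""
    seen = set(polled_alerts(events, policies, poll_every, until))
    return [e[1:] for e in sorted(events) if e[0] > 0 and e[1:] not in seen]

# Constructed sample data: hypothetical domain CORP, times in seconds.
POLICIES = {"Domain Admins": GroupPolicy(),
            "Backup Operators": GroupPolicy(deletions=False)}
EVENTS = [
    (0, "added", "Domain Admins", r"CORP\alice"),
    (0, "added", "Backup Operators", r"CORP\carol"),
    (70, "added", "Domain Admins", r"CORP\dave"),        # persists: seen at the 120 s poll
    (80, "removed", "Backup Operators", r"CORP\carol"),  # deletions not monitored here
    (130, "added", "Domain Admins", r"CORP\mallory"),    # joins ...
    (150, "removed", "Domain Admins", r"CORP\mallory"),  # ... and leaves before the 180 s poll
]

if __name__ == "__main__":
    print(unseen_changes(EVENTS, POLICIES, 60, 180))
```

Shortening the interval narrows the window but never closes it, so a poller is best paired with Success auditing of User and Group Management on the monitored machine or domain.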
Details
Monitor Additions to this group
If this box is checked, Membership Monitor will generate alerts when users
or groups are added to the selected group.
Monitor Deletions from this group
If this box is checked, Membership Monitor will generate alerts when users
or groups are removed from the selected group. (Note: If a group
is being monitored, but neither Monitor Additions nor Monitor Deletions is
checked, then Membership Monitor will still watch the group, but not
generate any alerts.)
Record Changes in Event Viewer Log
If this box is checked, Membership Monitor will create an event viewer log
entry when users or groups are added or removed (based on which of the two
monitor checkboxes you have checked).
Send Email Notifications
If this box is checked, Membership Monitor will send an SMTP email alert
when users or groups are added or removed (based on which of the two monitor
checkboxes you have checked). This box will be grayed out until you have
clicked the Email Setup... button in the Options section (see below)
and specified a valid SMTP host, FROM address, and TO address.
Send Administrative Alerts
If this box is checked, Membership Monitor will send an Administrative Alert
when users or groups are added or removed (based on which of the two monitor
checkboxes you have checked). You may specify multiple names, separated by
commas or semi-colons. Each name must be:
An NT computer name, in which case the alert is sent to the
console of that computer regardless of who is logged on; or
An NT username, in which case the alert is sent to that user,
no matter where on the network the user is logged on.
Administrative Alerts generate a pop-up message box on the target machine. In
order for the Administrative Alert to be received, the built-in NT Messenger
Service must be running on the target machine. The Messenger Service is an unreliable
transport; it does not guarantee delivery, and may deliver multiple copies of the
same message. In most LAN environments, Administrative Alerts are fast and
dependable; however, we recommend that you not rely solely on Administrative Alerts
for notifications.
Options
Show System Tray Icon
If this box is checked, the Membership Monitor system tray icon will be displayed in the Start Bar System Tray.
Look up responsible person
If checked, Membership Monitor will attempt to determine the user account responsible for making the change,
if possible.
This information may not always be available due to the different methods and locations that NT (and
especially Win2000) uses to record auditing information (see KB2001.815).
In order for the lookup to succeed:
Windows NT4/2K/XP/2003/Vista/2008 Security Auditing must be enabled. Specifically, the machine or domain being monitored must have Success auditing for User and Group Management
enabled in the Security Policy.
To learn how to enable auditing, see Microsoft's Knowledgebase articles
Q157238 (NT4) and Q300549 (Windows 2000).
To test that auditing is functioning properly, use Event Viewer to inspect the Security log on your PDC (or PDC Emulator
on Win2000). Look for events with the Category Account Management, Source Security, and Type Success Audit.
The user account used for running the Membership Monitor service must have sufficient rights to read the
event logs on all machines being monitored. To test this, log in with the service account and use the Event Viewer to
connect to the remote machines and verify that you are able to read both the local and remote event logs (particularly
on the PDC, or the PDC emulators on Win2000 trees).
Important Note: Due to the way Windows NT4/2K/XP/2003/Vista/2008 records account information in the event logs when
using domain trusts, the responsible person reported may be incorrectly listed as coming from the local domain.
For example, if a trust exists between the domains LOCALDOMAIN and REMOTEDOMAIN and a change is made on a LOCALDOMAIN system by
a trusted account from REMOTEDOMAIN (i.e. \\REMOTEDOMAIN\AdminUser), it may be incorrectly reported as having been made
by a LOCALDOMAIN account (LOCALDOMAIN\AdminUser).
Record changes in gwmm.log file
If checked, Membership Monitor will record all changes to monitored groups (whether or not the
change generates an alert) to your %systemroot%\system32\gwmm.log file.
Max size KB
Controls the maximum size of the gwmm.log file. If set to zero, the log file size is limited only
by available disk space. Any other number represents the number of kilobytes for the log file.
Membership Monitor trims the log file by removing old entries from the top of the file. The most
current entry will always be the last line in the log file.
Email Setup... (button)
Used for setting default email settings.
The Membership Monitor Email Setup Screen
When you click the Email Setup button, you are presented with another
dialog box that allows you to specify:
SMTP host -- you may give either an Internet-style name or an IP number.
FROM address -- the email address from which the mail is sent.
A Default TO address -- the email address to which the mail is sent if no
other email address is specified for a particular group's alerts.
Whether email should be sent in HTML format or as plain text.
Whether your machine is permanently wired to a LAN and can send email at
any time, or uses Dial-Up Networking and can only send email when connected.
Email names may be either plain or decorated. A plain name is one like person@place.com. A
decorated name is one like "Tech Support" <techsupport@yourdomain.com>. The quotation
marks are required by some SMTP servers if the decorated portion of the name contains space characters.
Advanced... (button)
Used for setting additional options.
The Membership Monitor Advanced Settings Screen
When you click the Advanced button, you are presented with another
dialog box with the following options:
Enable debug output in logfile
If this box is checked, Membership Monitor will produce a verbose version of the gwmm.log file, which
includes a substantial amount of additional information. You should choose this option only if you
are attempting to resolve an issue. The log can grow quite rapidly when this option is enabled.
Check all Domain Controllers for Event Log records
If this box is checked, Membership Monitor will poll all Domain Controllers for change information.
You only need to enable this option if you are running Active Directory in mixed-mode and Membership
Monitor is not reporting all of the changes made to a monitored group.