Greyware's Membership Monitor (GWMM) adds valuable second-level protection to your Windows user groups
by generating emails, logs, and audible alerts when there
are any changes in the groups you select to monitor.
Once a LAN gets beyond the size where one administrator can handle all the changes
-- especially with multiple sysadmins and account managers at multiple sites --
it becomes easy to lose track of which user is a member of which group. An unwanted
or unauthorized change can go undetected for days or months, by which time the
damage has long been done. And if your network has any security holes that allow
users to promote themselves, you may never know what happened...the user can
join a privileged group, access restricted data, then unjoin the group without
leaving any sort of record behind.
Greyware's Membership Monitor prevents these kind of surprises. With a few simple
clicks you can establish a monitor for any one -- or all -- user groups in your
enterprise. Membership Monitor sits quietly in the background, watching for changes.
When a monitored group has a member added or removed, the program sends email alerts.
In addition, Membership Monitor can keep a detailed log file, showing all changes to
monitored groups.
Requirements
Runs on Windows XP, 2003/2003 R2, Vista, 2008/2008 R2, Win7, Win8, Win8.1, Win2012/Win2012 R2, Win10, Win2016, Win2019.
Both 32 and 64-bit versions provided.
Version History
2.1.b.20220322 - optional upgrade
Added Logon Type dropdown to the Credentials dialog. Choices are Standard Impersonation (the default), Negotiated Impersonation (helpful for
disjoint networks, or where not all DCs support the same Kerberos level), and Interactive Impersonation (helpful for situations where
domain policies prevent all but foreground users to read the Security Event Log).
Added code to increase reliability of enumerating and checking DCs.
Added additional debug-level log output to show the individual steps involved in reading a DC's Security Log.
2.1.b.20210501 - optional upgrade
Minor updates to cope with changed Windows/Temp folder permissions.
2.1.b.20160701 - optional upgrade
Verified operation with Win2012, Win2012r2, Win10, and Win2016
Enhanced SMTP delivery options
2.1.b.20140829 - optional upgrade
Added option for SSL/TLS to email
Enhanced SMTP logs and error messages
2.1.b.20110803 - optional upgrade
Added ability to click on pop-up balloon notifications to start the Control Panel applet.
Added date/time stamp (optional; defaults to enabled) to log lines and email alerts
2.1.b.20101120 - recommended upgrade; minor bug fix
Fixed display bug where some lines in the list of groups could be rendered as white text on a white background.
No other changes
2.1.b.20101010 - complete rewrite, incorporating all customer requests. Recommended upgrade.
Support for x86/x64
Support for XP, Vista, Windows 7, and Windows 2008 (including R2)
Added syslog reporting and audible alerts
Uses LDAP for group enumeration on AD domains
Automatic configuration of all DCs in a domain
1.5.b.20050813 - recommended upgrade. Bugfixes for 2000/2003 AD slow email notifications, occasional
high CPU usage, and change detection frequency. Also upgraded internal structures to use current version
of service support framework. Upgrade recommended for all users.
1.5.b.20040308 - maintenance release. Added workaround for occasional XP shutdown problem.
1.5.b.20030310 - optional upgrade. Added advanced dialog to Control Panel applet; enhanced
debugging output for diagnostics; included XP graphical style.
1.5.b.20020518 - optional upgrade. Increased compatibility with XP machines that are not
members of a domain; added support for .Net. Increased efficiency of monitoring groups on
local machine in cases where the registry is restricted for security reasons. (GWMM will
still try to monitor the registry directly, but if that fails, will fall back to a different
internal monitoring method that still avoids polling). No other changes.
1.5.b.20010815 - recommended upgrade. Added lookup for "responsible person" information (i.e.,
the user who added or removed an account). Lookup requires that account auditing be enabled
(see KB2001.815).
Hardened security in gwmmtray.exe (the system tray icon program). Added more robust internal
error handling to provide more informative error messages. Packed Intel distributable into
a self-extracting zip called gwmm15.exe that automatically unpacks files into a temp direcotory,
runs setup.exe, and then cleans up. Minor rearrangement of the Control Panel applet, plus
addition of sound file vs. speaker beep for audible alerts.
1.4.b.20010405 - optional upgrade. Added monitoring for pseudo-groups domain trusts and
computer accounts. Added ability to view current membership list of any group, including
account types and details. Enhanced internal error handling when groups are unavailable
or deleted. Added automatic stop of monitoring when a monitored group is deleted.
1.4.b.20010306 - recommended upgrade. Made same changes as 20010305 for Win2000 Professional edition
with Active Directory enabled. Also added workaround for invalid information returned by local
group enum API after inter-domain trusts are added and then removed.
1.4.b.20010305 - minor bug fixes. Upgrade recommended for Win2000-AD users; optional for
mixed-mode Win2000 domains, or NT. Also updated control panel graphics.
1.4.b.20010126 - many improvements.
Added optional system tray icon
Added user full names and group descriptions to reports
Cache file ACLs restrict modifications to LocalSystem (Admins have read)
Cache files encrypted on disk
Email temp file ACLs restrict modifications to LocalSystem (Admins have read)
Registry ACLs restrict modifications to LocalSystem and Admins
Log file ACLs set to limit modifications to LocalSystem and Admins
Service may not be paused or stopped
Settings changes recorded in Event Viewer and log file
Email alerts may be high priority or normal, settable per group
Email alerts may be HTML or plain text
Multiple SMTP hosts may be listed
Multiple email recipients may be listed
Balloon help added to dialog boxes
1.3.b.20000531 - added support for name-lookups across trusts, eliminating potential
false duplications ("Administrator" from Domain A, "Administrator" from
Domain B, etc.). Added log file. Added ability to select a domain name
rather than machine name as the data source; in this case, Membership
Monitor will locate an appropriate domain controller at runtime, switching
to an alternate if the original choice becomes unavailable.
1.2.b.19990915 - fixed bug in email code that could prevent sending mail if modem
not present.
1.2.b.19990913 - first public release.
1.0 through 1.1 - internal use.
Setup & Installation
Installation
Membership Monitor runs as a system service.
You must be logged on using an account with administrative privileges to install or remove the service.
After you download the zip file, unzip the contents to a temporary directory on your
machine (or a shared network directory), then double-click setup.exe and click
the Install button.
If Membership Monitor is already installed, the Install button will not
be present. Instead, setup will present an Upgrade button.
If older versions of any of the distribution files
already exist on your machine, the program will upgrade them automatically when you
select Upgrade.
In some cases, it may be necessary for you to reboot your machine to complete
installation or an upgrade. If so, you will be prompted to restart.
Membership Monitor installs to the system directory (usually C:\Windows\system32).
Removal
Run setup.exe again, and click the Remove button on the setup dialog.
You may also run gwmm.exe /remove from the system directory. The Remove
button will only be enabled if setup determines that the service is already installed.
Upgrading
To upgrade to a new version, download and unzip the new version to a temporary
directory. Double-click the new setup.exe and click the Upgrade button.
The Upgrade button will only be visible if setup determines that an older version
of the service is already installed. Otherwise, only the Install and Remove
buttons will be shown.
Command-line Options
Although not generally needed, you may specify the following command-line options when
running setup.exe or gwmm.exe. You may use a dash or a forward slash before the option. Slashes
are shown below for clarity. Options may also be specified by just the first letter.
gwmm.exe /version or setup.exe /version -- displays the program's version and copyright information.
setup.exe /install -- forces installation.
gwmm.exe /remove or setup.exe /remove-- forces removal.
gwmm.exe /foreground -- (only if supported) runs the program in the foreground.
setup.exe /upgrade -- upgrade to newer version without removing and reinstalling.
To assist with automated installations, the program also supports the /quiet command-line switch.
You may use the /quiet switch in conjunction with /remove, /install, or /upgrade.
When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered;
otherwise, the program performs the requested function and exits immediately. This feature makes it easy to
handle installations or upgrades network-wide with a simple batch file.
Administrative Options and Remote Installation
Remote Install or Removal
The setup program, setup.exe allows you to specify parameters on the command line for remote installation
or removal:
setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
setup -remove \\barney would remove the service from the machine \\barney
setup -install -quiet would install the service onto the local machine without any prompts
setup -remove -quiet would remove the service from the local machine without any prompts
Note: For remote installation or removal to work (i.e., specifing a target machine name as in the above two examples
using \\fred and \\barney), both the machine you are working on and the target machine must be logged on
under an account that has administrative privileges on the target machine.
Documentation
Membership Monitor is controlled by its Control Panel applet. To start the applet, find the Membership Monitor icon in the Windows Control Panel and click it.
The applet lets you set the options appropriate for your machine. Any changes you make will not take effect until you click the "Apply" button or close the
applet. You do not need to reboot or stop and restart the service after making changes.
Group Lists
When you start the applet, the program will attempt to display all user groups visible from the machine on which you are running Membership Monitor. If the machine is
a member of a domain, the groups associated with that domain will be listed under a tab named for the domain. If the machine can discover and has rights to other domains (such as
child domains), the other domains will be listed on their own tab. If the machine is a stand-alone machine, its groups will be listed under a tab named for the local machine.
Note:
By default, only domains that are discovered through Active Directory will automatically appear in their own tabs. If you have other domains with a trust relationship
that allows interrogation of group accounts from the domain hosting Membership Monitor, then you may add them manually by editing the following key in the regsitry:
Enter the flat name (NetBIOS name) of each additional domain to enumerate, one name per line, i.e.
OTHER_DOMAIN
ANOTHER_DOMAIN
etc...
Restart the Membership Monitor service to apply the changes.
The groups listed are displayed based on Windows own internal domain group discovery methods. If your groups are not listed, you will need to verify that the machine's domain membership,
Active Directory access, etc. are working correctly. You will also need to provide security credentials to each domain (see below).
Credentials
Membership Monitor needs sufficient rights to be able to read the security logs from domain controllers in each domain it monitors. Since the program runs as a background service, you will
need to provide an account with Domain Admin rights to each domain you will be monitoring. You do this by clicking the Security
Credentials for [DOMAIN] link on the bottom-left of each domain tab page. This brings up the Credentials Dialog.
IMPORTANT: You MUST provide a valid credentials account for each domain you monitor. Membership Monitor will not be able to detect group
changes without this access.
Monitoring Groups
To monitor a group for changes, simply click the group's checkbox. Membership Monitor will begin tracking members in in the group.
Keep in mind that group changes will not necessarily be visible immediately. The actual time it takes a change to become visible will depend
on which domain controllers were involved with the change and the replication schedule of your domain. If you are looking for
the fastest notification possible, you should run Membership Monitor on the PDC-Emulator.
See the Timings section of the Advanced Settings page for details on changing the polling rate and method to optimize notification rates.
Membership Monitor works with Windows Auditing to report the username of the account responsible for making changes. Membership Monitor will automatically
enable the correct local policy to permit this (
Security Settings | Local Policies | Audit Policy | Audit Account Management | Success) for you. However if you have
group policies that override this setting, you will need to edit them to ensure the Success auditing remains enabled.
Setting the Alert Actions
When Membership Monitor detects a change to a monitored group, it will take the actions you specify to alert you or log the event. You may choose use the Default Actions
or define custom actions for any group. The selected type of action for any group will be displayed in the Alert Actions column.
The Default Actions
The Default Actions are set using the Options -> Alert Options item from the applet menu.
Email Notifications
If you want email notifications for change events, you will need to click the Email Setup... button to define default email servers and recipients. You can also use the
setup dialog to send test mails and to advanced email troubleshooting. You MUST have a default email user and email servers defined if you plan to use email notifications.
Custom Alert Actions
To define a custom alert action for any monitored group, right-click the desired group name and choose Set Custom Alert Actions... from the context menu.
Changes you make here will override the Default Alert Actions settings (the Default settings are shown in light grey). If you want to ensure an action occurs even if the Default Actions change,
change a setting so the checkbox is solid black. To be sure an action does not occur, be sure the checkbox is cleared completely.
You may also set custom email recipients for this group using this dialog. Recall that you must also have defined your email servers on the Default Alert Actions dialog (see above).
Audible Alert Options
You may want to have an audible alert when your monitiored groups change. To enable this option, choose Options -> Audible Alert Choices... from the applet menu.
Note: You must have the System Tray applet loaded in order to hear audible alerts. See the System Tray Icon section of the Advanced Settings page to enable/disable the tray.
Logging Options
Membership Monitor has the ability to write data to several types of logs:
Service Text Logs
Syslog
Windows Event Logs (set on the Alert Actions dialogs (see above)
Set the options for each type of log by choosing their dialog screens from the Options menu.
Advanced Settings
Pick the Options -> Advanced Settings... from the applet menu to set the following options:
Timings
Membership Monitor obtains information about changes to groups and who made the changes by polling domain controllers. The main polling functions happen on the schedule set here.
You will want to set a schedule that alerts you in a timely manner but does not result in excessive network activity. On most networks, this will not be a concern, even at a high
polling rate, but if you have underpowered systems or have a very large network with groups with many hundreds or thousands of members, you will want to moderate this setting.
You can sometimes increase the efficiency and timeliness of notifications by enabling the Trigger option which can result in collection of the necessary data when
Membership Monitor detects a change.
System Tray Icon
Sets whether the System Tray Icon is displayed, and whether alerts are shown in balloon notifications. You must have the tray loaded if you want to receive audible alerts (see above).