The implementation of the script's logic begins at callout E. The script parses the command-line parameters defined in callout A. The script uses the WSH 5.6 XML command-line parsing technique explained in "Secure Script Execution with WSH 5.6," August 2002, InstantDoc ID 25644. During the command-line parsing, the list of groups specified on the command line is stored in the strGroupName array.
Next, the script establishes the WMI connection, as the code at callout F shows. The WQL query stub defined in the cWMIQuery constant at callout D is customized to include the group names specified in the command line. The script performs the WQL event query modification in a loop, which the code at callout G shows. For the two sample groups specified in the command-line sample, the resulting WQL event query will be
Select * From __Instance
ModificationEvent Within 10
Where TargetInstance ISA 'ds_group' And
(TargetInstance.ds_name='Enterprise Admins' Or
TargetInstance.ds_name=
'Domain Admins')
Next, the script submits the WQL query for asynchronous notifications. Submitting a WQL event query for asynchronous notification issues a request for WMI to transmit events matching the event query to a custom subroutine. The code at callout F defines this subroutine, which begins with the prefix "SINK_" followed by the name of the SWbemSink object that supports the event. In this example, the subroutine handling the WMI events is called SINK_OnObjectReady(). You can visit http://msdn.microsoft.com/library/en-us/wmisdk/wmi/swbemsink.asp to read more information about the SWbemSink object and the OnObjectReady event. The script enters an idle state and waits for events matching the submitted WQL event query, as the code at callout G shows.
When a modification is made to one of the specified groups, the script invokes the event sink routine, which the code at callout H shows, and sends an email alert by using the GenerateHTML() and SendMessage() functions, which the code at callout I shows. The first parameter of the GenerateHTML() function contains the PreviousInstance object, which is the WMI instance containing the WMI AD group instance before the modification occurred. The second parameter of the GenerateHTML() function contains the TargetInstance object, which is the WMI AD instance after the modification occurred. Both WMI AD instances are formatted in HTML and stored in a MIME HTML email message. The GenerateHTML() function will highlight in the email message the difference between the original instance and the modified one to show which attribute was modified. Note that under Windows 2003 and XP, you can get a WMI instance representation in XML. By using Extensible Style Language (XSL), you can get an HTML representation similar to the one returned by the GenerateHTML() function. However, to make sure this script works under Win2K, which doesn't support the XML functionality, I used a generic GenerateHTML() function to ensure the script's backward-compatibility.
Maintain a Healthy Enterprise
AD contains information crucial to the security and health of an enterprise. Monitoring sensitive groups is just one example of what you can track in AD. Because the AD providers can retrieve and monitor any AD object, class, or setting, you can monitor any kind of AD modification. In the next article in this series, I'll show you how to monitor the five Flexible Single-Master Operation (FSMO) roles by adapting some of the WMI tricks I discuss in this article.