
How to Set Up Alerts for Active Directory in Event Viewer?

Event Viewer has no alerting of its own: a subscription only copies events from one computer to another. Getting an alert for an Active Directory event therefore takes two pieces, both built in to Windows: “Event Forwarding” (the Windows Event Collector service plus WinRM), which pulls the events from the domain controllers into one log on a collector server, and a scheduled task with an event trigger on that collector, which runs whenever a matching event arrives. Here are the steps to set this up:

  1. Prepare each source domain controller:
    • Open an elevated command prompt and run “winrm quickconfig”. A collector-initiated subscription reads events over WinRM, so the listener and its firewall exception must exist on the source.
    • Give the collector read access to the Security log: add the collector’s computer account (for example COLLECTOR01$) to the built-in “Event Log Readers” group. On a domain controller this is the domain’s Builtin group, so one change covers every domain controller.
    • Make sure the event you want is actually generated. Event ID 5136 (“A directory service object was modified”) is only written when the “Audit Directory Service Changes” subcategory is enabled for success (“auditpol /set /subcategory:"Directory Service Changes" /success:enable”, or the matching setting under Advanced Audit Policy Configuration in Group Policy) and the modified object carries an auditing entry (SACL) that covers the write. Check by making a harmless change, such as editing the description of a test user, and confirming that 5136 appears in the domain controller’s Security log.
  2. Prepare the collector server:
    • Open an elevated command prompt and run “wecutil qc”. This sets the Windows Event Collector service to start automatically and starts it; the “Subscriptions” node in Event Viewer does not work until this has been done.
    • The collector must be able to resolve the domain controllers by name and reach them on the WinRM port (TCP 5985 for HTTP, 5986 if you switch the subscription to HTTPS).
  3. Create the subscription on the collector:
    • Open Event Viewer on the collector, right-click “Subscriptions” in the left pane and select “Create Subscription”.
    • In the “Subscription Properties” dialog box, enter a name and description. Leave “Destination log” at “Forwarded Events”.
    • Under “Subscription type and source computers”, select “Collector initiated” and click “Select Computers”. Click “Add Domain Computers”, enter the name of each domain controller, click “Test” to confirm the collector can connect to it, then click “OK”. (“Source computer initiated” is the other option: the sources are configured by Group Policy to push to the collector, which scales better for many sources but is not covered here.)
    • Under “Events to collect”, click “Select Events”. On the “Filter” tab, set “By log” to “Security” and enter 5136 in “Includes/Excludes Event IDs” (a comma-separated list such as 5136,5137,5141 also works if you want object creation and deletion as well). The “XML” tab shows the resulting XPath query and lets you edit it directly.
    • Click “Advanced”. Leave “User Account” at “Machine Account”; that is the account you added to Event Log Readers. Under “Event Delivery Optimization”, “Normal” batches events and delivers them within about 15 minutes; choose “Minimize Latency” if the events are meant to trigger alerts.
    • Click “OK” to save the subscription. Its “Status” column should read “Active”; right-click it and choose “Runtime Status” to see whether each source is connected or reporting an error.
  4. Turn the forwarded events into alerts:
    • Forwarded events appear on the collector under “Windows Logs” → “Forwarded Events”. Nothing alerts yet; the subscription only delivers them.
    • Once at least one 5136 event has arrived, right-click it and select “Attach Task To This Event”. This opens the Create Basic Task wizard with an event trigger already filled in (log “ForwardedEvents”, source and event ID), so the task runs every time another matching event is written.
    • For the action, choose “Start a program” and point it at a script that reads the event and sends the notification you want. The “Send an e-mail” and “Display a message” actions are still listed but have been deprecated since Windows Server 2012 and fail when the task is saved.
    • After finishing the wizard, open the task in Task Scheduler and set it to run whether the user is logged on or not (or as SYSTEM); otherwise it only fires during an interactive session.
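The subscription from steps 1 to 3 created from the command line instead of the dialogs, as an added example that is not part of the original page. It assumes a domain controller named dc01.corp.example.com, a collector computer account COLLECTOR01$ and the subscription name AD-DirectoryServiceChanges; run the first function on each domain controller and the second on the collector, both from an elevated PowerShell session. The XML is the format wecutil consumes; the dialog writes the same structure, and “wecutil gs <name> /f:xml” prints it for an existing subscription.

```powershell
# Added example, not code from the original page. Names below are assumptions.

# --- Run on each source domain controller (elevated) -------------------------
function Initialize-EventSourceDc {
    param(
        [string]$CollectorAccount = 'COLLECTOR01$'   # assumed collector computer account
    )
    # WinRM listener and firewall exception; a collector-initiated subscription reads over WinRM.
    winrm quickconfig -q
    # Let the collector's machine account read the Security log. On a DC,
    # Event Log Readers is the domain's Builtin group (needs the ActiveDirectory module).
    Add-ADGroupMember -Identity 'Event Log Readers' -Members $CollectorAccount
    # 5136 is only written when the Directory Service Changes subcategory is audited.
    auditpol /set /subcategory:"Directory Service Changes" /success:enable
}

# --- Run on the collector (elevated) ------------------------------------------
function Register-AdChangeSubscription {
    param(
        [string[]]$SourceDc = @('dc01.corp.example.com'),   # assumed DC FQDN(s)
        [string]$Name = 'AD-DirectoryServiceChanges'        # assumed subscription name
    )
    # Configure and start the Windows Event Collector service (step 2); /q:true skips the prompt.
    wecutil qc /q:true

    $sources = ($SourceDc | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
    }) -join "`n"

    # wecutil's subscription schema. MinLatency is the "Minimize Latency" option
    # of the dialog; the XPath is what the Filter tab generates for event ID 5136.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security event 5136 (directory object modified) from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5136)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Name.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil cs $path     # create the subscription from the file
    wecutil gr $Name     # runtime status per source: Active, or the last error
}
```

After a test change on a monitored object, “Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=5136} -MaxEvents 5” on the collector should return the forwarded copy within the 30-second batch timeout that MinLatency sets. If “wecutil gr” shows an access-denied error for a source, the Event Log Readers membership has not taken effect yet; the domain controller has to pick up its new group membership, which a reboot of the source or a restart of its WinRM service forces.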

After these steps the domain controllers’ 5136 events land in the collector’s Forwarded Events log and the attached task runs for each one; whether that turns into an alert depends on what the task’s script does with the event. Whenever events or alerts stop arriving, check the subscription’s “Runtime Status” and the task’s “History” tab in Task Scheduler first.
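Step 4 scripted, as an added example that is not part of the original page: a handler that summarises new 5136 events from the collector’s Forwarded Events log, and the event-triggered task that runs it. The script path C:\Scripts\Alert-AdObjectChange.ps1, the task name, and the destination (a text file, standing in for whatever your real alert channel is) are assumptions. Run it once on the collector from an elevated PowerShell session.

```powershell
# Added example, not code from the original page. Paths and task name are assumptions.
$ScriptPath = 'C:\Scripts\Alert-AdObjectChange.ps1'   # assumed handler location

# Handler the task runs. Field names are the EventData elements of event 5136.
$Handler = @'
$AlertLog  = 'C:\Scripts\ad-change-alerts.log'     # assumed destination; swap for SIEM/ticket/mail call
$StateFile = 'C:\Scripts\ad-change-alerts.state'   # last RecordId already reported, to avoid repeats
$last = if (Test-Path $StateFile) { [int64](Get-Content $StateFile) } else { 0 }

# Get-WinEvent returns newest first; keep only records not yet reported, oldest first.
# -MaxEvents caps one run; a burst larger than 500 between runs would be truncated.
$events = @(Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=5136} -MaxEvents 500 -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordId -gt $last } | Sort-Object RecordId)

foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # OperationType is a message-resource id: %%14674 = value added, %%14675 = value deleted.
    $op = switch ($d['OperationType']) { '%%14674' { 'added' } '%%14675' { 'deleted' } default { $_ } }
    # MachineName is the originating DC: forwarded events keep their source Computer field.
    $line = '{0} {1}: {2}\{3} {4} {5}={6} on {7}' -f $e.TimeCreated.ToString('s'), $e.MachineName,
            $d['SubjectDomainName'], $d['SubjectUserName'], $op,
            $d['AttributeLDAPDisplayName'], $d['AttributeValue'], $d['ObjectDN']
    Add-Content -Path $AlertLog -Value $line
}
if ($events.Count -gt 0) { Set-Content -Path $StateFile -Value $events[-1].RecordId }
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $Handler

# Event-triggered task: fires when the collector writes a 5136 event to the
# ForwardedEvents channel (same XPath as the subscription), runs as SYSTEM so
# it works without an interactive logon. /F overwrites an existing task.
schtasks /Create /F /TN 'AD Object Change Alert' /SC ONEVENT /EC ForwardedEvents `
    /MO '*[System[EventID=5136]]' /RU SYSTEM `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
```

The state file is what makes this safe to trigger per event: a burst of changes fires the task several times, and each run reports only records with a higher RecordId than the last one written. A line in the log looks like “2024-05-01T10:15:02 DC01: CORP\jsmith added member=CN=Eve,OU=Users,DC=corp,DC=example,DC=com on CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com” (constructed sample); filtering on AttributeLDAPDisplayName and ObjectDN inside the handler is the place to decide which changes are worth waking someone up for.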