This KB article provides a modified version of predefined rule 'Administrative Group Membership Changed' from ChangeAuditor for AD Knowledge Pack. The mofidified version contains additional filter that makes the alert not to be matched when group membership is changed by CERTAIN user(s).
Predefined rule is matched whenever the specified security group is changed by ANY user.
1. Create copy of the predefined real-time rule 'Administrative Group Membership Changed' in Intrust Manager.
2. Open the copy of the rule, go to Matching>Advanced. Replace rule definition text by the contents of the attached file.