The objectSID attribute is not monitored by default and will need to be added to the CA Configuration before a search or alert will return data. Complete the following steps to add the attribute and create a search/alert for changes to the ObjectSID attribute of a specific user:
- Open the CA Client
- Click View | Administration
- Click Auditing in the bottom left
- Select Attributes under Active Directory
- Select User
- In the bottom pane under Unmonitored Attribute, type 'ObjectSID'
- Select it and click the > arrow
- Refresh the agent configuration of all DCs to make the changes effective immediately, or wait 15 minutes for the agent configurations to update automatically
- Create a new Search
- Click the down arrow beside the “Plus” or “Add” button in the button bar of the “What” tab of the search properties
- Select “Subsystem” | “Active Directory”
- Select “This Object” for the Scope
- Browse or search for the AD user
- Click Add to move the selected user to the section below, then click “Ok”
- Select the “Alert” tab
- Click the “Configure email.” button and add the recipient email
- Check the “Enable alert” check box and save the search
To track the SID value, use the "Before value" property of the "user ObjectSID changed" Event Class.

