
Showing posts from June, 2015

Querying Event Logs using XML

I have been working for a while on tools that let an administrator manage Active Directory according to the principle of least privilege and secure access to AD. Specifically, here I will be talking about configuring monitoring and alerts for suspicious behaviour in the administration of Active Directory. The first activity to monitor and alert on is a logon by a member of the Microsoft privileged groups. It is assumed that you have read and are following the Microsoft best practice of normally having ZERO members in the privileged groups (Domain Admins, Enterprise Admins, etc.). Membership in these groups is granted only temporarily, in order to perform a specific task. The intruder attack surface of your AD is minimized by reducing the time during which this elevation of privileges exists. But what about abuse of privilege, or unauthorized role elevation? By monitoring and alerting on every logon and logoff on any computer by anyone with this group membership, you
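The check described above, written as an added PowerShell example rather than the post's own tooling: an XML filter handed to Get-WinEvent pulls the logon and logoff records (4624, 4634 and 4647) from the Security log, each record is converted to XML so the named EventData fields can be read, and the target account's SID is compared against the current recursive membership of the watched groups. The group list, the 24-hour window, the function name Get-PrivilegedLogonEvents and the use of the RSAT ActiveDirectory module are assumptions for the example; it needs to run with rights to read the Security log, on a domain controller or on a collector that receives forwarded Security events.

```powershell
# Added example (not the original post's tool). Assumes: RSAT ActiveDirectory module,
# rights to read the Security log, and that the hosts of interest log to this machine.
Import-Module ActiveDirectory

function Get-PrivilegedLogonEvents {
    param(
        # Groups to watch; assumed list, adjust to the forest's own privileged groups.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators'),
        # Look-back window in hours (assumed default of 24).
        [int]$Hours = 24
    )

    # Resolve current (recursive) membership to SIDs so the match is not name-based
    # and survives account renames.
    $privilegedSids = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.SID.Value }
    }
    $privilegedSids = @($privilegedSids | Sort-Object -Unique)

    # XML filter in the same syntax Event Viewer writes for a Custom View:
    # logon (4624), logoff (4634) and user-initiated logoff (4647) within the window.
    # timediff() works in milliseconds, and "<" must be escaped inside the XML.
    $windowMs = $Hours * 3600 * 1000
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4634 or EventID=4647)
        and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Reading the record as XML gives named EventData fields instead of the
        # positional Properties array, whose order differs between event IDs.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # All three events carry TargetUserSid for the account that logged on or off.
        $sid = $data['TargetUserSid']
        if ($sid -and ($privilegedSids -contains $sid)) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Action    = if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' }
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']          # present on 4624 and 4634
                Source    = $data['IpAddress']          # present on 4624 only
                Computer  = $e.MachineName
            }
        }
    }
}

# Usage: list the last day's privileged logons/logoffs, newest first.
Get-PrivilegedLogonEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the membership snapshot is taken at query time, so an account that was added to Domain Admins, used, and removed again before the query runs is not matched; to cover that case, alert on the group-change events themselves (4728, 4732 and 4756 for additions to global, local and universal security groups) and on 4672, which is logged when a session is granted administrator-equivalent privileges, rather than relying on current membership alone. Second, 4634 and 4647 do not carry the source address, so correlate logoffs with the matching 4624 through TargetLogonId if the origin of the session matters for the alert.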