Alerts when users are added to Domain Admins using SCOM
Rob | October 5, 2009
One of the benefits we were looking for after the implementation of SCOM 2007 R2 was the ability to be alerted when any account is added to or removed from important groups such as Domain Admins, Schema Admins, Enterprise Admins… You get the picture!
With a little bit of assistance from our friendly Gold Partners we now generate alerts with subscriptions whenever accounts are added to these groups. The steps we took to complete this are shown below:
• Create a new rule
• Select Alert Generating Rules > Event based > NT Event Log (Alert).
• Place it into an appropriate Management Pack and select ‘Next’
• Select an appropriate rule name
• Set the ‘Rule Category’ to ‘Event Collection’ and the ‘Rule Target’ to ‘Windows Domain Controller’, then select ‘Next’
• Set “Security” as the log name and select ‘Next’.
• Enter the ‘Event ID’ value as ‘632’.
• Click ‘Event Source’ so that its radio button is highlighted, then select the radio button.
• Select ‘Specify event specific parameter to use:’ and change the value to ‘3’. Select ‘OK’ and enter the ‘Parameter 3’ value as ‘Domain Admins’. Select ‘Next’.
• On the ‘Configure alerts’ page change the ‘Priority’ if required, and enter an alert description of:
$Data/Params/Param[2]$ has been added to $Data/Params/Param[3]$. The modification was carried out by $Data/Params/Param[6]$
• Select ‘Create’
• Test the rule by adding a user to Domain Admins
Other Event IDs that you may find useful for this are:
• User added to group – 632
• User removed from group – 633
• Account locked out – 644
• Object creation – 566
• Failure Audit – 529
• RDP Logon – 528
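To sanity-check the rule logic and the alert text before it goes into a Management Pack, here is an added example (not part of the original post or of SCOM) that re-implements the same filter in Python over constructed Security-log records; it goes slightly beyond the post by watching all three groups named at the top and by handling the 633 (member removed) counterpart. The event dict layout, the sample account names and the group set are assumptions; the parameter positions (Param[2] member, Param[3] group, Param[6] caller) follow the post.

```python
# Added example, not the post's or SCOM's own code. Mirrors the SCOM rule:
# Security log, Event ID 632/633, Parameter 3 = a watched group.
# Assumed record layout: {"Log": ..., "EventID": ..., "Params": [...]}, where
# Params is 1-based in SCOM's $Data/Params/Param[n]$ notation, so Params[n-1].
# IDs are the legacy (pre-Windows Server 2008) numbers used in the post;
# 2008+ DCs renumber them (632 -> 4732, 633 -> 4733), so adjust per DC version.

SENSITIVE_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins"}
MEMBER_ADDED = 632
MEMBER_REMOVED = 633

def param(event, n):
    """Return parameter n (1-based, as in $Data/Params/Param[n]$) or ''."""
    params = event.get("Params", [])
    return params[n - 1] if 0 < n <= len(params) else ""

def alert_text(event):
    """Return the alert description for a matching event, else None.
    The 632 text is the post's template; 633 uses the obvious counterpart."""
    if event.get("Log") != "Security":
        return None
    if event.get("EventID") not in (MEMBER_ADDED, MEMBER_REMOVED):
        return None
    group = param(event, 3)
    if group not in SENSITIVE_GROUPS:       # same check as 'Parameter 3' in the rule
        return None
    verb = "added to" if event["EventID"] == MEMBER_ADDED else "removed from"
    return (f"{param(event, 2)} has been {verb} {group}. "
            f"The modification was carried out by {param(event, 6)}")

def scan(events):
    """Run the rule over a batch of records and return the alerts raised."""
    return [text for text in (alert_text(e) for e in events) if text]

# Constructed sample records (not real log data); SID field is a placeholder.
SAMPLE_EVENTS = [
    {"Log": "Security", "EventID": 632, "Params": ["-", "CORP\\jsmith",
     "Domain Admins", "CORP", "SID-PLACEHOLDER", "CORP\\admin1", "CORP", "(0x0,0x1A2B3)"]},
    {"Log": "Security", "EventID": 632, "Params": ["-", "CORP\\svc_print",
     "Print Operators", "CORP", "SID-PLACEHOLDER", "CORP\\helpdesk", "CORP", "(0x0,0x1A2B4)"]},
    {"Log": "Security", "EventID": 633, "Params": ["-", "CORP\\jsmith",
     "Enterprise Admins", "CORP", "SID-PLACEHOLDER", "CORP\\admin1", "CORP", "(0x0,0x1A2B5)"]},
    {"Log": "Application", "EventID": 632, "Params": ["x", "y", "Domain Admins"]},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Only the first and third sample records should produce alerts: the second targets an unwatched group and the fourth is not from the Security log.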