Shockwave’s Blog

Just another geeky blog…

Alerts when users are added to Domain Admins using SCOM

Rob | October 5, 2009

One of the benefits we were looking for after the implementation of SCOM 2007 R2 was the ability to be alerted when any account is added to or removed from important groups such as Domain Admins, Schema Admins, Enterprise Admins… You get the picture!

With a little bit of assistance from our friendly Gold Partners we now generate alerts with subscriptions whenever accounts are added to these groups. The steps we took to complete this are shown below:

• Create a new rule

• Select Alert Generating Rules > Event based > NT Event Log (Alert).

• Place it into an appropriate Management Pack and select ‘Next’

• Enter an appropriate rule name

• Set the ‘Rule Category’ to ‘Event Collection’ and the ‘Rule Target’ to ‘Windows Domain Controller’, then select ‘Next’

• Set “Security” as the log name and select ‘Next’.

• Enter the ‘Event ID’ value as ‘632’.

• Click ‘Event Source’ to highlight it, then select the radio button.

• Select ‘Specify event specific parameter to use:’ and change the value to ‘3’. Select ‘OK’ and enter the ‘Parameter 3’ value as ‘Domain Admins’. Select ‘Next’.

• On the ‘Configure alerts’ page change the ‘Priority’ if required, and enter an alert description of:

$Data/Params/Param[2]$ has been added to $Data/Params/Param[3]$. The modification was carried out by $Data/Params/Param[6]$

• Select ‘Create’

• Test rule by adding a user to Domain Admins

Other Event IDs that you may find useful for this are:
• User added to group – 632
• User removed from group – 633
• Account locked out – 644
• Object creation – 566
• Failure Audit – 529
• RDP Logon – 528
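To show what the rule above actually evaluates (Security log, Event ID 632, parameter 3 equal to the watched group) and how the $Data/Params/Param[N]$ tokens in the alert description expand, here is an added Python simulation of that logic run over constructed sample events; it is not part of the original post or of SCOM. It generalises the single ‘Domain Admins’ filter to the three groups the post names, and assumes the same parameter layout the post’s template relies on (member in Param 2, group in Param 3, caller in Param 6); the sample account names, SIDs and logon IDs are made up.

```python
import re

# Alert description exactly as entered in the SCOM rule (Param indexes are 1-based).
ALERT_TEMPLATE = (
    "$Data/Params/Param[2]$ has been added to $Data/Params/Param[3]$. "
    "The modification was carried out by $Data/Params/Param[6]$"
)
# Groups worth watching (the three the post names).
WATCHED_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins"}
PARAM_TOKEN = re.compile(r"\$Data/Params/Param\[(\d+)\]\$")

def matches_rule(event, event_id=632, param_index=3, watched=WATCHED_GROUPS):
    """Mirror the rule: Security log, Event ID 632, parameter 3 equal to a watched group."""
    if event["log"] != "Security" or event["event_id"] != event_id:
        return False
    params = event["params"]
    return len(params) >= param_index and params[param_index - 1] in watched

def render_alert(event, template=ALERT_TEMPLATE):
    """Expand $Data/Params/Param[N]$ tokens the way the SCOM alert description does."""
    def lookup(m):
        n = int(m.group(1))
        return event["params"][n - 1] if 0 < n <= len(event["params"]) else ""
    return PARAM_TOKEN.sub(lookup, template)

def alerts_for(events):
    """Return the rendered alert description for every event the rule matches."""
    return [render_alert(e) for e in events if matches_rule(e)]

# Constructed sample events. Parameter positions follow the post's template
# (assumed layout): Param 2 = member added, Param 3 = target group, Param 6 = caller.
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 632,
     "params": ["-", "CN=Bob Smith,CN=Users,DC=example,DC=local", "Domain Admins",
                "EXAMPLE", "%{S-1-5-21-1-2-3-512}", "alice", "EXAMPLE", "(0x0,0x3E7)", "-"]},
    {"log": "Security", "event_id": 632,      # same event, unwatched group: no alert
     "params": ["-", "CN=Carol,CN=Users,DC=example,DC=local", "Helpdesk",
                "EXAMPLE", "%{S-1-5-21-1-2-3-1105}", "alice", "EXAMPLE", "(0x0,0x3E7)", "-"]},
    {"log": "Security", "event_id": 633,      # removal (633) needs its own rule
     "params": ["-", "CN=Bob Smith,CN=Users,DC=example,DC=local", "Domain Admins",
                "EXAMPLE", "%{S-1-5-21-1-2-3-512}", "alice", "EXAMPLE", "(0x0,0x3E7)", "-"]},
]

if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

Passing `event_id=633` to `matches_rule` gives the matching filter for the removal rule.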

Categories
Tech
Tags
How-To, Monitoring, SCOM