Tuesday, February 10, 2009

Steps for building monitor to check membership of Domain Admin Global Groups

  1. In the Console go to Authoring, Management Pack Objects, Monitors. Go to 'Change Scope'. In the 'Look For' box type 'Windows Server 2003 Computer'. Only select this target, click OK.

  2. Collapse 'Windows Server 2003 Computer', 'Entity Health', right click 'Security', select 'Create a monitor', 'Unit Monitor'.

  3. Create a new MP with a logical name. Select as type of monitor 'Windows Events', 'Simple Event Detection', 'Timer Reset', Next

  4. Specify a logical name, for instance 'Domain Admins Watcher' when this particular monitor checks the Global Group 'Domain Admins'. Deselect 'Monitor is Enabled', Next

  5. Log name 'Security', Next

  6. EventID equals '632'. Next to Parameter Name 'EventSource' there is a button with three dots. Click it. Select the third option 'Use parameter name not specified above', type 'EventDescription', OK. For Operator select 'Contains'. For Value type 'Domain Admins', Next

  7. Set Auto Reset Timer to 10 minutes. (When notifications are configured and this Alert will be sent by mail/sms/pager, this time can be reduced to two minutes), Next

    A timer has been set because otherwise this monitor won't fire a new alert until it has been reset manually. All the time the monitor isn't reset, the membership of the monitored global group can be changed without SCOM alerting on it...

  8. Set Health State to 'Critical' when an Event is raised, Next

  9. Select 'Generate alerts for this monitor'. Set Priority to 'High'. Set as Alert Description '$Data/Context/EventDescription$' (the event description of the event ID will be displayed in the Alert), Create.

Create two more monitors, each following these steps but instead of 'Domain Admins' for the EventDescription, one uses 'Enterprise Admins' for the second monitor and 'Schema Admins' for the third monitor. Be sure to put these monitors into the same Management Pack.
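The behaviour of the three monitors, and in particular the Auto Reset Timer from step 7, can be modelled in a few lines. The Python below is an added example and not part of the original post or of SCOM; the GroupWatcher class, the run_watchers helper and the sample events are constructed here to show why a matching event that arrives while the monitor is still Critical raises no new alert, and how a shorter reset interval changes that.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# 632 = member added to a security-enabled global group on Windows Server 2003 (the
# post); 4728 is the Windows Server 2008 equivalent named in the comments.
MEMBER_ADDED_EVENT_IDS = {632, 4728}
WATCHED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")
@dataclass
class SecurityEvent:
    time: datetime
    log: str
    event_id: int
    description: str
class GroupWatcher:
    """Models one 'Simple Event Detection, Timer Reset' unit monitor (hypothetical)."""
    def __init__(self, group, auto_reset_minutes=10):
        self.group = group
        self.reset_after = timedelta(minutes=auto_reset_minutes)
        self.state, self.critical_since = "Healthy", None
        self.alerts = []  # alert descriptions, i.e. $Data/Context/EventDescription$
    def matches(self, ev):
        return (ev.log == "Security" and ev.event_id in MEMBER_ADDED_EVENT_IDS
                and self.group in ev.description)
    def process(self, ev):
        # Auto Reset Timer: Critical returns to Healthy by itself after the interval.
        if self.state == "Critical" and ev.time - self.critical_since >= self.reset_after:
            self.state, self.critical_since = "Healthy", None
        # Only Healthy -> Critical raises an alert; while Critical, further matching
        # events are swallowed, which is why a short reset interval matters.
        if self.state == "Healthy" and self.matches(ev):
            self.state, self.critical_since = "Critical", ev.time
            self.alerts.append(ev.description)
        return self.state

def run_watchers(events, auto_reset_minutes=10):
    """One watcher per group, events fed in time order; returns {group: alert count}."""
    watchers = {g: GroupWatcher(g, auto_reset_minutes) for g in WATCHED_GROUPS}
    for ev in sorted(events, key=lambda e: e.time):
        for w in watchers.values():
            w.process(ev)
    return {g: len(w.alerts) for g, w in watchers.items()}
# Constructed sample events, not real log data.
T0 = datetime(2009, 2, 10, 9, 0)
ADDED = "Security Enabled Global Group Member Added: Target Account Name: "
SAMPLE_EVENTS = [
    SecurityEvent(T0, "Security", 632, ADDED + "Domain Admins"),
    SecurityEvent(T0 + timedelta(minutes=3), "Security", 632, ADDED + "Domain Admins"),
    SecurityEvent(T0 + timedelta(minutes=15), "Security", 632, ADDED + "Domain Admins"),
    SecurityEvent(T0 + timedelta(minutes=16), "Security", 4728,
                  "A member was added to a security-enabled global group: Schema Admins"),
    SecurityEvent(T0 + timedelta(minutes=17), "Security", 632, ADDED + "Helpdesk"),
]
```

With the 10 minute timer the second 'Domain Admins' addition (3 minutes after the first) produces no alert; with the 2 minute timer suggested for notification setups it does.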

Enabling these monitors for the DCs
The monitors now have to be enabled for the Domain Controllers by using overrides. Do this by selecting 'Overrides', 'Override the Monitor', 'For a Group…' and select the group 'AD Domain Controller Group (Windows 200x Server)' (available when the AD MP is loaded). Otherwise create a group containing the DCs (store this group in the same MP as these monitors) and use that group as the override target.

This article is based on a blog posting by Kevin Holman. Look here for that blog posting.

11 comments:

Sree said...

I applied the same logic for alerting me for new account creation and it doesn't work. I gave the event id as 624 (as well as tried with 626) and I'm not getting alerted.
Any ideas why?
Help much appreciated.

Thanks,
Sree

Marnix Wolf said...

Hi Sree.

Thanks for visiting my blog.

Tested it on one of my sandboxes and it still works, even in R2.

Are you using Windows 2003 Server? For this test I have created a new account. The security log of the DC logs a security event with EventID 624. (Category:Account Management).

When I create this monitor I also use step 6 where I filter on two things: - EventID 642 AND 'EventDescription' CONTAINS 'User Account Created' (all without the quotes).

Then I follow the rest of the steps and enable them for the DCs (using the 'Windows Server 2003 Computer' objects).

When I open the Health Explorer for a DC I see this monitor showing up under the node 'Security' and after a couple of minutes it gets a state 'Monitored'.

Is this also your case?

When you look on a DC at the OpsMgr eventlog do you see EventIDs 1200 (new config. requested), 1201 (new MP received, with name of MP), 1210 (new config became active)?

These two ways (Health Explorer AND OpsMgr events on DC) tell you whether all has arrived.

Hope this helps.

Sree said...

I have checked the event logs and the monitor under health explorer and I'm seeing what you're seeing. I created the monitor with event id 624 (you probably had a typo - you have mentioned 642) and description as User account created.
However I'm not getting alerts.
We have SCOM 2007 R2 running on Win2K3 64-bit

Marnix Wolf said...

Hi Sree.

When you leave your mail address I'll send you the MP containing the monitor.

For this I have enabled the monitor by default.

And yes, it was a typo. :)

When leaving your mail address do not use @ but AT instead with spaces. Use DOT instead of ., otherwise you'll end up being spammed.

Sree said...

My email id is krsg hotmail DOT com
Please also advise on how the monitor can be imported.
Thanks a bunch

Sree said...

Never mind my email. It worked fine. Thanks a lot.
Do you know where I can find a list of all event IDs used in user administration besides user creation, such as deletion, etc?

Marnix Wolf said...

Hi Sree,

Good to know all is well now.

SecureVantage delivers good stuff. Also offers a good free download package, (ACS Resource Kit) found here: http://www.securevantage.com/Products/ACSResourceKit.aspx

For Windows 2008 (R2 as well) and Windows 7 Microsoft just released an Excel sheet. I blogged today about it: http://thoughtsonopsmgr.blogspot.com/2009/08/acs-and-windows-2008-r2-and-windows-7.html

LayneR said...

Hi Marnix, thanks for another good article. I just wanted to mention the option to target the monitor at Windows Domain Controller instead of Windows Server 200x Computer. Since these events are only logged on a domain controller it may make sense to target more specifically. I also use rules for this as setting state is not important for us.

Keep up the good work!

Marnix Wolf said...

Hi LayneR,

Thanks for your comment and good thinking. Of course it is better to use targeting which is as granular as possible. Comments like yours are a good and positive incentive to keep on blogging.

Have a nice week-end.
Marnix

Bas said...

I've been trying to get this to work on Windows Server 2008 R2 DCs but I can't seem to generate reports.

I'm monitoring for EventID 4728 and the words 'Domain Admins' (without the quotes) in the EventDescription. I'm wondering if EventDescription should be changed to EventData?

Marnix Wolf said...

Hi Bas.

Thanks for visiting my blog. Kevin Holman has written some good postings about how to use the W2K08 events to their fullest extent in SCOM. I have used that posting many times since it is spot on. I hope it will help you as well:
http://blogs.technet.com/kevinholman/archive/2009/02/25/authoring-rules-for-windows-2008-events-and-how-to-cheat.aspx

Cheers,
Marnix