Friday, June 17, 2016

SCOM 2012 R2 - How to Monitor Domain Administrators Group

One of the requests I get fairly regularly when working with SCOM is whether SCOM can alert when users are added to the Domain Administrators group. The answer is YES, and as it turns out this is quite easy to accomplish. It is very similar to the blog post I wrote a while back on How to Generate Alerts from Event Logs. The major difference is that we will be doing this with a Rule, not a Monitor.

Build the Custom Rule:
Open up the SCOM console and go to Authoring > Management Pack Objects > Rules. In the Tasks window, Click Create a Rule.

When the Create Rule Wizard runs, drill down to Alert Generating Rules > Event Based and Select NT Event Log (Alert). Select a custom management pack, or create one if you don't have one yet. Click Next

Give it a unique name, such as "Security Group Alert - User Added to Domain Admins". I worded it this way as I will also set up a rule to monitor when users are removed from this group (discussed later in this segment). Add a clear description as well. Rule Category is Alert, and be sure to set Windows Domain Controller as the Rule target. Check Rule is enabled and Click Next.

For Event Log Name click the ... on the right. Be sure one of your domain controllers is in the Computer field. Then select the Security log. Click OK

Log name should read Security. If not repeat the previous step. Click Next

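For Event ID, enter 4728. Change the Event Source row to Parameter 3, with the operator Equals and the value Domain Admins. Parameter 3 of this event is the name of the group that was changed. Click Next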

I modified the Alert Description a little bit to pass through additional information. I also changed the Priority to High. Click Create

Give it a bit of time to propagate throughout your environment and test it by adding someone to the DA group.

This process can be expanded to removing users from the Domain Admins group as well as adding / removing from Schema Admins and Enterprise Admins by using the information below:

Domain Admins
Security Group Alert - User Added to Domain Admins
Event ID = 4728
Parameter 3 = Domain Admins

Security Group Alert - User Removed from Domain Admins
Event ID = 4729
Parameter 3 = Domain Admins

Schema Admins
Security Group Alert - User Added to Schema Admins
Event ID = 4756
Parameter 3 = Schema Admins

Security Group Alert - User Removed from Schema Admins
Event ID = 4757
Parameter 3 = Schema Admins

Enterprise Admins
Security Group Alert - User Added to Enterprise Admins
Event ID = 4756
Parameter 3 = Enterprise Admins

Security Group Alert - User Removed from Enterprise Admins
Event ID = 4757
Parameter 3 = Enterprise Admins
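
To confirm on a domain controller that the events these rules key on are actually being logged, the following PowerShell lists recent membership changes for the three groups. It is an added example, not part of the original post. The 24-hour lookback and the output column names are assumptions; the Event IDs and group names are the ones listed above.

```powershell
# Added example: show recent add/remove events for the groups the SCOM rules watch.
# Run in an elevated PowerShell session on a domain controller
# (reading the Security log requires administrative rights).

# Event ID -> group names, taken from the list in this post.
$watched = @{
    4728 = @('Domain Admins')                       # member added (global group)
    4729 = @('Domain Admins')                       # member removed (global group)
    4756 = @('Schema Admins', 'Enterprise Admins')  # member added (universal group)
    4757 = @('Schema Admins', 'Enterprise Admins')  # member removed (universal group)
}

$since = (Get-Date).AddHours(-24)   # assumption: look back one day

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($watched.Keys)
    StartTime = $since
}

# Get-WinEvent raises an error when nothing matches; suppress it so an
# empty result is simply empty output.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Properties is zero-based, so SCOM's "Parameter 3" is index 2 (group name).
        $group = [string]$_.Properties[2].Value

        # Same test the rule performs: Event ID matches and Parameter 3 equals the group.
        if ($watched[$_.Id] -contains $group) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Action      = if ($_.Id -in 4728, 4756) { 'Added' } else { 'Removed' }
                Group       = $group
                Member      = [string]$_.Properties[0].Value   # Parameter 1: member name
                ChangedBy   = [string]$_.Properties[6].Value   # Parameter 7: account that made the change
                Computer    = $_.MachineName
            }
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

If a test change produces no output here, check that the Audit Security Group Management audit subcategory is enabled on the domain controllers, since these events are only written when it is.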

In the next segment I will show you how to protect the security groups using SCORCH.

More to come!



Tuesday, June 7, 2016

SCCM 2012 - How to Deploy SCOM 2012 Agent

Now that we have SCCM 1511 up and running, I wanted to set up a deployment for the SCOM agent. This is actually a very simple application to set up.

Gather SCOM Agent Files:
The first thing we need is the SCOM Agent files. On your SCOM server navigate to %ProgramFiles%\System Center 2012\Operations Manager\Server\AgentManagement. You will see AgentLogs, amd64, UnixAgents and x86. Since all the servers in my lab are 64-bit, I am going to copy the amd64 folder over to my app catalog on my SCCM server. I plan to cover multi-platform deployment in the next segment.

Create the Application:
Since this is an .msi we will be building an Application. On your SCCM server go to Software Library > Application Management > Applications. Right Click on Applications and choose Create Application. Type is .msi and you will need to browse to the share location of the MOMAgent.msi. Click Next

If you copied the entire amd64 folder, all of your install files should be discovered successfully. Click Next

I like to be fairly detailed when building Applications. It makes it easier to manage them in the long run. Fill out the Application information as you feel is necessary. For Installation program you should fill it out as follows (replacing the management group name and RMS server FQDN placeholders with the values for your environment):

msiexec /i momagent.msi /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP="Management Group Name" MANAGEMENT_SERVER_DNS="FQDN of RMS Server" ACTIONS_USE_COMPUTER_ACCOUNT=1 AcceptEndUserLicenseAgreement=1

Click Next

Review the summary and Click Next

Wait for it...

And Done!

One final step. Open the SCOM console and go to Administration > Settings > Security. Change the radio button to Review new manual agent installations in pending management view and Check Automatically approve new manually installed agents. This will allow all newly installed clients to be accepted into the Management Group without any administrator intervention.

Distribute the content and deploy to your servers collection and you are all set!

More to come!

