So one of the requests I get fairly regularly when working with SCOM is whether SCOM can alert when users are added to the Domain Administrators group. The answer is YES, and as it turns out this is quite easy to accomplish. It is very similar to the blog I wrote a while back on How to Generate Alerts from Event Logs. The major difference is that we will be doing this with a Rule, not a Monitor.
Build the Custom Rule:
Open up the SCOM console and go to Authoring > Management Pack Objects > Rules. In the Tasks pane, click Create a Rule.
When the Create Rule Wizard runs, drill down to Alert Generating Rules > Event Based and select NT Event Log (Alert). Select a custom management pack, or create one if you don't have one yet. Click Next.
Give it a unique name similar to below. I worded it this way because I will also set up a rule to monitor when users are removed from this group (discussed later in this segment). Add a clear description as well. Rule Category is Alert, and be sure to set Windows Domain Controller as the Rule target. Check Rule is enabled and click Next.
For Event Log Name click the ... button on the right. Be sure one of your domain controllers is in the Computer field, then select the Security log. Click OK.
Log name should now read Security. If not, repeat the previous step. Click Next.
For Event ID enter 4728. Then change the Event Source row to Parameter 3, with the operator Equals and the value Domain Admins. Click Next.
I modified the Alert Description a little bit to pass through additional information. I also changed the Priority to High. Click Create.
Give it a bit of time to propagate throughout your environment, then test it by adding someone to the Domain Admins group.
This process can be expanded to removing users from the Domain Admins group, as well as adding or removing users from Schema Admins and Enterprise Admins, by using the information below (same wizard, different rule name, Event ID and Parameter 3 value):
Domain Admins
Security Group Alert - User Added to Domain Admins
Event ID = 4728
Parameter 3 = Domain Admins
Security Group Alert - User Removed from Domain Admins
Event ID = 4729
Parameter 3 = Domain Admins
Schema Admins
Security Group Alert - User Added to Schema Admins
Event ID = 4756
Parameter 3 = Schema Admins
Security Group Alert - User Removed from Schema Admins
Event ID = 4757
Parameter 3 = Schema Admins
Enterprise Admins
Security Group Alert - User Added to Enterprise Admins
Event ID = 4756
Parameter 3 = Enterprise Admins
Security Group Alert - User Removed from Enterprise Admins
Event ID = 4757
Parameter 3 = Enterprise Admins
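Before trusting the rules above, it helps to confirm that the four event IDs actually land in a DC's Security log and that "Parameter 3" carries the group name the rule compares against. This PowerShell script is an added check, not part of the original post; it assumes it is run on (or pointed at, via -ComputerName) a domain controller by an account that can read the Security log, and that the groups still carry their default names.

```powershell
# Added example: replay the SCOM rule filters against a DC's Security log so you can
# see which events the rules will match and what each "Parameter N" contains.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed: a DC you are allowed to query
    [int]$MaxEvents = 200
)

# Event ID -> verb, exactly as the post maps them.
# 4728/4729 fire for security-enabled global groups (Domain Admins),
# 4756/4757 for security-enabled universal groups (Schema Admins, Enterprise Admins).
$rules = @{
    4728 = 'User Added to';   4729 = 'User Removed from'
    4756 = 'User Added to';   4757 = 'User Removed from'
}
$watchedGroups = 'Domain Admins', 'Schema Admins', 'Enterprise Admins'

$filter = @{ LogName = 'Security'; Id = @($rules.Keys) }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
ForEach-Object {
    # SCOM's "Parameter N" is the Nth <Data> element under <EventData>, so read the
    # event XML rather than the rendered message text, which varies with locale.
    $xml   = [xml]$_.ToXml()
    $data  = @($xml.Event.EventData.Data)
    $param = @{}
    for ($i = 0; $i -lt $data.Count; $i++) { $param[$i + 1] = $data[$i].'#text' }

    # For these four events: Parameter 1 = MemberName (DN of the account changed),
    # Parameter 3 = TargetUserName (the group), Parameter 7/8 = SubjectUserName/SubjectDomainName
    # (who made the change). Only the groups the post watches are reported.
    if ($watchedGroups -contains $param[3]) {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Alert     = "Security Group Alert - $($rules[$_.Id]) $($param[3])"
            Member    = $param[1]
            ChangedBy = "$($param[8])\$($param[7])"
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If a test membership change shows up here but never produces a SCOM alert, the problem is in the rule configuration (wrong log, wrong target, or a mistyped Event ID) rather than in auditing on the DC.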
In the next segment I will show you how to protect the security groups using SCORCH.
More to come!
Hi there
This rule works AMAZING. Thank you.
I wanted to check if I have to create a rule for each DC I have, as each DC has its own Event Log?
regards
Heinrich, I am glad this worked out for you. No you do not need to set it up for each DC. SCOM will automatically find the security log on each DC and start monitoring them individually.
Can I create one rule for all these events?
Houda, unfortunately there isn't a way to make one rule covering all of these events, so they will need to be separate. The good news is they are quick to create, so it won't take you that long to do.
Amazing, this works.
I followed your guide and waited a while. I then added a member. 4782 gets logged on the DC, but I never get an alert, nor do I see the alert in the SCOM console.
I'm very green to SCOM, so maybe I'm missing something I need to configure that's not in this article?
I did get this alert after I set up the rule. Any ideas what I'm missing? Thanks
Alert: Processing Backlogged Events Taking a Long Time
Source: DC1.domain.local
Path: DC1.domain.local
Last modified by: domain\user.adm
Last modified time: 9/14/2017 7:57:57 AM Alert description: The Windows Event Log Provider monitoring the Security Event Log is 30 minutes behind in processing events. This can occur when the provider is restarted after being offline for some time, or there are too many events to be handled by the workflow.
One or more workflows were affected by this.
Workflow name: MomUIGeneratedRule443b8dd60635469484bdc3e403ee9591
Instance name: DC1.domain.local
Instance ID: {DB11EA62-D0F6-36C3-6A6C-07386266C345}
Management group: Applications this
Hi Tom,
My guess is you may have missed a step when creating the rule. Go back and delete it and give it another go. Make sure in the third step that you have a Domain Controller selected and you pull the Security log, as that's really the only place you can go sideways when creating it. Once applied, it usually takes 10-15 minutes to get applied to the Domain Controllers.
Jim
I don't know if it was a typo or not, but if you are looking for event 4782 you need to change that to 4728.
It was a typo. Thanks, I deleted and recreated it and it worked. Thanks so much!
I just had to say you are the man! I've been messing with this for days and this helped.