Monday, June 08, 2009 10:39 AMHey All
I have a rule setup on SCOM to monitor adds or deletes to the Domain Admins group. In the rule I use the eventID 632, Source security and Parameter3 = domain admins.
I just created a new rule to say the event ID 5136, source Microsoft Windows security auditing and Paramater 3 = domain admins. But no joy.
When I have a look at the event on my 2008 dc it gives things like object guids etc, etc,
Anyknow how I pull the group from the eventID so it only fires for a specific group?
Thanks a mill
Monday, June 08, 2009 10:53 AMModeratorHi
As a first step this might help for windows 2008 events:
Monday, June 08, 2009 11:00 AMThanks a mill Graham,
I reckon its just what Im looking for.
Ill post back what the actuall rule that works looks like.
Monday, June 08, 2009 6:16 PMHey Graham
I was wondering if you could give this some brain power...
Im just trying to monitor changes to any security group but for this example its the Domin Admins Im looking at.
I looked at Kevins blog and it all looked fine.
I set up a rule in a custom MP targeting the server 2008 domain controller role, the eventid is 5136 and the source is Microsoft Windows security auditing.
Lastly I try and look for the domain admins group or guid and as far as I can see either of them is paramater 9 or 10.
So I put someone in the domain admins group and then remove them and I see the eventvwr log it but nothing happens in SCOM.
So just to check I have an eventcreate rule setup for this exact situation, so I do a eventcreate and it all works just fine and happens in about a min.
I have another group change rule focused on Windows Domain Controller and the rule is in a custom Mp.... I have tried to remove the domain admins parameter and add and remove a user, but still no joy.... hmmmm (I have a server 2003 AD rule focused on this group and it works just fine!!)
Thanks a mill
Tuesday, June 09, 2009 10:03 AMModeratorHi Paul
Are you also getting an event id of 4728 .. that might be the better one to look for.
Tuesday, June 09, 2009 1:47 PMHey Graham
Thanks for the response
Ive just being going through some of the parts of this forum and you really put in a lot of effort..
I have a onenote notebook for scom and found this post on the exact thing Im looking for.
Its a good post on security group monitoring
So I do it and think now Im laughing.
But still now alert when I change the domain admins group....
I am having a look at the DC's SCOM cient folders and have come up with a couple of questions that I am gonna post re rule guids and rule appending.
Thanks again for your great help
Tuesday, June 09, 2009 2:05 PMModeratorHi Paul
I've just tested this and event 4728 does seem to be the event to look for (global group changed) - I get 3 blocks of information:
- Subject (who did it)
- Member (who was added)
- Group (Global Security Group)
If you make sure that detecting 4728 works first then we can look to fine tune it to just domain admins (should be able to look for description contains "domain admins" or similar).
Is the rule correctly scoped for the Windows 2008 domain controllers? You might want to download the effective configuration viewer to make sure your rule is running on the 2008 DC.
- Marked As Answer by StuartRModerator Thursday, August 27, 2009 7:34 PM
Wednesday, June 10, 2009 8:41 AMHey Graham
I followed the post above word perfect. So I am looking for the follwoing events EVENTID 4728, 4729,4732,4737,4733,4735,
I am focused on Windows Domain Controller, the rule is dissabled and then ovredden for active directory 2008.
When trying to troubleshoot it I saw 2 things that I was unsure of, firstly Im sure you remember that the way to do this job in 2003 was to look for eventID 632, source = security and parameter 3 = Domina admins.
But according to the bolg above you can just create an "or" statment, add all the ID's and then get the event discription into the alert. So I read Kevin Holmans blog that you sent me and I understand how to filter it down to domain admins, but in the above post there is no mention of event source?
Just the ID...
The next thing that I was unsure of was that when I go to the scom folder on the DC and look in the management pack folder, I see my MRP.RULES custom MP that I place all my rules in. But then I see 4 lines for the MP and when I look at the XML in each I see the same rules mentioned in each xml file. hmmm
The thing is that it is the only MP in the folder that looks like that, so I chicken out and called PSS just to see what they say about it.
If you have any thoughs on the 4 entries let me know, but Ill post back what PSS have to say about it.
Tuesday, June 16, 2009 3:37 PMGraham
Hows it going.
Spent some time on with PSS and it just looked like the rule targeting either server 2008 DC role or computer group did not get the rule.
Went to effictive config viewer and you could see that it didnt get it.
So just targeted the rule and windows server, dissabled and set an overide for windows 2008 dc, it worked just fine, hmmm
Thanks a mill for you help and effort on this forum.
- Proposed As Answer by Graham DaviesMVP, Moderator Tuesday, June 16, 2009 8:32 PM
Tuesday, June 16, 2009 8:32 PMModeratorHi Paul
All well here - glad you got it sorted. I had mentioned the Effective Configuration Viewer earlier in the thread. I do find it an invaluable tool in determining whether rules \ monitors are actually getting to the agent (effectively, have I targeted correctly).
Friday, June 01, 2012 3:00 PM
I have being to get this setup and monitor not only my Domain Admin group but also are schema admins and enterprise admin groups. This is my expressions but it doesn't seem to be working...
( ( Event IDEquals 4728 ) AND ( ( Parameter 3 Contains Domain Admins ) OR ( Parameter 3 Contains Domain Local Admins ) OR ( Parameter 3 Contains Schema Admins ) OR ( Parameter 3 Contains Enterprise Admins ) ) ) Thanks!
Friday, June 01, 2012 3:22 PMModerator
First check to make sure that you are getting event id 4728 in the security log and that you have SCOM agents on all domain controllers.
Also, make sure you do this as a rule and not a monitor.