monitor the domain admins group in AD 2008

    Question

  • Hey All
    I have a rule setup on SCOM to monitor adds or deletes to the Domain Admins group.  In the rule I use the eventID 632, Source security and Parameter3 = domain admins.

    I just created a new rule to say the event ID 5136, source Microsoft Windows security auditing and Parameter 3 = domain admins.  But no joy.
    When I have a look at the event on my 2008 dc it gives things like object guids etc, etc,

    Anyone know how I pull the group from the eventID so it only fires for a specific group?

    Thanks a mill

    Paul
    paulk
    Monday, June 08, 2009 10:39 AM

Answers

  • Hi Paul

    I've just tested this and event 4728 does seem to be the event to look for (global group changed) - I get 3 blocks of information:
    - Subject (who did it)
    - Member (who was added)
    - Group (Global Security Group)

    If you make sure that detecting 4728 works first then we can look to fine-tune it to just domain admins (should be able to look for description contains "domain admins" or similar).

    Is the rule correctly scoped for the Windows 2008 domain controllers? You might want to download the effective configuration viewer to make sure your rule is running on the 2008 DC.
    http://www.microsoft.com/downloads/details.aspx?FamilyID=A9DB4DCA-6716-478D-89B9-42F27EBC76A8&displaylang=en

    Cheers

    Graham
    Tuesday, June 09, 2009 2:05 PM

All replies

  • Hi

    As a first step this might help for windows 2008 events:
    http://blogs.technet.com/kevinholman/archive/2009/02/25/authoring-rules-for-windows-2008-events-and-how-to-cheat.aspx

    Cheers

    Graham
    Monday, June 08, 2009 10:53 AM
  • Thanks a mill Graham,
    I reckon it's just what I'm looking for.
    I'll post back what the actual rule that works looks like.

    Thanks again

    Paul
    paulk
    Monday, June 08, 2009 11:00 AM
  • Hey Graham
    I was wondering if you could give this some brain power...
    I'm just trying to monitor changes to any security group but for this example it's the Domain Admins I'm looking at.
    I looked at Kevin's blog and it all looked fine.

    I set up a rule in a custom MP targeting the server 2008 domain controller role, the eventid is 5136 and the source is Microsoft Windows security auditing.
    Lastly I try and look for the domain admins group or guid and as far as I can see either of them is parameter 9 or 10.

    So I put someone in the domain admins group and then remove them and I see the eventvwr log it but nothing happens in SCOM. 
    So just to check I have an eventcreate rule setup for this exact situation, so I do a eventcreate and it all works just fine and happens in about a min.

    I have another group change rule focused on Windows Domain Controller and the rule is in a custom MP....  I have tried to remove the domain admins parameter and add and remove a user, but still no joy....   hmmmm   (I have a server 2003 AD rule focused on this group and it works just fine!!)

    Any ideas?

    Thanks a mill

    Paul
    paulk
    Monday, June 08, 2009 6:16 PM
  • Hi Paul

    Are you also getting an event ID of 4728? That might be the better one to look for.
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728

    Cheers

    Graham
    Tuesday, June 09, 2009 10:03 AM
  • Hey Graham
    Thanks for the response
    I've just been going through some of the parts of this forum and you really put in a lot of effort..
    I have a OneNote notebook for SCOM and found this post on the exact thing I'm looking for.
    http://blogs.technet.com/wchomak/archive/2009/01/07/general-security-auditing-group-membership-change-notification.aspx
    It's a good post on security group monitoring.
    So I do it and think now I'm laughing.
    But still no alert when I change the domain admins group....
    I am having a look at the DC's SCOM client folders and have come up with a couple of questions that I am gonna post re rule guids and rule appending.

    Thanks again for your great help

    Best wishes

    Paul
    paulk
    Tuesday, June 09, 2009 1:47 PM
  • Hey Graham
    I followed the post above word perfect. So I am looking for the following events: EVENTID 4728, 4729, 4732, 4737, 4733, 4735.
    I am focused on Windows Domain Controller, the rule is disabled and then overridden for Active Directory 2008.

    When trying to troubleshoot it I saw 2 things that I was unsure of. Firstly, I'm sure you remember that the way to do this job in 2003 was to look for eventID 632, source = security and parameter 3 = Domain Admins.

    But according to the blog above you can just create an "or" statement, add all the IDs and then get the event description into the alert.  So I read Kevin Holman's blog that you sent me and I understand how to filter it down to domain admins, but in the above post there is no mention of event source?
    Just the ID...

    The next thing that I was unsure of was that when I go to the SCOM folder on the DC and look in the management pack folder, I see my MRP.RULES custom MP that I place all my rules in.  But then I see 4 lines for the MP and when I look at the XML in each I see the same rules mentioned in each XML file.    hmmm

    The thing is that it is the only MP in the folder that looks like that, so I chickened out and called PSS just to see what they say about it.

    If you have any thoughts on the 4 entries let me know, but I'll post back what PSS have to say about it.

    Thanks again

    Paul
    paulk
    Wednesday, June 10, 2009 8:41 AM
  • Graham
    How's it going.
    Spent some time with PSS and it just looked like the rule targeting either the server 2008 DC role or computer group did not get the rule.
    Went to the effective config viewer and you could see that it didn't get it.
    So just targeted the rule at Windows Server, disabled it and set an override for Windows 2008 DC, and it worked just fine, hmmm
    Thanks a mill for your help and effort on this forum.

    Paul
    paulk
    Tuesday, June 16, 2009 3:37 PM
  • Hi Paul

    All well here - glad you got it sorted. I had mentioned the Effective Configuration Viewer earlier in the thread. I do find it an invaluable tool in determining whether rules / monitors are actually getting to the agent (effectively, have I targeted correctly).

    Cheers

    Graham
    Tuesday, June 16, 2009 8:32 PM
  • I have been trying to get this set up and monitor not only my Domain Admins group but also our Schema Admins and Enterprise Admins groups.  This is my expression but it doesn't seem to be working...

    ( ( Event ID Equals 4728 ) AND ( ( Parameter 3 Contains Domain Admins ) OR ( Parameter 3 Contains Domain Local Admins ) OR ( Parameter 3 Contains Schema Admins ) OR ( Parameter 3 Contains Enterprise Admins ) ) )

    Thanks!
    Friday, June 01, 2012 3:00 PM
  • Hi Matt

    First check to make sure that you are getting event id 4728 in the security log and that you have SCOM agents on all domain controllers.

    Also, make sure you do this as a rule and not a monitor.

    Cheers

    Graham


    Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

    Friday, June 01, 2012 3:22 PM
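Graham's advice throughout the thread is to confirm that the 4728-family events are actually reaching the Security log on the 2008 DC before tuning the SCOM rule. The following PowerShell is an added example (not from any poster or from Kevin Holman's or wchomak's blog) that does that check: it pulls the group name out of the event by field name rather than by SCOM "Parameter N" position, since the position of the group name is not the same across the six event IDs listed in the thread. The group list and the sample event are constructed for illustration.

```powershell
# Added example: confirm privileged-group membership audit events appear in the Security log.
$WatchedGroups  = 'Domain Admins', 'Schema Admins', 'Enterprise Admins'   # constructed watch list
$GroupChangeIds = 4728, 4729, 4732, 4733, 4737, 4735                      # IDs used in the thread

function Select-PrivilegedGroupChange {
    # Accepts event XML (as returned by EventLogRecord.ToXml()) and emits one object per
    # event whose target group is on the watch list. Fields are read by name, because
    # the positional index of the group name (TargetUserName) differs between event IDs.
    param([Parameter(ValueFromPipeline)][xml]$EventXml)
    process {
        $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $group = $data['TargetUserName']
        if ($WatchedGroups -contains $group) {
            [pscustomobject]@{
                Time      = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
                EventId   = [int]$EventXml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
                Group     = $group
                Member    = $data['MemberName']   # empty for 4737/4735 (group attribute change, no member)
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# Constructed sample 4728 event (all values made up) so the parser can be exercised offline:
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2009-06-09T13:05:00Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=Test User,CN=Users,DC=example,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
    <Data Name="SubjectUserName">admin.paul</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
Select-PrivilegedGroupChange -EventXml ([xml]$sample)

# On a domain controller (elevated prompt), feed real events through the same parser:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $GroupChangeIds } -MaxEvents 200 |
#     ForEach-Object { [xml]$_.ToXml() } | Select-PrivilegedGroupChange
```

If the live query returns nothing after a test add/remove, the gap is in auditing or agent coverage on that DC, not in the SCOM expression, which is the same distinction Graham draws above.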