Sending alerts to different IT administrators for an OU

  • Question

  • Hello

     

    I am evaluating FCS and I'm trying to figure out how deployment will work.  Our company has many sites and many local IT staffers, and only about 3000 machines to manage.  From the numbers, I should be able to have a pretty small central server setup.  I have a test server up and where I think we'll have trouble is something silly like email notifications.

    I have read the article on how to configure notifications and they do work.  However, with a single MOM server setup, and a single management group (specified on the command line during client install), is there any way to send alerts to different operators / notification groups based on some custom attribute?  Let's say the Organizational Unit the local IT staff is in charge of?

    To this end, I pulled the computer's current Active Directory OU (which denotes our various subsites) out of the registry as a computer attribute defined in the MOM administrator console.  If I can send mails to different people based on the value of that data from the registry, I have solved the issue.

     

    Otherwise, to my knowledge, we'd be looking at the FCS enterprise manager, which allows for only 10 FCS sites to be rolled up for reporting.  We have more sites than that, unfortunately, and I don't want to run 10 FCS management solutions.

     

    The end goal here is clients get infected, emails go out to a subset of operators, not all operators.

     

    Thanks!

    Thursday, July 15, 2010 9:04 PM

Answers

  • Hi,

    There really isn't a supported way to have different alerts sent to different people, but you might be able to do it with the following:

    Hopefully you already have email alerting up and working, see the following for help:

    http://blogs.microsoft.co.il/blogs/yanivf/archive/2008/02/06/configure-e-mail-notifications-for-forefront-client-security-step-by-step-guide.aspx

    You'll have to manually edit the Management Pack, which is the unsupported part (and if we release an update, it might override any changes you make)

    In the MOM Administrator Console

    Create Notification Groups with the emails that you will want to be sent, give each a unique name

    Go into Management Packs - Rule Groups - Microsoft Forefront Client Security

    Under Host Alerts, you'll see the different Alert Levels that correspond to the Alert level you have set in the FCS Policies deployed to clients (default is Alert Level 3)

    Assuming your clients are set to Alert Level 3, click on Event Rules

    Right click on the events that you want to be alerted on and make copies of them, give them distinct names  i.e. Europe - Malware on Network - Failed response (Alert Level 3)

    Go into those newly created Event rules (Don't edit the existing ones, you'll break reporting)

    You'll need to change 2 settings for each Event

    On the Responses tab, change the notification group to the one that you created earlier

    On the Criteria tab, hit Advanced, you'll need to add filters that correspond to the computers that you want that alert to be sent on.

    Here's where it's trial and error, depending on how you have your computers organized, you'll have to use wildcards to set the filter.

    Repeat for each group that you want to be emailed and the Event Rules that you want emailed, i.e. 5 notification groups, 8 Event Rules = 40 items to create and edit.

     

    Kemper - MSFT

     

    Tuesday, July 20, 2010 8:53 PM
    Moderator
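
The filter step in the answer above is described as trial and error, so the following added example (not part of the original thread and not Microsoft code) checks a planned set of wildcard filters offline before any rule copies are made: it reports computers that no filter matches, which would mail nobody on infection, and computers matched by more than one group, which would mail twice. The group names, filters and computer names are constructed, and the `*`/`?` wildcard semantics and case-insensitive matching are assumptions about how the Criteria filter behaves.

```python
from fnmatch import fnmatchcase

# Constructed sample data: group names, filters and computer names are hypothetical.
# Assumption: the Criteria filter uses * and ? wildcards and ignores case.
GROUP_FILTERS = {
    "Europe": ["EU-*"],
    "Americas": ["US-*", "CA-*"],
    "Asia": ["AP-??-*"],
}
EVENT_RULES = [
    "Malware on Network - Failed response (Alert Level 3)",  # name used in the answer
    "<second event rule> (Alert Level 3)",                   # placeholder, not a real rule
]
COMPUTERS = ["EU-LON-WS001", "US-NYC-WS014", "CA-TOR-SRV02", "AP-SG-WS007", "HQ-LAB-01"]


def groups_for(computer, group_filters):
    """Return every notification group whose wildcard filter matches the computer."""
    name = computer.upper()
    return sorted(
        group for group, patterns in group_filters.items()
        if any(fnmatchcase(name, p.upper()) for p in patterns)
    )


def check_coverage(computers, group_filters):
    """Split computers into routed, unmatched (no mail) and overlapping (duplicate mail)."""
    routed, unmatched, overlapping = {}, [], {}
    for computer in computers:
        hits = groups_for(computer, group_filters)
        if not hits:
            unmatched.append(computer)
        elif len(hits) > 1:
            overlapping[computer] = hits
        else:
            routed[computer] = hits[0]
    return routed, unmatched, overlapping


def planned_rule_names(group_filters, event_rules):
    """Names for the rule copies to create: one per group per original event rule."""
    return [f"{group} - {rule}" for group in group_filters for rule in event_rules]


if __name__ == "__main__":
    routed, unmatched, overlapping = check_coverage(COMPUTERS, GROUP_FILTERS)
    print("routed:", routed)
    print("unmatched:", unmatched, "overlapping:", overlapping)
    print("rule copies to create:", len(planned_rule_names(GROUP_FILTERS, EVENT_RULES)))
```

Feeding it an export of real computer names in place of `COMPUTERS` shows which machines still need a filter before the copied rules go live.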