The other day I was asked to assist with implementing the scenarios below:

  • Scenario 1: Alert for changes to the ‘Domain Admin’ group membership
  • Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)
  • Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours
  • Scenario 4: Account locked out x number of times in a 24 hour period

I’ve decided to blog about it as I am likely to need it again in the future and it may help someone else as well!

Scenario 1: Alert for changes to the ‘Domain Admin’ group membership

Prerequisites
  1. OpsMgr agent installed on domain controllers (more info...)
  2. Notification Channel, Subscriber & Subscription configured (more info...)
  3. Enable ‘Audit Account Management’ for the ‘Default Domain Controllers Policy’ (more info... and how to)
Step-by-Step

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)
 
Note: Rules are used here instead of monitors as monitors will affect Parent Monitors while rules will not.

    Operations Console > Authoring > Rules > Create a new rule

    Note

    Create a new destination management pack if required.

    Next

    image

    Select > ‘Windows Domain Controller’

    Note
    Un-tick the ‘Rule is enabled’ checkbox. 


    Next

    image

    Select Security as the log name.


    Next

    image

    Configure the event expression as depicted in the image.

    Next

     

    We will use the following event id’s in this section:

    632 – A member was added to a global group.

    633 – A member was removed from a global group.

    image

    Note there are two ways to do this:

    1. Use Parameter 3 in screenshot above (more info here and here) or;
    2. ‘Use parameter name not specified above’ and ‘EventDescription’.

    Method 1 is preferred.

    Change the severity and priority settings as required.


    Create
    image
     

    Next steps:

    1. Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)
    2. Create a notification subscription for the rule. (more info...)

           

           

           

           

          Alert example

           

           

          image

          Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)

          Prerequisites
          1. OpsMgr agent installed on domain controllers (more info...)
          2. Notification Channel, Subscriber & Subscription configured (more info...)
          3. Enable ‘Audit Policy Change’ for ‘Default Domain Policy’ (more info... and how to)
          Step-by-Step

          Create an ‘Alert Generating Rule’ as below:
          (more info... and how to)

          Operations Console > Authoring > Rules > Create a new rule

          Note

          Create a new destination management pack if required.

          Next

          image
          Select > ‘Windows Domain Controller’

          Note
          Un-tick the ‘Rule is enabled’ checkbox. 


          Next
          image
          Select Security as the log name.


          Next
          image

          Configure the event expression as depicted in the image.

           

          Next

          We will use the following event id in this section:

          612 – An audit policy was changed.
          image

          Change the severity and priority settings as required.


          Create
          image
           

          Next steps:

          1. Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)
          2. Create a notification subscription for the rule. (more info...)

           

           

           

           

          Alert example
          image

          Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours

          Disclaimer: This is a complex scenario and I am not sure that my proposed solution is the simplest...it works though! :-)

          The following is relatively easy to do though:

          · Create an alert for each Unsuccessful Logon.

          · Create an alert for each Unsuccessful Logon for a specific user.

          · Create one suppressed alert (i.e. repeat count is increased) for all Unsuccessful Logons.

          · Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx. I documented only this scenario below.

          Prerequisites
          1. OpsMgr agent installed on domain controllers (more info...)
          2. Notification Channel, Subscriber & Subscription configured (more info...) – not strictly speaking necessary for the proposed solution.
          3. Enable ‘Audit Account Logon Events’ for ‘Default Domain Controller Policy’ (more info... and how to)
          Step-By-Step

          (Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)

          Create an ‘Alert Generating Rule’ as below:
          (more info... and how to)

          Operations Console > Authoring > Rules > Create a new rule

           

          Note

          Create a new destination management pack if required.

           

          Next

          image
          Select > ‘Windows Domain Controller’

          Note
          Un-tick the ‘Rule is enabled’ checkbox. 


          Next
          image
          Select Security as the log name.


          Next
          image

          Configure the event expression as depicted in the image.

           

          Next

          We will use the following event id in this section:
          675 - Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
          image
           
          Change the severity and priority settings as required.


          Alert Suppression
          image
          Configure the alert suppression fields as depicted in the image.


          Ok
          image
          Create image
           

          Next steps:

          Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)

           

           

           

           

           

           

          Alert example
          image
          Create a rule to resolve all unsuccessful logon alerts on a daily basis

          Operations Console > Authoring > Rules > Create a new rule

           

          Note

          Create a new destination management pack if required.

          Next

          image
          Select > ‘Root Management Server’ as the rule target.

          Note
          Un-tick the ‘Rule is enabled’ checkbox. 


          Next
          image
          Define the schedule as required. image
          Create a directory on the root management server i.e. c:\scripts > Save the following powershell script in the directory.

          Note
          Change the script as required i.e. path to OpsMgr startup.ps1 and rule name.
          # ResolveUL.ps1
          # Author: Johan Vosloo
          # Date: 29-10-2009
          # Note: The name i.e. "Custom

          Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the surpressed alert.

          # Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required.

          add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";

          Set-Location "c:\Program Files\System Center Operations Manager 2007";

          .\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1;

          get-alert | where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0")} | resolve-alert -comment "CLOSE daily informational alerts" | out-Null;

          Configure command line execution settings as depicted in the image.


          Create
          image
           

          Next steps:

          Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)

           

           

           

           

          Create a rule to send notification when alert ‘RepeatCount’ equal xx within nn hours

          Operations Console > Authoring > Rules > Create a new rule

           

          Note

          Create a new destination management pack if required.

          Next

          image
          Select > ‘Root Management Server’ as the rule target.

          Note
          Un-tick the ‘Rule is enabled’ checkbox. 


          Next
          image
          Define the schedule as required. image
          Create a directory on the root management server i.e. c:\scripts > Save the following powershell script in the directory.

          Note
          Change the script as required i.e. path to OpsMgr startup.ps1 and rule name.

          # NotifyULogon.ps1
          # Author: Johan Vosloo
          # Date: 29-10-2009
          # Credit: Adapted from http://contoso.se/blog/?p=290 # Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required.
          # Change the Notification Recipient below.
          $Recipient = security@paris.com;
          add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client";
          Set-Location "c:\Program Files\System Center Operations Manager 2007";
          .\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1;
          # The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the surpressed alert.
          $alertdata = get-alert | where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0") -and ($_.RepeatCount -gt "3") -and ($_.CustomField1 -lt 0)} |
          Foreach
          {
              $_.Id;
              $alert_id = $_.Id;
              $alert_name = $_.Name;
              $alert_TimeRaised = $_.TimeRaised;
              $alert_Desc = $_.Description;
              $alert_RepeatCount = $_.RepeatCount;
              $alert_Severity = $_.Severity;
              $alert_priority = $_.Priority;
              $alert_MonitoringObjectDisplayName = $_.MonitoringObjectDisplayName;
              If ($alert_RepeatCount -gt 3)
              {
                  # Send Email
                  If ($alert_ID -eq $NULL)
                  {"Alert ID is NULL, dont send e-mail";}
                  ELSEIF ($recipient -eq $NULL)
                  {"Recipient is NULL, dont send e-mail";}
                  ELSE
                  {
                      # Change the from address and the mailserver below
                      $smtpServer = "mailserver.paris.com";
                      $smtpClient = new-object system.net.mail.smtpClient($smtpServer);
                      $From = notification@paris.com;
                      $To = $recipient;
                      $Title = "Notification from Ops Mgr. $alert_name $alert_Severity";
                      $Body = @"
                      Notification from Operations Manager 2007
                      RepeatCount: $alert_RepeatCount
                      Raised: $alert_TimeRaised
                      Name: $alert_name
                      Object: $alert_MonitoringObjectDisplayName
                      Priority: $alert_Priority
                      Severity: $alert_Severity
                      Description: $alert_description
          "@
                      $SmtpClient.Send($From,$To,$Title,$Body);
                      # Update Custom Field 1 on the alert. Else the script will send multiple e-mails for the same alert
                      $alert = Get-Alert | where {$_.Id -eq $Alert_ID};
                      $alert.Customfield1 = "Ops Mgr has sent e-mail to $recipient";
                      $alert.Update("");
                  };
              };
          };

          Configure command line execution settings as depicted in the image.


          Create
          image
           

          Next steps:

          Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)

           

           

           

          Scenario 4: Account locked out x number of times in a 24 hour period

          Disclaimer: This is another complex scenario and I am again not sure that my proposed solution is the simplest...it works though! J

          Prerequisites
          1. OpsMgr agent installed on domain controllers (more info...)
          2. Notification Channel, Subscriber & Subscription configured (more info...)
          3. Enable ‘Audit Account Management’ for the ‘Default Domain Controllers Policy’ (more info... and how to)
          Step-By-Step

          (Create one suppressed alert per locked out user account. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)

          Create an ‘Alert Generating Rule’ as below:
          (more info... and how to)

          Operations Console > Authoring > Rules > Create a new rule

           

          Note

          Create a new destination management pack if required.

          Next

          image
          Select > ‘Windows Domain Controller’

          Note
          Un-tick the ‘Rule is enabled’ checkbox. 


          Next
          image
          Select Security as the log name.


          Next
          image

          Configure the event expression as depicted in the image.

           

          Next

          We will use the following event id in this section:
          644 - A user account was auto locked.
          image
           
          Change the severity and priority settings as required.


          Alert Suppression
          image
          Configure the alert suppression fields as depicted in the image.


          Ok
          image
          Create image
           

          Next steps:

          1. Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)
          2. Repeat ‘Create a rule to resolve all Unsuccessful Logon Alerts on a daily basis’ section in scenario 3 above.
          3. Repeat ‘Create a rule to send notification when RepeatCount equal xx within nn hours’ in scenario 3 above.