The other day I was asked to assist with implementing the scenarios below:

• Scenario 1: Alert for changes to the ‘Domain Admin’ group membership
• Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)
• Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours
• Scenario 4: Account locked out x number of times in a 24 hour period

I’ve decided to blog about it as I am likely to need it again in the future and it may help someone else as well!

Scenario 1: Alert for changes to the ‘Domain Admin’ group membership

Prerequisites

1. OpsMgr agent installed on domain controllers (more info...)
2. Notification Channel, Subscriber & Subscription configured (more info...)
3. Enable ‘Audit Account Management’ for the ‘Default Domain Controllers Policy’ (more info... and how to)

Step-by-Step

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)
 
Note: Rules are used here instead of monitors as monitors will affect Parent Monitors while rules will not.

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox.  Next
Select Security as the log name. Next
Configure the event expression as depicted in the image. Next	We will use the following event id’s in this section: 632 – A member was added to a global group. 633 – A member was removed from a global group. Note there are two ways to do this: Use Parameter 3 in screenshot above (more info here and here) or; ‘Use parameter name not specified above’ and ‘EventDescription’. Method 1 is preferred.
Change the severity and priority settings as required. Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...) Create a notification subscription for the rule. (more info...)

Alert example

Scenario 2: Alert when the Audit Policy is changed (Default Domain or Domain Controller)

Prerequisites

1. OpsMgr agent installed on domain controllers (more info...)
2. Notification Channel, Subscriber & Subscription configured (more info...)
3. Enable ‘Audit Policy Change’ for ‘Default Domain Policy’ (more info... and how to)

Step-by-Step

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Operations Console > Authoring > Rules > Create a new rule Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox.  Next
Select Security as the log name. Next
Configure the event expression as depicted in the image.   Next	We will use the following event id in this section: 612 – An audit policy was changed.
Change the severity and priority settings as required. Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...) Create a notification subscription for the rule. (more info...)

Alert example

Scenario 3: Alert when xx number of unsuccessful logons occur within nn hours

Disclaimer: This is a complex scenario and I am not sure that my proposed solution is the simplest...it works though! :-)

The following is relatively easy to do though:

· Create an alert for each Unsuccessful Logon.

· Create an alert for each Unsuccessful Logon for a specific user.

· Create one suppressed alert (i.e. repeat count is increased) for all Unsuccessful Logons.

· Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx. I documented only this scenario below.

Prerequisites

1. OpsMgr agent installed on domain controllers (more info...)
2. Notification Channel, Subscriber & Subscription configured (more info...) – not strictly speaking necessary for the proposed solution.
3. Enable ‘Audit Account Logon Events’ for ‘Default Domain Controller Policy’ (more info... and how to)

Step-By-Step

(Create one suppressed alert per user account that attempted an unsuccessful logon. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Operations Console > Authoring > Rules > Create a new rule   Note Create a new destination management pack if required.   Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox.  Next
Select Security as the log name. Next
Configure the event expression as depicted in the image.   Next	We will use the following event id in this section: 675 - Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
Change the severity and priority settings as required. Alert Suppression
Configure the alert suppression fields as depicted in the image. Ok
Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...)

Alert example

Create a rule to resolve all unsuccessful logon alerts on a daily basis

Operations Console > Authoring > Rules > Create a new rule   Note Create a new destination management pack if required. Next
Select > ‘Root Management Server’ as the rule target. Note Un-tick the ‘Rule is enabled’ checkbox.  Next
Define the schedule as required.
Create a directory on the root management server i.e. c:\scripts > Save the following powershell script in the directory. Note Change the script as required i.e. path to OpsMgr startup.ps1 and rule name.	# ResolveUL.ps1 # Author: Johan Vosloo # Date: 29-10-2009 # Note: The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the surpressed alert. # Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required. add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; Set-Location "c:\Program Files\System Center Operations Manager 2007"; .\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1; get-alert | where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0")} | resolve-alert -comment "CLOSE daily informational alerts" | out-Null;
Configure command line execution settings as depicted in the image. Create
	Next steps: Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)

Create a rule to send notification when alert ‘RepeatCount’ equal xx within nn hours

Operations Console > Authoring > Rules > Create a new rule   Note Create a new destination management pack if required. Next
Select > ‘Root Management Server’ as the rule target. Note Un-tick the ‘Rule is enabled’ checkbox.  Next
Define the schedule as required.
Create a directory on the root management server i.e. c:\scripts > Save the following powershell script in the directory. Note Change the script as required i.e. path to OpsMgr startup.ps1 and rule name.	# NotifyULogon.ps1 # Author: Johan Vosloo # Date: 29-10-2009 # Credit: Adapted from http://contoso.se/blog/?p=290 # Script requires Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1 to be in "c:\Program Files\System Center Operations Manager 2007" - Change as required. # Change the Notification Recipient below. $Recipient = security@paris.com; add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"; Set-Location "c:\Program Files\System Center Operations Manager 2007"; .\Microsoft.EnterpriseManagement.OperationsManager.ClientShell.Startup.ps1; # The name i.e. "Custom Rule - Count Unsuccessful Logons" below must match the rule name that is used to create the surpressed alert. $alertdata = get-alert | where {($_.Name -eq "Custom Rule - Count Unsuccessful Logons") -and ($_.ResolutionState -eq "0") -and ($_.RepeatCount -gt "3") -and ($_.CustomField1 -lt 0)} | Foreach {     $_.Id;     $alert_id = $_.Id;     $alert_name = $_.Name;     $alert_TimeRaised = $_.TimeRaised;     $alert_Desc = $_.Description;     $alert_RepeatCount = $_.RepeatCount;     $alert_Severity = $_.Severity;     $alert_priority = $_.Priority;     $alert_MonitoringObjectDisplayName = $_.MonitoringObjectDisplayName;     If ($alert_RepeatCount -gt 3)     {         # Send Email         If ($alert_ID -eq $NULL)         {"Alert ID is NULL, dont send e-mail";}         ELSEIF ($recipient -eq $NULL)         {"Recipient is NULL, dont send e-mail";}         ELSE         {             # Change the from address and the mailserver below             $smtpServer = "mailserver.paris.com";             $smtpClient = new-object system.net.mail.smtpClient($smtpServer);             $From = notification@paris.com;             $To = $recipient;             $Title = "Notification from Ops Mgr. $alert_name $alert_Severity";             $Body = @"             Notification from Operations Manager 2007             RepeatCount: $alert_RepeatCount             Raised: $alert_TimeRaised             Name: $alert_name             Object: $alert_MonitoringObjectDisplayName             Priority: $alert_Priority             Severity: $alert_Severity             Description: $alert_description "@             $SmtpClient.Send($From,$To,$Title,$Body);             # Update Custom Field 1 on the alert. Else the script will send multiple e-mails for the same alert             $alert = Get-Alert | where {$_.Id -eq $Alert_ID};             $alert.Customfield1 = "Ops Mgr has sent e-mail to $recipient";             $alert.Update("");         };     }; };
Configure command line execution settings as depicted in the image. Create
	Next steps: Enable newly created rule for ‘all objects of class: Root Management Server’ by using an override. (more info...)

Scenario 4: Account locked out x number of times in a 24 hour period

Disclaimer: This is another complex scenario and I am again not sure that my proposed solution is the simplest...it works though! J

Prerequisites

1. OpsMgr agent installed on domain controllers (more info...)
2. Notification Channel, Subscriber & Subscription configured (more info...)
3. Enable ‘Audit Account Management’ for the ‘Default Domain Controllers Policy’ (more info... and how to)

Step-By-Step

(Create one suppressed alert per locked out user account. Add 1 to the ‘RepeatCount’ for each subsequent occurrence in a 24 hour period. Create a rule to auto-resolve all related active alerts. Create a rule to send hourly notifications when the ‘RepeatCount’ exceeds xx.)

Create an ‘Alert Generating Rule’ as below:
(more info... and how to)

Operations Console > Authoring > Rules > Create a new rule   Note Create a new destination management pack if required. Next
Select > ‘Windows Domain Controller’ Note Un-tick the ‘Rule is enabled’ checkbox.  Next
Select Security as the log name. Next
Configure the event expression as depicted in the image.   Next	We will use the following event id in this section: 644 - A user account was auto locked.
Change the severity and priority settings as required. Alert Suppression
Configure the alert suppression fields as depicted in the image. Ok
Create
	Next steps: Enable newly created rule for ‘all objects of class: Windows Domain Controller’ by using an override. (more info...) Repeat ‘Create a rule to resolve all Unsuccessful Logon Alerts on a daily basis’ section in scenario 3 above. Repeat ‘Create a rule to send notification when RepeatCount equal xx within nn hours’ in scenario 3 above.

Scenarios that are discussed in this blog post include:

• Scenario 1: Computers joined to the domain (names and description)
• Scenario 2: User passwords expired
• Scenario 3: User accounts locked out
• Scenario 4: Group policy changes

Scenario 1: Computers joined to the domain (names and description)

The following Event Id’s will be used in this procedure:

645 - A computer account was created.

646 - A computer account was changed.

647 - A computer account was deleted.

Note: Computer description cannot be reported on as it is not a parameter of the events.

Computer Accounts Created

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section
Step 3 Rename fields
Step 4 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 5 Right click inside the ‘Computer’ field > Edit Formula > Enter the formula as indicated in the image
Step 6 Select Filter from the toolbar. Add Event Id and select 645 Note Event Id 645 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event.
Report example

Computer Accounts Deleted

Save the report created above as a different name, change the title and simply change the event id in step 6 above to 647 to report on deleted computer accounts.

Report example

Computer Accounts Changed

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Right click inside the ‘Action’ field > Edit Formula > Enter the formula as indicated in the image
Step 5 Select Filter from the toolbar. Add Event Id and equals 647. Also add   String 06 and not equal to - Note Event Id 647 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event.
Report example

Scenario 2: User passwords expired

Event Id 535 (Logon failure. The password for the specified account has expired) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id and equals 535. Also add   String 06 and not equal to - Note Event Id 535 will not be available if Audit logon events is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event or there were no logon attempts by users with expired passwords.
Report example

Scenario 3: User accounts locked out

Event Id 644 (A user account was auto locked) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id and equals 644. Note Event Id 644 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event or if the Account Lockout Policy is not configured with a threshold for logon attempts.
Report example

Scenario 4: Group policy changes

Event Id 566 (A generic object operation took place) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id and equals 566. Also add String 01 contains groupPolicyContainer  Note Event Id 566 will not be available if Audit Directory Service Access is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event.
Step 5 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
Step 6 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
Report example	Note: I added a text box with the KB URL to convert GPO GUID’s to GPO names.

1. Manually enable the ‘Operations Manager Audit Forwarding Service’ (AdtAgent.exe).
2. Regedit > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AdtAgent\Parameters] > New > Multi-String Value > AdtServers > ‘CollectorFQDN’

Note: Step 2 resolved Event ID 4369 (with a blank list of collectors) for me.

Hopefully this configuration of roles will only ever be used in a lab environment!