Monitor locked out Domain Accounts with Microsoft SCOM 2012

From The IT Community

How to monitor locked out Domain Accounts with Microsoft SCOM 2012:

  • Create a Management Pack (e.g. Active Directory Security Management Pack)

  • Go to "Authoring" > "Management Pack Objects" > "Rules" > right-click > "Create a new rule..." > Rule Type "Event Based" > "NT Event Log (Alert)" > select the management pack you previously created (Active Directory Security Management Pack)

  • on "General" > Type in a Rule Name, choose as rule category "Custom" and select the rule target "Windows Domain Controller"

  • on "Event Log Type" > Log Name > Browse and select the "PDC Emulator" of your domain as the computer. Select the "Security" event log.

  • on "Build Event Expression" select "Event ID" as Parameter Name, choose "Equals" as Operator, and type in 4740 as Value (this is the event ID for "account is locked out")

  • on Configure Alerts > Type in the desired name for the Alert, choose the priority and the severity level and then press "create"

  • Done :-)
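
To check that the rule has something to fire on, the PDC emulator's Security log can be queried directly for event 4740. The script below is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that you may read the Security log on the domain controller, and a 24-hour look-back window chosen for illustration.

```powershell
# Added example: confirm the PDC emulator is logging event 4740 (account locked out)
# so the SCOM rule created above has events to alert on.
Import-Module ActiveDirectory

# The PDC emulator is the domain controller the rule reads from.
$pdc = (Get-ADDomain).PDCEmulator

# Look-back window is an assumption; adjust to your needs.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }

try {
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # "No matching events" is an expected outcome; access or connection errors are not.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

if (-not $events) {
    Write-Warning ("No 4740 events on $pdc since $since. If lockouts did occur, check that " +
        "'Audit User Account Management' (Success) is enabled on the domain controllers.")
    return
}

$events | ForEach-Object {
    # Collect the named EventData fields from the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = $_.TimeCreated
        LockedAccount  = $data['TargetUserName']
        # In event 4740 the TargetDomainName field holds the caller computer name.
        CallerComputer = $data['TargetDomainName']
        ReportedBy     = $data['SubjectUserName']
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The CallerComputer column shows which machine the failed logons came from, which is usually the first thing needed when the SCOM alert fires.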
