In this blog post I am going to take you through the steps I took to monitor changes made to the Domain Admins group in Active Directory with System Center Operations Manager.
The first step is to create a management pack (named “Group Member Changes” in this post) to hold the WMI discovery, the group, the rules and the views. A manual on how to create a management pack using the System Center Operations Manager console can be found here
- Start the “System Center Operations Manager Console” and navigate to “Authoring”
- In the “System Center Operations Manager Console” in the “Authoring” section expand “Management Pack Objects” and select “Attributes”
- In the “System Center Operations Manager Console” in the “Attributes” section right click “Attributes” and click “Create a New Attribute”
- In the “Create Attribute Wizard” in the “General Properties” section give the attribute the name “Running Domain Controller Service” and click “Next”
- In the “Create Attribute Wizard” in the “Discovery Method” section, change the following settings:
- Change the "Discovery Type" to "WMI Query"
- Change the "Target" to "Windows Server"
- Change the "Management Pack" to "Group Member Changes"
In the “Create Attribute Wizard” in the “Discovery Method” section click “Next”. The result should look something like this:
- In the “Create Attribute Wizard” in the “WMI Configuration” section change the following settings:
- Change the "WMI Namespace" to "root\cimv2"
- Change the "Query" to "select * from Win32_OperatingSystem where ProductType = 2"
- Change the "Property Name" to "ProductType"
- Change the "Frequency" to "900"
ProductType is a numeric property of Win32_OperatingSystem (1 = workstation, 2 = domain controller, 3 = member server), so the value in the WQL query is not quoted. Because the query filters on ProductType = 2, it returns a row, and therefore populates the attribute, on domain controllers only.
In the “Create Attribute Wizard” in the “WMI Configuration” section click “Finish”. The result should look something like this:
Now that we have created the attribute, we need to create a group that uses it.
- Start the “System Center Operations Manager Console” and navigate to “Authoring”
- In the “System Center Operations Manager Console” in the “Authoring” section select “Groups”
- In the “System Center Operations Manager Console” in the “Authoring” section right click “Groups” and click “Create a New Group”
- In the “Create Group Wizard” in the “General Properties” section change the following settings:
- Change the "Name" to "Servers Running Domain Controller Service"
- Change the "Management Pack" to "Group Member Changes"
In the “Create Group Wizard” in the “General Properties” section click "Next". The result should look something like this.
- In the “Create Group Wizard” in the “Explicit Members” section click “Next”
- In the “Create Group Wizard” in the “Dynamic Members” section click “Create/Edit Rules”
- In the “Create Group Wizard - Query Builder” dialog, set the following:
- Under “Select the desired class and click the Add button to begin building the formula”, select “Windows Server_Extended” (the class SCOM created when the attribute was added to “Windows Server”) and click “Add”
- From the pull-down list select “Running Domain Controller Service”
- Set the Operator to “Equals”
- Change the Value to “2” and click “OK”
The attribute only exists on servers where the discovery query returned a row, and on those it always holds the value 2, so matching on that value selects exactly the domain controllers.
In the “Create Group Wizard” in the “Dynamic Members” section click "Next". The result should look something like this:
- In the “Create Group Wizard” in the “Subgroups” section click "Next".
- In the “Create Group Wizard” in the “Excluded Members” section click "Create".
When you look at which servers are members of the group created above, only the domain controllers should be listed.
Now it's time to create a custom rule to monitor the changes made to the Domain Admins group.
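Before trusting the dynamic group, it is worth running the discovery query yourself against a few servers and checking which ones it would pull in. The following PowerShell function is an added example, not code from the original post; it runs the same namespace and query as the attribute over CIM (WinRM access to the target servers and the placeholder host names are assumptions) and reports the raw ProductType next to the discovery result, so a server that unexpectedly lands in or out of the group is explained at once.

```powershell
# Added example (not from the original post): verify the WMI discovery query behind the
# "Running Domain Controller Service" attribute against one or more servers.
# Win32_OperatingSystem.ProductType is 1 on workstations, 2 on domain controllers and
# 3 on member servers, so the filtered query returns a row on domain controllers only.
# The host names and remote CIM (WinRM) access are assumptions for this example.

function Test-DcDiscoveryQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # Same namespace and query as the SCOM attribute. ProductType is numeric,
    # so the comparison value is not quoted.
    $namespace = 'root\cimv2'
    $query     = 'SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = 2'

    $meaning = @{ 1 = 'Workstation'; 2 = 'Domain Controller'; 3 = 'Member Server' }

    foreach ($computer in $ComputerName) {
        try {
            # Unfiltered value first, so the report explains why a host is in or out.
            $os = Get-CimInstance -ComputerName $computer -Namespace $namespace `
                    -ClassName Win32_OperatingSystem -ErrorAction Stop

            # The discovery query itself: a DC returns one row, anything else returns nothing.
            $hit = Get-CimInstance -ComputerName $computer -Namespace $namespace `
                    -Query $query -ErrorAction Stop

            [pscustomobject]@{
                ComputerName   = $computer
                ProductType    = [int]$os.ProductType
                Role           = $meaning[[int]$os.ProductType]
                WouldBeInGroup = [bool]$hit   # what the "Equals 2" group rule will see
            }
        }
        catch {
            # A host that cannot be queried is not discovered at all, so it is out of the group.
            [pscustomobject]@{
                ComputerName   = $computer
                ProductType    = $null
                Role           = "ERROR: $($_.Exception.Message)"
                WouldBeInGroup = $false
            }
        }
    }
}

# Usage (host names are placeholders):
# Test-DcDiscoveryQuery -ComputerName 'DC01', 'DC02', 'FILE01' | Format-Table -AutoSize
```

Run it from a machine with CIM access to the servers; a domain controller should show ProductType 2 and WouldBeInGroup True, and a member server ProductType 3 and False. If a DC shows False, the discovery will not populate the attribute there either, and the SCOM rule override for the group will never reach it.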
- Start the "System Center Operations Manager Console" and navigate to “Authoring”
- In the “System Center Operations Manager Console” in the “Authoring” section expand “Management Pack Objects” and select “Rules”
- In the “System Center Operations Manager Console” in the “Rules” section right click “Rules” and click “Create a New Rule”
- In the “Create Rule Wizard” in the “Rule Type” section, set the following settings:
- In the "Select the type of rule to create" expand "Alert Generating Rules", "Event Based" and select "NT Event Log (Alert)"
- In the "Management pack" section select the "Group Member Changes" management pack
In the “Create Rule Wizard” in the “Rule Type” section click "Next". The result should look something like this:
- In the “Create Rule Wizard”, in the “General” section, set the following settings:
- Enter the "Rule Name" "Security Group Alert – User Added to Group"
- Change the "Rule Category" to "Alert"
- Change the "Rule Target" to "Windows Server"
- Uncheck "Rule is enabled"
Leaving the rule disabled lets you enable it afterwards with an override scoped to the “Servers Running Domain Controller Service” group, so it only runs on the domain controllers; group membership changes are written to the Security log of the domain controller that processed them, not to member servers.
In the “Create Rule Wizard” in the “General” section click "Next". The result should look something like this:
- In the “Create Rule Wizard” in the “Event Log Type” section change the log name to “Security” and click “Next”
- In the “Create Rule Wizard” in the “Build Event Expression” section, set the “Event ID” to “4728” (“A member was added to a security-enabled global group”; Domain Admins is a global group) and add a second expression “Parameter 3” equals “Domain Admins”. Parameter 3 of event 4728 is TargetUserName, the name of the group that was changed. Click “Next”. The result should look something like this:
- In the “Create Rule Wizard” in the “Configure Alerts” section click “Create”.
Event 4728 is only written when the “Audit Security Group Management” subcategory is enabled for Success on the domain controllers; without it the rule never fires. Also note that Enterprise Admins and Schema Admins are universal groups, so a member added to them is logged as event 4756 rather than 4728.
When you now add a user to the Domain Admins group, the following alert is generated.
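To confirm that the events the rule keys on are actually present on a domain controller, and to see what the rule's "Parameter 3" matches, the following PowerShell function is an added example (not part of the original post or its management pack). It reproduces the rule's logic with an XPath filter over the Security log and goes a little beyond the single rule above: it also picks up removals (4729) and the universal-group equivalents (4756 added, 4757 removed), which is what Enterprise Admins and Schema Admins generate. The default group list, the 24-hour window and the remote access to the DC are assumptions for the example; the audit-policy check runs on the local machine and needs an elevated prompt.

```powershell
# Added example (not from the original post): list recent membership changes to
# privileged groups on a domain controller, matching the same way the SCOM rule does.
# Event IDs: 4728/4729 = member added/removed from a security-enabled global group,
# 4756/4757 = the same for a universal group. In all four, the EventData field
# TargetUserName (SCOM "Parameter 3") holds the name of the group that changed.
# The group list, time window and host name are assumptions for this example.

function Get-PrivilegedGroupChange {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$GroupName  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [int]$Hours           = 24
    )

    $ids = @{
        4728 = 'Added (global group)'
        4729 = 'Removed (global group)'
        4756 = 'Added (universal group)'
        4757 = 'Removed (universal group)'
    }

    # Prerequisite check (local host only): without this subcategory none of these events exist.
    $audit = auditpol /get /subcategory:"Security Group Management" 2>$null
    if (-not $audit) {
        Write-Warning 'Could not read the audit policy (run elevated); cannot confirm Security Group Management auditing.'
    }
    elseif ($audit -notmatch 'Success') {
        Write-Warning 'Audit "Security Group Management" (Success) is not enabled; events 4728/4756 will not be written.'
    }

    # Build the XPath filter: any of the four IDs, inside the window, for any listed group.
    $idFilter    = ($ids.Keys   | ForEach-Object { "EventID=$_" }) -join ' or '
    $groupFilter = ($GroupName  | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
    $windowMs    = $Hours * 3600 * 1000
    $xpath = "*[System[($idFilter) and TimeCreated[timediff(@SystemTime) <= $windowMs]] and EventData[$groupFilter]]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Action    = $ids[$_.Id]
                Group     = $data['TargetUserName']            # what SCOM sees as Parameter 3
                Member    = $data['MemberName']                 # DN of the account added/removed
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
}

# Usage (host name is a placeholder):
# Get-PrivilegedGroupChange -ComputerName 'DC01' -Hours 48 | Format-Table -AutoSize
```

If the function returns nothing right after a test change, check the warning about the audit subcategory first and then query the DC that actually handled the change; each domain controller only logs the membership changes it processed itself, which is why the SCOM rule has to run on every DC in the group rather than on one.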
I created a management pack which also monitors the “Domain Admins”, “Schema Admins” and “Enterprise Admins” groups. The only differences are that a warning is generated and that the rules are enabled. You can download the management pack from here