Active Directory; SCOM2012; SCOM2016; WMI; Security

SCOM 2016 – Monitor Changes to the Domain Administrators Group

Standard

In this blog post I am going to take you thru the steps I took to monitor changes made to the Domain Administrators Group inside a Active Directory.

First step is to create a management pack where we store the WMI-Discovery, the Monitors and the Views. A manual on how to create a management pack using the system center operations manager console can be found here

  1. Start the “System Center Operations Manager Console” and navigate to “Authoring
  2. In the “System Center Operations Manager Console” in the “Authoring” section expand “Management Pack Object” and select “Attributes
  3. In the “System Center Operations Manager Console” in the “Attributes” section right click “Attributes” and click “Create a New AttributeAttribute01 
  4. In the “Create Attribute Wizard”in the “General Properties” section  give the attribute the name  “Running Domain Controller Service” and click “Next
    Attribute02
  5. In the “Create Attribute Wizard” in the “Discovery Method” section, change the following settings:
    • Change the "Discovery Type" to "WMI Query"
    • Change the "Target" to "Windows Server"
    • Change the "Management Pack" to "Group Member Changes"

    In the “Create Attribute Wizard” in the “Discovery Method” section click “Next”. The result should look something like this:
    Attribute03

  6. In the “Create Attribute Wizard” in the “WMI Configuration” section change the following settings:
    • Change the "WMI Namespace" to "root\cimv2"
    • Change the "Query" to "select * from Win32_OperatingSystem where (ProductType = "2""
    • Change the "Property Name" to "ProductType"
    • change the "Frequency" to "900"

    In the “Create Attribute Wizard” in the “WMI Configuration” section click “Finish”. The result should look something like this:
    Attribute04

Now that we created the attribute we need to create a Group.

  1. Start the “System Center Operations Manager Console” and navigate to “Authoring
  2. In the “System Center Operations Manager Console” in the “Authoring” section select “Groups
  3. In the “System Center Operations Manager Console” in the “Authoring” section right click “Groups” and click “Create a New Group
    Group01
  4. In the “Create Group Wizard” in the “General Properties” section change the following settings: 
    • Change the "Name" to "Servers Running Domain Controller Service"
    • Change the "Management Pack" to "Group Member Changes"

    In the “Create Group Wizard” in the “General Properties” section click "Next". The result should look something like this.
    Group02

  5. In the “Create Group Wizard” in the “Explicit Members” section click “Next
  6. In the “Create Group Wizard” in the “Dynamic Members” section click “Create/Edit Rules
  7. In the “Create Group Wizard -  Query Builder” wizard, set the following settings: 
    • Change the "Select the Desired class and click add button to begin building the formule" to "Windows Server_Extended" click "Add"
    • From the Pull down list select "Running Domain Controller Service"
    • Set the Operator to "Greater"
    • Change the Value to "2" and click "Ok"

    In the “Create Group Wizard” in the “Dynamic Members” section click "Next". The result should look something like this.:
    Group04

  8. In the “Create Group Wizard” in the “Subgroups” section click "Next".
  9. In the “Create Group Wizard” in the “Excluded Members” section click "Create".

When you look at which servers are managed by the above created groups

Group05

Now its time to create a custom rule to monitor the changes made to the Domain Admins Groups

  1. Start the "System Center Operations Manager Console" and navigate to “Authoring
  2. In the “System Center Operations Manager Console” in the “Authoring” section expand “Management Pack Object” and select “Rules
  3. In the “System Center Operations Manager Console” in the “Attributes” section right click “Attributes” and click “Create a New Rule
    Rule01
  4. In the “Create Rules Wizard” in the “Rule Type” section, set the following settings:
    • In the "Select the type of rule to create" expand "Alert Generating Rules", "Event Based" and select "NT Event Log (Alert)"
    • In the "Management pack" section select the "Group Member Changes" management pack

    In the “Create Rule Wizard” in the “Rule Type” section click "Next". The result should look something like this.:
    Rule02

  5. In the “Create Rule Wizard”, in the “General” section, set the following settings:
    • Enter the "Rule Name" "Security Group Alert – User Added to Group"
    • Change the "Rule Category" to "Alert"
    • Change the "Rule Target" to "Windows Server"
    • Uncheck "Rule is enabled"

    In the “Create Rule Wizard” in the “General” section click "Next". The result should look something like this.:
    Rule03

  6. In the “Create Rule Wizard” in the “Event Log Type” section change the log name to “Security” and click “Next
  7. In the “Create Rule Wizard” in the “Build event Expression” section., change Event-ID Value to “4782”, change the event source to “Parameter 3” whit the value “Domain Admins”. Click “Next” The result should look something like this:
    Rule04
  8. In the “Create Rule Wizard” in the “Configure Alerts” section. Click “Create.
    Rule05

When you now add a user to the Domain Admins group the following alert is generated.

Warning

I created a management pack which is also monitoring the “Domain Admins”, “Schema Admins”, “Enterprise Admins”. The only difference. is that a warning is generated and that the rules are enabled. You can download the management pack from here