SCOM alert for user account is locked out
http://social.technet.microsoft.com/Forums/ru-RU/mscomops/thread/8dc849b6-dd2d-44c3-9672-d12a3fcfbe93 Hi, I saw prev post and need instruction step-by-step, can any1 helps me ?
October 16th, 2010 10:39am
Hi Mark I am not sitting in front of a console at the moment but it is something like Go to SCOM - Authoring- Rules -New Rule You are looking for rule Alert generating rule - NT event logs Event log = security Source = microsoft windows security Event id = as per the post above. Scope the rule to Microsoft domain controller role Place the rule in an unsealed MP other than the default MP!Paul Keely
October 16th, 2010 11:51am
Be aware that EventIDs 531\532\535\539\644 is for Windows Server 2003. If you're using Windows Server 2008\2008 R2 you'll need another EventIDs. You can find it here: Security audit events for Microsoft Windows Server 2008 and Microsoft Windows Vista Security Audit Events for Windows 7 and Windows Server 2008 R2 http://OpsMgr.ru/
October 16th, 2010 10:37pm
Hi, I would like to share the following information about how to create event monitor: http://bradstechblog.com/scom/how-to-create-a-scom-windows-events-monitor-and-alert-on-the-description-field Please Note: Since above web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this informationPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 18th, 2010 11:23am
Thnx! I tryed it all, but failed. I have WServer 2k8 for SCOM and DC, SCOM 2007 R2, SQL 2005 and ACS service installed.
October 19th, 2010 12:43pm
Can you provide us with more details? Do you see any errors? Or your custom rule isn't working as you expected?http://OpsMgr.ru/
October 19th, 2010 1:14pm
I didn't see any errors. I create other rules (monitor Print Spooler service for test, monitor EventID 10 (printing)) and it is work fine. But no one event from Security log unavaliable for me.
October 19th, 2010 2:20pm
Can you post your XML here?http://OpsMgr.ru/
October 19th, 2010 2:34pm
Wow, I re-create the rule and now it works! Thnx 2 all :)
October 19th, 2010 4:02pm