http://social.technet.microsoft.com/Forums/ru-RU/mscomops/thread/8dc849b6-dd2d-44c3-9672-d12a3fcfbe93 Hi, I saw prev post and need instruction step-by-step, can any1 helps me ?

Hi Mark I am not sitting in front of a console at the moment but it is something like Go to SCOM - Authoring- Rules -New Rule You are looking for rule Alert generating rule - NT event logs Event log = security Source = microsoft windows security Event id = as per the post above. Scope the rule to Microsoft domain controller role Place the rule in an unsealed MP other than the default MP!Paul Keely

Be aware that EventIDs 531\532\535\539\644 is for Windows Server 2003. If you're using Windows Server 2008\2008 R2 you'll need another EventIDs. You can find it here: Security audit events for Microsoft Windows Server 2008 and Microsoft Windows Vista Security Audit Events for Windows 7 and Windows Server 2008 R2 http://OpsMgr.ru/

Hi, I would like to share the following information about how to create event monitor: http://bradstechblog.com/scom/how-to-create-a-scom-windows-events-monitor-and-alert-on-the-description-field Please Note: Since above web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this informationPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thnx! I tryed it all, but failed. I have WServer 2k8 for SCOM and DC, SCOM 2007 R2, SQL 2005 and ACS service installed.

Can you provide us with more details? Do you see any errors? Or your custom rule isn't working as you expected?http://OpsMgr.ru/

I didn't see any errors. I create other rules (monitor Print Spooler service for test, monitor EventID 10 (printing)) and it is work fine. But no one event from Security log unavaliable for me.

Can you post your XML here?http://OpsMgr.ru/

Wow, I re-create the rule and now it works! Thnx 2 all :)