Auditing AD changes to groups
I've been trying to get AD to log changes to groups like the Domain Admins group. I have it working fine in a sense, but it's not the correct event ID that I need for SCOM. The event ID I'm getting is 5136, and all the directions I have point to it being more like 4728. I'm unable to extrapolate any of the data with SCOM with the event being 5136 because I'm not sure how to parse it. Is 5136 the only way to have it reported, or can I change some settings to get the 47xx codes back?
June 29th, 2012 10:58am
Hi,
Thanks for posting in Microsoft TechNet forums.
I suggest we check the information in the thread below to see if it can be helpful:
monitor the domain admins group in AD 2008
http://social.technet.microsoft.com/Forums/en-US/operationsmanagerauthoring/thread/0171bc67-b68e-46c8-8c2d-1df02550071d/
Regards
Kevin
July 1st, 2012 11:59pm
Thanks Kevin, I've read that over a couple of times but can't see anything on getting the correct event IDs. I am able to get logging working using the 5136 but I can't parse it. I'm not able to get the event IDs 4728, 4729, 4732, 4737, 4733, 4735 to display in the event log at all on my DC and can't seem to figure that out for a 2008 R2 DC. Is it not possible to get those event IDs any longer on 2008 R2?
July 2nd, 2012 9:19am
I was finally able to configure this. For those not able to find it, I configured it under Computer Config -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Account Management.
Mainly the advanced audit policy config was the key, not the local policies for me.
July 2nd, 2012 2:51pm
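The setting described in the post above, shown as an added example that is not part of the original thread: it enables the "Security Group Management" subcategory with `auditpol`, then reads the resulting events and flattens their `EventData` fields so a monitoring rule can match on group, member and actor. It assumes an elevated PowerShell session on the domain controller; the function name `Get-GroupChangeEvent` is hypothetical, and the event IDs are the ones listed in the thread.

```powershell
# Added example (not from the thread). Run elevated on the domain controller.
# Event IDs as listed in the thread.
$groupEventIds = 4728, 4729, 4732, 4733, 4735, 4737

# Local equivalent of the GPO path in the post:
# Advanced Audit Policy Configuration -> Account Management ->
# Audit Security Group Management. A GPO that sets this subcategory
# will overwrite a value set locally here.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Confirm the effective setting before expecting any 47xx events.
auditpol /get /subcategory:"Security Group Management"

# Hypothetical helper: returns one object per group-change event with the
# named EventData fields pulled out of the event XML.
function Get-GroupChangeEvent {
    param(
        [int[]]$Id = $groupEventIds,
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $After }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build a name -> value map from <EventData><Data Name="...">
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Member      = $data['MemberName']   # not present on 4735/4737
                MemberSid   = $data['MemberSid']
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
}

# Changes to Domain Admins in the last 24 hours.
Get-GroupChangeEvent |
    Where-Object { $_.Group -like '*\Domain Admins' } |
    Format-Table -AutoSize
```

If the `auditpol /get` output still shows "No Auditing" after a policy refresh, check whether legacy category-level audit settings are overriding the subcategory settings.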
Hi,
Thank you for sharing your experience and solution with us. They can be helpful to other community members who face similar problems.
Please feel free to create a new thread if you encounter other problems in the future.
Best Regards
Kevin
July 2nd, 2012 10:51pm