SCOM Monitors for Adding/Removing Members in a Security Enabled Local Group

Tracking security-relevant events in Active Directory is useful, and one thing SCOM can help with is tracking when users are added to or removed from a security group.

Under Authoring > Management Pack Objects > Monitors in the SCOM console, there are two monitors: one for members being added to a security group and one for members being removed from a security group.

Security Event Log ID 4732

This monitor watches the Security event log for occurrences of event ID 4732 on all Windows Computers.

Event ID 4732 is logged in the Security log when a member is added to a security-enabled local group.

When this event appears in the log, the Security Event Log ID 4732 monitor creates an alert with the event description as the alert description.

This monitor is a timer-reset monitor, so the alert will auto-resolve after a specified period of time. This monitor will reset to a healthy state after one day.

Security Event Log ID 4733

This monitor watches the Security event log for occurrences of event ID 4733 on all Windows Computers.

Event ID 4733 is logged in the Security log when a member is removed from a security-enabled local group.

When this event appears in the log, the Security Event Log ID 4733 monitor creates an alert with the event description as the alert description.

This monitor is a timer-reset monitor, so the alert will auto-resolve after a specified period of time. This monitor will reset to a healthy state after one day.

After these two monitors are created, SCOM will begin raising alerts whenever a member is added to or removed from a security-enabled local group.
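
To cross-check what the two monitors alert on, the same events can be read directly from a computer's Security log. The PowerShell below is an added example, not part of the original post or of any SCOM management pack; the function names Resolve-MemberSid and Convert-GroupChangeRecord are made up for this illustration, and the one-day window is chosen to match the monitors' reset timer.

```powershell
# Added example, not from the original post. Run in an elevated session on the
# computer being checked. 4732/4733 are only logged when the
# "Audit Security Group Management" audit subcategory is enabled.
$actions = @{ 4732 = 'Added'; 4733 = 'Removed' }

function Resolve-MemberSid {
    param([string]$Sid)
    try {
        $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # deleted or unreachable account: keep the raw SID
    }
}

function Convert-GroupChangeRecord {
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        # EventData fields are named in the event XML; index them by name.
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.MachineName
            Action      = $actions[[int]$Record.Id]
            Group       = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            Member      = Resolve-MemberSid $data.MemberSid
            ChangedBy   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        }
    }
}

# One day back, matching the monitors' one-day timer reset.
$filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddDays(-1) }
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($records) {
    $records | Convert-GroupChangeRecord | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Output 'No 4732/4733 events in the last day (or auditing is not enabled).'
}
```

If this returns nothing on a computer where group membership was just changed, check the audit policy before troubleshooting the monitors, since SCOM can only alert on events that Windows actually writes.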
