Active Directory User Auditing – SCOM 2012

In my last chapter I was talking about AD user account auditing with PowerShell scripting and Task Scheduler. I also provided a list of Event IDs.
This time I will show you how to create those notifications through System Center Operations Manager.

In the OM Console, open Authoring.

The next thing is to go to Rules and create a new one.

These events are Security events in the NT Event Log, so we choose Alert Generating Rules, then Event Based, then NT Event Log.

/*************/
My suggestion is to create a custom AD User Events management pack in which to store these rules. It is easier to edit or change things when you have your own packs.
/***********/

Now select the Default Management Pack, or the newly created AD custom pack.

After this, name your rule and set its category and target.
Targets are Domain Controllers, which you defined when

Next, set the log type to Security, because it is a security-based rule.

Create an expression for Event ID 4740 (account lockout) from Security Auditing.

On the next screen, you have the option to design your own alert description, with Priority and Severity. For a locked account I suggest setting them to Low and Warning.
In the description you can use the already configured placeholders, or create your own.
Once the rule is created, you can test it by locking an account.

As you see, I have two Domain Controllers, and the account is locked on both, which is OK, since the DCs are synced.

Now you can create these rules for all the event IDs you like.

Good Luck

Uninstall of SC agents from Core OS

I uninstalled VMM 2012 from one server, but its agents remained on my Hyper-V Core installation servers. How do you uninstall them if there is no Add/Remove Programs, or you don't have the original agent .msi package?

On Core OS (2008 or 2012), run regedit.
Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.
Expand Uninstall, then search the subkeys for one whose DisplayName value is "System Center Virtual Machine Manager Agent (x64)"; that subkey belongs to the VMM agent.
Now, from that same subkey, copy the entire UninstallString value (for example: MsiExec.exe /I{5142AB0B-73E3-4AD3-9D0F-65B3D9026769}) into a CMD window on the Core OS and press Enter.
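The same registry lookup done from PowerShell instead of regedit, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on the Core server and also checks the WOW6432Node view, which the post does not mention; the function name Find-UninstallEntry is my own.

```powershell
# Added example (not from the original post): locate an MSI-installed product's
# uninstall entry in the registry on a Server Core host and show how to remove it.
# Assumptions: run from an elevated PowerShell prompt on the Core server itself,
# and the product is registered under the standard Uninstall keys.

function Find-UninstallEntry {
    param(
        [Parameter(Mandatory)]
        [string]$DisplayName          # exact name or wildcard pattern to look for
    )
    # Native key (the one the post walks through) plus the 32-bit view on x64 hosts
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like $DisplayName) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    ProductCode     = $_.PSChildName     # {GUID} subkey name for MSI installs
                    UninstallString = $p.UninstallString
                    KeyPath         = $_.PSPath
                }
            }
        }
    }
}

# Look up the VMM agent entry the post describes
$entry = Find-UninstallEntry -DisplayName 'System Center Virtual Machine Manager Agent (x64)'
if (-not $entry) { Write-Warning 'No matching uninstall entry found'; return }
$entry | Format-List

# Review before acting: the registered string uses /I (install/maintenance mode);
# msiexec's uninstall switch is /x, and /qn keeps it unattended on Server Core.
# Uncomment the line below only after confirming ProductCode is the agent you expect.
# Start-Process -FilePath msiexec.exe -ArgumentList "/x $($entry.ProductCode) /qn" -Wait
```

The post's own step runs the UninstallString exactly as registered; the commented line shows the equivalent unattended removal by ProductCode.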

Good Luck