In this post I would like to share how to get an alert on Audit Account Management via SCOM 2007 R2.
In my implementation, I would like to monitor a specific event ID, such as Event ID 4726 – A User Account is deleted.
How do you do that? These are the two steps; I will describe the rest in another post.
1. Enable Audit Account Management via Group Policy (GPO).
2. Create a rule to alert on Event ID 4726.
How To Enable Audit Account Management via Group Policy?
By default, Audit Account Management is not defined, so I have to enable it.
- Open Group Policy Management on a domain controller.
- On the Domain Controllers OU, right-click and choose ‘Create GPO in this domain and link it here’.
- Rename the GPO to Audit Account Management.
- Right-click the Audit Account Management GPO and choose Edit.
- Go to Computer Configuration, expand Windows Settings, then Local Policies, and choose Audit Policy.
- Choose Audit Account Management, check the ‘Define these policy settings’ box, and enable Success and Failure.
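To confirm that the GPO above has taken effect and that deletions are actually being logged, the following added example (not part of the original post) checks the effective audit policy on the domain controller and lists recent 4726 events. It assumes an elevated PowerShell prompt on an English-language domain controller; the 24-hour window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell prompt on a domain controller.
# Assumes an English-language system (auditpol subcategory names are localized).

# Apply the new GPO now instead of waiting for the next policy refresh.
gpupdate /target:computer /force

# auditpol reports the effective policy; /r emits CSV. Drop blank lines before parsing.
$policy = auditpol /get /category:"Account Management" /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv

$policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize | Out-Host

# Event ID 4726 is logged under the "User Account Management" subcategory.
$uam = $policy | Where-Object { $_.Subcategory -eq 'User Account Management' }
if (-not $uam) {
    Write-Warning 'User Account Management subcategory not found in auditpol output.'
} elseif ($uam.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Success auditing is off ($($uam.'Inclusion Setting')); 4726 will not be logged."
} else {
    Write-Host "User Account Management: $($uam.'Inclusion Setting')"
}

# List 4726 events from the last 24 hours (window chosen for illustration).
$filter = @{ LogName = 'Security'; Id = 4726; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read named fields from the event XML rather than relying on property order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Deleted   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        DeletedBy = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    }
}
if (-not $events) { Write-Host 'No 4726 events in the last 24 hours.' }
```

Deleting a disposable test account before running the script is a quick way to confirm that a 4726 event appears in the Security log.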
Later, in part 2, I will show you how to create a rule to alert on Event ID 4726.