Monitoring Account Lockouts using scom can be tricky. The default Event Log Data Source of SCOM cannot perform well especially on security logs on Domain Controllers.
The management pack can be downloaded here and you can click here for Installation steps.
-
Find Out Locking Computer: The management pack not only finds out the LastLockingComputer but also reports all the LockingComputers for the account to support fixing all computers at one operation!.
-
Performance: Scan the event log with the best performing way. The MP can scan 1gb / 1.5 million events in 80 seconds.
The magic here is to use Xpath query of Get-WinEvent. The following is the query used in the script.
$EventLogParams = @{
'LogName' = 'Security'
'FilterXPath' = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$($LockedAccount.SAmAccountName)']]"
}
$Events = @(Get-WinEvent @EventLogPArams)- SCOM Agent must be Installed PDC Emulator Role
- ActiveDirectory Module installed on PDC Emulator Role. If you need to find out PDC Emulator Role on your environment before Installing the Management Pack run the following PowerShell line on any Domain controller.
(Get-ADDomain -ErrorAction stop).PDCEmulator
- Active Directory Management Pack version 10.0.2.2. Download
- Please ensure you meet the Requirements
- Download the management pack and extract the zip file.
- There are 3 versions select the version required by your environment.
- In Operations Manager Console click Administration.
- Right click on Administration and select "Import Management Packs"
- "Add/Add from disks/No" and select the mp desired from the path extracted in the first step.
- Click Install.