Go into authoring and go to monitors.  Scope the list to Windows Servers ( the more I think about it, I may revise this to apply only to dc’s since they’re the ones that notate a computer account creation).

Create a new Unit Monitor the monitor type will be Windows Events->Simple Event Detection-> Timer Reset.  I chose this because I want it to log an alert but not remain in a warning state ( i hate yellow and red marks all over my gui =) )

Leave the management pack at default.

Name the monitor whatever you like, give it a description if you want and the parent monitor I set to Security.  – seems appropriate

Log name is Security

Event ID equals 645 and Event Source equals Security.

Leave the timer default at 15 seconds, again all we want to do is generate an alert, not annoy us to death.

Monitor conditions shouldn’t need to change, it’ll warn when the event is raised and go back to healthy after the timer expires.

The alert settings, you want to check the box to generate an alert, when it’s in a health state, and uncheck automatically resolve the alert, (otherwise it auto-resolves and unless you catch it in the 15 seconds, you won’t know what happened).

Name the alert, priority, severity and description however you want.  you’re done with creating the monitor.

The only thing you have left to do is look at the properties of the monitor, and add a recovery task (the auto-discovery) and you’re done.  You can get some ideas about how the discovery script works by going to Authoring->Tasks and search for discovery  you may have to rescope your search to include Root Management Server, then you’ll see Essential Computer Discovery task and can view the properties to see how it works.

Advertisements