DX Infrastructure Management

Expand all | Collapse all

User monitoring in AD server

  • 1.  User monitoring in AD server

    Posted 10-05-2017 07:37 AM

    Hey all,

     

    I need an alarm to be triggered in nimsoft as soon as a user is deactivated on AD server.

    Is there any metric under the probes available to do the same ?

     

    thanks

    Anmol



  • 2.  Re: User monitoring in AD server

    Posted 10-05-2017 07:52 AM

    We currently do not have a probe for this.

    Might want to check with MS and see if this can be written to an event log

    or some type of notification generated and then you could monitor for that.



  • 3.  Re: User monitoring in AD server

    Posted 10-05-2017 07:59 AM

    Hi Anmol,

     

    I advice you to check with your AD team for event ID being generated when a user is disconnected or whatever situation you want to monitor. There is one ADEVL probe which you can use to configure for AD related event ID or you can use ntevl probe according to the logs being written in windows event log. Check with Wintel\AD team for details of event ID and configure is accordingly. Also do the testing if multiple ID's are generated then how many alerts you are receiving on your console. I would be happy to help you in this. Let me know if any query further.



  • 4.  Re: User monitoring in AD server

    Posted 10-05-2017 09:43 AM

    There is a probe for monitoring Active Directory events - adevl.  Supposedly, it does the same event log monitoring that the ntevl probe does, but with special things in it for Active Directory.  HOWEVER...  the AD probe does not seem to get updated with the same frequency that the ntevl probe does and it suffers from lagging behind.  As a result, I have taken the things I care about in AD and just added them to my ntevl probe.  This works every time where my results with the AD probe have been... unreliable.

     

    Here is a list of event codes for user management in AD.  I think the one you want would be 4725.

     

     

    User Account Management

    The following table document lists the event IDs of the user account management category.
    Event IDReason
    4720A user account was created.
    4722A user account was enabled.
    4723An attempt was made to change an account's password.
    4724An attempt was made to reset an accounts password.
    4725A user account was disabled.
    4726A user account was deleted.
    4738A user account was changed.
    4740A user account was locked out.
    4767A user account was unlocked.
    4780The ACL was set on accounts which are members of administrators groups.
    4781The name of an account was changed.
    4794An attempt was made to set the Directory Services Restore Mode administrator password
    5376Credential Manager credentials were backed up.
    5377Credential Manager credentials were restored from a backup.

     

    HTH,

    Chris