
SCOM for AD auditing


  • SCOM for AD auditing

    I want to know that : Is SCOM able to meet following AD auditing requirements?
    1. logon activities of users
    2. enable and disable users
    3. locked accounts
    4. creation, deletion and modifications of AD accounts
    5. Membership changes
    6. Passwords changes
    7. change in administrative rights

    I have SCOM 2012 installed but not configured.

  • #2
    Re: SCOM for AD auditing

    SCOM is a great tool to monitor your servers, but for some particular AD auditing requirements SCOM is not sufficient to tell you all that you enumerate.
    For this you should go with PowerShell or any commercial product for AD monitoring like this
    [MOD EDIT] Poster banned for repeatedly pushing commercial products [/MOD EDIT]
    Last edited by Ossian; 7th November 2013, 20:51.


    • #3
      Re: SCOM for AD auditing

      You *could* use SCOM for that. Much of it is in the AD management packs already, anything else can be created.

      Now, "should" you use SCOM for it? I wouldn't. Unless you have someone watching the console continuously, you will lose the critical and time-sensitive stuff. Also, if you are capturing audit data, you will want a history. SCOM isn't going to be the best way to keep that history. You would need to set your aggregation to such a level that your database growth would be a concern.

      You can use something like Splunk to ingest your logs, then create alerts on certain events... Other than that, I don't know what else is out there without knowing exactly what you are trying to accomplish...
      Rules of life:
      1. Never do anything that requires thinking after 2:30 PM
      2. Simplicity is godliness
      3. Scale with extreme prejudice

      I occasionally post using a savantphone, so please don't laugh too hard at the typos...


      • #4
        Re: SCOM for AD auditing

        Hi there,

        All of your needs are AD auditing related. The events you are looking for are stored in the Security log on the DCs.

        Well, in SCOM 2012, you have the feature ACS, Audit Collection Services.

        Depending on the forest/scope/auditing, these events can grow pretty fast.

        ACS stores events in SQL, in a new DB; by default it uses 14 days of retention (one table for each day). So you have to plan the backup/archive of this DB on a 14-day window if you want to keep old events.

        Don't extend that any further; if you want more "retention", it would be very heavy for the SQL engine and for the storage space; use backups/read-only archived DBs...

        Another point: you can't filter at the source (on the DC) which events you want to send to the ACS collector; the collector will receive every event from the Security log, but you can filter which events get stored in the DB. This is a network/bandwidth consideration...

        link :


        You have another option, which doesn't rely on SCOM: it's WinRM ... and event forwarding.
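The following is an added example, not code posted in this thread. It ties the seven requirements listed in post #1 to the Security log event IDs that post #4 says the DCs write, pulls them from one DC with a server-side filter, and then emits the same ID list as the XPath filter you would put in a WinRM/WEF subscription so that only those events leave the DC (the source-side filtering post #4 notes ACS cannot do). `$DomainController` is a placeholder hostname, and the script assumes the caller can read the DC Security log remotely and that the audit subcategories printed at the end are enabled on the DCs; without them none of these events are written at all.

```powershell
# Added example (not from the thread): map the AD auditing requirements from
# post #1 onto Security log event IDs, query a DC for them, and build the same
# ID list as an XPath filter for WinRM event forwarding (post #4).
# Assumptions: $DomainController is a placeholder you replace; you have remote
# read access to the DC Security log; the audit subcategories listed at the
# bottom are enabled on every DC.

param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder, replace
    [int]$Hours = 24
)

# Requirement -> Security event IDs (Windows Server 2008 R2 and later).
# Note: 4740 (lockout) is normally logged on the PDC emulator, so query that DC
# for requirement 3.
$AuditMap = [ordered]@{
    '1 Logon activity'                 = 4624, 4625, 4768, 4771, 4776
    '2 Enable / disable users'         = 4722, 4725
    '3 Locked accounts'                = 4740
    '4 Account create/delete/modify'   = 4720, 4726, 4738
    '5 Group membership changes'       = 4728, 4729, 4732, 4733, 4756, 4757
    '6 Password change / reset'        = 4723, 4724
    '7 User rights assigned / removed' = 4704, 4705
}

# Groups whose membership changes count as a "change in administrative rights".
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'

$since  = (Get-Date).AddHours(-$Hours)
$allIds = @($AuditMap.Values | ForEach-Object { $_ } | Sort-Object -Unique)

# One query, filtered on the DC side so only matching events cross the wire.
# Caveat: Windows rejects a FilterHashtable with too many IDs (the limit is in
# the low twenties); split the query if you extend the map.
$events = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = $allIds
    StartTime = $since
} -ErrorAction SilentlyContinue)

$summary = @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

foreach ($req in $AuditMap.Keys) {
    $ids  = $AuditMap[$req]
    $hits = @($events | Where-Object { $ids -contains $_.Id })
    Write-Output ("`n== {0}: {1} event(s) since {2} ==" -f $req, $hits.Count, $since)
    $hits | Select-Object TimeCreated, Id, $summary | Format-Table -AutoSize
}

# Requirement 7, second half: membership changes on privileged groups.
$groupPattern = ($PrivilegedGroups | ForEach-Object { [regex]::Escape($_) }) -join '|'
$adminChanges = @($events | Where-Object {
    ($_.Id -in 4728, 4729, 4732, 4733, 4756, 4757) -and ($_.Message -match $groupPattern)
})
Write-Output ("`n== 7 Privileged group membership changes: {0} event(s) ==" -f $adminChanges.Count)
$adminChanges | Select-Object TimeCreated, Id, $summary | Format-Table -AutoSize

# The same ID set as an XPath filter. Put it in the <Query> of a WinRM/WEF
# subscription (created with wecutil) so only these events are forwarded, or
# use it on the DC itself with Get-WinEvent -LogName Security -FilterXPath.
$xpath = '*[System[(' + (($allIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'
Write-Output "`nXPath filter for event forwarding:`n$xpath"

# Audit subcategories that must be enabled on every DC for these IDs to appear.
# Run the printed commands elevated on each DC, or set the equivalent under
# Advanced Audit Policy Configuration in the Default Domain Controllers Policy.
$subcategories = 'Logon', 'Credential Validation', 'Kerberos Authentication Service',
                 'User Account Management', 'Security Group Management',
                 'Authorization Policy Change'
Write-Output "`nAudit policy required on the DCs:"
foreach ($sub in $subcategories) {
    Write-Output ('auditpol /set /subcategory:"{0}" /success:enable /failure:enable' -f $sub)
}
```

Run it as `.\Get-AdAuditEvents.ps1 -DomainController <your DC> -Hours 24` (the file name is your choice). The Summary column is just the first line of each event message; if you need the actual account and subject fields, read them from `$_.Properties`, whose positions differ per event ID, which is exactly the kind of parsing a log platform such as the Splunk setup mentioned in post #3 would do for you.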