At previous section of set rule on Audit Account Management http://netoverme.wordpress.com/2012/05/19/part-1-set-rule-on-audit-account-management-using-scom-2007-r2/ I was enabling the Audit Account Management in Group Policy Management.
Now, what I want to do is to set the rule to give an alert based on the event ID 4726 which is Delete Account.
Step1: Go to Authoring pane. Under Management Pack Object, you see the rule. right-click the rules and choose Create a New Rule.
step 2: On create rule wizard, on Event Based, select NT Event Log, and click Next.
step 3: On Rule Name and Description, type a Rule Name. Under Rule Category, select Security Health. Make Sure the Rule Target is Windows Domain Controller.
Step 4: On Event Log Name, choose Security.
Step 5: On Build Event Expression, type the Event ID number. In this case, the event id is 4726.
Step 6: On Configure Alert wizard, just click New.
Verify the successful Alert.
-Delete the user in Active Directory.
-Check On Event Viewer and search for Event ID 4726.
-Go to System Center Operation Manager. See at Monitoring Pane.
please see the alert below:
