The security team have a new audit requirement to monitor changes to critical AD groups (Domain Admins, etc.). Does the AD MP monitor this, and if not, does anyone know how I could configure SCOM to do so?
We’ve been using a simple Event Log Rule for critical group adds/removes, targeted at the Active Directory Domain Controller Computer Role (or a specific DC):
EventID Equals 4728 (for Adds — 4729 for Removes)
Parameter 3 Equals Group1
Parameter 3 Equals Group2
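The same check outside SCOM, as an added example that is not from the thread: a PowerShell query against a DC's Security log for the events the rule above watches, filtered on the group name that the rule matches as Parameter 3 (TargetUserName in the event data). It goes slightly beyond the rule by also including the domain-local (4732/4733) and universal (4756/4757) add/remove events, because built-in groups such as Administrators and Enterprise Admins are not global groups and never raise 4728/4729. The DC name, the group list and the one-day window are assumptions; "Audit Security Group Management" must be enabled on the DC for the events to exist.

```powershell
# Added example (not the original poster's rule): pull critical-group membership changes
# from a DC's Security log. Assumptions: DC01 is a reachable domain controller, the caller
# can read its Security log, and the group list below matches the environment.
$Dc             = 'DC01'                                    # assumed DC name
$CriticalGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 4728/4729 = global group member added/removed (the thread's rule)
# 4732/4733 = domain-local group (e.g. Administrators), 4756/4757 = universal group (e.g. Enterprise Admins)
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = $AddIds + $RemoveIds
    StartTime = (Get-Date).AddDays(-1)                       # assumed look-back window
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData fields are only reliably named in the XML; Parameter 3 in the SCOM rule
    # corresponds to TargetUserName (the group), Parameter 1 (MemberName) is the member's DN.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    if ($CriticalGroups -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            EventId= $e.Id
            Action = if ($AddIds -contains $e.Id) { 'Added' } else { 'Removed' }
            Group  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Member = $data['MemberName']                     # DN of the account added/removed
            By     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}
```

Matching on TargetUserName rather than the SID keeps the filter readable, but a renamed group would slip past it; if the groups are ever renamed, compare TargetSid (Parameter 5) against the well-known RIDs (512 Domain Admins, 519 Enterprise Admins, 518 Schema Admins, S-1-5-32-544 Administrators) instead.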
A bit more info regarding the event rule monitor solution:
You should check this out: https://blogs.technet.microsoft.com/nathangau/2017/05/01/introducing-the-security-monitoring-management-pack-for-scom/. This includes security group monitoring and other security checks.