Active Directory account locked rule

When an Active Directory account gets locked, there are 2 Domain Controllers that log the event. In SCOM I created a Rule that checks on the Event ID 4740 (AD account locked) but since it’s logged on 2 Domain Controllers I get 2 alerts.

I only want 1 alert for the 2 domain controllers, how can I fix this?

The simplest option is to have the rule disabled by default and only enable it for one of the servers via an override.

The problem is that the domain controller where the event is logged can be different. So for example when it’s logged for user 1 it can be on DC1 and DC4. When it’s for user 2 it can be on DC2 and DC3.

Since I can’t predict on which Domain Controller(s) the event is logged I can’t override it.

If you target 4740 on the PDC, you’ll only get 1 alert. All of the domain controllers send that event to the PDC.

Hi Vance,

Can you tell me if this setting is correct for the Account Lockout Rule to work:


Ours is a bit different as we capture all event id 4740s and use Squared Up to display them as a report. The idea behind it is to help identify where accounts are being locked out. We don’t use it for triggering an alert.

If you are only doing this to alert if certain accounts are locked out, it might be easier to create a PowerShell monitor to handle that.
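An added example, not from the thread or from any poster: a PowerShell script along the lines suggested above, reading 4740 only from the PDC emulator so each lockout is seen once, collapsing repeats per account, and handing a SCOM property bag back for a watched set of accounts. The account names and the lookback window are constructed placeholders; it assumes the ActiveDirectory module and read access to the PDC's Security log.

```powershell
# Added example: one-per-lockout 4740 check for a SCOM PowerShell monitor.
# Assumptions: ActiveDirectory module present; the run-as account can read the
# PDC's Security log; $WatchedAccounts and $LookbackMinutes are placeholders.

$WatchedAccounts = @('svc_backup', 'svc_sql')   # constructed sample list
$LookbackMinutes = 15                           # align with the monitor interval

# Every DC forwards lockouts to the PDC emulator, so query only that one host
# instead of every DC (which is what produces the duplicate alerts).
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter `
    -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML. In a 4740,
# TargetUserName is the locked account and TargetDomainName carries the
# "Caller Computer Name" (the machine the bad passwords came from).
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Account  = $data['TargetUserName']
        Caller   = $data['TargetDomainName']
        RecordId = $e.RecordId
    }
}

# Keep only the newest record per account so a user locked out several
# times inside the window still yields a single result.
$latest = $lockouts | Sort-Object Time -Descending |
    Group-Object Account | ForEach-Object { $_.Group[0] }

$hits = @($latest | Where-Object { $WatchedAccounts -contains $_.Account })

# Standard SCOM script API: return a property bag the monitor's expressions
# can evaluate ("State" drives health, the rest feeds the alert description).
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
$bag.AddValue('State',    $(if ($hits.Count -gt 0) { 'Bad' } else { 'Good' }))
$bag.AddValue('Accounts', ($hits.Account -join ','))
$bag.AddValue('Callers',  ($hits.Caller  -join ','))
$bag.AddValue('PDC',      $pdc)
$bag
```

Because the script reads from the PDC regardless of which DCs logged the original bad-password attempts, it does not depend on predicting which pair of DCs will see a given user's lockout.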