When an Active Directory account gets locked, there are 2 Domain Controllers that log the event. In SCOM I created a Rule that checks on the Event ID 4740 (AD account locked) but since it’s logged on 2 Domain Controllers I get 2 alerts.
I only want 1 alert for the 2 domain controllers, how can I fix this?
The problem is that the domain controller where the event is logged can be different. So for example when it’s logged for user 1 it can be on DC1 and DC4. When it’s for user 2 it can be on DC2 and DC3.
Since I can’t predict on which Domain Controller(s) the event is logged I can’t override it.
Ours is a bit different as we capture all event ID 4740s and use Squared Up to display them as a report. The idea behind it is to help identify where accounts are being locked out. We don’t use it for triggering an alert.
If you are only doing this to alert if certain accounts are locked out, it might be easier to create a PowerShell monitor to handle that.
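As an added illustration of the PowerShell approach suggested above (example code, not from the thread or from SCOM itself): collect 4740 events from every DC in the domain and collapse the copies written by different DCs into one record per account per time window, so a monitor built on it raises a single alert per lockout. It assumes the ActiveDirectory module is available and the account running it can read each DC's Security log; the `$LookbackMinutes` and `$DedupWindowSeconds` values are chosen here, not taken from the page.

```powershell
# Added example, not from the original thread. Assumes RSAT/ActiveDirectory
# module and read access to the Security log on each domain controller.
param(
    [int]$LookbackMinutes    = 15,   # how far back to query on each DC
    [int]$DedupWindowSeconds = 120   # same account within this window = one lockout
)

Import-Module ActiveDirectory

$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Gather 4740 events from all DCs. The same lockout is typically written on the
# DC that handled the failed logons and on the PDC emulator, hence the duplicates.
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = $data['TargetUserName']
                CallerHost = $data['TargetDomainName']   # in 4740 this is the caller computer
                LoggedOn   = $dc
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matched in the window; that is not an error here.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
    }
}

# De-duplicate: one record per account per window, whichever DCs logged it.
$unique = $events | Sort-Object Account, Time | Group-Object Account | ForEach-Object {
    $last = $null
    foreach ($e in $_.Group) {
        if (-not $last -or ($e.Time - $last.Time).TotalSeconds -gt $DedupWindowSeconds) {
            $e | Add-Member -NotePropertyName LoggedOnDCs -NotePropertyValue @($e.LoggedOn) -PassThru
            $last = $e
        } else {
            $last.LoggedOnDCs += $e.LoggedOn   # same lockout seen on another DC
        }
    }
}

$unique | Select-Object Time, Account, CallerHost,
    @{ n = 'LoggedOnDCs'; e = { $_.LoggedOnDCs -join ',' } } | Format-Table -AutoSize
```

In a SCOM PowerShell monitor you would return `$unique` through a property bag and alert on its count rather than printing it; the de-duplication step is what prevents the second DC's copy from producing a second alert.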