Configure SCOM to monitor changes to security groups

The security team have a new audit requirement to monitor changes to critical AD groups (Domain Admins etc). Does the AD MP monitor this, and if not does anyone know how I could configure SCOM to do so?


We’ve been using a simple Event Log rule for critical group adds/removes, targeted at the Active Directory Domain Controller Computer Role (or a specific DC):

Log: Security
Event ID Equals 4728 (for adds; 4729 for removes)
Parameter 3 Equals Group1
Parameter 3 Equals Group2
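Before building the rule it is worth confirming, on a domain controller, that the events really carry the group name in parameter 3 and that the critical groups you care about actually log 4728/4729. The PowerShell below is an added example, not code from the post above. It goes slightly beyond the post in that it also includes the domain-local (4732/4733) and universal (4756/4757) group events, which share the same parameter layout; this matters because Domain Admins is a global group (4728/4729), while Enterprise Admins and Schema Admins are universal groups and the built-in Administrators group is domain-local, so a rule keyed on 4728/4729 alone would miss changes to those. The group list and the seven-day window are placeholder assumptions; run it elevated on a DC.

```powershell
# Added example (not from the original post): confirm that group-membership events on this DC
# carry the group name in parameter 3, the same parameter the SCOM event rule matches on.
# Run elevated on a domain controller. The group list is a placeholder assumption.
$CriticalGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Member add/remove events per group scope. 4728/4729 only cover global groups;
# domain-local and universal groups log their own IDs with the same parameter layout.
$EventIds = @{
    4728 = 'Added (global)';    4729 = 'Removed (global)'
    4732 = 'Added (local)';     4733 = 'Removed (local)'
    4756 = 'Added (universal)'; 4757 = 'Removed (universal)'
}

$Filter = @{
    LogName   = 'Security'
    Id        = [int[]]$EventIds.Keys
    StartTime = (Get-Date).AddDays(-7)   # placeholder look-back window
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Changes = foreach ($e in $Events) {
    # Properties is zero-based, so SCOM "Parameter 3" is Properties[2] (TargetUserName = the group).
    $p     = $e.Properties
    $group = $p[2].Value
    if ($CriticalGroups -contains $group) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            EventId  = $e.Id
            Action   = $EventIds[$e.Id]
            Group    = "$($p[3].Value)\$group"          # TargetDomainName\TargetUserName
            Member   = $p[0].Value                       # MemberName (usually the member's DN)
            Actor    = "$($p[7].Value)\$($p[6].Value)"   # SubjectDomainName\SubjectUserName
        }
    }
}

$Changes | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the table is empty after a known test change, check that the "Audit Security Group Management" subcategory is enabled on the DC; if it lists changes for groups you expected under 4728 but they appear under 4756 or 4732, add those IDs to the SCOM rule as well.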



A bit more info regarding the event rule monitor solution:

You should check out this: it includes security group monitoring and other security checks.

I’m struggling with how to present this data in Squared Up. Has anyone figured out the right criteria in a tile to display, for example, when someone gets added to the Domain Admins group? I’ve confirmed the alerts are in the SCOM DW using a SQL query on event ID 4728. I tried this but it’s showing nothing:


AlertParams LIKE '%CORPORATE\Domain Admins%' OR Description LIKE '%CORPORATE\Domain Admins%'


even tried:


(AlertParams LIKE '%CORPORATE\Domain Admins%' OR Description LIKE '%CORPORATE\Domain Admins%') AND (AlertParams LIKE '%4728%' OR Description LIKE '%4728%')
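A criterion on AlertParams or Description can only match what those alert fields actually contain, and the exact string depends on how the event rule's alert was configured. The following PowerShell is an added diagnostic, not code from the thread: it pulls the alerts the rule raised from the management group and prints the Parameters collection next to the Description, so you can see whether the group name is there, and whether it carries the CORPORATE\ prefix and the event ID, before writing the tile criterion. It assumes the OperationsManager module is installed, that the management server name and the alert name are placeholders to replace, and that unresolved alerts (ResolutionState 0) are the ones of interest.

```powershell
# Added example (not from the original post): inspect what the event-rule alerts really contain,
# so the Squared Up tile criterion matches the field and string that are actually present.
Import-Module OperationsManager

# Placeholder assumptions: management server and the alert name raised by the event rule.
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.corporate.local'
$AlertName = 'Critical AD Group Membership Change'

# -Criteria uses the SCOM SDK's SQL-like syntax; ResolutionState 0 = New (unresolved).
$Alerts = Get-SCOMAlert -Criteria "Name = '$AlertName' AND ResolutionState = 0"

$Alerts | ForEach-Object {
    [pscustomobject]@{
        TimeRaised  = $_.TimeRaised
        Source      = $_.MonitoringObjectDisplayName   # the DC that logged the event
        # Parameters is the collection an AlertParams criterion is matched against;
        # join it so each value, and the form it takes (with or without domain prefix), is visible.
        Parameters  = ($_.Parameters -join ' | ')
        Description = $_.Description
    }
} | Format-List
```

Whatever form the group name takes in that output is what the LIKE pattern has to match: if Parameters holds "Domain Admins" without the CORPORATE\ prefix, a pattern of '%CORPORATE\Domain Admins%' cannot match it, and if neither field contains "4728", the AND clause on the event ID will return nothing even when the group clause matches.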