Using System Center Operations Manager 2007, you want to get an alert for any change in the domain admin group or any other group for that matter. If this is something you think you might want to configure then here are the steps to set this up:
Note: Before we continue - let me stress that using event parameters is the correct way to match on specific lines in an event description wherever possible. If we try and search the entire event description there is a substantial cost to doing this, from an agent design/performance perspective, as matching on parameter is the lowest impact. If you match on an event description - this description is localized text and won’t work in all locales. By writing a rule that matches on event description, if you didn't specify several other criteria, there is a risk that every single event description would be searched, across all agents. Very bad. So keep this in mind if you decide to use this.
1. Domain controller normally generates Event IDs like 632 if Member is added to the group and 633 if member is removed from the group.
2. Domain controller should be working SCOM 2007 Agent.
3. In SCOM Console, go to Authoring, Under Management Pack Objects, click on Rules.
4. From View Menu in console select Scope and then from the list select check box only for 'Windows Domain Controller' and click OK.
5. Now right click on 'Type: Windows Domain Controller' and select 'Create a new rule'.
6. Select 'Alert Generating Rules - Event Based - NT Event Log (Alert)' under Type of rule to create, and select your choice of destination Management Pack, click Next.
7. Give Rule name of your choice, and give description if required, select Rule Category as 'Alert' from drop down, and verify that Rule target is shown as Windows Domain Controller, make sure check box for 'Rule is enabled' is selected, click Next.
8. Select Log name as Security, click Next.
9. In the Build the expression, choose options as below:
a. Delete current list by clicking Delete button twice.
b. Click on Insert AND group.
c. Under Parameter name click on button with 3 dots, then select Use parameter name not specified above radio button and type 'Event Description' and click OK.
d. Under Operator select 'Matches regular expression' from drop down list.
e. In the Value field type 'Domain Admins' and hit the Tab key twice so your selection will shift to Insert button.
f. Now click on Insert button and select Insert OR group.
g. Under Parameter name click on button with 3 dots, then select Event ID from drop down under Select from a list of common event properties and click OK.
h. Under Operator select 'Equals' from drop down list.
i. Under Value type 632, and hit the Tab key twice so your selection will shift to Insert button.
j. Now click on Insert button and select Insert Expression.
k. Under Parameter name click on button with 3 dots, then select Event ID from drop down under Select from a list of common event properties and click OK.
l. Under Operator select 'Equals' from drop down list.
m. Under Value type 633, and hit the Tab key twice so your selection will shift to Insert button.
10. Now click on Next.
11. Give name to Alert of your choice and configure other parameters of alert of your choice.
12. Click on Create button.
This will create the rule and start sending alerts ONLY when members are added or removed only from Domain Admins group.
If you want to get alerts for any domain group, you can remove expression where we specified Domain Admins group in step 9c,9d,9e and have only expressions for EventID 632 and 633.