OpsMgr 2007: How to create a monitor to alert when a network share is created

Here’s a really neat tip sent by Jose Rodas, a real life OpsManager Support Engineer in Charlotte, North Carolina.  If you’ve ever wanted to be altered whenever a new network file share is created or modified or deleted then he can show you how:

========

To create a rule that generates an alert when a network share is being created follow these steps:

1. Within the UI, go to Authoring, select Rules
2. Right click on Rules and go to Create New Rule
3. On the Create Rule Wizard, expand Collection Rules > Event Based > WMI Event and click Next
4. On the Rule Name and Description page, on Rule name, enter a name for your new rule
5. On the Rule Target field, click Select, click on View all Targets, and select Windows Computer
6. On the WMI Configuration window, on WMI Namespace, type root\cimv2
7. On the Query Field, type the following:

SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA ‘Win32_Share’

Once this is entered simply finish your rule and now you’ll get an alert any time a new network share is created.  In addition, you can also use __InstanceModificationEvent and/or __InstanceDeletionEvent to detect modification or deletion of shares, respectively.

For more info, please review the following links:

• http://technet.microsoft.com/en-us/magazine/cc160917.aspx
• http://www.microsoft.com/technet/scriptcenter/guide/sas_wmi_ukpj.mspx?mfr=true

========

Thanks Jose!

J.C. Hornbeck | Manageability Knowledge Engineer