SCCM – Build Active Directory Dashboard from CM Discovery

In this post I will show you how you can use informations from sccm discoveries to build a dashboard for Active Directory users states. This can be helpfull, for active directory auditing purpose or for identity management. Before you can proceed, you must have the sccm dashboard installed, a linked server in SQL, which points to one of your DC and a sccm users discoveries enable.

Ok so Here’s an overview of the dashboard;

Main dashboard view

sample of Detailled report

Now let’s move on with the steps

1- Go to your sccm dashboard site and from the edit mode,  Enter a Dataset Configuration name(UserAccountStates.xml) then configurre the data refresh rate, database Server Name\instance, database name (your sccm database name), time zone.

2- Copy/paste the following query; SQLQuery

3- Validate the query, then create a column charts named User Accounts status

4- From the data grid section, add a column for each of those who are available.

5- Repeat these steps for all the web parts you want to add in your dashboard, based on these queries

SQL Queries


SCOM – Audit Active Directory Without ACS

In some situation you may want to audit your Active Directory  but didn’t have the ressource to install the Audit Collection Services (ACS). Scom provide the ability to do a lot by using rules/monitor based on eventID.  For most of the alerts,  I’ve  follow the recommandation of the Randy Franklin Smith’s ( 11 ways to detect System Intrusions with security log).  So Basically, these alerts are based on Event Description and Keep in mind that these event will be store in the same Database vs ACS, which  has his own DB… so be carefull in the sizing.

Also, if you want to make  better rules, you should install log parser and look at the log parameters ( which are delimited by a “|”) and parser the event you want to monitor to get the appropriate information

So Here what I’ve find usefull to monitor.

  • Users added/removed to privileged groups, ex;  domain admin, enterprise admin, schema admin, and their nested groups ( pay attention to the scope of the group, because depending on this it will not generate the same eventid). If you want you could  even monitor when members are removed.
  • Local and Domain Administrator –  Login failed / success ( read this to avoid false positive… )
  • New Domain and Local account (you could filter this based on some user attribut ex; office)
  • New Computer Account in the Domain
  • Password  Changed for Domain and Local Administrator
  • Passwords set to never expired, Event 642
  • Services / scheduled task creation, Event 601 and 602
  • Systems Restarted , Event 512,  allow you to check if this match with your maintenance windows
  •  Audit policy Change, Event 612
  • Security Logs Cleared, Event 517
  • Unknow user account or bad password, Event 529
Beware,  Ideally activated these rules one by one to give you the time to filter and analyze the performance

Now, I’ll show you a example on how you could create some rule (Make sure to not add it to the default MP, because it will cause you some hard time when you’ll try to update MP) and get result like this

First, ,create new rule from scom console, and select the MP the add the rule. In my case I’ve create a MP “CompagnyName – Auditing”.

Then select the appropriate Log Type and Build the Event Expression.



– 11 ways to detect System Intrusions with security log

– Using Event Description as criteria for a rules

– OpsMgr2007: Parameters explained