In this post I will describe the necessary steps that must be followed in order to create a rule targeted against a group in Operations Manager (OpsMgr) 2012 R2. In this particular case I will create a rule that keeps an eye on the Windows Special Logon events. The procedure is as follows:
Open the Operations Manager console -> Authoring -> Management Pack Objects. Right click on Rules -> Create a new rule. Open the Alert Generating Rules -> Event Based and select NT Event Log (Alert) (Figure 1).
Figure 1. Create Rule Wizard, Rule Type.
Select also the proper destination Management Pack (Figure 1) and click Next.
In the General window fill out the name of the rule. Optionally a description can be given as presented in Figure 2.
Select Alert as the Rule Category (Figure 2).
The Rule Target must be Windows Computer (Figure 2).
Make sure to uncheck the box Rule is enabled and click Next (Figure 2).
Figure 2. Create Rule Wizard, General.
Select the security event log and click Next (Figure 3).
Figure 3. Create Rule Wizard, Event Log Type.
In the build event Expression window fill out Event ID as the Parameter Name, Equals as the Operator choose a Value of 4672 and click Next (Figure 4).
Figure 4. Create Rule Wizard, Build Event Expression.
Fill out the Alert name and Alert description. Subsequently, select the priority and severity. In this case I chose to put the severity on the Information level. Next, click on Create (Figure 5). Optionally, custom alert fields can be added to the Alert description. Moreover, it is possible to make use of alert suppression.
Figure 5. Create Rule Wizard, Configure Alerts.
When the rule is created, search for it in the Look for box and open the rule properties (Figure 6).
In the rule properties window select the Overrides tab and select Override… For a group… (Figure 7).
Figure 7. Override for a group window.
Search and select the proper group and click OK.
*Make sure that the selected group is located in the same management pack as the rule. An alternative is to make use of a group that is located in a sealed management pack.
In the Override-controlled parameters check Enabled and make sure that the Override Value is set on True (Figure 8).
Figure 8. Override Properties window.
Figure 9 shows the alert properties in case an account with special logon has been reported. If desired it is possible to create a dedicated alert view to collect all the alerts (Figure 10).
Figure 9. Alert properties, special logon event.
Figure 10. Alert view, special logon events.
Good luck when practicing this kind of cool stuff in your own lab environment.