i realized when someone asked me how to do this that i was totally remiss about posting it. for the purpose of this exercise, i’m going to walk you through creating an event monitor which will check if a high number (subjective) of bad attempts to logon is detected within a finite period of time. so follow along… it’s much easier in opsmgr than mom 2005 (as i described in this much earlier blog post.)

here are the steps:

- create a monitor / unit monitor
- windows events / repeated event detection
- at this point, you have three choices: manual, timer, and windows event reset. choose the one most appropriate for the situation. i chose the timer.
- name it “OH MY GOD! SOMEONE IS TRYING TO HACK ME!” or something else equally shocking! ;)
- target your windows domain controller or whichever group makes sense for you
- i put the rule under the parent monitor of security
- set the event log name to “Security” and move along
- in the following area, i specified these values: Event ID Equa
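The repeated-event detection with a timer reset that the steps above configure, modelled as an added example: this is not code from the original post and not how opsmgr implements it. The event ID, threshold, window and reset interval are constructed assumptions (the post's own values are cut off), as is the sample event stream.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RepeatedEventMonitor:
    # All four defaults are constructed; the page's own values are cut off.
    event_id: int = 4625      # assumption: Windows failed-logon event
    threshold: int = 5        # matching events needed to trip the monitor
    window: int = 60          # seconds in which they must all occur
    reset_after: int = 300    # timer reset: seconds until healthy again
    state: str = "healthy"
    tripped_at: float = 0.0
    recent: deque = field(default_factory=deque)

    def observe(self, ts, log, event_id):
        """Feed one event (ts in seconds); return the state after it."""
        # Timer reset, checked lazily when the next event arrives.
        if self.state == "critical" and ts - self.tripped_at >= self.reset_after:
            self.state = "healthy"
            self.recent.clear()
        if log != "Security" or event_id != self.event_id:
            return self.state
        self.recent.append(ts)
        # Drop matches that have aged out of the counting window.
        while ts - self.recent[0] > self.window:
            self.recent.popleft()
        if self.state == "healthy" and len(self.recent) >= self.threshold:
            self.state, self.tripped_at = "critical", ts
        return self.state


def replay(events, monitor=None):
    """Run (ts, log, event_id) tuples through a monitor; return state changes."""
    monitor = monitor or RepeatedEventMonitor()
    changes, last = [], monitor.state
    for ts, log, event_id in events:
        now = monitor.observe(ts, log, event_id)
        if now != last:
            changes.append((ts, now))
            last = now
    return changes


# Constructed sample: two slow failures, noise, a burst, then a late event.
SAMPLE = [(0, "Security", 4625), (90, "Security", 4625), (250, "System", 4625)]
SAMPLE += [(300 + 5 * i, "Security", 4625) for i in range(5)]
SAMPLE += [(700, "Security", 4624)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The two slow failures and the event from the System log never trip the monitor; only the burst of five within the window does, and the timer returns it to healthy afterwards.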