Home
  •  

Miscellaneous SAM Errors

Miscellaneous_SAM_Errors_5_Rule (Rule)

Knowledge Base article:

Summary

This rule is designed to catch all unknown Security Accounts Manager (SAM) errors. Errors that are caught by this rule may have been added to the operating system after this Management Pack was released.

Causes

The most likely cause is that the domain controller has been upgraded with a service pack, hotfix, or operating system upgrade, and the Active Directory Management Pack has not been upgraded.

Resolutions

To upgrade to the latest version of the Active Directory Management Pack, see the Management Pack Catalog at http://go.microsoft.com/fwlink/?LinkId=82131.

External

Element properties:

TargetMicrosoft.Windows.Server.2003.AD.DomainControllerRole
CategoryEventCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
Miscellaneous SAM Errors
{0}
Event LogSystem
CommentMom2005ID='{00AE0C84-B648-4108-910D-E1D02FB374B6}';MOM2005GroupID=

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
CollectEventData WriteAction Microsoft.SystemCenter.CollectEvent Default
CollectEventDataWarehouse WriteAction Microsoft.SystemCenter.DataWarehouse.PublishEventData Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Miscellaneous_SAM_Errors_5_Rule" Comment="Mom2005ID='{00AE0C84-B648-4108-910D-E1D02FB374B6}';MOM2005GroupID=" Enabled="onEssentialMonitoring" Target="AD2003Core!Microsoft.Windows.Server.2003.AD.DomainControllerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>System</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>EventLevel</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>1</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>SAM</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery>EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>DoesNotMatchMOM2005BooleanRegularExpression</Operator>

              <Pattern>^((12(28[89])|(29.)|(30[01234]))|(16(38[456789])|(39.)|(40[012345678]))|(166(4.)|(5[01])))$</Pattern>

            </RegExExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertOwner>$Data/PublisherName$</AlertOwner>

      <AlertMessageId>$MPElement[Name="Miscellaneous_SAM_Errors_5_Rule.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

    <WriteAction ID="CollectEventData" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="CollectEventDataWarehouse" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>

  </WriteActions>

</Rule>