I currently have some component monitors set on our DC to flag Microsoft Security Auditing for ID 4740 (Account lock) and 4767 (Account Unlock). A couple of quick questions on the configuration, though; maybe someone can offer some insight.
For an account lock, the node shows a down component and sends an email alert if event 4740 was encountered during the last 1.5 polling periods. So say JSmith gets locked out; after 3 minutes the component will go back up whether or not JSmith's account was unlocked. Is there any way to get that component to only show an up status if there are 0 locked accounts?
For an account unlock it is a very similar situation. If event 4767 was encountered during the last 1.5 polling periods, the component enters a down state and sends an email alert. My team still wants the email notifications on unlocked accounts, but we don't want the component to show down in the case of only an account unlock. The only options I see for affecting the state of that component are to change it to be up if there was an unlock in the last 1.5 polling periods and down otherwise (which then shows a down status for the majority of the time, which is not what we are looking for), or to base the status on event count or event type. I considered that basing the status on event count could work if we just set it to only go down if there was some ridiculous number of unlocks, but I don't see where to set the count it is comparing against. Is there any way we could get email notifications on AD unlocks without the component monitor showing a down status?
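One way to get both behaviours from a single check, as an added example that is not code from the original post or from the monitoring product it describes: run a script on the DC that reports the number of accounts locked out right now (via Search-ADAccount) as the thing that drives up/down, and reports recent 4740/4767 events only as statistics and message text that a separate alert can email on. The output format (`Statistic.<name>: <value>` / `Message.<name>: <text>` lines, exit code 0 for up and 1 for down), the `$LookbackMinutes` window, and the monitor name are assumptions made for a script-based component monitor; the post does not name the product, so check the format your monitor expects.

```powershell
# Added example, not from the original post. Assumptions (not stated in the post):
#  - the component monitor runs this script and reads "Statistic.<name>: <value>"
#    and "Message.<name>: <text>" lines from stdout, mapping exit 0 -> Up, 1 -> Down;
#  - the ActiveDirectory PowerShell module is installed on the DC;
#  - $LookbackMinutes is set a little longer than one polling period.
param(
    [int]$LookbackMinutes = 5
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Accounts that are locked out *now*, independent of when any 4740 was logged.
#    This, not the presence of a recent event, decides the component's state.
$locked = @(Search-ADAccount -LockedOut -UsersOnly |
            Select-Object -ExpandProperty SamAccountName)

# 2. Recent lockout (4740) and unlock (4767) events, used only for the alert text.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4767
    StartTime = $since
} -ErrorAction SilentlyContinue)

$recentLocks   = @($events | Where-Object Id -eq 4740)
$recentUnlocks = @($events | Where-Object Id -eq 4767)

# For both 4740 and 4767 the first EventData field is TargetUserName
# (the account that was locked/unlocked), so Properties[0] is the name.
function Get-TargetName($evt) { $evt.Properties[0].Value }

$lockNames   = ($recentLocks   | ForEach-Object { Get-TargetName $_ }) -join ', '
$unlockNames = ($recentUnlocks | ForEach-Object { Get-TargetName $_ }) -join ', '

# Separate statistics so an alert can fire on RecentUnlocks > 0 (email only)
# while the component state is tied to LockedAccounts alone.
"Statistic.LockedAccounts: $($locked.Count)"
"Message.LockedAccounts: Currently locked: $($locked -join ', ')"
"Statistic.RecentLocks: $($recentLocks.Count)"
"Message.RecentLocks: Locked in last $LookbackMinutes min: $lockNames"
"Statistic.RecentUnlocks: $($recentUnlocks.Count)"
"Message.RecentUnlocks: Unlocked in last $LookbackMinutes min: $unlockNames"

# Down only while at least one account is actually locked; an unlock on its
# own never produces a Down state.
if ($locked.Count -gt 0) { exit 1 } else { exit 0 }
```

Two caveats when wiring this up: the component goes back up as soon as the last lockout is cleared rather than after a fixed number of polling periods, which is the behaviour asked for, and since lockouts are always recorded on the PDC emulator (as well as the authenticating DC), point the monitor at the PDCe so the 4740/4767 counts are complete.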