I read a question this week about presenting a state based on whether a service account is logged on to a machine or not. There are a couple of different ways to do that. Both need a monitor, because we want to present a state. You could solve it with a monitor that runs a script and checks the currently logged-on users. You could also solve it with a monitor that checks log-on and log-off events.

If you want to do it with two events and are running Windows Server 2008, you can look at event 4624 (an account was successfully logged on) and event 4647 (User initiated log-off). To configure a monitor like that, follow the steps below. This example configures a monitor to generate an alert if the CONTOSO\svc-contoso-service account is not logged on.

  1. In the console, navigate to Authoring/Management Pack Objects
  2. Right-click monitors and create a new Simple Event Detection/Windows Event Reset monitor
  3. Choose a suitable management pack, not the default management pack. Click Next
  4. Input a name, a target and choose a parent monitor. Click Next
  5. Event Log (Unhealthy Event). Select Security as event log name. Click Next
  6. Event Expression (Unhealthy Event). Select Event ID equals 4647 and EventDescription Contains CONTOSO\svc-contoso-service. Click Next
  7. Event Log (Healthy Event). Select Security as event log name. Click Next
  8. Event Expression (Healthy Event). Select Event ID equals 4624 and EventDescription Contains CONTOSO\svc-contoso-service. Click Next
  9. Configure Health. Click Next
  10. Configure Alert. Check the “Generate alerts for this monitor” check box. Click Create
  11. By default this new monitor is forced to a healthy state first. This means we will not get an alert until the account logs off. In other words, if there is a machine where this account is not logged on right now, Operations Manager will not notice it. It only looks for the log-on and log-off events. To generate an alert we first need to log on with the account, in this example CONTOSO\svc-contoso-service, and then log off again. The monitor will then go into an unhealthy state.

The second way to solve this is with a script. To configure a monitor like that, follow the steps below.

  1. In the console, navigate to Authoring/Management Pack Objects
  2. Right-click monitors and create a new Scripting/Generic/Timed Script Two State Monitor
  3. Choose a suitable management pack, not the default management pack. Click Next
  4. Input a name, a target and choose a parent monitor. Click Next
  5. Schedule. Configure how often you want the script to run to see if the account is logged on. Don't configure it to run too often; check your organization's requirements. Click Next
  6. Script. Input a script name, for example accountcheck.vbs. Paste the script into the script text field. You can download the script here. One of the first lines in the script configures which account to check. Don't forget to update it. Click Next
  7. Unhealthy Expression. Input
    Property[@Name='Status'] Does not equal OK
    Click Next
  8. Healthy Expression. Input
    Property[@Name='Status'] Equals OK
    Click Next
  9. Health. Click Next
  10. Configure Alert. Check the "Generate alerts for this monitor" check box and input an alert description. Click Create
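
For reference, here is a sketch of a script that fits the Status property used in steps 7 and 8. It is an added example, not the downloadable accountcheck.vbs or Guy Thomas's script. It assumes that "logged on" means the account owns an interactive desktop session (an explorer.exe process) and that the agent's action account can read process owners; the helper name CheckAccount and the status values other than OK are made up for this example.

```vbscript
' Added example, not the original accountcheck.vbs.
' Returns a property bag with Status = OK when the account owns an
' interactive session on the local machine (assumption: an explorer.exe
' process owned by the account means it is logged on).
Option Explicit

Const TARGET_DOMAIN = "CONTOSO"              ' update to your domain
Const TARGET_USER   = "svc-contoso-service"  ' update to the account to check

Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
oBag.AddValue "Status", CheckAccount()
oBag.AddValue "Account", TARGET_DOMAIN & "\" & TARGET_USER
Call oAPI.Return(oBag)

' Hypothetical helper: "OK", "NotLoggedOn" or "Error".
' Anything other than OK matches the unhealthy expression.
Function CheckAccount()
    Dim oWMI, colShells, oShell, sUser, sDomain, lRet
    CheckAccount = "NotLoggedOn"
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colShells = oWMI.ExecQuery( _
        "SELECT * FROM Win32_Process WHERE Name = 'explorer.exe'")
    If Err.Number <> 0 Then
        ' WMI is unavailable: report unhealthy instead of a false OK
        CheckAccount = "Error"
        Exit Function
    End If
    For Each oShell In colShells
        sUser = "" : sDomain = "" : lRet = -1
        lRet = oShell.GetOwner(sUser, sDomain)
        If Err.Number = 0 And lRet = 0 Then
            ' Compare case-insensitively, as Windows account names are
            If StrComp(sUser, TARGET_USER, vbTextCompare) = 0 And _
               StrComp(sDomain, TARGET_DOMAIN, vbTextCompare) = 0 Then
                CheckAccount = "OK"
            End If
        End If
        Err.Clear  ' a process that exited mid-loop must not fail the check
    Next
End Function
```

Unlike the event-based monitor, this check reports the current state on every run, so a machine where the account has never logged on shows as unhealthy after the first run.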

If you need to display the account status in a distributed application, it is easiest to target the monitor to a new custom class. The health model of the class will then consist of only this monitor; in other words, the class instance health will show only the status of the account.

Thanks to Guy Thomas for his script that I adapted.