Can someone tell me how I can have MOM notify me when there is a change in one of the Domain accounts? This change is like Account deletion/creation, password changes, etc.
From the microsoft.public.mom newsgroup
The easiest way to do this is to create a custom event processing rule for a specific set of Windows Security Log events. If the Default collection rules are enabled, MOM will collect the right events from the Windows event log for you.

- Create a new Event Processing Rule (either in an existing Processing Rules Group or in your own PRG). Choose the "Alert on or Respond...." option to create an event processing rule that creates an alert.
- On the "Criteria" tab, either check the "with event id" check box and fill in the correct event ID (I'll give a list later) or click the "Advanced" button and specify an advanced criterion, such as a regular expression.

This should do it.
The security events you are interested in are (taken straight out of the MOM Operations Guide, Chapter 5, page 31):

- Success - 624, User Account Created. This might indicate that an attacker is creating an account to use later.
- Success - 628, User Account password set. This might indicate that an attacker has taken control of an existing privileged account.
- Success - 630, User Account Deleted. This might indicate that an attacker is locking out a user or attempting to remove evidence of the attack.
- Success - 632, Security Enabled Global Group Member Added. This might indicate that an attacker is creating a group to use later.
- Success - 632, Security Enabled Global Group Member Removed. This might indicate that an attacker is locking out a group of users or attempting to remove evidence of the attack.
- Success - 636, Security Enabled Local Group Member Added: WHERE Target Account ID: Administrators. This might indicate that an attacker has been added to the Administrators group. Additions to this group should be monitored carefully.
- Success - 637, Security Enabled Local Group Member Removed: WHERE Target Account ID: Administrators. This might indicate that an attacker is locking out one or more of the administrators or attempting to remove evidence of the attack. Deletions from this group should be monitored carefully.

When you create a User account through the AD Users and Computers MMC Snap-in you might also see an Event ID of 565, but 624 is the one you want to monitor for.
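As an added example (not from the newsgroup post or from MOM itself), the following Python models the rule described above: the "with event id" criterion for each listed event, plus an "Advanced" regular-expression criterion that restricts 636/637 to the Administrators group, run over constructed Security Log lines. The tab-separated line format and the "Target Account Name" field inside the description are assumptions, not taken from the post.

```python
import re
from typing import NamedTuple

# Constructed sample log (not real data). Each line is
# "<audit type>\t<event ID>\t<event description>"; the field names inside the
# description are an assumption about the event text, not taken from the post.
SAMPLE_LOG = """\
Success Audit\t565\tObject Open: Object Type: User
Success Audit\t624\tUser Account Created: New Account Name: svc-backup
Success Audit\t636\tSecurity Enabled Local Group Member Added: Target Account Name: Administrators
Success Audit\t636\tSecurity Enabled Local Group Member Added: Target Account Name: Backup Operators
Failure Audit\t630\tUser Account Deleted: Target Account Name: jdoe
Success Audit\t637\tSecurity Enabled Local Group Member Removed: Target Account Name: administrators
"""

class Rule(NamedTuple):
    event_id: int        # the "with event id" criterion
    alert: str           # alert text, taken from the post's list
    pattern: str = ""    # optional "Advanced" criterion: a regex on the description

ADMINS = r"Target Account Name:\s*Administrators\b"
RULES = [
    Rule(624, "User Account Created"),
    Rule(628, "User Account password set"),
    Rule(630, "User Account Deleted"),
    Rule(632, "Security Enabled Global Group Member Added/Removed"),
    Rule(636, "Security Enabled Local Group Member Added: Administrators", ADMINS),
    Rule(637, "Security Enabled Local Group Member Removed: Administrators", ADMINS),
]

def parse(line):
    """Split one constructed log line into (audit type, event ID, description)."""
    kind, eid, desc = line.split("\t", 2)
    return kind, int(eid), desc

def matches(rule, kind, eid, desc):
    """Success audit with the rule's ID, plus the regex criterion if one is set."""
    if kind != "Success Audit" or eid != rule.event_id:
        return False
    return not rule.pattern or re.search(rule.pattern, desc, re.IGNORECASE) is not None

def evaluate(log_text, rules=RULES):
    """Return (event ID, alert text) for every line that would raise an alert."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            kind, eid, desc = parse(line)
            alerts.extend((eid, r.alert) for r in rules if matches(r, kind, eid, desc))
    return alerts
```

Running `evaluate(SAMPLE_LOG)` flags only the 624, the Administrators 636 and the Administrators 637 lines; the 565, the failure audit and the Backup Operators change are ignored, as the post's rule intends.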