barabba72
Hi all,
I implemented Directory Service Access Audit Policy within the Domain
Controllers OU in order to monitor group policy changes.
I can see that whenever group policy changes occur, the auditing
process writes into the event viewer the relevant information, such as
the user who changed the group policy and the group policy CN (see
below). So far so good.
Now my problem: the information, as is, is of no use, as nobody spends
hours digging in the event viewer looking for this information. So I
set up a daily script that finds all events of this type and writes
them into a daily text file.
But this file does not contain the policy CN anymore! It is replaced
by what looks like a variable: %{36b6bfa5-89b2-4c8d-a0e7-2fd72204d07e}.
How do I keep this value? Without this information all this auditing
work is worth absolutely nothing. Is there a way to preserve this
value, or to map it to the policy CN?
Thanks for any info on this issue.
Regards
************
EVENT VIEWER
************
Object Open:
Object Server: DS
Object Type: groupPolicyContainer
Object Name: CN={D9A0D776-589A-4D36-8367-051D48BD8005},CN=Policies,CN=System,DC=LosCoyotes,DC=Local
New Handle ID: 0
Operation ID: {0,143054}
Process ID: 244
Primary User Name: SDC03$
Primary Domain: LOSCOYOTES
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: LOSCOYOTES
Client Logon ID: (0x0,0x22EC1)
Accesses Write Property
Privileges -
Properties:
Write Property
General Information
displayName
%{00000000-0000-0000-0000-000000000000}
gPCFileSysPath
versionNumber
gPCFunctionalityVersion
flags
***********
MY LOG FILE
***********
Object Server: DS
Object Type: %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Object Name: %{36b6bfa5-89b2-4c8d-a0e7-2fd72204d07e}
New Handle ID: 0
Operation ID: {0,143054}
Process ID: 244
Primary User Name: SDC03$
Primary Domain: LOSCOYOTES
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: LOSCOYOTES
Client Logon ID: (0x0,0x22EC1)
Accesses Write Property
Privileges -
Properties:
Write Property
%{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}
%{bf967953-0de6-11d0-a285-00aa003049e2}
%{00000000-0000-0000-0000-000000000000}
%{f30e3bc1-9ff0-11d1-b603-0000f80367c1}
%{bf967a76-0de6-11d0-a285-00aa003049e2}
%{f30e3bc0-9ff0-11d1-b603-0000f80367c1}
%{bf967976-0de6-11d0-a285-00aa003049e2}
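Added example, not part of the original post. The %{guid} tokens in the raw export are the directory identifiers that Event Viewer resolves on display: the Object Type and the entries under Properties are schema GUIDs (schemaIDGUID of the class and attributes, or the rightsGuid of a property set such as General Information), while the Object Name token is the objectGUID of the GPO itself. Lining the two listings in the post up by position gives the pairing used in the table below; the GPO's DN is supplied through a lookup callback because resolving an objectGUID needs a directory query (in production that would be an LDAP bind to `<GUID=...>` and a schema dump, both assumed here and replaced by constructed in-memory tables). Unknown GUIDs are left in place and reported, so a change to an attribute missing from the table is flagged rather than silently exported as an opaque token.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# The daily export leaves unresolved directory identifiers in this form.
PLACEHOLDER = re.compile(r"%\{([0-9a-fA-F-]{36})\}")
NULL_GUID = "00000000-0000-0000-0000-000000000000"

# Schema and property-set GUIDs paired up by position from the two listings in
# the post (Event Viewer names versus the raw export). In production, build this
# table from the schema partition (schemaIDGUID on attributeSchema/classSchema
# objects) and from the rightsGuid of controlAccessRight objects under
# CN=Extended-Rights,CN=Configuration,... instead of hard-coding it.
SCHEMA_GUIDS: Dict[str, str] = {
    "f30e3bc2-9ff0-11d1-b603-0000f80367c1": "groupPolicyContainer",
    "59ba2f42-79a2-11d0-9020-00c04fc2d3cf": "General Information",
    "bf967953-0de6-11d0-a285-00aa003049e2": "displayName",
    "f30e3bc1-9ff0-11d1-b603-0000f80367c1": "gPCFileSysPath",
    "bf967a76-0de6-11d0-a285-00aa003049e2": "versionNumber",
    "f30e3bc0-9ff0-11d1-b603-0000f80367c1": "gPCFunctionalityVersion",
    "bf967976-0de6-11d0-a285-00aa003049e2": "flags",
}

# Constructed stand-in for an objectGUID -> DN directory lookup, taken from the
# Object Name shown by Event Viewer for the same event in the post.
SAMPLE_OBJECT_GUIDS: Dict[str, str] = {
    "36b6bfa5-89b2-4c8d-a0e7-2fd72204d07e":
        "CN={D9A0D776-589A-4D36-8367-051D48BD8005},CN=Policies,CN=System,DC=LosCoyotes,DC=Local",
}

# Constructed input: the raw export from the post, trimmed to the lines that carry tokens.
SAMPLE_EXPORT = """Object Server: DS
Object Type: %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Object Name: %{36b6bfa5-89b2-4c8d-a0e7-2fd72204d07e}
Client User Name: Administrator
Accesses Write Property
Properties:
Write Property
%{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}
%{bf967953-0de6-11d0-a285-00aa003049e2}
%{00000000-0000-0000-0000-000000000000}
%{f30e3bc1-9ff0-11d1-b603-0000f80367c1}
%{bf967a76-0de6-11d0-a285-00aa003049e2}
%{f30e3bc0-9ff0-11d1-b603-0000f80367c1}
%{bf967976-0de6-11d0-a285-00aa003049e2}"""

ObjectGuidLookup = Callable[[str], Optional[str]]


def resolve_text(text: str, object_guid_lookup: ObjectGuidLookup,
                 schema: Dict[str, str] = SCHEMA_GUIDS) -> Tuple[str, List[str]]:
    """Replace %{guid} tokens with names. Returns (resolved text, unresolved GUIDs).

    Object Name tokens are objectGUIDs and go through the directory lookup;
    everything else is looked up in the schema table. The null GUID is left
    as-is without being flagged, since Event Viewer shows it unresolved too.
    """
    unresolved: List[str] = []
    out_lines: List[str] = []
    for line in text.splitlines():
        is_object_name = line.startswith("Object Name:")

        def repl(m: "re.Match[str]") -> str:
            guid = m.group(1).lower()
            if guid == NULL_GUID:
                return m.group(0)
            name = object_guid_lookup(guid) if is_object_name else schema.get(guid)
            if name:
                return name
            unresolved.append(guid)  # keep the token, but report it
            return m.group(0)

        out_lines.append(PLACEHOLDER.sub(repl, line))
    return "\n".join(out_lines), unresolved


def resolve_sample() -> Tuple[str, List[str]]:
    """Run the resolver over the constructed export with the in-memory lookups."""
    return resolve_text(SAMPLE_EXPORT, lambda g: SAMPLE_OBJECT_GUIDS.get(g))


if __name__ == "__main__":
    resolved, missing = resolve_sample()
    print(resolved)
    if missing:
        print("UNRESOLVED GUIDs (add to the schema table):", ", ".join(missing))
```

Wire the daily job so that a non-empty unresolved list fails loudly (exit code or an alert line in the report); a GPO write that touches an attribute outside the table is exactly the event an auditor would not want to lose behind an opaque %{guid}.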