Exporting Directory Service Access entries from event viewer


barabba72

Hi all,

I implemented Directory Service Access Audit Policy within the Domain
Controllers OU in order to monitor group policy changes.

I can see that whenever group policy changes occur, the auditing
process writes into the event viewer the relevant information such as
the user who changed the group policy and the group policy CN (see
below). So far so good.

Now my problem: the information, as is, is of no use, as nobody spends
hours digging in the event viewer looking for this information. So I
set up a daily script that finds all events of this type and writes them into
a daily text file.

But this file does not contain the policy CN anymore! This is
replaced by what looks like a
variable: %{36b6bfa5-89b2-4c8d-a0e7-2fd72204d07e}.

How do I keep this value? Without this information all this auditing
work is worth absolutely nothing. Is there a way to preserve this value,
or to map it to the policy CN?

Thanks for any info on this issue.
Regards

************
EVENT VIEWER
************
Object Open:
Object Server: DS
Object Type: groupPolicyContainer
Object Name: CN={D9A0D776-589A-4D36-8367-051D48BD8005},CN=Policies,CN=System,DC=LosCoyotes,DC=Local
New Handle ID: 0
Operation ID: {0,143054}
Process ID: 244
Primary User Name: SDC03$
Primary Domain: LOSCOYOTES
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: LOSCOYOTES
Client Logon ID: (0x0,0x22EC1)
Accesses Write Property

Privileges -

Properties:
Write Property
General Information
displayName
%{00000000-0000-0000-0000-000000000000}
gPCFileSysPath
versionNumber
gPCFunctionalityVersion
flags

***********
MY LOG FILE
***********
Object Server: DS

Object Type: %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}

Object Name: %{36b6bfa5-89b2-4c8d-a0e7-2fd72204d07e}

New Handle ID: 0

Operation ID: {0,143054}

Process ID: 244

Primary User Name: SDC03$

Primary Domain: LOSCOYOTES

Primary Logon ID: (0x0,0x3E7)

Client User Name: Administrator

Client Domain: LOSCOYOTES

Client Logon ID: (0x0,0x22EC1)

Accesses Write Property



Privileges -


Properties:
Write Property

%{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}
%{bf967953-0de6-11d0-a285-00aa003049e2}
%{00000000-0000-0000-0000-000000000000}
%{f30e3bc1-9ff0-11d1-b603-0000f80367c1}
%{bf967a76-0de6-11d0-a285-00aa003049e2}
%{f30e3bc0-9ff0-11d1-b603-0000f80367c1}
%{bf967976-0de6-11d0-a285-00aa003049e2}
 

Joe Richards [MVP]

Well how are you doing the writing? Make sure your method either maintains the
info or looks it up and writes it itself.
 

barabba72

Hey Joe,

thank you for your answer.
I tried to use dumpel and even this tool shows the same behaviour - it
doesn't export the Group Policy cn being modified but it translates it
into a weird number.
I tried to see with a different policy and that number doesn't even
change. It's always the same. I tried to find this number in the
registry and in the file system just in case it would reference
anything but found nothing whatsoever.

Apart from this, I noticed this behaviour when exporting other types of
auditing info pertaining to the Account Management category. Certain
object names are not exported but replaced with strings of numbers...
 

Brandon McCombs

> Hey Joe,
>
> thank you for your answer.
> I tried to use dumpel and even this tool shows the same behaviour - it
> doesn't export the Group Policy cn being modified but it translates it
> into a weird number.
> I tried to see with a different policy and that number doesn't even
> change. It's always the same. I tried to find this number in the
> registry and in the file system just in case it would reference
> anything but found nothing whatsoever.
>
> Apart from this, I noticed this behaviour when exporting other types of
> auditing info pertaining to the Account Management category. Certain
> object names are not exported but replaced with strings of numbers...

ADS gives unique identifiers to group policies. You can see these when
you click on the Details tab for a policy in Group Policy Mgmt snap-in.
Quick and dirty fix would be to have a text file that shows the group
policy name with the UID that it has assigned to it and then use that file
as a lookup in your script to properly fill that data in, or figure out
how to programmatically do the lookup with the windows API.
 

Joe Richards [MVP]

The numbers are guids. You simply need to know what it relates to. The
objecttype and properties are almost certainly schemaidguid. The objects
themselves are probably using their objectguid.
 

barabba72

Thank you both for your time.
The problem is that the string I get (see above my previous post) is
the same for multiple group policies.
 

Joe Richards [MVP]

I just verified what is logged and the first item is the objecttype which is
indeed the schemaidguid and the next item is the object itself and it is indeed
the objectguid.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


> Thank you both for your time.
> The problem is that the string I get (see above my previous post) is
> the same for multiple group policies.
>
> Joe Richards [MVP] wrote:
 

barabba72

Hey Joe,
OK. So it makes sense that I cannot track down the policy being
modified by looking up the logs made by me (using WMI) or by Dumpel?
Because the ObjectGuid is always the same, no matter which group
policy it is referring to.
Pardon, but your language is rather hard to follow. I'm not so expert
;-)
 

Joe Richards [MVP]

If the second field is always the same GUID (check closely, they could be off by
only a couple of characters) then I would double-check the event logs and the
tools you are using to pull the info. I definitely did not see the same values
except when there were the same objects being logged about.

%{f30e3bc2-9ff0-11d1-b603-0000f80367c1} %{19ebc9cc-5acb-4b97-9e85-6bf62cfe61e6}
%{f30e3bc2-9ff0-11d1-b603-0000f80367c1} %{19ebc9cc-5acb-4b97-9e85-6bf62cfe61e6}
%{f30e3bc2-9ff0-11d1-b603-0000f80367c1} %{7872009d-1aaf-480a-84d4-9ca7276a97cd}
%{f30e3bc2-9ff0-11d1-b603-0000f80367c1} %{7872009d-1aaf-480a-84d4-9ca7276a97cd}
%{f30e3bc2-9ff0-11d1-b603-0000f80367c1} %{b1bcf56f-794b-4427-92ec-f91e1017593c}
%{f30e3bc2-9ff0-11d1-b603-0000f80367c1} %{b1bcf56f-794b-4427-92ec-f91e1017593c}

These 566 events dumped with dumpel show 1 objecttype and 3 specific objects.

F:\temp>adfind -schema -binenc -f
schemaidguid={{GUID:f30e3bc2-9ff0-11d1-b603-0000f80367c1}} -dn

AdFind V01.27.00cpp Joe Richards ([email protected]) August 2005

Transformed Filter: schemaidguid=\C2\3B\0E\F3\F0\9F\D1\11\B6\03\00\00\F8\03g\C1
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=joe,DC=com

1 Objects returned



F:\temp>adfind -gc -b -binenc -f
objectguid={{GUID:19ebc9cc-5acb-4b97-9e85-6bf62cfe61e6}} -dn

AdFind V01.27.00cpp Joe Richards ([email protected]) August 2005

Transformed Filter: objectguid=\CC\C9\EB\19\CBZ\97K\9E\85k\F6\2C\FEa\E6
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joe,DC=com

1 Objects returned

F:\temp>adfind -gc -b -binenc -f
objectguid={{GUID:7872009d-1aaf-480a-84d4-9ca7276a97cd}} -dn

AdFind V01.27.00cpp Joe Richards ([email protected]) August 2005

Transformed Filter: objectguid=\9D\00rx\AF\1A\0AH\84\D4\9C\A7\27j\97\CD
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=joe,DC=com

1 Objects returned

F:\temp>adfind -gc -b -binenc -f
objectguid={{GUID:b1bcf56f-794b-4427-92ec-f91e1017593c}} -dn

AdFind V01.27.00cpp Joe Richards ([email protected]) August 2005

Transformed Filter: objectguid=o\F5\BC\B1Ky\27D\92\EC\F9\1E\10\17Y\3C
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN={998C3460-B01B-4B50-B2E6-1A4ACE54C762},CN=Policies,CN=System,DC=joe,DC=com

1 Objects returned
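Joe's adfind runs above do the lookup one GUID at a time by hand. The script below is an added example, not part of this thread and not adfind's or Joe's code, showing the same mapping done programmatically so a daily export can be annotated automatically. It assumes a constructed SAMPLE_EXPORT text (built from the GUID values quoted in the thread), a FAKE_DIRECTORY dictionary standing in for the LDAP search (its entries are the DNs adfind returned above, plus the displayName and gPCFileSysPath property names paired by position with the EVENT VIEWER listing), and it escapes every non-alphanumeric byte the way adfind's "Transformed Filter" line displays it; the function names are the example's own.

```python
import re
import uuid

# Constructed sample: one exported Directory Service Access event in the
# shape the thread's "MY LOG FILE" listing shows, using the thread's own
# GUID values (a real export would be read from the daily text file).
SAMPLE_EXPORT = """\
Object Server: DS
Object Type: %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Object Name: %{19ebc9cc-5acb-4b97-9e85-6bf62cfe61e6}
Client User Name: Administrator
Client Domain: LOSCOYOTES
Accesses Write Property
Properties:
Write Property
%{bf967953-0de6-11d0-a285-00aa003049e2}
%{f30e3bc1-9ff0-11d1-b603-0000f80367c1}
"""

GUID_TOKEN = re.compile(r"%\{([0-9a-fA-F-]{36})\}")


def guid_to_ldap_filter_value(guid_text):
    """Encode a GUID string as the escaped binary value an LDAP filter needs.

    AD stores objectGUID and schemaIDGUID as 16 raw bytes in the Windows
    mixed-endian layout (uuid.bytes_le), not as the dashed text. Every byte
    that is not an ASCII letter or digit is written as a backslash plus two
    hex digits, which reproduces adfind's "Transformed Filter" display
    (RFC 4515 requires escaping fewer characters; both forms are valid).
    """
    out = []
    for b in uuid.UUID(guid_text).bytes_le:
        ch = chr(b)
        out.append(ch if ch.isascii() and ch.isalnum() else "\\%02X" % b)
    return "".join(out)


def ldap_filter_for(attribute, guid_text):
    """Build the filter adfind was given: (attribute=<escaped bytes>)."""
    return "(%s=%s)" % (attribute, guid_to_ldap_filter_value(guid_text))


def classify_guids(export_text):
    """Return (attribute, guid) pairs telling which AD attribute each %{guid}
    token must be matched against: Object Type and the property list carry
    schemaIDGUID values (schema NC); Object Name carries the object's own
    objectGUID (domain NC, so search a global catalog as adfind -gc does)."""
    pairs = []
    in_properties = False
    for line in export_text.splitlines():
        if line.startswith("Properties:"):
            in_properties = True
            continue
        match = GUID_TOKEN.search(line)
        if not match:
            continue
        guid = match.group(1).lower()
        if line.startswith("Object Name:"):
            pairs.append(("objectGUID", guid))
        elif line.startswith("Object Type:") or in_properties:
            pairs.append(("schemaIDGUID", guid))
    return pairs


# Constructed stand-in for the directory: keyed by the exact filter string a
# real search would send, filled with what adfind returned in the thread plus
# the two property names paired by position with the EVENT VIEWER listing.
FAKE_DIRECTORY = {
    ldap_filter_for("schemaIDGUID", "f30e3bc2-9ff0-11d1-b603-0000f80367c1"):
        "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=joe,DC=com",
    ldap_filter_for("objectGUID", "19ebc9cc-5acb-4b97-9e85-6bf62cfe61e6"):
        "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joe,DC=com",
    ldap_filter_for("schemaIDGUID", "bf967953-0de6-11d0-a285-00aa003049e2"):
        "displayName",
    ldap_filter_for("schemaIDGUID", "f30e3bc1-9ff0-11d1-b603-0000f80367c1"):
        "gPCFileSysPath",
}


def resolve_export(export_text, lookup=FAKE_DIRECTORY.get):
    """Rewrite each %{guid} token as 'guid (name)' when lookup(filter) knows
    it; unknown GUIDs are left untouched rather than guessed. Plug in a
    function that runs the filter against AD to use this on real exports."""
    names = {}
    for attribute, guid in classify_guids(export_text):
        name = lookup(ldap_filter_for(attribute, guid))
        if name:
            names[guid] = name

    def substitute(match):
        guid = match.group(1).lower()
        return "%s (%s)" % (guid, names[guid]) if guid in names else match.group(0)

    return GUID_TOKEN.sub(substitute, export_text)


if __name__ == "__main__":
    print(resolve_export(SAMPLE_EXPORT))
```

The point the thread arrives at is that objectGUID and schemaIDGUID are stored as 16 raw bytes in Windows byte order, so the dashed text from the log must be converted with bytes_le and escaped before it can go into a filter; searching with the text form finds nothing. To run this against a real forest, replace FAKE_DIRECTORY.get with a function that sends the filter to the schema container for schemaIDGUID values and to a global catalog for objectGUID values, as Joe's adfind runs do.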
 
