Thursday, 2 August 2012

Error in SCOM 2012 ACS Report: Sensitive Security Groups Changes

A customer of mine always had an issue with an ACS audit report called "Sensitive Security Groups Changes". The information shown there didn't make a lot of sense: it would show the same user both as the one being added to the group and as the one adding the user. Just some crazy stuff that could be fixed in Report Builder. But I was hired to upgrade the 2007 R2 structure to 2012, hoping that it would be fixed and maybe improved.
Nothing like that. In the end, it was even worse: for some reason, the information shown was completely wrong.
To fix the issue, I opened an incident with Microsoft, which didn't fix the problem but led me to fix it in the end.
It turns out that C:\Windows\System32\security\adtserver\eventschema.xml is already broken on the installation media.
The section for event 4728 is broken:
        <Event SourceId="4728" SourceName="SE_AUDITID_ETW_GLOBAL_GROUP_ADD">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Call Name="AppendString" Param1="8" Param2="0" />
          <Call Name="AppendString" Param1="9" Param2="0" />
          <Call Name="AppendNamesFromSid" Param1="2" Param2="0" />
          <Param TypeName="typeUser" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typeClientSid" />
          <Param TypeName="typeClientUser" />
          <Param TypeName="typeClientDomain" />
          <Param TypeName="typeClientLogonId" />
          <Param TypeName="typePrivileges" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
        </Event>
The correct code (copied from the 4729 definition, which has the tenth AppendString call that 4728 lacks):
        <Event SourceId="4728" SourceName="SE_AUDITID_ETW_GLOBAL_GROUP_ADD">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Call Name="AppendString" Param1="8" Param2="0" />
          <Call Name="AppendString" Param1="9" Param2="0" />
          <Call Name="AppendString" Param1="10" Param2="0" />
          <Call Name="AppendNamesFromSid" Param1="2" Param2="0" />
          <Param TypeName="typeUser" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typeClientSid" />
          <Param TypeName="typeClientUser" />
          <Param TypeName="typeClientDomain" />
          <Param TypeName="typeClientLogonId" />
          <Param TypeName="typePrivileges" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
        </Event>
Make sure you make a backup copy of the file before changing it. When you're done editing, restart the ACS Collector service and the report should be correct.
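To check whether an installed schema has this defect before the edit, and that the edit took, here is an added Python example (not code from the original post or from ACS). It parses eventschema.xml with the standard library and reports which Call entries the 4728 definition lacks compared with the 4729 definition, which is the comparison made by hand above. The embedded sample schema is constructed from the two blocks above; its Schema root element and the SourceName REFERENCE_EVENT_PLACEHOLDER for 4729 are placeholders, since the post shows neither.

```python
"""Compare one ACS eventschema.xml <Event> definition against a reference one.

Added example, not code from the original post or from ACS itself. It checks
whether event 4728's <Call> list lacks entries present in event 4729's, which
is the comparison the post makes by hand.
"""
import sys
import xml.etree.ElementTree as ET

# The twelve <Param> entries shared by both blocks in the post.
PARAMS = [
    "typeUser", "typePrimarySid", "typeTargetUser", "typeTargetDomain",
    "typeTargetSid", "typeClientSid", "typeClientUser", "typeClientDomain",
    "typeClientLogonId", "typePrivileges", "typePrimaryUser", "typePrimaryDomain",
]


def _event_xml(source_id, source_name, n_strings):
    """Build an <Event> block: n_strings AppendString calls, one AppendNamesFromSid call, then PARAMS."""
    calls = "".join(
        f'    <Call Name="AppendString" Param1="{i}" Param2="0" />\n'
        for i in range(1, n_strings + 1)
    )
    calls += '    <Call Name="AppendNamesFromSid" Param1="2" Param2="0" />\n'
    params = "".join(f'    <Param TypeName="{p}" />\n' for p in PARAMS)
    return f'  <Event SourceId="{source_id}" SourceName="{source_name}">\n{calls}{params}  </Event>\n'


# Constructed sample: the broken 4728 block (nine AppendString calls) next to a
# 4729 block with ten, as in the corrected block. The <Schema> root and the
# 4729 SourceName are placeholders; the real file has its own values.
SAMPLE_SCHEMA = (
    "<Schema>\n"
    + _event_xml(4728, "SE_AUDITID_ETW_GLOBAL_GROUP_ADD", 9)
    + _event_xml(4729, "REFERENCE_EVENT_PLACEHOLDER", 10)
    + "</Schema>\n"
)


def find_event(root, source_id):
    """Return the <Event> element with the given SourceId, or raise KeyError."""
    for event in root.iter("Event"):
        if event.get("SourceId") == str(source_id):
            return event
    raise KeyError(f"no <Event SourceId='{source_id}'> in schema")


def calls_of(event):
    """Ordered (Name, Param1, Param2) tuples of an Event's direct <Call> children."""
    return [(c.get("Name"), c.get("Param1"), c.get("Param2")) for c in event.findall("Call")]


def params_of(event):
    """Ordered TypeName values of an Event's direct <Param> children."""
    return [p.get("TypeName") for p in event.findall("Param")]


def compare_events(root, source_id, reference_id):
    """Report <Call> entries the target lacks or adds relative to the reference,
    and whether the two <Param> lists agree."""
    target = find_event(root, source_id)
    reference = find_event(root, reference_id)
    t_calls, r_calls = calls_of(target), calls_of(reference)
    return {
        "missing_calls": [c for c in r_calls if c not in t_calls],
        "extra_calls": [c for c in t_calls if c not in r_calls],
        "params_match": params_of(target) == params_of(reference),
    }


def check_schema_text(xml_text, source_id=4728, reference_id=4729):
    """Run the comparison on XML held in a string (used for the sample)."""
    return compare_events(ET.fromstring(xml_text), source_id, reference_id)


def check_schema_file(path, source_id=4728, reference_id=4729):
    """Run the comparison on a file; ET.parse honours the file's own XML declaration."""
    return compare_events(ET.parse(path).getroot(), source_id, reference_id)


if __name__ == "__main__":
    # Usage: python check_eventschema.py C:\Windows\System32\security\adtserver\eventschema.xml
    if len(sys.argv) > 1:
        result = check_schema_file(sys.argv[1])
    else:
        result = check_schema_text(SAMPLE_SCHEMA)
    for key, value in result.items():
        print(f"{key}: {value}")
    broken = result["missing_calls"] or result["extra_calls"] or not result["params_match"]
    sys.exit(1 if broken else 0)
```

Run it with the path of the real file as the only argument; with no argument it checks the constructed sample, where it reports the missing tenth AppendString call. After the edit and before restarting the collector, an empty missing_calls list with params_match true is the result to expect.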
