I just started to utilize 'Directory Services Changes' events for AD in
Windows Server 2008 R2. One issue that I'm running into is that the new
events, 5136-5141, don't always record a Security ID or Account Name of the
account that makes the modification to AD. For example, they sometimes say
'NULL SID' or are just blank. I can reproduce this behavior by setting an
audited attribute value using ADSI in VBScript. Occasionally, making a
change to an audited attribute in ADUC will result in the same behavior, but
not 100% of the time.
I like the concept of how these new events work, but it seems like they're not
working as intended. I had to enable 'Directory Services Access' events and
look at multiple events in the event log in order to determine who changed
what.
Has anyone else run into this issue or know how to resolve it?
Tim