AD Auditing Issue

Discussion in 'Server Security' started by Tim Chin, May 7, 2010.

  1. Tim Chin

    I just started to utilize 'Directory Services Changes' events for AD in
    Windows Server 2008 R2. One issue that I'm running into is that the new
    events, 5136-5141, don't always record a Security ID or Account Name of the
    account that makes the modification to AD. For example, they sometimes say
    'NULL SID' or are just blank. I can reproduce this behavior by setting an
    audited attribute value using ADSI in VBScript. Occasionally, making a
    change to an audited attribute in ADUC will result in the same behavior, but
    not 100% of the time.

    I like the concept of how these new events work, but it seems like they're not
    working as intended. I had to enable 'Directory Services Access' events and
    look at multiple events in the event log in order to determine who changed
    what.

    Has anyone else run into this issue or know how to resolve it?
    Tim
     
    Tim Chin, May 7, 2010
    #1
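
Added example, not part of the original post: a Python check that scans an XML export of the Security log for the symptom described above, that is, events 5136-5141 whose subject is 'NULL SID' or blank, and returns their record IDs so the surrounding 'Directory Services Access' events can be reviewed by hand. The sample events are constructed, and both the export layout and the treatment of "-" as a blank account name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DS_CHANGE_IDS = set(range(5136, 5142))  # events 5136-5141 named in the post
NULL_SID = "S-1-0-0"                    # well-known SID displayed as 'NULL SID'

# Constructed sample export (not real log data), trimmed to the fields used here.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>5136</EventID><EventRecordID>101</EventRecordID></System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-1-2-3-1104</Data>
<Data Name="SubjectUserName">alice</Data>
<Data Name="ObjectDN">CN=Bob,OU=Staff,DC=example,DC=test</Data>
<Data Name="AttributeLDAPDisplayName">description</Data></EventData></Event>
<Event><System><EventID>5136</EventID><EventRecordID>102</EventRecordID></System>
<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="ObjectDN">CN=Bob,OU=Staff,DC=example,DC=test</Data>
<Data Name="AttributeLDAPDisplayName">telephoneNumber</Data></EventData></Event>
<Event><System><EventID>5137</EventID><EventRecordID>103</EventRecordID></System>
<EventData><Data Name="SubjectUserSid"></Data>
<Data Name="SubjectUserName"></Data>
<Data Name="ObjectDN">CN=Eve,OU=Staff,DC=example,DC=test</Data></EventData></Event>
<Event><System><EventID>4624</EventID><EventRecordID>104</EventRecordID></System>
<EventData><Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data></EventData></Event>
</Events>"""

def unattributed_changes(xml_text):
    """Return directory-change events whose subject is NULL SID or blank."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in DS_CHANGE_IDS:
            continue  # other event types can carry a NULL SID subject; skip them
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        sid = data.get("SubjectUserSid", "")
        name = data.get("SubjectUserName", "")
        if sid in ("", NULL_SID) or name in ("", "-"):  # "-" as blank: assumption
            hits.append({
                "record_id": int(ev.findtext("e:System/e:EventRecordID", namespaces=NS)),
                "event_id": event_id,
                "object_dn": data.get("ObjectDN", ""),
                "attribute": data.get("AttributeLDAPDisplayName", ""),
            })
    return hits

if __name__ == "__main__":
    for hit in unattributed_changes(SAMPLE):
        print(hit)
```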