Active Directory Audit Entries show GUIDs instead of property names

When you're auditing Active Directory using "Directory Service Access" auditing and viewing the corresponding event log entries, the properties that have changed may be shown as GUIDs rather than by name.


An operation was performed on an object.

Subject :
    Security ID:        DEMOEX13\DEMO-EX13-01$
    Account Name:        DEMO-EX13-01$
    Account Domain:        DEMOEX13
    Logon ID:        0x1C8791

Object:
    Object Server:        DS
    Object Type:        msExchMDBAvailabilityGroup
    Object Name:        CN=SampleDag,CN=Database Availability Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=demonstrationex13,DC=int
    Handle ID:        0x0

Operation:
    Operation Type:        Object Access
    Accesses:        Write Property
    Access Mask:        0x20
    Properties:        Write Property
        {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
            {bce4f595-1613-477e-9a50-4da5368811e5}
    {899c4769-8da3-4248-bd69-a680b876c4d7}



Additional Information:
    Parameter 1:        -
    Parameter 2:       


This makes it difficult to determine which properties have actually been changed.

Using the Active Directory GUID resolver, you enter the GUID and the tool connects to the Active Directory schema and resolves the property name for you.
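The same lookup can be scripted. The example below is added here and is not the CENTREL Solutions tool: it takes the GUIDs from an event's Properties block and resolves each one against the schema partition (attributes and classes, matched on schemaIDGUID) and the Extended-Rights container (property sets and extended rights, matched on rightsGuid). It assumes it runs on a domain-joined machine with read access to both partitions; the function name Resolve-AdAuditGuid is my own.

```powershell
# Added example, not the CENTREL tool. Resolves GUIDs from a Directory Service
# Access event (4662) to names. Assumes a domain-joined machine that can read
# the schema and configuration naming contexts.
function Resolve-AdAuditGuid {
    param([Parameter(Mandatory)][string[]]$Guid)

    $root   = [ADSI]'LDAP://RootDSE'
    $schema = [ADSI]"LDAP://$($root.schemaNamingContext)"
    $rights = [ADSI]"LDAP://CN=Extended-Rights,$($root.configurationNamingContext)"

    foreach ($g in $Guid) {
        $guidObj = [guid]$g
        # schemaIDGUID is stored as an octet string, so the LDAP filter needs
        # the raw GUID bytes escaped as \xx pairs.
        $escaped = ($guidObj.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

        $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
        $searcher.Filter = "(schemaIDGUID=$escaped)"
        $searcher.PropertiesToLoad.AddRange(@('lDAPDisplayName', 'objectClass'))
        $hit = $searcher.FindOne()
        if ($hit) {
            $kind = if ($hit.Properties['objectclass'] -contains 'attributeSchema') { 'attribute' } else { 'class' }
            [pscustomobject]@{ Guid = $g; Kind = $kind; Name = $hit.Properties['ldapdisplayname'][0] }
            continue
        }

        # Not a schema object: try property sets and extended rights.
        # rightsGuid is a plain string, so the GUID text can be used directly.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($rights)
        $searcher.Filter = "(rightsGuid=$guidObj)"
        $searcher.PropertiesToLoad.AddRange(@('displayName', 'validAccesses'))
        $hit = $searcher.FindOne()
        if ($hit) {
            # validAccesses 0x100 marks a control access (extended) right;
            # 0x10 / 0x20 mark a read / write property set.
            $va = [int]$hit.Properties['validaccesses'][0]
            $kind = if (($va -band 0x100) -ne 0) { 'extended right' } else { 'property set' }
            [pscustomobject]@{ Guid = $g; Kind = $kind; Name = $hit.Properties['displayname'][0] }
            continue
        }

        [pscustomobject]@{ Guid = $g; Kind = 'unknown'; Name = $null }
    }
}

# Constructed sample input: the Properties block from the event shown above.
$eventText = @'
    Properties:        Write Property
        {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
            {bce4f595-1613-477e-9a50-4da5368811e5}
    {899c4769-8da3-4248-bd69-a680b876c4d7}
'@
$guids = [regex]::Matches($eventText, '\{[0-9a-fA-F-]{36}\}') | ForEach-Object { $_.Value }
Resolve-AdAuditGuid -Guid $guids | Format-Table -AutoSize
```

A GUID that resolves to 'unknown' is usually one belonging to a forest-specific schema extension that the account running the script cannot read, so check the schema partition permissions before assuming the event is malformed.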




This tool is available to all CENTREL Solutions customers who use our Active Directory documentation tool. If you are not a customer, you can still email tools@centrel-solutions.com and we'll email you a download link for free.




Comments

  1. Would you like this to be included in our XIA Configuration Server web interface? If you'd find it useful please let us know!
