Tuesday, 6 January 2015

Active Directory Audit Entries show GUIDs instead of property names

When you audit Active Directory using "Directory Service Access" auditing and view the corresponding event log entries, the properties that have changed may be shown as GUIDs rather than property names.


An operation was performed on an object.

Subject :
    Security ID:        DEMOEX13\DEMO-EX13-01$
    Account Name:        DEMO-EX13-01$
    Account Domain:        DEMOEX13
    Logon ID:        0x1C8791

Object:
    Object Server:        DS
    Object Type:        msExchMDBAvailabilityGroup
    Object Name:        CN=SampleDag,CN=Database Availability Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=demonstrationex13,DC=int
    Handle ID:        0x0

Operation:
    Operation Type:        Object Access
    Accesses:        Write Property
               
    Access Mask:        0x20
    Properties:        Write Property
        {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
            {bce4f595-1613-477e-9a50-4da5368811e5}
    {899c4769-8da3-4248-bd69-a680b876c4d7}



Additional Information:
    Parameter 1:        -
    Parameter 2:       


This makes it difficult to determine which properties have actually been changed.

Using the Active Directory GUID resolver you can enter the GUID and the tool connects to the Active Directory Schema and resolves the property name for you.
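
What such a lookup involves, shown as an added PowerShell example that is not the CENTREL Solutions tool or its code. It assumes the ActiveDirectory RSAT module and read access to the schema, the function names are hypothetical, and the fallback to the Extended-Rights container (for GUIDs that are property sets rather than schema attributes) goes beyond what the post describes.

```powershell
# Added example (not the CENTREL tool). Function names are hypothetical.
# Assumes the ActiveDirectory RSAT module and read access to the forest schema.
Import-Module ActiveDirectory

function ConvertTo-LdapGuidFilter {
    param([Parameter(Mandatory)][guid]$Guid)
    # schemaIDGUID is a binary attribute: escape each byte as \XX. ToByteArray()
    # returns the mixed-endian byte layout that Active Directory stores.
    -join ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') })
}

function Resolve-AuditGuid {
    param([Parameter(Mandatory)][string]$Text)
    $rootDse = Get-ADRootDSE
    $rights  = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $pattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $values  = [regex]::Matches($Text, $pattern) | ForEach-Object { $_.Value }
    foreach ($value in ($values | Select-Object -Unique)) {
        $guid = [guid]$value
        # 1. Attribute or class definition in the schema partition.
        $hit = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(schemaIDGUID=$(ConvertTo-LdapGuidFilter $guid))" `
            -Properties lDAPDisplayName | Select-Object -First 1
        $name = if ($hit) { $hit.lDAPDisplayName }
        if (-not $hit) {
            # 2. Property set or extended right; rightsGuid is a plain string.
            $hit = Get-ADObject -SearchBase $rights `
                -LDAPFilter "(rightsGuid=$guid)" `
                -Properties displayName | Select-Object -First 1
            $name = if ($hit) { $hit.displayName }
        }
        [pscustomobject]@{
            Guid = $guid
            Name = $name
            Kind = if ($hit) { $hit.ObjectClass } else { 'unresolved' }
        }
    }
}

# The three GUIDs from the Properties list of the event shown above.
$properties = @'
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{bce4f595-1613-477e-9a50-4da5368811e5}
{899c4769-8da3-4248-bd69-a680b876c4d7}
'@
Resolve-AuditGuid -Text $properties | Format-Table -AutoSize
```

The Kind column distinguishes attributes (attributeSchema), object classes (classSchema) and property sets (controlAccessRight), which is useful because the Properties list of an audit entry can mix them.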




This tool is available to all CENTREL Solutions customers who use our Active Directory documentation tool. If you are not a customer, you can still email tools@centrel-solutions.com and we'll email you a download link for free.




1 comment:

  1. Would you like this to be included in our XIA Configuration Server web interface? If you'd find it useful please let us know!
