Audit Report Scenarios: How to create custom reports with System Center Operations Manager 2007 R2 and Audit Collection Services (ACS)
Scenarios that are discussed in this blog post include:
- Scenario 1: Computers joined to the domain (names and description)
- Scenario 2: User passwords expired
- Scenario 3: User accounts locked out
- Scenario 4: Group policy changes
Scenario 1: Computers joined to the domain (names and description)
The following Event IDs will be used in this procedure:
645 - A computer account was created.
646 - A computer account was changed.
647 - A computer account was deleted.
Note: Computer description cannot be reported on as it is not a parameter of the events.
Computer Accounts Created
Step 1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from the ‘Explorer pane, Fields:’ section
Step 3 Rename fields
Step 4 Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > Select a format to suit your requirements
Step 5 Right click inside the ‘Computer’ field > Edit Formula > Enter the formula as indicated in the image
Step 6 Select Filter from the toolbar. Add Event Id and select 645.
Note: Event Id 645 will not be available if Audit Account Management is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event.
Report example (image)
Computer Accounts Deleted
Save the report created above under a different name, change the title, and simply change the Event Id in Step 6 above to 647 to report on deleted computer accounts.
Report example (image)
Computer Accounts Changed
Step 1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from the ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Right click inside the ‘Action’ field > Edit Formula > Enter the formula as indicated in the image
Step 5 Select Filter from the toolbar. Add Event Id equals 647. Also add String 06 not equal to "-" (a dash).
Note: Event Id 647 will not be available if Audit Account Management is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event.
Report example (image)
Scenario 2: User passwords expired
Event Id 535 (Logon failure: the password for the specified account has expired) will be used in this procedure.
Step 1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from the ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id equals 535. Also add String 06 not equal to "-" (a dash).
Note: Event Id 535 will not be available if Audit logon events is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event, or there were no logon attempts by users with expired passwords.
Report example (image)
Scenario 3: User accounts locked out
Event Id 644 (A user account was auto locked) will be used in this procedure.
Step 1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from the ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id equals 644.
Note: Event Id 644 will not be available if Audit Account Management is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event, or if the Account Lockout Policy is not configured with a threshold for logon attempts.
Report example (image)
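The filters from Scenarios 1 to 3, expressed as a T-SQL query against the ACS database, as an added example that is not part of the original post. It covers Event IDs 645, 646, 647, 535 and 644 so the underlying data can be checked in SQL Server Management Studio before a report is designed. It assumes the ACS database is named OperationsManagerAC (the installer default) and that the AdtServer.dvAll view exposes the CreationTime, EventId, EventMachine, TargetUser, TargetDomain, HeaderUser, HeaderDomain and String06 columns; which String column carries which event parameter should be confirmed against a live row. Because the event list at the top of Scenario 1 gives 646 as the changed-computer-account event, the String 06 filter is applied to 646 and 535 here.

```sql
-- Added example, not code from the original post or from the ACS product.
-- Assumed: database OperationsManagerAC and the AdtServer.dvAll view with the
-- columns used below. Confirm with:  SELECT TOP 1 * FROM AdtServer.dvAll
USE OperationsManagerAC;
GO

-- Report window: the last 7 days (ACS stores CreationTime in UTC).
DECLARE @from datetime;
SET @from = DATEADD(day, -7, GETUTCDATE());

-- 1) Presence check for the "will not be available" notes in the steps.
--    An Event Id missing from this output means the audit policy is off,
--    the DC is not forwarding to the collector, or an ACS filter drops it.
SELECT e.EventId,
       COUNT(*)           AS [Events],
       MIN(e.CreationTime) AS [First seen],
       MAX(e.CreationTime) AS [Last seen]
FROM AdtServer.dvAll AS e
WHERE e.EventId IN (645, 646, 647, 535, 644)
GROUP BY e.EventId
ORDER BY e.EventId;

-- 2) The report rows themselves, with the same filters the post applies
--    in the report designer: Event Id, plus String 06 not equal to "-"
--    for the changed-account and expired-password events.
SELECT e.CreationTime                       AS [Date],
       e.EventMachine                       AS [DC],
       e.TargetDomain + '\' + e.TargetUser  AS [Account],
       e.HeaderDomain + '\' + e.HeaderUser  AS [Performed by],
       CASE e.EventId
           WHEN 645 THEN 'Computer account created'
           WHEN 646 THEN 'Computer account changed'
           WHEN 647 THEN 'Computer account deleted'
           WHEN 535 THEN 'Logon failure: password expired'
           WHEN 644 THEN 'User account auto locked'
       END                                  AS [Action]
FROM AdtServer.dvAll AS e
WHERE e.CreationTime >= @from
  AND (
        e.EventId IN (645, 647, 644)
     OR (e.EventId IN (646, 535) AND e.String06 <> '-')
      )
ORDER BY e.CreationTime DESC;
```

Run the first statement before building any of the reports: an Event Id absent from its output is exactly the condition the step notes warn about, and audit policy, forwarding and ACS filtering are easier to fix there than by staring at an empty report.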
Scenario 4: Group policy changes
Event Id 566 (A generic object operation took place) will be used in this procedure.
Step 1 Operations Console > Reporting > Audit Reports > Design a new report
Step 2 Select fields as shown in the image from the ‘Explorer pane, Fields:’ section and rename as appropriate
Step 3 Right click inside the ‘Date’ field (e.g. 1/1/2009) > Format > Select a format to suit your requirements
Step 4 Select Filter from the toolbar. Add Event Id equals 566. Also add String 01 contains groupPolicyContainer.
Note: Event Id 566 will not be available if Audit Directory Service Access is not enabled, or a DC is not configured to forward this event to an ACS collector, or ACS is configured to filter out this event.
Step 5 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
Step 6 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
Report example (image)
Note: I added a text box with the KB URL to convert GPO GUIDs to GPO names.
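The Scenario 4 filter as a T-SQL query, with the GUID-to-name step done in the query rather than by a text box, as an added example that is not part of the original post. It assumes the same OperationsManagerAC database and AdtServer.dvAll view as above, and that for Event Id 566 String01 holds the object type (which is why the post filters it on groupPolicyContainer) and String02 holds the object's distinguished name; both should be confirmed against a live 566 row. The two GUIDs in the CASE are the well-known GUIDs of the Default Domain Policy and Default Domain Controllers Policy; any other GPO still needs the KB lookup the post mentions.

```sql
-- Added example, not code from the original post or from the ACS product.
-- Assumed: OperationsManagerAC, AdtServer.dvAll, and for Event Id 566
-- String01 = object type, String02 = object DN such as
-- "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com".
USE OperationsManagerAC;
GO

WITH gpo AS (
    SELECT e.CreationTime,
           e.EventMachine,
           e.HeaderDomain + '\' + e.HeaderUser AS Who,
           e.String02                          AS ObjectDN,
           -- Pull the "{GUID}" out of the DN; NULL if the braces are not there,
           -- so a malformed row never makes SUBSTRING fail on a negative length.
           CASE WHEN CHARINDEX('{', e.String02) > 0
                 AND CHARINDEX('}', e.String02) > CHARINDEX('{', e.String02)
                THEN SUBSTRING(e.String02,
                               CHARINDEX('{', e.String02),
                               CHARINDEX('}', e.String02) - CHARINDEX('{', e.String02) + 1)
                ELSE NULL
           END                                 AS GpoGuid
    FROM AdtServer.dvAll AS e
    WHERE e.EventId = 566
      AND e.String01 LIKE '%groupPolicyContainer%'   -- the post's String 01 filter
)
SELECT CreationTime AS [Date],
       EventMachine AS [DC],
       Who          AS [Changed by],
       GpoGuid      AS [GPO GUID],
       CASE UPPER(GpoGuid)
           WHEN '{31B2F340-016D-11D2-945F-00C04FB984F9}' THEN 'Default Domain Policy'
           WHEN '{6AC1786C-016F-11D2-945F-00C04FB984F9}' THEN 'Default Domain Controllers Policy'
           ELSE '(custom GPO: resolve the GUID via the KB article or Get-GPO -Guid)'
       END          AS [GPO name],
       ObjectDN
FROM gpo
WHERE GpoGuid IS NOT NULL
ORDER BY CreationTime DESC;
```

Keeping the raw ObjectDN column in the output is deliberate: when the CASE falls through to the custom-GPO branch, the DN is what an investigator pastes into the lookup, and it also shows which domain the change occurred in when several domains forward to one collector.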