

ACS: EventSchema.xml changes for Server 2008 Account Lockout Events

Just realized that I haven't blogged on this yet. By default, the "Caller Machine Name" property of Account Lockout events from Windows Server 2008 servers is not entered in the ACS database, and this will affect some of the Account Lockout reports that I have previously posted. Below are the details and the fix:

 

For Windows 2000/2003 Account Lockout events (Event ID 644), we store the Target Account Name in the String01 column and the Caller Machine Name in the String02 column (the Target Account Name is also stored in the TargetUser column).

For Windows Server 2008 Account Lockout events (Event ID 4740), we do not store anything in String01 or String02. This doesn't really affect the Target Account Name property, since it is already stored as TargetUser, but we are no longer collecting the Caller Machine Name in the database.

To maintain parity with the Windows 2000/2003 Account Lockout events, we need to make the following changes to the EventSchema.xml (on the ACS Collector server) so that the Target Account Name and the Caller Machine Name are stored in String01/String02:

 

NOTE:

  • The EventSchema.xml file is located in the C:\Windows\System32\Security\AdtServer folder on the ACS Collector server
  • Be sure to back up the existing EventSchema.xml file before making any changes
  • After making the change, restart the ACS Collector service on the Collector Server
  • This change will NOT affect any existing events in the database; it only affects events that are collected AFTER the change is made

 

Before:
        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
        </Event>

After:
        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
          <Param TypeName="typeString" />
          <Param TypeName="typeString" />
        </Event>
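The edit above is easy to get wrong by hand, and the comments below show the most common failure: the schema contains more than one entry for event 4740 and only one of them gets changed. The script below is an added example (not Microsoft's tooling and not code from this post) that backs up EventSchema.xml, applies the same two AppendString calls and two typeString params to every 4740 entry, and refuses to patch an entry whose Call and Param lists are out of step. It assumes the file is plain XML with no namespace and that Calls precede Params inside each Event, as in the listing above; the root element name and the 9999 event in the constructed sample are placeholders and carry no meaning.

```python
"""Apply the String01/String02 change for event 4740 to an ACS EventSchema.xml.

Added example, not Microsoft's tooling and not code from the post. Assumptions:
  - EventSchema.xml is plain XML without a namespace, with <Event> elements
    whose <Call> children precede their <Param> children, as in the post;
  - insertion strings 1 and 2 of event 4740 hold the Target Account Name and
    the Caller Machine Name, as the post states;
  - the root element name ("EventSchema" in the constructed sample below) does
    not matter: events are located with iter(), not by path.
"""
import shutil
import sys
import xml.etree.ElementTree as ET
from datetime import datetime

LOCKOUT_EVENT_ID = "4740"
EXTRA_STRING_POSITIONS = ("1", "2")          # insertion strings -> String01, String02
EXTRA_PARAM_TYPES = ("typeString", "typeString")


def call_positions(event):
    """Param1 values of the event's AppendString calls, in document order."""
    return [c.get("Param1") for c in event.findall("Call")]


def param_types(event):
    """TypeName values of the event's Param elements, in document order."""
    return [p.get("TypeName") for p in event.findall("Param")]


def patch_lockout_event(event):
    """Append the two AppendString calls and the matching typeString params.

    Returns True if the element was changed, False if it already carries the
    change, so the script can be re-run safely.
    """
    calls = event.findall("Call")
    params = event.findall("Param")
    if not calls or len(calls) != len(params):
        # Each Call yields one value that lands in the Param at the same index;
        # an entry whose lists disagree is not one this script understands.
        raise ValueError(f"Event {event.get('SourceId')}: {len(calls)} Call vs {len(params)} Param")
    if (tuple(call_positions(event)[-2:]) == EXTRA_STRING_POSITIONS
            and tuple(param_types(event)[-2:]) == EXTRA_PARAM_TYPES):
        return False
    # New Calls go right after the last existing Call so Calls stay before Params.
    insert_at = list(event).index(calls[-1]) + 1
    for pos in EXTRA_STRING_POSITIONS:
        event.insert(insert_at, ET.Element("Call", {"Name": "AppendString", "Param1": pos, "Param2": "0"}))
        insert_at += 1
    for type_name in EXTRA_PARAM_TYPES:
        event.append(ET.Element("Param", {"TypeName": type_name}))
    return True


def lockout_events(root):
    return [ev for ev in root.iter("Event") if ev.get("SourceId") == LOCKOUT_EVENT_ID]


def patch_schema_tree(root):
    """Patch every 4740 entry (there can be more than one); return how many changed."""
    return sum(1 for ev in lockout_events(root) if patch_lockout_event(ev))


def patch_schema_file(path):
    """Back up the file, patch it in place, and return the number of entries changed."""
    shutil.copy2(path, f"{path}.{datetime.now():%Y%m%d%H%M%S}.bak")
    tree = ET.parse(path)
    changed = patch_schema_tree(tree.getroot())
    if changed:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return changed


# Constructed sample: two 4740 entries (the comments on the post report
# duplicates) plus one placeholder event that must be left alone.
_LOCKOUT_ENTRY = (
    '  <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">\n'
    + "".join(f'    <Call Name="AppendString" Param1="{i}" Param2="0" />\n' for i in range(1, 8))
    + "".join(f'    <Param TypeName="{t}" />\n' for t in (
        "typeTargetUser", "typeTargetDomain", "typeTargetSid", "typePrimarySid",
        "typePrimaryUser", "typePrimaryDomain", "typePrimaryLogonId"))
    + "  </Event>\n"
)
SAMPLE_SCHEMA = (
    "<EventSchema>\n" + _LOCKOUT_ENTRY
    + '  <Event SourceId="9999" SourceName="PLACEHOLDER_OTHER_EVENT">\n'
    '    <Call Name="AppendString" Param1="1" Param2="0" />\n'
    '    <Param TypeName="typeTargetUser" />\n'
    "  </Event>\n" + _LOCKOUT_ENTRY + "</EventSchema>\n"
)


def load_sample():
    return ET.fromstring(SAMPLE_SCHEMA)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\Security\AdtServer\EventSchema.xml"
    print(f"changed {patch_schema_file(target)} event 4740 entries; now restart the ACS Collector service")
```

Run it on the Collector with the path to EventSchema.xml (the default is the folder named in the NOTE above), then restart the ACS Collector service; the script does not restart it for you. Re-running is harmless because an entry that already ends in the two extra Calls and two typeString Params is skipped. After new lockouts arrive, confirm String02 is populated for 4740 rows in the ACS database before trusting the reports again.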

Comments

  • Anonymous
    January 01, 2003
    Check the EventSchema.xml file to see if you have multiple entries for event 4740....if you do, make the above change to both of them, then restart the Collector service and check the new events.  Also, check to verify that the Caller Machine Name field is populated in the actual event that is logged on the server.  If this doesn't help, email me a copy of your EventSchema.xml file and I will take a look.

  • Anonymous
    January 01, 2003
    You're right....typo in the blog...I will correct it.

  • Anonymous
    January 01, 2003
    I have the reports posted at blogs.technet.com/.../some-custom-acs-reports.aspx.  

  • Anonymous
    May 19, 2011
    If memory serves, I believe 2003 account lockout security event is 644 not 640 as noted in the 2nd paragraph

  • Anonymous
    May 19, 2011
    Jim, sounds like Microsoft should hire YOU!!!! nice pick!

  • Anonymous
    June 27, 2011
    Can you publish the custom account report file (rdl) for this solution? - Not able to make it work!

  • Anonymous
    June 28, 2011
    I tried the same - not sure why my caller computer names are not showing!

  • Anonymous
    November 02, 2011
    I tried the exact modifications listed above without success. The SQL entries for event 4740 look identical to previous entries (with NO Caller Machine in String02 (or anywhere else)). I did restart the Collection Service after the modifications. I've tried a number of other variations based on my limited understanding of the EventSchema.xml to no avail. Any suggestions? My current entry for 4740 looks like this (however it does NOT provide the Caller Machine either, so I'm at a loss).

        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeString" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
        </Event>

    Thanks for any help you can provide.

  • Anonymous
    November 03, 2011
    There were indeed multiple entries for 4740. Modifying them both solved the issue. Lesson learned :) Thanks so much for the help.

  • Anonymous
    June 06, 2012
    Thanks this worked a treat!!!  life saver!