ACS Audit Report for Account Created, Deleted, Enabled and/or Disabled
First, you need the Event IDs of the activities you want to report on.
Second, consider the security event schema. Each parameter of an event is written to a specific column in the ACS database tables, and not all events share the same schema: User Account Enabled, Disabled, Created and Deleted use the same schema, but Account Lockout may be different (this needs to be checked).
So, for the following activities (User Account Enabled, Disabled, Created and Deleted) we can create one report:
- Open the ACS Reporting Web:
https://<<servername>>/reports
- Open Report Builder
- Open from Report Server | Select Audit Reports | Account Management_-_User_Account_Created | Open
- Design Report: Selected fields >>
  - Logon Time as Date/Time
  - Event ID as Action (Event ID)
  - Right-click Action (Event ID) | Edit Formula as follows:
  - Target User as Affected Account
  - Primary User as Action By
  - Event Machine as Domain Controller
- Open Filter
a) Create New Data Field
b) The report looks for events 624 (Account Created), 630 (Account Deleted), 626 (Account Enabled) or 629 (Account Disabled) on Windows Server 2003, and 4720 (Account Created), 4726 (Account Deleted), 4722 (Account Enabled) or 4725 (Account Disabled) on Windows Server 2008
- Save As the report
- Open it from the SQL Server Reporting Services Web
- Sample of the output
#Audit_Report_User_Accounts_Management.rdl
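As an added example, not part of the original post or of the .rdl above, the same report can be expressed as a T-SQL query straight against the ACS database. It assumes the ACS database is named OperationsManagerAC (the name used in the lockout query in the comments) and that the AdtServer.dvAll view exposes CreationTime, EventId, TargetUser, PrimaryUser and EventMachine columns; confirm the column names with a SELECT TOP 1 * against dvAll before relying on them. The CASE expression does the job of the Edit Formula step (mapping each Event ID to an action name), and the WHERE clause does the job of the Filter step.

```sql
-- Added example (not from the original post): the account-management report as a
-- T-SQL query against the ACS database.
-- Assumptions: database OperationsManagerAC; view AdtServer.dvAll with the columns
-- CreationTime, EventId, TargetUser, PrimaryUser and EventMachine.
SELECT
    e.CreationTime AS [Date/Time],
    CASE e.EventId
        WHEN 624  THEN 'Account Created'    -- Windows Server 2003 event IDs
        WHEN 630  THEN 'Account Deleted'
        WHEN 626  THEN 'Account Enabled'
        WHEN 629  THEN 'Account Disabled'
        WHEN 4720 THEN 'Account Created'    -- Windows Server 2008 event IDs
        WHEN 4726 THEN 'Account Deleted'
        WHEN 4722 THEN 'Account Enabled'
        WHEN 4725 THEN 'Account Disabled'
    END AS [Action (Event ID)],
    e.EventId      AS [Event ID],
    e.TargetUser   AS [Affected Account],
    e.PrimaryUser  AS [Action By],
    e.EventMachine AS [Domain Controller]
FROM [OperationsManagerAC].[AdtServer].[dvAll] AS e
-- Same set of event IDs as the report filter; both OS generations are covered
WHERE e.EventId IN (624, 630, 626, 629, 4720, 4726, 4722, 4725)
  -- Restrict the time window; ACS tables grow quickly, so avoid unbounded scans
  AND e.CreationTime >= DATEADD(day, -7, GETUTCDATE())
ORDER BY e.CreationTime DESC;
```

Running this in SQL Server Management Studio is also a quick way to check that the schema assumption in the post holds: if TargetUser or PrimaryUser comes back empty for one of the event IDs, that event writes its parameters to different columns and needs its own report, which is exactly the concern raised about Account Lockout above.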
Comments

Anonymous, January 01, 2003:
The same could be done for a Groups Activities Report, by changing the event IDs and the Event ID action SWITCH.

Anonymous, January 01, 2003:
Hi, here is a sample of the Account lockout event. It does not contain an IP address, only a computer name in the "Caller Computer Name" field:

A user account was locked out.
Subject:
  Security ID: SYSTEM
  Account Name: DC$
  Account Domain: DomainName
  Logon ID: 0x3e7
Account That Was Locked Out:
  Security ID: DomainNameUserName
  Account Name: UserName
Additional Information:
  Caller Computer Name: ComputerName

The following query will help you determine which column includes the "Caller Computer Name" data:
SELECT * FROM [OperationsManagerAC].[AdtServer].[dvAll] WHERE [EventID] = '4740'

Anonymous, January 01, 2003:
Thanks Rohit, appreciate it.

Anonymous, January 01, 2003:
Great, but no help for a newbie on SCOM 2012 R2 and SQL 2012 :)

Anonymous, January 01, 2003:
Excellent. Thank you very much.

Anonymous, January 01, 2003:
Mazen, this is an awesome blog. Thanks for posting.

Anonymous, March 08, 2012:
Hi, I would like to generate a user account locked report with the IP address and the server to which the user had logged in. I would appreciate it if you could guide me in generating this report.

Anonymous, March 02, 2014:
Hi,
How can I remove the Domain user parameter?
Thanks