Share via


Audit Report Scenarios: How to create custom reports with System Center Operations Manager 2007 R2 and Audit Collection Services (ACS)

Scenarios that are discussed in this blog post include:

  • Scenario 1: Computers joined to the domain (names and description)
  • Scenario 2: User passwords expired
  • Scenario 3: User accounts locked out
  • Scenario 4: Group policy changes

Scenario 1: Computers joined to the domain (names and description)

The following Event Id’s will be used in this procedure:

645 - A computer account was created.

646 - A computer account was changed.

647 - A computer account was deleted.

Note: Computer description cannot be reported on as it is not a parameter of the events.

Computer Accounts Created

Step1 Operations Console > Reporting > Audit Reports > Design a new report image
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section image 
Step 3 Rename fields image
Step 4 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements image
Step 5 Right click inside the ‘Computer’ field > Edit Formula > Enter the formula as indicated in the image image
Step 6 Select Filter from the toolbar. Add Event Id and select 645 Note Event Id 645 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event. image
Report example image

Computer Accounts Deleted

Save the report created above as a different name, change the title and simply change the event id in step 6 above to 647 to report on deleted computer accounts.

Report example image

Computer Accounts Changed

Step1 Operations Console > Reporting > Audit Reports > Design a new report image
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate image
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements image
Step 4 Right click inside the ‘Action’ field > Edit Formula > Enter the formula as indicated in the image image
Step 5 Select Filter from the toolbar. Add Event Id and equals 647. Also add String 06 and not equal to - Note Event Id 647 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event. image
Report example image

Scenario 2: User passwords expired

Event Id 535 (Logon failure. The password for the specified account has expired) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report image
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate image
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements image
Step 4 Select Filter from the toolbar. Add Event Id and equals 535. Also add String 06 and not equal to - Note Event Id 535 will not be available if Audit logon events is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event or there were no logon attempts by users with expired passwords. image
Report example image

Scenario 3: User accounts locked out

Event Id 644 (A user account was auto locked) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report image
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate image
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements image
Step 4 Select Filter from the toolbar. Add Event Id and equals 644. Note Event Id 644 will not be available if Audit Account Management is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event or if the Account Lockout Policy is not configured with a threshold for logon attempts. image
Report example image

Scenario 4: Group policy changes

Event Id 566 (A generic object operation took place) will be used in this procedure.

Step1 Operations Console > Reporting > Audit Reports > Design a new report image
Step 2 Select fields as shown in the image from ‘Explorer pane, Fields:’ section and rename as appropriate image
Step 3 Right click inside the ‘Date’ field (i.e. 1/1/2009) > Format > Select a format to suit your requirements image
Step 4 Select Filter from the toolbar. Add Event Id and equals 566. Also add String 01 contains groupPolicyContainer  Note Event Id 566 will not be available if Audit Directory Service Access is not enabled or a DC is not configured to forward this event to an ACS collector or ACS is configured to filter out this event. image
Step 5 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image image
Step 6 Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image image
Report example image Note: I added a text box with the KB URL to convert GPO GUID’s to GPO names.