Condividi tramite


Enumerating Stuff in AD when all you see is GUIDs in Audit Records

A lot of things in Active Directory audit events show up as GUIDs but are not translated.  Why is that?

Well, the Event Viewer in Windows only translate one kind of AD guid, the objectGUID.  However AD uses GUIDs in several ways.  For instance, group policy objects have a common name (CN) which is a string-ized GUID.  Control Access Rights have a rightsGuid.

If you, my intrepid log analyzer, want to build your own reference charts so that you can translate these, you can use the "LDP" tool.  This utility is in the Windows 2000 Server Resource Kit and the Support Tools for Windows XP and Windows Server 2003, and it's built into Windows Server 2008.

Complete instructions on how to use LDP are beyond the scope of this post.  However the basic procedure is this:

1. "Connect" to a domain controller.
2. "Bind" to the DC by entering your credentials (in WS08, LDP.EXE lets you bind with your current logged-on account's identity without providing credentials).  For our purposes an ordinary user account is fine, we're just going to query.
3.  Use "Search" from the browse menu to find the stuff you're interested in; it will print out in the right-hand pane.

Here are some things you can enumerate, and the Search settings you'll use in LDP.

Control Access Rights
Base DN: CN=Configuration,DC=yourdomain,DC=com
Filter: objectClass=controlaccessright
Scope: subtree
Options/Attributes: name;rightsGuid;

Then just click the "Run" button- Voila!  You can cut & paste the results into a text file that you can use whenever you need to look up a CAR.

Schema Objects (properties, etc.)
There are too many schema attributes to enumerate them all (well you can with a lot of custom search settings like increasing buffer sizes and timeouts but I'm not going to advise you to beat up your AD). So here is how to look up a particular property.
Base DN: CN=Schema,CN=configuration,DC=yourdomain,DC=com
Filter: schemaIDGUID=bf967a8d-0de6-11d0-a285-00aa003049e2   <-- your property GUID goes here
Scope: subtree
Options/Attributes: name;schemaIDGUID;

Group Policy Objects
For some reason group policy objects have a common name which is a GUID, even though all AD objects already have GUIDs. This seems really weird to me (I would use a different word than weird but our company values include being respectful). Anyway if you want to find out the "friendly" name of a GPO, here's what you do.
Base DN: DC=yourdomain,DC=com
Filter: CN={6ac1786c-016f-11d2-945f-00c04fb984f9} <-- your GPO name goes here, complete with curly braces
Scope: subtree
Options/Attributes: displayName;cn;distinguishedName;

Anyway with these examples you should be well on your way. You can always change the attribute list that the search returns to "*;" (yes, add the semicolon) to tell you all the properties of each object, but I've tried to show you how to list only the most interesting ones. Microsoft Press has a book on Active Directory schema that's part of the MSDN Active Directory Developer's Reference Library, but it's dated (pre-Windows 2000 RTM) and all the material is available on MSDN if you do a little searching.

[2009-06-12 Updated to describe LDP in Windows Server 2008 and clarification of GUID translation]