BillK, posted October 24, 2008

Hello,
I'm trying to track down who made a change to the default domain audit policy, and the event includes this info (data altered) in an event ID 612:

Changed By:
User Name: DOMAINCONTROLLER$
Domain Name: OURDOMAIN
Logon ID: (0x1,0x4B7)

How do I decipher that Logon ID? I've checked a couple of different DCs (including the PDC Emulator) but it still doesn't show me the proper user ID.
S. Pidgorny, posted October 27, 2008

You decipher that like this: you have a computer named DOMAINCONTROLLER, from which the change was replicated to where this was logged.

--
Svyatoslav Pidgorny, MCSE, RHCE -= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp

BillK wrote:
> Hello,
> I'm trying to track down who made a change to the default domain audit
> policy, and the event includes this info (data altered) in an event ID 612:
>
> Changed By:
> User Name: DOMAINCONTROLLER$
> Domain Name: OURDOMAIN
> Logon ID: (0x1,0x4B7)
>
> How do I decipher that Logon ID? I've checked a couple of different DCs
> (including the PDC Emulator) but it still doesn't show me the proper user ID.
BillK, posted October 27, 2008

To amend my original post and to respond to S. Pidgorny, here's the answer I have from further research (though I'm not thrilled with it and welcome additional info):

The event will always show "Domaincontroller$" as the user name because, from the perspective of Windows Server, the system makes the change to GPOs, not the administrator. The only way to effectively track down a policy change is to enable file-level auditing and audit for writes against the GPO files themselves under SYSVOL (because this will reflect the admin's user ID when modifying the object). This webinar shows how to go about it in conjunction with a vendor's log aggregation product: http://www.prismmicrosys.com/Training/Trac...icyChanges.html

This is really disappointing, but I'd love to know if it's simpler in Windows 2008...

- Bill

"BillK" wrote:
> Hello,
> I'm trying to track down who made a change to the default domain audit
> policy, and the event includes this info (data altered) in an event ID 612:
>
> Changed By:
> User Name: DOMAINCONTROLLER$
> Domain Name: OURDOMAIN
> Logon ID: (0x1,0x4B7)
>
> How do I decipher that Logon ID? I've checked a couple of different DCs
> (including the PDC Emulator) but it still doesn't show me the proper user ID.
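The file-level SYSVOL auditing Bill describes, as an added PowerShell example (not code from the thread or from the vendor webinar): it places a SACL on the GPO folder and then reads back which account wrote to a GPO file. It assumes the default SYSVOL path, a domain named example.local, that the File System audit subcategory is already enabled, and a Windows Server 2008 or later DC, where file-access audits are logged as event 4663 rather than the 2003-era 560/567.

```powershell
# Added example, not the poster's own code. Run on a DC with admin rights.
# Assumptions: default SYSVOL path and domain "example.local"; the
# "File System" audit subcategory is enabled (auditpol /set
# /subcategory:"File System" /success:enable); Windows Server 2008+ (4663).
$policies = "C:\Windows\SYSVOL\sysvol\example.local\Policies"   # assumed path

# 1. Add a SACL that logs successful writes/deletes by anyone, inherited by
#    every Group Policy Template file under the Policies folder.
$acl = Get-Acl -Path $policies -Audit
$ruleArgs = @(
    "Everyone",
    "WriteData,AppendData,WriteAttributes,WriteExtendedAttributes,Delete,DeleteSubdirectoriesAndFiles",
    "ContainerInherit,ObjectInherit",
    "None",
    "Success"
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $policies -AclObject $acl

# 2. Afterwards: list who touched GPO files. Event 4663 ("an attempt was made
#    to access an object") carries the admin's account in SubjectUserName,
#    unlike event 612, which only ever shows the DC's machine account.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "*\Policies\*") {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process = $d.ProcessName
        File    = $d.ObjectName
        Access  = $d.AccessMask
      }
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Expect one 4663 event per handle access, so a single Group Policy edit usually produces several rows for the same user, process (typically mmc.exe) and GPT file.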