Those are GUIDs and SIDs. You can use adfind to translate those into text names. (It's pretty easy to do in script, but adfind has it built-in. Just do "adfind --help" for the syntax.)
Regards, Michael B. Smith MCSE/Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Monday, December 24, 2007 12:37 PM To: NT System Admin Issues Subject: RE: Question on Directory Services Auditing Thanks, I found a few of these and I believe event ID 565,556 is the one I am looking for, but need to turn on the Success of Directory Service Access for my Networking and Helpdesk and Domain Administrators groups and see if all access is tracked accordingly. Right now I am getting the following from EventComb for the failures, which really doesn't mean a hill of beans to me ( figure I would have seen CN=XXX,OU=XXX,Domain=XXX,Domain=OXX, 566,AUDIT FAILURE,Security,Wed Dec 19 07:19:07 2007,Domain\User,Object Operation: Operation Type DS Object Type: Object Access Object Name: %{bf967a86-0de6-11d0-a285-00aa003049e2} Handle ID: %{6d2ce8d9-5877-40ad-9b0d-0e78cb5db32a} Primary User Name: - Primary Domain: DC1$ Primary Logon ID: Domain Client User Name: (0x0,0x3E7) Client Domain: User Client Logon ID: LSMASTER Accesses (0x0,0x6BCB7A2D) Properties: Control Access Additional Info: --- %{771727b1-31b8-4cdf-ae62-4fe39fadf89e} %{612cb747-c0e8-4f92-9221-fdd5f15b550d} %{bf967a86-0de6-11d0-a285-00aa003049e2} Anything additional you can lend on this, it looks like I am going to have a long-painful AD lockdown project in front of me. Z -----Original Message----- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Monday, December 24, 2007 12:01 PM To: NT System Admin Issues Subject: RE: Question on Directory Services Auditing http://www.windowsitpro.com/Articles/ArticleID/15361/15361.html?Ad=1 or http://support.microsoft.com/kb/174074 And this one, for good measure: http://support.microsoft.com/kb/814595 Regards, Michael B. Smith MCSE/Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: Ziots, Edward [mailto:[EMAIL PROTECTED] Sent: Monday, December 24, 2007 11:37 AM To: NT System Admin Issues Subject: Question on Directory Services Auditing Hey List, I got a quick question, I need to start auditing for Active Directory Success actions accordingly, since someone did something silly and moved an OU when they shouldn't have. I know I have to enable the Directory Service Access under the Audit Policy in the Domain Controllers OU Group Policy, but what Event ID's should I be looking for in the Domain Controller logs afterwards. Anyone that can point me in the right directory I would be grateful, Z ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
