2 Replies Latest reply on Aug 15, 2017 11:55 AM by jabrobst

    Monitoring of BuiltIn\Administrators returns user's SID


      We're doing a demo...just installed the environment and are learning how to setup the monitoring.  We have the integration with AD setup and I can login with my domain id with no issues.  We setup a rule to watch for a change to any group with *admin* in the name.  IF a domain group is changed, we get the user who was changed and the user who changed it.  IF a local server group is changed, we get the user's SID from active directory that was changed...but we get the domain ID name of the user who changed it.


      here is what I get in email


      What Changed:  member "%{s-1-5-12-1234567-123456789-123456789-12345}" removed from "builtin\administrators"

      Was changed by: DOMAINX \ USERX

      On:  servernam.domain.com

      At:  2017-08-11 19:03:12.0


      for What changed, we're using EventInfo, and for Was Changed By we're using SourceAccount


      Can anyone tell me if we missed something or need a different connector setup?  This only happens on a member server and the server has the agent installed and fully functional...we just can't seem to get us to not return a SID..

      Thanks in advance for any help!

        • Re: Monitoring of BuiltIn\Administrators returns user's SID

          This information is based on the information provided by the logs directly on the server.  There isn't likely to be another connector that will read the data as this is what's being presented in the logs.  You can find the event in the Event Viewer of the machine to verify.


          That being said, there may be another event that does a better job of capturing what you want.  Can you tell which Windows Event ID is giving you the information you provided above?


          From a quick search it looks like you'll want event ID 4733 for removing a user from a group which should show up in the LEM as DeleteGroupMember.


          When I tested with a domain and then again with a local user account it presents the username in the event so either there may be another setting for your machine/policy to work with or something else is going on.  Is the user account being deleted instead of simply removed from the local group?


          Additionally you may be able to get the information for the username from a different field, such as DestinationAccount or MemberID.

          • Re: Monitoring of BuiltIn\Administrators returns user's SID



            You are correct, it is event 4733.  The event shows the correct information in the log:  Member:  Security ID:  domain\userid; however, when LEM sends the error it turns it into a SID.  If I look at the Friendly View of the XML, I can see the MemberSid is listed instead of Security ID.  With that in mind, I think the server Event Viewer is doing the conversion from SID to ID when you look at it there; however, when it sends the alert to LEM, it sends the XML data instead (which contains the SID and no ID)...  LEM can't do the Active Directory lookup to give you the appropriate user id...