Jimmy Harper's Operations Manager Blog

Posts in this blog are provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified in the Terms of Use

Correcting Event ID 644 in the ACS database

Correcting Event ID 644 in the ACS database

  • Comments 2
  • Likes

I ran into an issue the other day where Account Lockout events (Event ID 644) did not display properly in the "All Events With Specified Event ID" ACS report.  I'm looking for the name of the computer that is listed as "Caller Machine Name" in the event (the machine that passed the bad credentials that caused the account to be locked).  According to the following info from http://support.microsoft.com/kb/301677, this should be seen as Parameter 2:

Event ID: 644 (0x0284)
Type: Success Audit
Description: User Account Locked Out
Target Account Name: %1
Target Account ID: %3
Caller Machine Name: %2
Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6

 

Here is the event from the Domain Controller:

image

 

Looking at the report, I would expect the String02 column to display this computer name, but instead it is showing a SID....this is the SID for the account that has been locked out:

image

So, I look in the ACS database and see the following for the event (querying the adtserver.dvall5 view):

image

Looks like the TargetSid and String02 columns are reversed.  So, where does the Event Parameter --> Database Column mapping come from?  It comes from the EventSchema.xml file which is located in the %windir%\system32\security\adtserver directory on the ACS collector.  Eric Fitzgerald has a great blog on this at http://blogs.msdn.com/ericfitz/archive/2008/02/27/acs-event-transformation-demystified.aspx.  So, I open the EventSchema.xml file and search on '644' and find four instances of the following (relevant parts in red):

<Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">
    <Call Name="AppendString" Param1="1" Param2="0" />
    <Call Name="AppendString" Param1="3" Param2="0" />
    <Call Name="AppendString" Param1="2" Param2="0" />

    <Call Name="AppendString" Param1="4" Param2="0" />
    <Call Name="AppendString" Param1="5" Param2="0" />
    <Call Name="AppendString" Param1="6" Param2="0" />
    <Call Name="AppendSidFromNames" Param1="4" Param2="5" />
    <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />
    <Param TypeName="typeUserDn" />
    <Param TypeName="typeComputerName" />
    <Param TypeName="typeTargetSid" />
    <Param TypeName="typeClientUser" />
    <Param TypeName="typeClientDomain" />
    <Param TypeName="typeClientLogonId" />
    <Param TypeName="typeClientSid" />
    <Param TypeName="typeTargetUser" />
    <Param TypeName="typeTargetDomain" />
</Event>

Basically, what is happening here is Parameter 3 (Target Account ID) is being converted to SID and stored as String02, and Parameter 2 (Caller Machine Name) is being stored as TargetSID.  We need to fix this so that Parameter 2 (Caller Machine Name) is stored as String02 and the SID for Parameter 3 (Target Account ID) is stored as TargetSID.  To accomplish this, we only need to make the following change to each instance of Event 644 in the EventSchema.xml file:

Original:

    <Param TypeName="typeComputerName" />
    <Param TypeName="typeTargetSid" />

 

Change:

<Param TypeName="typeTargetSid" />
<Param TypeName="typeComputerName" />

 

All we are doing is switching the order so that typeTargetSid is listed second and typComputerName is listed third.  We could probably accomplish the same thing by switching the "Call Name" lines instead.

**Note that there are four instances of event 644 in the EventSchema.xml file....you'll need to change all of them.

So, after modifying and saving the EventSchema.xml file, I restart the Operations Manager Audit Collection Service on the Collector server (to force it to reload the event schema), and generate another account lockout.

Now, the event in the database looks like this:

image

And the report looks like this:

image

 

Perfect!!!

 

NOTE:

This change will NOT have any effect on existing 644 events in the database....it will only affect events that are created AFTER making the change.

Comments
  • Hi there could you please show how i would go about getting disabled or locked information from event id 642 as it seems to be missing information or not be transfromed correctly. i had a look in eventschema.xml but cant be sure it's correct. The Windows OS i m targetting is still Windows 2000 servers.

    thanks

    BD

  • For event 642, look in the adtserver.dvall5 view.  The important columns would be:

    ClientUser - The user that made the change

    TargetUser - The user account that was changed

    String05 - The change that was made

    This is what I am seeing for a Win2k3 server....don't have a Win2k server in my environment, but I think it should be the same.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment