A customer recently showed me that the built-in ACS report  "Forensic_-_All_Events_For_Specified_User" seemed to be missing some events.  This report queries the Adtserver.dvall5 view in the OperationsManageAC database and looks for values in the PrimaryDomain\PrimaryUser fields that match the user name that is entered for the report. 

The problem that my customer was seeing was that "Group Change" events (event id 632,633,636,637,650,651,655,656,660,661,665,666) were stored a little differently.  The Primary Domain/User fields contain the name of the user that was added to or removed from the group, and the Client Domain/User fields contain the name of the user that made the change.  So, when you enter the domain\username and run the report, any group change event returned is for events where that user was added to (or removed from) a group and not events where that user added other users to a group.  So which one do you want??  Maybe you want both, since they are both technically related to that user.  Every event is defined in the EventSchema.xml file, so are there any others that put the username in something other than the Primary User field (the other fields for usernames are ClientUser, Targetuser, and HeaderUser)?

It would make sense to use the Header Domain/User fields, since that is where we usually store the name of the user that 'caused' the event, but another issue that I've seen is (for reasons I do not know), sometimes security events are logged without the domain name, sometimes they have the NetBIOS domain name, and sometimes the fully-qualified domain name.  In these cases, some events would not be shown since you have to enter "Domain\Username" as a parameter.

So, I put together a custom ACS report that does the following:

  1. Separates the Domain and Username fields in the report parameters, so they can be entered separately
  2. Queries the HeaderDomain, PrimaryDomain, ClientDomain, and TargetDomain fields to get a list of domain names
  3. Includes a <ALL> option in the Domain parameter, which will allow you to include events where the domain name is empty
  4. Queries the Primary User/Domain, Client User/Domain, Target User/Domain and Header User/Domain fields for the Domain/Username

image

So, the end result is a report that will show ALL ACS events that include the specified user name.  This will include events where that user "did something" and events where "something was done" to that user account.

 

NOTE:
The queried domain list may take some time to populate, which makes the report take a while to open.  The code can easily be changed to include a static domain list, or to only contain "<ALL>".