Here are some ACS reports that I’ve written for various customers recently. If you have ACS installed in the same Reporting Services instance as OpsMgr Reporting, then you can just import the attached Management Pack (CustomACSReports.xml). Otherwise, you’ll need to import each .rdl file separately.
Here is a description of each report, along with some screenshots.
Event Search This report allows the user to search for specific security events (selected from a pre-defined list). The user can choose a specific server or search events from all servers. The user can also specify search strings for the UserName or Description in the event. The report returns the top 100 events from the specified date range.
Authentication Failure Summary This report queries the ACS database for Authentication Failure errors logged during a user-specified time range (default is 1 week). The Event IDs queried for are Event ID 675 (Windows Server 2003) and Event ID 4771 (Windows Server 2008). The events are grouped by error code, and the error message and count for each error code are listed in a table. When the user clicks on one of the errors, the Authentication Failure Detail report is run for that error message.
Authentication Failure Detail This report queries the ACS database for Authentication Failure errors with a specific error code logged during a user-specified time range (default is 1 week). The Event IDs queried for are Event ID 675 (Windows Server 2003) and Event ID 4771 (Windows Server 2008). The events are grouped by IP Address and User Name, and the count for each is displayed in a table.
AD Object Changes This report will show details of events related to changes in Active Directory. The report will query the ACS database for Event ID 566 / 5136 and show the Event Time, UserName, Domain Controller, Object Type, Object Name, accessed Properties, and the New Value of the property (Win2k8 only). The report also includes options to search for a specific string in the Object Name and/or Property Name.
Exchange AD Object Activity This report shows events related to changes to Exchange Objects in Active Directory. The report will query the ACS database for Event ID 566 and 5136 within the specified time range, where the object name contains the string "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=". The report groups the events by UserName, and shows the Event Time, Domain Controller, Object Type, Object Name, and accessed Properties. The report also includes an option to exclude changes made by computer accounts.
Account Lockout and Authentication Failure by User This report accepts a date range, username, and domain and will list all occurrences of the following events for the specified user within the specified date range: Event 644 / 4740 (Account Lockout), Event 529 / 4625 (Unknown Username or Bad Password), Event 675 / 4771 (Kerberos Pre-Authentication Failure), Event 680 / 4776 (NTLM Authentication Failure).
Account Lockout by User This report accepts a date range, username, and domain and will list the time and computer name for all account lockout events (Event ID 644 / 4740) for the specified user within the specified date range.
Account Lockout Trends This report accepts a date range and Domain name and will query for all Account Lockout events (Event ID 644 / 4740) within the specified date range and domain. The report contains charts which show average number of account lockouts for each hour of the day and each day of the week, and a trending chart which will show the number of account lockouts over the specified time range. The report also lists all of the lockouts in a table, grouped by Domain, User, Workstation, and Time.
Top 10 Accounts Failing Authentication This report will query the ACS database for Authentication Failure events (Event ID 680 and 4776) within the specified time range. The report contains a table which will show the 10 user accounts with the most failures, grouped by Workstation and Error Code.
User Account Management Activity This report will show the number of various account management events within a specified time range, grouped by domain. The events displayed are Accounts Changed (642, 4738), Accounts Created (624, 4720), Accounts Enabled (626, 4722), Accounts Disabled (629, 4725), Accounts Deleted (630, 4726), Names Changed (685, 4781), Password Resets (628, 4724), Accounts Unlocked (671, 4767). Clicking on any of the numbers on the report will launch the "Automated Account Change Trends" report for more details.
ACS Events for Specified User This report accepts a Username, Domain, and date range and will display all events where the specified User/Domain is in the TargetUser/TargetDomain, PrimaryUser/PrimaryDomain, ClientUser/ClientDomain, or HeaderUser/HeaderDomain fields. The domain list is pre-populated.
Event_Report_Basic This report displays the Computer Name and Date/Time for a specific Event ID within a specified date range.
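As an added example (not one of the attached .rdl reports), here is the kind of T-SQL that the "Account Lockout and Authentication Failure by User" and "ACS Events for Specified User" reports run against the ACS database: it takes a username, domain and date range, matches the account against the four user/domain field pairs, and labels the lockout and authentication-failure event IDs listed above. The adtserver.dvheader view, its EventId column and the user/domain field names come from this post; the CreationTime and EventMachine column names, the parameter names and the sample values are assumptions.

```sql
-- Added example, not one of the attached reports. Assumed (not on the page):
-- the CreationTime and EventMachine columns of adtserver.dvheader and that
-- ACS stores CreationTime in UTC. Sample parameter values are constructed.
DECLARE @UserName  nvarchar(256);
DECLARE @Domain    nvarchar(256);
DECLARE @StartDate datetime;
DECLARE @EndDate   datetime;
SET @UserName  = N'jdoe';                          -- constructed sample user
SET @Domain    = N'CONTOSO';                       -- constructed sample domain
SET @EndDate   = GETUTCDATE();
SET @StartDate = DATEADD(day, -7, @EndDate);       -- report default: 1 week

SELECT TOP (100)                                   -- same cap as Event Search
       h.CreationTime,
       h.EventId,
       CASE h.EventId                              -- IDs from the post (Win2k3 / Win2k8)
            WHEN 644  THEN 'Account Lockout'
            WHEN 4740 THEN 'Account Lockout'
            WHEN 529  THEN 'Unknown Username or Bad Password'
            WHEN 4625 THEN 'Unknown Username or Bad Password'
            WHEN 675  THEN 'Kerberos Pre-Authentication Failure'
            WHEN 4771 THEN 'Kerberos Pre-Authentication Failure'
            WHEN 680  THEN 'NTLM Authentication Failure'
            WHEN 4776 THEN 'NTLM Authentication Failure'
            ELSE 'Other'
       END AS EventDescription,
       h.EventMachine,
       h.TargetDomain,  h.TargetUser,
       h.PrimaryDomain, h.PrimaryUser,
       h.ClientDomain,  h.ClientUser,
       h.HeaderDomain,  h.HeaderUser
FROM adtserver.dvheader AS h
WHERE h.CreationTime >= @StartDate
  AND h.CreationTime <  @EndDate
  -- restrict to the lockout / authentication-failure events; drop this line
  -- to get the "all events for the specified user" behaviour instead
  AND h.EventId IN (644, 4740, 529, 4625, 675, 4771, 680, 4776)
  -- the account may appear in any of the four user/domain field pairs
  AND (   (h.TargetUser  = @UserName AND h.TargetDomain  = @Domain)
       OR (h.PrimaryUser = @UserName AND h.PrimaryDomain = @Domain)
       OR (h.ClientUser  = @UserName AND h.ClientDomain  = @Domain)
       OR (h.HeaderUser  = @UserName AND h.HeaderDomain  = @Domain))
ORDER BY h.CreationTime DESC;
```

Against an archive that uses a different view (see the SecureVantage discussion in the comments), only the FROM clause needs to change, provided the archived view exposes the same columns.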
Thanks so much. Great reports they are.
Thanks for those reports.
THANKS FOR THOSE REPORTS
Do you know about reports for ACS covering the event IDs 4728, 4729, 4730, 4732, 4733, 4734, 4735, 4737, 4755, 4756, 4757, 4758? We can't find anything about these events.
I don't know from memory what those events are, but all of the reports in this post are Win2k8 compatible, and we have other Win2k8 reports at http://blogs.technet.com/momteam/archive/2009/05/08/acs-reports-for-windows-2008-and-windows-2008-r2.aspx.
Hi Jimmy. Thanks for sharing these reports. Quick question - On the User Account Management Activity report it says "Clicking on any of the numbers on the report will launch the "Automated Account Change Trends" report for more details."
When I run this report, I cannot click on any of the numbers on the report, and the Automated Account Change Trends report does not run. Any ideas?
Sorry, should have disabled that part of the report....I didn't include the "Automated Account Change Trends" report in the blog because it doesn't have a generic way to define "automated", it would be customer-specific.
Hi Jimmy, I have a Windows 2003 AD domain and your report Active Directory Object Changes in SCOM 2007 R2 is empty in my environment. Is this report only for Windows 2008 domain controllers?
Thanks for help.
This report works with Win2k3 or Win2k8 events. For Win2k3, it is looking for event ID 566...check to verify if you are collecting this event by running the following query on the ACS Database:
select count(*) from adtserver.dvheader where eventid=566
Hi Jimmy, the query select count(*) from adtserver.dvheader where eventid=566 returns 1468 rows, but my report is empty. Should I check something else?
Check the date range that you are entering in the report and verify that the events in your query are within that range. Also, try changing "Include Computer Accounts" to True and see if that makes a difference.
Thanks for the great post! I would like to know, for the 'Event Search' report, it's stipulated to return the top 100 results. Is there a specific reason for it to be top 100 instead of an infinite number?
If I need the report to return all the values, would it be possible?
Lastly, do you happen to have any custom report for non ACS events that functions like the 'Event Search' report?
Cheers and great week ahead!
Thanks for a great portion of inspiration!
These reports are really good.
We use them daily on our live ACS data.
We have the Secure Vantage archiver.
Would it be possible to run these reports against archived data that we have loaded into another database?
I get the below message when I run your report:
An error occurred during client rendering.
An error has occurred during report processing.
Query execution failed for dataset 'OperationsManagerAC'.
Invalid object name 'adtserver.dvall5'.
I tried changing the dataset within your reports and now get:
Query execution failed for dataset 'SecureVantageACDW'.
I'm able to get the standard ACS reports working on archived data.
I haven't used the SecureVantage Archiver, but the error is telling us that it does not have a view named adtserver.dvall5, which is the ACS database view that is being used.
You'll need to determine the name of the view or table where the data is stored in the database that you are searching, and change the report query to use it.