Jimmy Harper's Operations Manager Blog

Posts in this blog are provided "AS IS" with no warranties, and confer no rights. Use of included script samples is subject to the terms specified in the Terms of Use.

ACS: EventSchema.xml changes for Server 2008 Account Lockout Events


I just realized that I haven't blogged on this yet. By default, the "Caller Machine Name" property of Account Lockout events from Windows Server 2008 servers is not written to the ACS database, which affects some of the Account Lockout reports that I have previously posted. Below are the details and the fix:


For Windows 2000/2003 Account Lockout events (Event ID 644), we store the Target Account Name in the String01 column and the Caller Machine Name in the String02 column (the Target Account Name is also stored in the TargetUser column).

For Windows Server 2008 Account Lockout events (Event ID 4740), we do not store anything in String01 or String02. This doesn't really affect the Target Account Name property, since it is already stored as TargetUser, but it means we are no longer collecting the Caller Machine Name in the database.

To maintain parity with the Server 2000/2003 Account Lockout events, we need to make the following changes to EventSchema.xml (on the ACS Collector server) so that the Target Account Name and Caller Machine Name are stored in String01/String02:


NOTE:

  • The EventSchema.xml file is located in the C:\Windows\System32\Security\AdtServer folder on the ACS Collector server
  • Be sure to back up the existing EventSchema.xml file before making any changes
  • After making the change, restart the ACS Collector service on the Collector Server
  • This change will NOT affect any existing events in the database; it only affects events that are collected AFTER the change is made


Before:
        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
        </Event>


After:
        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
          <Param TypeName="typeString" />
          <Param TypeName="typeString" />
        </Event>
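As an added check that is not part of the original post or of the ACS product, the script below parses an EventSchema.xml fragment, reports whether each 4740 entry already carries the two extra string1/string2 mappings, and can apply the change to every 4740 entry at once (the comments below note that a schema can contain more than one). It assumes, as the Before/After blocks imply, that the n-th AppendString call is typed by the n-th Param, and it works on a constructed copy of the stock entry rather than a real Collector's file.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's stock (unpatched) 4740 entry, wrapped in a root element (indentation dropped).
SAMPLE_SCHEMA = """<EventSchema>
<Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
<Call Name="AppendString" Param1="1" Param2="0" />
<Call Name="AppendString" Param1="2" Param2="0" />
<Call Name="AppendString" Param1="3" Param2="0" />
<Call Name="AppendString" Param1="4" Param2="0" />
<Call Name="AppendString" Param1="5" Param2="0" />
<Call Name="AppendString" Param1="6" Param2="0" />
<Call Name="AppendString" Param1="7" Param2="0" />
<Param TypeName="typeTargetUser" /><Param TypeName="typeTargetDomain" />
<Param TypeName="typeTargetSid" /><Param TypeName="typePrimarySid" />
<Param TypeName="typePrimaryUser" /><Param TypeName="typePrimaryDomain" />
<Param TypeName="typePrimaryLogonId" />
</Event>
</EventSchema>"""
FIX_INDICES = ("1", "2")  # insertion strings 1 and 2 of 4740: Target Account Name, Caller Machine Name

def column_mapping(event):
    """Pair the n-th AppendString call with the n-th Param (positional, as the post's Before/After implies)."""
    calls = [c.get("Param1") for c in event.findall("Call") if c.get("Name") == "AppendString"]
    types = [p.get("TypeName") for p in event.findall("Param")]
    if len(calls) != len(types):
        raise ValueError("Call/Param count mismatch in SourceId %s" % event.get("SourceId"))
    return list(zip(calls, types))

def has_caller_machine_fix(event):
    # Patched when strings 1 and 2 are both re-appended as generic typeString columns.
    return all((idx, "typeString") in column_mapping(event) for idx in FIX_INDICES)

def apply_caller_machine_fix(event):
    """Insert the two extra Calls after the existing ones and two typeString Params at the end."""
    if has_caller_machine_fix(event):
        return False  # already patched; leave the entry alone
    last_call = max(i for i, child in enumerate(event) if child.tag == "Call")
    for offset, idx in enumerate(FIX_INDICES, start=1):
        event.insert(last_call + offset, ET.Element("Call", Name="AppendString", Param1=idx, Param2="0"))
    for _ in FIX_INDICES:
        ET.SubElement(event, "Param", TypeName="typeString")
    return True

def audit_schema(xml_text, fix=False):
    """Check every 4740 entry (a schema may hold several); optionally patch them all."""
    root = ET.fromstring(xml_text)
    events = [e for e in root.iter("Event") if e.get("SourceId") == "4740"]
    if fix:
        for event in events:
            apply_caller_machine_fix(event)
    return [has_caller_machine_fix(e) for e in events], ET.tostring(root, encoding="unicode")
```

Run `audit_schema(open(path).read())` against a backed-up copy of the Collector's file to see which 4740 entries still lack the mapping before editing by hand.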

Comments
  • If memory serves, I believe 2003 account lockout security event is 644 not 640 as noted in the 2nd paragraph

  • You're right....typo in the blog...I will correct it.

  • Jim, sounds like Microsoft should hire YOU!!!!

    nice pick!

  • Can you publish the custom account report file (rdl) for this solution? - Not able to make it work!

  • I have the reports posted at blogs.technet.com/.../some-custom-acs-reports.aspx.  

  • I tried the same - not sure why my caller computer names are not showing!

  • I tried the exact modifications listed above without success. The SQL entries for event 4740 look identical to previous entries (with NO Caller Machine in String02 or anywhere else).

    I did restart the Collection Service after the modifications.

    I've tried a number of other variations based on my limited understanding of the EventSchema.xml to no avail. Any suggestions?

    My current entry for 4740 looks like this (however it does NOT provide the Caller Machine either, so I'm at a loss).

           <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
             <Call Name="AppendString" Param1="1" Param2="0" />
             <Call Name="AppendString" Param1="2" Param2="0" />
             <Call Name="AppendString" Param1="3" Param2="0" />
             <Call Name="AppendString" Param1="4" Param2="0" />
             <Call Name="AppendString" Param1="5" Param2="0" />
             <Call Name="AppendString" Param1="6" Param2="0" />
             <Call Name="AppendString" Param1="7" Param2="0" />
             <Param TypeName="typeTargetUser" />
             <Param TypeName="typeString" />
             <Param TypeName="typeTargetSid" />
             <Param TypeName="typePrimarySid" />
             <Param TypeName="typePrimaryUser" />
             <Param TypeName="typePrimaryDomain" />
             <Param TypeName="typePrimaryLogonId" />
           </Event>

    Thanks for any help you can provide.

  • Check the EventSchema.xml file to see if you have multiple entries for event 4740....if you do, make the above change to both of them, then restart the Collector service and check the new events.  Also, check to verify that the Caller Machine Name field is populated in the actual event that is logged on the server.  If this doesn't help, email me a copy of your EventSchema.xml file and I will take a look.

  • There were indeed multiple entries for 4740. Modifying them both solved the issue.

    Lesson learned :)

    Thanks so much for the help.

  • Thanks this worked a treat!!!  life saver!
