ACS Audit Report for Account Created, Deleted, Enabled and/or Disabled


 

First, have the Event IDs of the required activities ready.

Second, consider the security event schema: each parameter of an event is written to a specific column in the ACS database tables, and not all events share the same schema. User Account Enabled, Disabled, Created and Deleted have the same schema, but account lockout might be different (this needs to be checked).

So, for the following activities (User Account Enabled, Disabled, Created and Deleted) we can create one report.

  • Open ACS Reporting Web:

https://<<servername>>/reports

  • Open Report Builder

 

  • Open from Report Server | Select Audit Reports | Account Management_-_User_Account_Created | Open

 

  • Design Report: Selected fields>>
  • Logon Time as Date/Time
  • Event ID as Action (Event ID)
    • Right Click Action (Event ID) | Edit Formula as follows:

 

  • Target User as Affected Account
  • Primary User as Action By
  • Event Machine as Domain Controller

  

  • Open Filter

a) Create New Data Field

 

b) The report looks for events 624 (Account Created), 630 (Account Deleted), 626 (Account Enabled) or 629 (Account Disabled) on Windows 2003, and 4720 (Account Created), 4726 (Account Deleted), 4722 (Account Enabled) or 4725 (Account Disabled) on Windows Server 2008.

 

 

  • Save the report using Save As
  • Open it from the SQL Server Reporting Services Web

 

 

  • Sample of the output

 

#Audit_Report_User_Accounts_Management.rdl
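
The same field list and event filter written directly as T-SQL, as an added example that is not part of the original post or the attached report. It assumes the view named in the comments below, and that the report fields Logon Time, Target User, Primary User and Event Machine are backed by the columns CreationTime, TargetUser, PrimaryUser and EventMachine; the 7-day window and the Platform column are additions.

```sql
-- Added example: T-SQL equivalent of the report's fields and filter.
-- Assumptions: the view name comes from the query quoted in the comments;
-- the column names (CreationTime, EventId, TargetUser, PrimaryUser,
-- EventMachine) are assumed to back the report fields of the same name.
-- Confirm them with SELECT TOP 1 * against the view before relying on this.
DECLARE @Since datetime;
SET @Since = DATEADD(day, -7, GETDATE());  -- assumed 7-day window; dvAll spans every partition

SELECT
    CreationTime AS [Date/Time],
    -- Same role as the report's Action (Event ID) formula: ID to readable label
    CASE
        WHEN EventId IN (624, 4720) THEN 'Account Created'
        WHEN EventId IN (630, 4726) THEN 'Account Deleted'
        WHEN EventId IN (626, 4722) THEN 'Account Enabled'
        WHEN EventId IN (629, 4725) THEN 'Account Disabled'
    END + ' (' + CAST(EventId AS varchar(10)) + ')' AS [Action (Event ID)],
    -- Three-digit IDs are the Windows 2003 set, 47xx the Windows Server 2008 set
    CASE WHEN EventId < 4000 THEN 'Windows 2003'
         ELSE 'Windows Server 2008' END AS [Platform],
    TargetUser   AS [Affected Account],
    PrimaryUser  AS [Action By],
    EventMachine AS [Domain Controller]
FROM [OperationsManagerAC].[AdtServer].[dvAll]
WHERE EventId IN (624, 630, 626, 629,      -- Windows 2003
                  4720, 4726, 4722, 4725)  -- Windows Server 2008
  AND CreationTime >= @Since
ORDER BY CreationTime DESC;
```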

Comments

  • Anonymous
    January 01, 2003
    The same could be done for Groups Activities Report, by changing the event IDs and the Event ID action SWITCH.

  • Anonymous
    January 01, 2003
    Hi, here is a sample of the Account lockout event. It does not contain an IP address, it is only a computer name in the "Caller Computer Name" field:

    A user account was locked out.
    Subject:
    Security ID: SYSTEM
    Account Name: DC$
    Account Domain: DomainName
    Logon ID: 0x3e7
    Account That Was Locked Out:
    Security ID: DomainNameUserName
    Account Name: UserName
    Additional Information:
    Caller Computer Name:ComputerName

    The following query will help you determine which column includes the "Caller Computer Name" data:

    SELECT * FROM [OperationsManagerAC].[AdtServer].[dvAll] WHERE [EventID] = '4740'

  • Anonymous
    January 01, 2003
    Thanks Rohit, appreciate it..

  • Anonymous
    January 01, 2003
    Great but no help for a newbie on SCOM 2012 R2 and SQL 2012 :)

  • Anonymous
    January 01, 2003
    Excellent. Thank you very much

  • Anonymous
    January 01, 2003
    Mazen, this is an awesome blog. Thanks for posting.

  • Anonymous
    March 08, 2012
    Hi, I would like to generate a user account locked report with the IP address and the server to which the user had logged in. I would appreciate it if you could guide me in generating this report.

  • Anonymous
    March 02, 2014
    Hi,
    How can I remove the Domain user parameter?

    Thanks