Closed chavvdarrr closed 2 years ago
The first issue and the workaround is described here: https://evotec.xyz/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out/
I was thinking a few times whether I would be able to gather this information and track it somehow even if it's missing in events - but no time to investigate.
So the missing computer is normal and it shouldn't affect the report at all - and you're saying it does affect the user. This needs to be investigated.
Thanks for the quick answer :) Yes, the missing computer is not an issue - it is missing in the event and we do have things like SSO, phones checking mail, etc. It seems you "map" a field which is empty in the event, while another field which holds the username is unused.
I can attach additional data - maybe the entire XML of such an event as written in the log, or maybe the contents of $Events, e.g. what the script gets?
Yes, XML would be better. Weird that I link the wrong field.
Here it is (edited domain name & user). I can send the unedited evtx & xml to contact at evotec.pl, if needed? userlocked.txt
Let me see if I can reproduce it during the weekend. I have to resurrect this project a bit, as I've not played with it for a longer while. The problem is - I would like to change so much that I am afraid to touch it ;)
Sorry it took a bit longer than expected..
I've tracked it down to PSEventViewer.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5.8.2021 9:17:45
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DC2P.dc.bs.bnet
Description:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: DC2P$
Account Domain: DOMAIN
Logon ID: 0x3E7
Account That Was Locked Out:
Security ID: DOMAIN\vst
Account Name: vst
Additional Information:
Caller Computer Name:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4740</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2021-08-05T06:17:45.034896500Z" />
<EventRecordID>85115046</EventRecordID>
<Correlation />
<Execution ProcessID="636" ThreadID="10628" />
<Channel>Security</Channel>
<Computer> bnet</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">vst</Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="TargetSid">S-1-5-21-984582052-2030474099-2552422773-11274</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName"> DC2P$</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>
It seems that TargetDomainName is missing in the XML you sent me.
And in the logic that creates ObjectAffected it expects both TargetDomainName and TargetUserName to be present.
When I look at my events:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2022-05-17T19:21:50.725206400Z" />
<EventRecordID>49985729</EventRecordID>
<Correlation />
<Execution ProcessID="676" ThreadID="2140" />
<Channel>Security</Channel>
<Computer>AD1.ad.evotec.xyz</Computer>
<Security />
</System>
<EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">myname</Data>
<Data Name="TargetDomainName">EVOTEC</Data>
<Data Name="TargetSid">S-1-5-21-853615985-2870445339-3163598659-4098</Data>
<Data Name="SubjectUserSid">S-1-5-21-853615985-2870445339-3163598659-500</Data>
<Data Name="SubjectUserName">Administrator</Data>
<Data Name="SubjectDomainName">EVOTEC</Data>
<Data Name="SubjectLogonId">0x1978cb81</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">-</Data>
<Data Name="NewUacValue">-</Data>
<Data Name="UserAccountControl">-</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
That's something that is just there. I think I need to fix PSEventViewer with additional logic.
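To illustrate the point above, here is an added example (not PSEventViewer's or PSWinReporting's own code) of building an "ObjectAffected" value that does not require TargetDomainName to be non-empty. The sample XML is constructed from the redacted 4740 event posted in this thread, with the SID and computer names replaced by placeholders. Note that in event 4740 the TargetDomainName field is what the event description shows as "Caller Computer Name", which is why it is empty in the reporter's event even though the locked-out account is fully present in TargetUserName.

```powershell
# Added example, not part of PSEventViewer or PSWinReporting.
# Sample 4740 event, constructed from the redacted XML in this thread.
$LockoutEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <Computer>DC2P.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">vst</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetSid">S-1-5-21-REDACTED-11274</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"> DC2P$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

function ConvertTo-EventDataTable {
    # Flatten the <Data Name="..."> nodes into a hashtable.
    # InnerText is always a string (empty for an empty element), and Trim()
    # removes the stray whitespace some fields carry (e.g. " DC2P$").
    param([Parameter(Mandatory)][xml]$EventXml)
    $Table = @{}
    foreach ($Node in $EventXml.Event.EventData.Data) {
        $Table[$Node.GetAttribute('Name')] = $Node.InnerText.Trim()
    }
    return $Table
}

function Get-ObjectAffected {
    # DOMAIN\User when both parts exist, the bare user name when the
    # domain field is empty, and $null only when the user itself is missing.
    param([Parameter(Mandatory)][hashtable]$Data)
    $User   = $Data['TargetUserName']
    $Domain = $Data['TargetDomainName']
    if ([string]::IsNullOrWhiteSpace($User))   { return $null }
    if ([string]::IsNullOrWhiteSpace($Domain)) { return $User }
    return "$Domain\$User"
}

$Data = ConvertTo-EventDataTable -EventXml $LockoutEvent

# For 4740, TargetDomainName is the "Caller Computer Name" of the description;
# report it explicitly as empty instead of letting it blank out the user.
$CallerComputer = $Data['TargetDomainName']
if ([string]::IsNullOrWhiteSpace($CallerComputer)) { $CallerComputer = '<empty>' }

[PSCustomObject]@{
    EventID           = [int]$LockoutEvent.Event.System.EventID
    DomainController  = $LockoutEvent.Event.System.Computer
    ObjectAffected    = Get-ObjectAffected -Data $Data
    ComputerLockoutOn = $CallerComputer
    Who               = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
}
```

With the sample above, ObjectAffected comes back as the bare user name rather than being dropped, and ComputerLockoutOn is shown as empty; feeding a 4738 event such as the second one in this thread, where TargetDomainName is populated, yields the usual DOMAIN\User form from the same function.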
Thanks :) Perhaps some of the fields are not "mandatory"?!
It's weird, but I've added that additional logic to PSEventViewer, just doing some optimizations and will release it with fixes, along with a new version of PSWinReportingV2 which hopefully solves your issue.
Released a new version which should fix the issue.
Using PSWinReporting 2.0.0.20. Playing with the results, I noticed that from time to time I get events with date/time and DC, but no username and no affected computer. I found these events - there is indeed no affected computer (probably these are generated by our users when connecting from GSMs, or who knows), but there is a username in the TargetUserName/Account field. The event is absolutely normal, just the field "ComputerLockoutOn" / "Caller Computer Name" is empty; the user fields "Account name" and "TargetUserName" hold the affected user. But in the results no user name is returned.
Tried to debug, but my knowledge is not enough. Traced that up to GetEventsTranslation the user info is kept. In line 2148: $MyValue = FindEventsTo .... the info is still there... myvalue.txt
Somehow, the emptiness of the computer name clears the field for the user name - it's not returned.
I am attaching the contents of variable $MyValue[n] at the mentioned line 2148 - changed sensitive data only.