Closed ClarkRSD closed 2 years ago
The definition of 5139 says:
Fields = [ordered] @{
    'Computer' = 'Domain Controller'
    'Action' = 'Action'
    'OperationType' = 'Action Detail'
    'Who' = 'Who'
    'Date' = 'When'
    'ObjectDN' = 'User Object'
    'AttributeLDAPDisplayName' = 'Field Changed'
    'AttributeValue' = 'Field Value'
    # Common Fields
    'RecordID' = 'Record ID'
    'ID' = 'Event ID'
    'GatheredFrom' = 'Gathered From'
    'GatheredLogName' = 'Gathered LogName'
}
The problem comes from expecting ObjectDN when actually for 5139 it's OldObjectDN and NewObjectDN.
Message : A directory service object was moved.
    Subject:
        Security ID: S-1-5-21-853615985-2870445339-3163598659-500
        Account Name: Administrator
        Account Domain: EVOTEC
        Logon ID: 0x1978CB81
    Directory Service:
        Name: ad.evotec.xyz
        Type: Active Directory Domain Services
    Object:
        Old DN: CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
        New DN: CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
        GUID: {bdccd325-0dfc-4667-8574-f09c2745e646}
        Class: computer
    Operation:
        Correlation ID: {ad5c45d3-cf8e-4c94-a839-d1b6af8795ab}
        Application Correlation ID: -
Computer : AD1.ad.evotec.xyz
Date : 17.05.2022 21:02:21
OpCorrelationID : {ad5c45d3-cf8e-4c94-a839-d1b6af8795ab}
AppCorrelationID :
SubjectUserSid : S-1-5-21-853615985-2870445339-3163598659-500
SubjectUserName : Administrator
SubjectDomainName : EVOTEC
SubjectLogonId : 0x1978cb81
DSName : ad.evotec.xyz
DSType : %%14676
OldObjectDN : CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
NewObjectDN : CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
ObjectGUID : {bdccd325-0dfc-4667-8574-f09c2745e646}
ObjectClass : computer
MessageSubject : A directory service object was moved.
Action : A directory service object was moved.
KeywordDisplayName : Audit Success
Who : EVOTEC\Administrator
GatheredFrom : ad1
GatheredLogName : Security
Id : 5139
Version : 0
Qualifiers :
Level : 0
Task : 14081
Opcode : 0
Keywords : -9214364837600034816
RecordId : 49985116
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 676
ThreadId : 4032
MachineName : AD1.ad.evotec.xyz
UserId :
TimeCreated : 17.05.2022 21:02:21
ActivityId : 8cdd7485-3c32-4bff-b5e4-eb6005f373e1
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Directory Service Changes
KeywordsDisplayNames : {Audit Success}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}
While it's an easy fix for 5139 itself, ADUserChangesDetailed focuses on 5136, 5137, 5139 and 5141, and I wonder how to approach it so as not to break it for the other events, which most likely target ObjectDN.
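One way to handle the mixed event set is to normalize the DN fields before applying the shared field map, so 5139 (move) fills "User Object" from NewObjectDN while 5136/5137/5141 keep using ObjectDN. This is an added example, not code from PSWinReporting; the function name and the sample event objects are constructed for illustration.

```powershell
# Added example (not PSWinReporting's own code). ConvertTo-DirectoryChangeRow is a
# hypothetical helper: it maps an event to report columns via $Fields, falling back
# to OldObjectDN/NewObjectDN when ObjectDN is absent (event 5139, object moved).
function ConvertTo-DirectoryChangeRow {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Event,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Fields
    )
    # Shallow copy so the original event object is not mutated.
    $Normalized = [ordered] @{}
    foreach ($Property in $Event.PSObject.Properties) { $Normalized[$Property.Name] = $Property.Value }

    # 5136 (modified), 5137 (created) and 5141 (deleted) carry ObjectDN;
    # 5139 (moved) carries OldObjectDN/NewObjectDN instead, so synthesize it.
    if ([string]::IsNullOrEmpty($Normalized['ObjectDN']) -and $Normalized.Contains('NewObjectDN')) {
        $Normalized['ObjectDN'] = $Normalized['NewObjectDN']
        # Reuse the attribute columns so the report shows where the object came from.
        $Normalized['AttributeLDAPDisplayName'] = 'distinguishedName (moved from)'
        $Normalized['AttributeValue'] = $Normalized['OldObjectDN']
    }

    $Row = [ordered] @{}
    foreach ($Key in $Fields.Keys) { $Row[$Fields[$Key]] = $Normalized[$Key] }
    [pscustomobject] $Row
}

# Subset of the field map from the issue (source property -> report column).
$Fields = [ordered] @{
    'Computer' = 'Domain Controller'; 'Action' = 'Action'; 'Who' = 'Who'; 'Date' = 'When'
    'ObjectDN' = 'User Object'; 'AttributeLDAPDisplayName' = 'Field Changed'
    'AttributeValue' = 'Field Value'; 'ID' = 'Event ID'
}

# Constructed sample events shaped like Get-Events output (values are placeholders).
$Events = @(
    [pscustomobject] @{ ID = 5136; Computer = 'AD1'; Action = 'A directory service object was modified.'
        Who = 'EVOTEC\Administrator'; Date = '17.05.2022 21:00:00'
        ObjectDN = 'CN=Test4,OU=Default,DC=ad,DC=evotec,DC=xyz'
        AttributeLDAPDisplayName = 'description'; AttributeValue = 'Lab workstation' }
    [pscustomobject] @{ ID = 5139; Computer = 'AD1'; Action = 'A directory service object was moved.'
        Who = 'EVOTEC\Administrator'; Date = '17.05.2022 21:02:21'
        OldObjectDN = 'CN=Test4,OU=Default,DC=ad,DC=evotec,DC=xyz'
        NewObjectDN = 'CN=Test4,OU=Test1,OU=Default,DC=ad,DC=evotec,DC=xyz' }
)

$Events | ForEach-Object { ConvertTo-DirectoryChangeRow -Event $_ -Fields $Fields } | Format-Table -AutoSize
```

Both rows now populate "User Object"; the 5139 row additionally shows the old DN in "Field Value", which is the detail an auditor reviewing moves between OUs wants to see.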
I believe this fix should do it. Based on the logic of ADOrganizationalUnitChangesDetailed, this fix should work for ADUserChangesDetailed and ADComputerChangesDetailed.
Awesome, thank you for the quick response! I will give the changes a go and report back later today.
Yep, it works perfectly now. Thank you!
When using Find-Events to generate a report from ADUserChangesDetailed it doesn't report anything in User Object, Field Changed, and Field Value fields.
If I use Get-Events to find the event on the DC manually, it generates the fields as it's supposed to, so the data is there; it's just not showing in the output table. This is specifically for event 5139.