The following SCOM 2012 R2 ACS report provides detailed attribute changes made to any Active Directory user.
The Challenge
There are many reports that provide similar information included in the SCOM Audit reports. One example is located in Reporting>>Audit Reports>>DAC_-_Object_Attribute_Changes. However, there are thousands of AD attributes, including hundreds of AD user-related attributes, which makes the above-mentioned report very convoluted. The use of sometimes cryptic attribute names, values and operation descriptions adds to the complexity of the report, making it hard to read, especially for non-technical people who are, most of the time, the recipients of many SCOM reports.
Sample out-of-the-box report
The Solution:
The attached report focuses on the AD user attributes displayed via Outlook, which are a representation of LDAP fields and are by far the most commonly modified.
Most Common User Attributes
In my report I have replaced all AD user attributes with user-friendly names.
AD User Attribute Name | Friendly Name
---|---
displayname | Display Name
givenname | First Name
initials | Initials
sn | Last Name
mailNickname | Email Alias
streetAddress | Address
description | Description
title | Title
company | Company
department | Department
physicalDeliveryOfficeName | Office
msExchAssistantName | Assistant
telephoneNumber | Phone Number
L | City
st | State/Province
Postal Code | Zip/Postal Code
co | Country/Region
thumbnailPhoto | Photo
Sample Report: Mundo SCOM AD User Attribute Changes Report
The report takes two variables, each entered between two % signs: ‘User Name Contains’ (Affected User) and/or ‘Attribute Name Contains’ (Changed Attribute). Enter just %% for either one to get all possible results.
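As an added illustration (not the report's own code, nor Mundo SCOM's), here is the core of what the report does in Python: translate the cryptic Event ID 5136 fields into the friendly names from the table above and apply the %...% "contains" filters. The record field names and the sample events are constructed for the example; the %%14674 / %%14675 operation codes are the values Windows writes into Event ID 5136.

```python
import re

# Friendly names for the LDAP attributes listed in the table above (keys lower-cased).
FRIENDLY = {
    "displayname": "Display Name", "givenname": "First Name", "initials": "Initials",
    "sn": "Last Name", "mailnickname": "Email Alias", "streetaddress": "Address",
    "description": "Description", "title": "Title", "company": "Company",
    "department": "Department", "physicaldeliveryofficename": "Office",
    "msexchassistantname": "Assistant", "telephonenumber": "Phone Number",
    "l": "City", "st": "State/Province", "postalcode": "Zip/Postal Code",
    "co": "Country/Region", "thumbnailphoto": "Photo",
}
# Operation Type codes as Windows writes them into Event ID 5136.
OPERATION = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

def sql_like(pattern, value):
    """Case-insensitive SQL LIKE with % wildcards, mirroring the report's %...% parameters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def build_report(events, user_filter="%%", attr_filter="%%"):
    """Turn raw 5136 records into rows with friendly attribute and operation names."""
    rows = []
    for ev in events:
        if ev["EventID"] != 5136:                  # only "directory service object modified"
            continue
        user = ev["ObjectDN"].split(",")[0][3:]    # "CN=John Smith,OU=..." -> "John Smith"
        ldap_name = ev["AttributeLDAPDisplayName"]
        friendly = FRIENDLY.get(ldap_name.lower(), ldap_name)   # unknown attrs keep the LDAP name
        if not sql_like(user_filter, user):
            continue
        if not (sql_like(attr_filter, ldap_name) or sql_like(attr_filter, friendly)):
            continue
        rows.append({"Time": ev["TimeCreated"], "Affected User": user,
                     "Changed Attribute": friendly, "Value": ev["AttributeValue"],
                     "Operation": OPERATION.get(ev["OperationType"], ev["OperationType"]),
                     "Changed By": ev["SubjectUserName"]})
    return rows

def make_event(eid, when, who, cn, attr, op, val):
    """Constructed event record (hypothetical field names, not the ACS schema)."""
    return {"EventID": eid, "TimeCreated": when, "SubjectUserName": who,
            "ObjectDN": f"CN={cn},OU=Users,DC=contoso,DC=local",
            "AttributeLDAPDisplayName": attr, "OperationType": op, "AttributeValue": val}

# Constructed sample data: a 5136 change logs the old value as deleted and the new value as added.
SAMPLE_EVENTS = [
    make_event(5136, "2015-03-02 09:14:11", "hdadmin", "John Smith", "displayName", "%%14675", "John Smith"),
    make_event(5136, "2015-03-02 09:14:11", "hdadmin", "John Smith", "displayName", "%%14674", "John A. Smith"),
    make_event(5136, "2015-03-02 10:02:45", "hdadmin", "Jane Doe", "telephoneNumber", "%%14674", "+1 555 0100"),
    make_event(5137, "2015-03-02 10:05:00", "hdadmin", "Temp", "", "", ""),   # object created, skipped
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_EVENTS, "%john%", "%%"):
        print(row)
```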
Preparing the AD environment:
How to enable AD object auditing, Audit Policies or Advanced Audit Policies is out of the scope of this post. However, here is a quick description of what is needed in order to produce the report:
On your Domain Controllers, enable the ‘Directory Service Changes’ Audit Policy Subcategory, which is part of the Directory Service Audit Policy Category. Make sure to enable both.
AD object attribute changes are captured in Event ID 5136: A directory service object was modified, which is part of the above Subcategory.
Enable auditing for all users via GPO, or manually for a small number of users.
For a single user, open the object's ‘Advanced’ security settings, go to the Auditing tab and add an entry for ‘Write all properties’.
Disclaimer:
All software and the information is provided “AS IS” with no warranties. Use at your own risk! Please test it in a Lab environment first!