missing username in AD UserLockout events #66

Closed
chavvdarrr opened this issue Aug 5, 2021 · 9 comments
Labels
bug Something isn't working

Comments

@chavvdarrr

Using PSWinReporting 2.0.0.20.
Playing with the results, I noticed that from time to time I get events with date/time and DC, but no username and no affected computer.
Found these events: there is no affected computer indeed (probably these are generated by our users when connecting from gsms, or who knows).
But there is a username in the TargetUserName/Account field.
The event is absolutely normal, just the field "ComputerLockoutOn"/"Caller Computer Name" is empty.
The user fields "Account Name" and "TargetUserName" hold the affected user.
But in the results no user name is returned.

Tried to debug, but my knowledge is not enough.
Traced it up to GetEventsTranslation; the user info is kept.
In line 2148: $MyValue = FindEventsTo .... the info is still there...
myvalue.txt

Somehow the emptiness of the computer name clears the field for the user name; it's not returned.

I am attaching the contents of variable $MyValue[n] at the mentioned line 2148 (changed sensitive data only).

@PrzemyslawKlys (Member)

The first issue and the workaround are described here: https://evotec.xyz/active-directory-how-to-track-down-why-and-where-the-user-account-was-locked-out/

I was thinking a few times whether I would be able to gather this information and track it somehow even if it's missing in the events, but no time to investigate.

So the missing computer is normal and it shouldn't affect the report at all, and you're saying it does affect the user. This needs to be investigated.

PrzemyslawKlys added the "bug" label on Aug 5, 2021
@chavvdarrr (Author)

Thanks for the quick answer :)
Yes, the missing computer is not an issue; it is missing in the event, and we do have things like SSO, phones checking mail, etc. It seems you "map" a field which is empty in the event, while another field which holds the username is unused.

I can attach additional data, maybe the entire XML of such an event as written in the log, or maybe the contents of $Events, i.e. what the script gets?

@PrzemyslawKlys (Member)

Yes, XML would be better. Weird that I link the wrong field.

@chavvdarrr (Author)

Here it is (edited domain name & user).
I can send the unedited evtx & xml to contact at evotec.pl, if needed?
userlocked.txt

@PrzemyslawKlys (Member)

Let me see if I can reproduce it during the weekend. I have to resurrect this project a bit, as I've not played with it for a longer while. The problem is, I would like to change so much that I am afraid to touch it ;)

@PrzemyslawKlys (Member)

Sorry it took a bit longer than expected.

I've tracked it down to PSEventViewer.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5.8.2021 9:17:45
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:       DC2P.dc.bs.bnet
Description:
A user account was locked out.

Subject:
	Security ID:		SYSTEM
	Account Name:		DC2P$
	Account Domain:		DOMAIN
	Logon ID:		0x3E7

Account That Was Locked Out:
	Security ID:		DOMAIN\vst
	Account Name:		vst

Additional Information:
	Caller Computer Name:	
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2021-08-05T06:17:45.034896500Z" />
    <EventRecordID>85115046</EventRecordID>
    <Correlation />
    <Execution ProcessID="636" ThreadID="10628" />
    <Channel>Security</Channel>
    <Computer> bnet</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">vst</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetSid">S-1-5-21-984582052-2030474099-2552422773-11274</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"> DC2P$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>

It seems that TargetDomainName is missing in the XML you sent me.

And in the logic that creates ObjectAffected it expects both TargetDomainName and TargetUserName to be present.

https://github.com/EvotecIT/PSEventViewer/blob/e10b7b175f43cddc02b414f15ea79aca5984a0a0/Private/ScriptBlock.ps1#L788-L790

When I look at my events:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4738</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>13824</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2022-05-17T19:21:50.725206400Z" /> 
  <EventRecordID>49985729</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="676" ThreadID="2140" /> 
  <Channel>Security</Channel> 
  <Computer>AD1.ad.evotec.xyz</Computer> 
  <Security /> 
  </System>
<EventData>
  <Data Name="Dummy">-</Data> 
  <Data Name="TargetUserName">myname</Data> 
  <Data Name="TargetDomainName">EVOTEC</Data> 
  <Data Name="TargetSid">S-1-5-21-853615985-2870445339-3163598659-4098</Data> 
  <Data Name="SubjectUserSid">S-1-5-21-853615985-2870445339-3163598659-500</Data> 
  <Data Name="SubjectUserName">Administrator</Data> 
  <Data Name="SubjectDomainName">EVOTEC</Data> 
  <Data Name="SubjectLogonId">0x1978cb81</Data> 
  <Data Name="PrivilegeList">-</Data> 
  <Data Name="SamAccountName">-</Data> 
  <Data Name="DisplayName">-</Data> 
  <Data Name="UserPrincipalName">-</Data> 
  <Data Name="HomeDirectory">-</Data> 
  <Data Name="HomePath">-</Data> 
  <Data Name="ScriptPath">-</Data> 
  <Data Name="ProfilePath">-</Data> 
  <Data Name="UserWorkstations">-</Data> 
  <Data Name="PasswordLastSet">%%1794</Data> 
  <Data Name="AccountExpires">-</Data> 
  <Data Name="PrimaryGroupId">-</Data> 
  <Data Name="AllowedToDelegateTo">-</Data> 
  <Data Name="OldUacValue">-</Data> 
  <Data Name="NewUacValue">-</Data> 
  <Data Name="UserAccountControl">-</Data> 
  <Data Name="UserParameters">-</Data> 
  <Data Name="SidHistory">-</Data> 
  <Data Name="LogonHours">-</Data> 
  </EventData>
  </Event>

That's something that is just there. I think I need to fix PSEventViewer with additional logic.
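The comment above pins the bug on the ObjectAffected logic requiring both TargetDomainName and TargetUserName. A detail worth keeping in mind when handling 4740 specifically: in that event the TargetDomainName data field carries the "Caller Computer Name" shown in the description (which is why both are blank in the posted XML), not the locked account's domain. The script below is an added example for this thread, not PSWinReporting or PSEventViewer code; it parses the anonymised 4740 event from this issue (embedded as a constructed sample, System section trimmed), builds the affected-object field without depending on TargetDomainName, and shows the same logic with a made-up caller workstation ("WS01"). The function and parameter names are this example's own.

```powershell
# Added example for this thread; it is not PSWinReporting or PSEventViewer code.
# It parses a 4740 "A user account was locked out" event and builds the affected-object
# field without requiring TargetDomainName, which in 4740 is the caller computer name.

# Constructed sample 1: the anonymised 4740 event posted in this issue (System section trimmed).
$LockoutXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2021-08-05T06:17:45.034896500Z" />
    <Computer>DC2P.dc.bs.bnet</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">vst</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="TargetSid">S-1-5-21-984582052-2030474099-2552422773-11274</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"> DC2P$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

# Constructed sample 2: the same event with a caller workstation filled in (WS01 is made up).
$LockoutWithCallerXml = $LockoutXml -replace '<Data Name="TargetDomainName">\s*</Data>', '<Data Name="TargetDomainName">WS01</Data>'

function ConvertFrom-SecurityEventXml {
    # Flattens the System header and every <Data Name="..."> value into one object.
    param([Parameter(Mandatory)][string]$Xml)
    $Doc = [xml]$Xml
    $Fields = [ordered]@{
        EventID     = [int]$Doc.Event.System.EventID
        TimeCreated = [datetime]$Doc.Event.System.TimeCreated.SystemTime
        Computer    = ([string]$Doc.Event.System.Computer).Trim()
    }
    foreach ($Item in $Doc.Event.EventData.Data) {
        # GetAttribute sidesteps the clash between the Name attribute and XmlElement.Name;
        # Trim turns the whitespace-only TargetDomainName into an empty string.
        $Fields[$Item.GetAttribute('Name')] = $Item.InnerText.Trim()
    }
    [pscustomobject]$Fields
}

function Get-ObjectAffected {
    # Never drop the user just because the domain/caller field is blank.
    param([Parameter(Mandatory)]$Record)
    $User = $Record.TargetUserName
    if ([string]::IsNullOrWhiteSpace($User)) { return $Record.TargetSid }   # nothing better in the event
    # For 4740 TargetDomainName is the caller computer, so it must not be prepended there.
    $Domain = if ($Record.EventID -eq 4740) { '' } else { $Record.TargetDomainName }
    if ([string]::IsNullOrWhiteSpace($Domain)) { return $User }
    "$Domain\$User"
}

function ConvertTo-LockoutRecord {
    # One report row per 4740 event; ComputerLockoutOn falls back to N/A instead of blanking the row.
    param([Parameter(Mandatory)][string]$Xml)
    $Parsed = ConvertFrom-SecurityEventXml -Xml $Xml
    $Caller = if ([string]::IsNullOrWhiteSpace($Parsed.TargetDomainName)) { 'N/A' } else { $Parsed.TargetDomainName }
    [pscustomobject]@{
        Time              = $Parsed.TimeCreated
        DomainController  = $Parsed.Computer
        ObjectAffected    = Get-ObjectAffected -Record $Parsed
        TargetSid         = $Parsed.TargetSid
        ComputerLockoutOn = $Caller
    }
}

function Get-LockoutReport {
    # Live variant (needs read access to the Security log on the DC). Parameter names are
    # this example's own, not PSWinReporting's.
    param([string]$DomainController = $env:COMPUTERNAME, [int]$MaxEvents = 100)
    Get-WinEvent -ComputerName $DomainController -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
        ForEach-Object { ConvertTo-LockoutRecord -Xml $_.ToXml() }
}

# Offline check on the constructed samples
ConvertTo-LockoutRecord -Xml $LockoutXml | Format-List
ConvertTo-LockoutRecord -Xml $LockoutWithCallerXml | Format-List
```

On the first sample the row keeps ObjectAffected as "vst" with ComputerLockoutOn "N/A"; on the second it keeps "vst" and reports "WS01" as the caller. The TargetSid column is kept deliberately: it is the only unambiguous identifier of the locked account in a 4740 event, since the account's domain is not in the event data at all.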

@chavvdarrr (Author)

Thanks :)
Perhaps some of the fields are not "mandatory"?!

@PrzemyslawKlys (Member)

It's weird, but I've added that additional logic to PSEventViewer; I'm just doing some optimizations and will release it with fixes, along with a new version of PSWinReportingV2, which hopefully solves your issue.

@PrzemyslawKlys (Member)

Released a new version which should fix the issue.
