
ADUserChangesDetailed Event ID 5139 reporting issues #68

Closed
ClarkRSD opened this issue May 17, 2022 · 4 comments

@ClarkRSD

When using Find-Events to generate a report from ADUserChangesDetailed, it doesn't report anything in the User Object, Field Changed, and Field Value fields.

If I use Get-Events to find the event on the DC manually, it generates the fields as it's supposed to, so the data is there; it's just not showing in the output table. This is specifically for event 5139.

```text
TimeCreated  : 5/17/2022 10:24:04 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 5139
Message      : A directory service object was moved.

               Subject:
                Security ID:            S-1-5-21-12345678-1234567890-1234567890-1234567
                Account Name:           User01
                Account Domain:         contoso
                Logon ID:               0x1074523af1

               Directory Service:
                Name:           contoso.com
                Type:           Active Directory Domain Services

               Object:
                Old DN:         CN=User02,OU=OldOU,DC=contoso,DC=com
                New DN:         CN=User02,OU=NewOU,DC=contoso,DC=com
                GUID:           {1413d4fe-af6c-4926-8e62-e704b1b927b2}
                Class:          user

               Operation:
                Correlation ID:                 {6eef10c2-9bed-476f-9693-e0686f75d9e7}
                Application Correlation ID:     -
Domain Controller : DC.contoso.com
Action            : A directory service object was moved.
Action Detail     :
Who               : contoso\User01
When              : 5/17/2022 10:23:54 AM
User Object       :
Field Changed     :
Field Value       :
Record ID         : 7057994215
Event ID          : 5139
Gathered From     : DC
Gathered LogName  : Security
```
@PrzemyslawKlys (Member)

The definition of 5139 says:

```powershell
Fields      = [ordered] @{
    'Computer'                 = 'Domain Controller'
    'Action'                   = 'Action'
    'OperationType'            = 'Action Detail'
    'Who'                      = 'Who'
    'Date'                     = 'When'
    'ObjectDN'                 = 'User Object'
    'AttributeLDAPDisplayName' = 'Field Changed'
    'AttributeValue'           = 'Field Value'
    # Common Fields
    'RecordID'                 = 'Record ID'
    'ID'                       = 'Event ID'
    'GatheredFrom'             = 'Gathered From'
    'GatheredLogName'          = 'Gathered LogName'
}
```

The problem comes from expecting ObjectDN when actually for 5139 it's OldObjectDN and NewObjectDN.

```text
Message              : A directory service object was moved.

                       Subject:
                        Security ID:            S-1-5-21-853615985-2870445339-3163598659-500
                        Account Name:           Administrator
                        Account Domain:         EVOTEC
                        Logon ID:               0x1978CB81

                       Directory Service:
                        Name:           ad.evotec.xyz
                        Type:           Active Directory Domain Services

                       Object:
                        Old DN:         CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
                        New DN:         CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
                        GUID:           {bdccd325-0dfc-4667-8574-f09c2745e646}
                        Class:          computer

                       Operation:
                        Correlation ID:                 {ad5c45d3-cf8e-4c94-a839-d1b6af8795ab}
                        Application Correlation ID:     -
Computer             : AD1.ad.evotec.xyz
Date                 : 17.05.2022 21:02:21
OpCorrelationID      : {ad5c45d3-cf8e-4c94-a839-d1b6af8795ab}
AppCorrelationID     :
SubjectUserSid       : S-1-5-21-853615985-2870445339-3163598659-500
SubjectUserName      : Administrator
SubjectDomainName    : EVOTEC
SubjectLogonId       : 0x1978cb81
DSName               : ad.evotec.xyz
DSType               : %%14676
OldObjectDN          : CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
NewObjectDN          : CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz
ObjectGUID           : {bdccd325-0dfc-4667-8574-f09c2745e646}
ObjectClass          : computer
MessageSubject       : A directory service object was moved.
Action               : A directory service object was moved.
KeywordDisplayName   : Audit Success
Who                  : EVOTEC\Administrator
GatheredFrom         : ad1
GatheredLogName      : Security
Id                   : 5139
Version              : 0
Qualifiers           :
Level                : 0
Task                 : 14081
Opcode               : 0
Keywords             : -9214364837600034816
RecordId             : 49985116
ProviderName         : Microsoft-Windows-Security-Auditing
ProviderId           : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName              : Security
ProcessId            : 676
ThreadId             : 4032
MachineName          : AD1.ad.evotec.xyz
UserId               :
TimeCreated          : 17.05.2022 21:02:21
ActivityId           : 8cdd7485-3c32-4bff-b5e4-eb6005f373e1
RelatedActivityId    :
ContainerLog         : security
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : Directory Service Changes
KeywordsDisplayNames : {Audit Success}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}
```

While it's an easy fix for 5139 itself, ADUserChangesDetailed focuses on 5136, 5137, 5139, 5141, and I wonder how to approach it without breaking it for the other events, which most likely target ObjectDN.
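As an added illustration of the two points above (the blank User Object / Field Changed / Field Value columns in the first post, and the ObjectDN vs. OldObjectDN/NewObjectDN mismatch explained here), the following PowerShell is example code written for this thread, not PSWinReporting's own definition or fix. It keeps the default column map from the quoted definition, adds a per-event-ID override for 5139 so the other IDs (5136, 5137, 5141) keep resolving ObjectDN, and runs a check that flags any report row whose key columns come out blank. The sample events, the override table and how a move is rendered into the three columns (old DN as the object, "Moved to" as the field, new DN as the value) are this example's assumptions.

```powershell
# Added example (not PSWinReporting's code). Maps parsed events to report
# columns per event ID and flags rows the mapping leaves blank.

# Default map, inverted from the ADUserChangesDetailed definition quoted above:
# report column -> event property name.
$DefaultColumns = [ordered]@{
    'Domain Controller' = 'Computer'
    'Action'            = 'Action'
    'Action Detail'     = 'OperationType'
    'Who'               = 'Who'
    'When'              = 'Date'
    'User Object'       = 'ObjectDN'
    'Field Changed'     = 'AttributeLDAPDisplayName'
    'Field Value'       = 'AttributeValue'
    'Record ID'         = 'RecordId'
    'Event ID'          = 'Id'
}

# Assumed override for 5139 (object moved): the event carries OldObjectDN and
# NewObjectDN, not ObjectDN or an attribute name/value. A scriptblock value
# yields constant text; a string value names an event property.
$ColumnOverrides = @{
    5139 = @{
        'User Object'   = 'OldObjectDN'
        'Field Changed' = { param($e) 'Moved to' }
        'Field Value'   = 'NewObjectDN'
    }
}

function ConvertTo-ReportRow {
    param(
        [Parameter(Mandatory)][hashtable]$Event,
        [hashtable]$Overrides = $ColumnOverrides
    )
    $row      = [ordered]@{}
    $override = $Overrides[[int]$Event.Id]          # $null for IDs without one
    foreach ($column in $DefaultColumns.Keys) {
        $source = $DefaultColumns[$column]
        if ($override -and $override.ContainsKey($column)) { $source = $override[$column] }
        $value = if ($source -is [scriptblock]) { & $source $Event } else { $Event[$source] }
        $row[$column] = $value
    }
    [pscustomobject]$row
}

# Regression check: which of the three content columns are blank for this row?
# An empty BlankColumns list is the expected result for every supported ID.
function Test-ReportRow {
    param([Parameter(Mandatory)][pscustomobject]$Row)
    $blank = foreach ($column in 'User Object', 'Field Changed', 'Field Value') {
        if ([string]::IsNullOrWhiteSpace([string]$Row.$column)) { $column }
    }
    [pscustomobject]@{ EventId = $Row.'Event ID'; BlankColumns = @($blank) }
}

# Constructed sample events, shaped like the Get-Events output in this thread.
$Events = @(
    @{ Id = 5139; Computer = 'AD1.ad.evotec.xyz'
       Action = 'A directory service object was moved.'; OperationType = $null
       Who = 'EVOTEC\Administrator'; Date = '17.05.2022 21:02:21'
       OldObjectDN = 'CN=Test4,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz'
       NewObjectDN = 'CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz'
       RecordId = 49985116 },
    @{ Id = 5136; Computer = 'AD1.ad.evotec.xyz'
       Action = 'A directory service object was modified.'; OperationType = 'Value Added'
       Who = 'EVOTEC\Administrator'; Date = '17.05.2022 21:05:00'
       ObjectDN = 'CN=Test4,OU=Test1,OU=Default,OU=Computers,OU=Devices,OU=Production,DC=ad,DC=evotec,DC=xyz'
       AttributeLDAPDisplayName = 'description'; AttributeValue = 'constructed value'
       RecordId = 49985117 }
)

foreach ($e in $Events) {
    $row = ConvertTo-ReportRow -Event $e
    $row | Format-List
    Test-ReportRow -Row $row
}
```

Running the script with the 5139 override removed (`-Overrides @{}`) reproduces the symptom from the first post: Test-ReportRow lists all three columns as blank for the 5139 row while the 5136 row stays complete, which is the kind of per-ID check that would catch a mapping regression for the other event IDs in the set.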

PrzemyslawKlys added a commit that referenced this issue May 17, 2022
@PrzemyslawKlys (Member)

I believe this fix should do it. Based on the logic of ADOrganizationalUnitChangesDetailed this fix should work for ADUserChangesDetailed and ADComputerChangesDetailed.

@ClarkRSD (Author)

Awesome, thank you for the quick response! I will give the changes a go and report back later today.

@ClarkRSD (Author)

Yep, it works perfectly now. Thank you!
