Tracing a Logon ID: for a policy change

BillK

Hello,
I'm trying to track down who made a change to the default domain audit
policy, and the event includes this info (data altered) in an event ID 612:

Changed By:
User Name: DOMAINCONTROLLER$
Domain Name: OURDOMAIN
Logon ID: (0x1,0x4B7)

How do I decipher that Logon ID? I've checked a couple of different DC's
(including the PDC Emulator) but it still doesn't show me the proper user ID.
 
S. Pidgorny

You decipher that like this: you have a computer named DOMAINCONTROLLER,
from which the change was replicated to where this was logged.

--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

BillK wrote:
> Hello,
> I'm trying to track down who made a change to the default domain audit
> policy, and the event includes this info (data altered) in an event ID 612:
>
> Changed By:
> User Name: DOMAINCONTROLLER$
> Domain Name: OURDOMAIN
> Logon ID: (0x1,0x4B7)
>
> How do I decipher that Logon ID? I've checked a couple of different DC's
> (including the PDC Emulator) but it still doesn't show me the proper user ID.
>
>
 
BillK

To amend my original post and to respond to S. Pidgorny, here's the answer I
have from further research (though I'm not thrilled with it and welcome
additional info):

*The event will always show "Domaincontroller$" as the user name because
from the perspective of Windows server, the system makes the change to GPO's,
not the administrator.
*The only way to effectively track down a policy change is to enable file
level auditing and audit for writes against the GPO files themselves under
SYSVOL (because this will reflect the admin's user ID when modifying the
object). This webinar shows how to go about it in conjunction with a
vendor's log aggregation product:
http://www.prismmicrosys.com/Training/Trac...icyChanges.html

This is really disappointing but I'd love to know if it's simpler in
Windows 2008...

- Bill
"BillK" wrote:

> Hello,
> I'm trying to track down who made a change to the default domain audit
> policy, and the event includes this info (data altered) in an event ID 612:
>
> Changed By:
> User Name: DOMAINCONTROLLER$
> Domain Name: OURDOMAIN
> Logon ID: (0x1,0x4B7)
>
> How do I decipher that Logon ID? I've checked a couple of different DC's
> (including the PDC Emulator) but it still doesn't show me the proper user ID.
>
>
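Two points in this thread lend themselves to a worked check: S. Pidgorny's remark that the Logon ID belongs to the DOMAINCONTROLLER$ session on the DC that logged the 612 event (a Logon ID is a LUID, meaningful only on the machine that issued it and only since its last boot, which is why checking other DCs does not help), and Bill's finding that a write audit on the SYSVOL policy files is what actually names the administrator. The Python below is an added example, not code from the thread or from any product it mentions. It runs over constructed sample records written in a simplified "Key: Value" rendering of the legacy Windows 2000/2003 Security log (events 528/540, 612 and 560); the computer names, the user jdoe, the Logon ID collision on DC2 and the sample file path are all assumptions made up for the illustration, and the field layout is not the exact text Windows emits.

```python
import re

# Constructed sample records (not real log data) in a simplified rendering of
# the legacy Security log: 540/528 = successful (network) logon, 612 = audit
# policy change, 560 = object open produced by file-level auditing on SYSVOL.
# The GUID is the well-known Default Domain Policy GUID; the rest is made up.
SAMPLE_EVENTS = r"""
Event ID: 540
Computer: DC1
User Name: DOMAINCONTROLLER$
Domain: OURDOMAIN
Logon ID: (0x1,0x4B7)
Logon Type: 3

Event ID: 612
Computer: DC1
Changed By:
User Name: DOMAINCONTROLLER$
Domain Name: OURDOMAIN
Logon ID: (0x1,0x4B7)

Event ID: 528
Computer: DC2
User Name: jdoe
Domain: OURDOMAIN
Logon ID: (0x1,0x4B7)
Logon Type: 2

Event ID: 560
Computer: DC1
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\sysvol\ourdomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Primary User Name: DOMAINCONTROLLER$
Primary Logon ID: (0x0,0x3E7)
Client User Name: jdoe
Client Domain: OURDOMAIN
Client Logon ID: (0x1,0x9F2)
Accesses: WriteData (or AddFile)
"""

LOGON_EVENT_IDS = {"528", "540"}   # legacy successful logon / network logon
POLICY_CHANGE_ID = "612"            # legacy audit policy change
OBJECT_OPEN_ID = "560"              # legacy object open (file auditing)


def parse_events(text):
    """Split blank-line separated records into field dicts.
    Header lines such as 'Changed By:' carry no value and are skipped."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events


def find_logon_session(events, computer, logon_id):
    """Resolve a Logon ID to its logon event. The LUID is unique only on the
    machine that issued it, so the search is restricted to that computer;
    the same value on another DC is an unrelated session."""
    for e in events:
        if (e["Event ID"] in LOGON_EVENT_IDS and e["Computer"] == computer
                and e.get("Logon ID") == logon_id):
            return e
    return None


def attribute_policy_change(events, change):
    """Map the 'Changed By' Logon ID of a 612 event to the account and logon
    type of the session that made the change (here: the DC's own account)."""
    session = find_logon_session(events, change["Computer"], change["Logon ID"])
    if session is None:
        return None
    return {
        "computer": change["Computer"],
        "account": f'{session["Domain"]}\\{session["User Name"]}',
        "logon_type": session.get("Logon Type"),
        "logon_event": session["Event ID"],
    }


def sysvol_writes(events):
    """File-level auditing on SYSVOL: write accesses to policy files together
    with the client account that performed them (the admin, not the DC)."""
    hits = []
    for e in events:
        if e["Event ID"] != OBJECT_OPEN_ID:
            continue
        path = e.get("Object Name", "")
        if "\\SYSVOL\\" not in path.upper():
            continue
        if "WRITEDATA" not in e.get("Accesses", "").upper():
            continue
        client = f'{e["Client Domain"]}\\{e["Client User Name"]}'
        hits.append((e["Computer"], client, path))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for change in (e for e in evs if e["Event ID"] == POLICY_CHANGE_ID):
        print("612 on", change["Computer"], "->", attribute_policy_change(evs, change))
    for hit in sysvol_writes(evs):
        print("SYSVOL write:", hit)
```

Run against the sample, the 612 event resolves only to the DOMAINCONTROLLER$ network-logon session on DC1, while the identical Logon ID on DC2 belongs to a different user, which is why querying other DCs cannot name the administrator; the 560 record on the SYSVOL policy file is the one that carries jdoe as the client account.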