Security log format


Oleg Boldyrev

In security log entries with event IDs 633 and 660 I encounter records like
DEL:<guid>. I guess these pertain to object accounts that were valid at the
moment the entry was made but are currently deleted. Is that true?
I read a KB article in two parts about the format of security log entries,
but this kind of field is never mentioned there. Where can I read about
this?

Oleg
 
Hello Oleg,

301677 Windows 2000 Security Event Descriptions (Part 2 of 2)
http://support.microsoft.com/?id=301677

These logs relate to the removal of a user from a global or universal group.

Event ID 660
SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE

Event ID 633
SymbolicName=SE_AUDITID_GLOBAL_GROUP_ADD

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thank you, dear Curtis Clay III!

Curtis Clay III said:
Hello Oleg,

301677 Windows 2000 Security Event Descriptions (Part 2 of 2)
http://support.microsoft.com/?id=301677

These logs relate to the removal of a user from a global or universal group.

Event ID 660
SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE

Event ID 633
SymbolicName=SE_AUDITID_GLOBAL_GROUP_ADD

I must have been unclear. Here is what I see in the security log (exported to
CSV format):

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 660
Date: 10-12-03
Time: 09:59:49
User: SORP_1\stas
Computer: CPQNODE2
Description:
Security Enabled Universal Group Member Added:
Member Name: CN=divx,CN=Users,DC=sorp,DC=ru
Member ID: divx
DEL:81827b2e-eae4-4f99-ad4c-f74f3e483f57
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This record above is what I'm asking about.

Target Account Name: Enterprise Admins
Target Domain: SORP_1
Target Account ID: SORP_1\Enterprise Admins
Caller User Name: stas
Caller Domain: SORP_1
Caller Logon ID: (0x0,0xAAD4224)
Privileges: -

Here is an excerpt from the article you mentioned.
---cut
Event ID: 633 (0x0279)
Type: Success Audit
Description: Security Enabled Global Group Member Removed
Member Name: %1 Member ID: %2
Target Account Name: %3 Target Domain: %4
Target Account ID: %5
Caller User Name: %6 Caller Domain: %7
Caller Logon ID: %8 Privileges: %9
---cut
Nothing about DEL: records

Oleg
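
Added example, not part of any post in this thread and not Microsoft code: a small Python parser for the event description shown above that maps each line to the field labels from the KB template quoted in the thread and keeps a DEL:<guid> line separate from the field it follows. The function name and the rule that an unlabelled line continues the previous field are assumptions; the sample text is constructed from the post.

```python
import re

# Constructed sample: the description text from the post above.
SAMPLE = """\
Security Enabled Universal Group Member Added:
Member Name: CN=divx,CN=Users,DC=sorp,DC=ru
Member ID: divx
DEL:81827b2e-eae4-4f99-ad4c-f74f3e483f57
Target Account Name: Enterprise Admins
Target Domain: SORP_1
Target Account ID: SORP_1\\Enterprise Admins
Caller User Name: stas
Caller Domain: SORP_1
Caller Logon ID: (0x0,0xAAD4224)
Privileges: -
"""

# Field labels from the KB 301677 template quoted in the thread (%1..%9).
LABELS = ["Member Name", "Member ID", "Target Account Name", "Target Domain",
          "Target Account ID", "Caller User Name", "Caller Domain",
          "Caller Logon ID", "Privileges"]
DEL_RE = re.compile(r"^DEL:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def parse_description(text):
    """Return (fields, del_guids). A line that matches no known label is treated
    as a continuation of the previous field (assumption about the export)."""
    fields, del_guids, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # exports may be double-spaced
            continue
        label, sep, value = line.partition(":")
        if sep and label in LABELS:
            current = label
            fields[current] = value.strip()
            continue
        m = DEL_RE.match(line)
        if m and current:
            del_guids[current] = m.group(1).lower()  # keep the GUID separate
        elif current:
            fields[current] += "\n" + line           # other continuation text
        else:
            fields["Header"] = line.rstrip(":")      # event title line
    return fields, del_guids

if __name__ == "__main__":
    fields, dels = parse_description(SAMPLE)
    for name, guid in dels.items():
        print(f"{name} {fields[name]!r} carries DEL GUID {guid}")
```
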
 