ACS and Windows Server 2008

Microsoft Audit Collection Services (ACS) is a new function in SCOM 2007 that collects security event logs from machines. All events are saved in a dedicated Audit Collection database. You can then run reports against that database to see trends and do security analyses, and, for example, trace a single user's activity across many systems.

Operations Manager (Ops Mgr) ships with a number of ACS reports, but most of them only work with Windows Server 2003. I have customers who have upgraded to Windows Server 2008 and now find that the ACS reports no longer work. The reason is that the ACS reports look for Windows Server 2003 event IDs. For example, the “Usage_-_User_Logon” report looks for event IDs 540 and 528, but in Windows Server 2008 the logon events are IDs 4624 and 4648.

Another problem with the ACS reports is that you can’t schedule them with relative dates, for example “first day of last week” and “last day of last week”.

To create a new report that shows all logons (event ID 4624) for a domain user during the last seven days, you can use the built-in SQL Report Builder. This presupposes that ACS is installed correctly. You can read how to deploy ACS here.

  1. Start the Operations Manager 2007 console and navigate to the Reporting workspace, click “Design a new report”
  2. In “Microsoft Report Builder” select Audit as source of data for your report, select table report layout and click OK
  3. Click and add a title, for example “Contoso – Domain User Logon”
  4. From “Fields” drag and drop “Logon Time” to the table
  5. From “Fields” drag and drop “Target User” to the table
  6. From “Fields” drag and drop “Event Machine” to the table
  7. From “Fields” drag and drop “String 13” to the table
  8. From “Fields” drag and drop “String 02” to the table
  9. From “Fields” drag and drop “String 12” to the table
  10. From “Fields” drag and drop “String 03” to the table
  11. Click “Fields” in the tools menu
  12. In the “Filter Data” window, from “Fields” drag and drop “Event ID” to the “Dv Alls with” box. Select event ID 4624 in the drop down menu
  13. In the “Filter Data” window, from the “Fields” drag and drop “Logon Time” to the “Dv Alls with” box. Select “Logon Time on or after 7 days ago” and “Logon Time on or before today”
  14. In the “Filter Data” window, from the “Fields” drag and drop “Target Domain” to the “Dv Alls with” box. Select “Target Domain equals ”
  15. In the “Filter Data” window, from the “Fields” drag and drop “Target User” to the “Dv Alls with” box. Right-click “Target User” and select “Prompt”. If you don’t add a filter to this formula you will get a drop-down menu with all usernames to select from. (Right-click “Target User” and select “Edit As Formula”, double-click “Parameter: Target User”, expand it, and add a simple filter, for example an empty filter)
  16. Rename the table cells, for example:
     Event Machine = “Computer (logged on to)”
     String13 = “Auth Package”
     String02 = “Logon Type”
     String12 = “Logon Process”
     String03 = “Computer (logged on from)”
  17. When you are happy with your new report you can test run it with the “Run Report” button. You can then save the report to your report server on the File menu.

It is also useful to add an information box explaining both what this report does and what the different logon types mean. You can also insert a filter description into your report from the Insert menu.
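The Report Builder steps above boil down to one query against the ACS database. The following T-SQL is an added example, not part of the original post or of the SCOM product; it is useful for checking that the filter logic (event ID 4624, last seven days, a given target domain, an optional target user) returns what you expect before you schedule the Report Builder version, and it also spells out the logon type numbers that the information box should explain. It assumes the ACS database is named OperationsManagerAC, that the report model's “Dv All” entity is the AdtServer.dvAll view, and that the columns are named CreationTime, EventId, TargetUser, TargetDomain, EventMachine and String02/String03/String12/String13 as in the ACS schema; CONTOSO and the @TargetUser value are constructed placeholders.

```sql
-- Added example: the "Domain User Logon" report as a T-SQL query against the
-- ACS database (assumed name OperationsManagerAC, assumed view AdtServer.dvAll).
USE OperationsManagerAC;
GO

DECLARE @TargetDomain nvarchar(256);
DECLARE @TargetUser   nvarchar(256);
DECLARE @Since        datetime;
DECLARE @Tomorrow     datetime;

SET @TargetDomain = N'CONTOSO';   -- placeholder: the value left blank in step 14
SET @TargetUser   = N'%';         -- '%' = every user, the equivalent of the empty prompt filter
-- Midnight today, computed in a way that also works on SQL Server 2005
SET @Tomorrow = DATEADD(day, DATEDIFF(day, 0, GETDATE()) + 1, 0);   -- "on or before today"
SET @Since    = DATEADD(day, -7, DATEADD(day, DATEDIFF(day, 0, GETDATE()), 0)); -- "7 days ago"

SELECT
    a.CreationTime  AS [Logon Time],
    a.TargetUser    AS [Target User],
    a.EventMachine  AS [Computer (logged on to)],
    a.String13      AS [Auth Package],
    a.String02      AS [Logon Type],
    -- Well-known Windows logon type numbers, for the report's information box
    CASE a.String02
        WHEN '2'  THEN 'Interactive'
        WHEN '3'  THEN 'Network'
        WHEN '4'  THEN 'Batch'
        WHEN '5'  THEN 'Service'
        WHEN '7'  THEN 'Unlock'
        WHEN '8'  THEN 'NetworkCleartext'
        WHEN '9'  THEN 'NewCredentials'
        WHEN '10' THEN 'RemoteInteractive'
        WHEN '11' THEN 'CachedInteractive'
        ELSE 'Other'
    END             AS [Logon Type Name],
    a.String12      AS [Logon Process],
    a.String03      AS [Computer (logged on from)]
FROM AdtServer.dvAll AS a
WHERE a.EventId = 4624                 -- Windows Server 2008 successful logon (528/540 on Server 2003)
  AND a.CreationTime >= @Since         -- step 13: on or after 7 days ago
  AND a.CreationTime <  @Tomorrow      -- step 13: on or before today
  AND a.TargetDomain = @TargetDomain   -- step 14
  AND a.TargetUser LIKE @TargetUser    -- step 15: prompt value, '%' when left empty
ORDER BY a.CreationTime DESC;
```

Run it in SQL Server Management Studio against the ACS server; if the row count matches what the Report Builder report returns for the same domain and user, the filters are equivalent. Replacing @TargetUser with a concrete account name gives the single-user trace described at the top of the post.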

Useful Links
Description of security events in Windows Vista and in Windows Server 2008, link
Audit Category: Logon/Logoff (Vista and Windows Server 2008), link