{"id":288,"date":"2008-07-22T11:28:31","date_gmt":"2008-07-22T09:28:31","guid":{"rendered":"http:\/\/contoso.se\/blog\/?p=288"},"modified":"2008-07-22T11:28:31","modified_gmt":"2008-07-22T09:28:31","slug":"acs-and-windows-server-2008","status":"publish","type":"post","link":"http:\/\/contoso.se\/blog\/?p=288","title":{"rendered":"ACS and Windows Server 2008"},"content":{"rendered":"<p>Microsoft Audit Connection Service (ACS) is a new function in SCOM 2007 that can collect logs from machines. All logs are saved in a special Audit Collection database. You can then run reports against the database to see trends and do security analyses. You can also, for example, trace a user\u2019s activity across many systems.<\/p>\n<p>Operations Manager (Ops Mgr) comes with a number of ACS reports, but most of them only work with Windows Server 2003. I have customers who have upgraded to Windows Server 2008 and now find that the ACS reports no longer work. That is because the ACS reports look for Windows Server 2003 event IDs. For example, the \u201cUsage _-_User_Logon\u201d report looks for event IDs 540 and 528, but in Windows Server 2008 the corresponding logon events are IDs 4624 and 4648.<\/p>\n<p>Another problem with the ACS reports is that you can\u2019t schedule them with relative dates, for example \u201clast week first day\u201d and \u201clast week last day\u201d.<\/p>\n<p>To create a new report that shows all logons (event ID 4624) for a domain user during the last seven days, you can use the built-in SQL Report Builder. This presupposes that you have ACS installed correctly. 
You can read how to deploy ACS <a href=\"http:\/\/contoso.se\/blog\/?p=198\">here<\/a>.<\/p>\n<ol>\n<li>Start the Operations Manager 2007 console, navigate to the Reporting workspace and click \u201cDesign a new report\u201d<\/li>\n<li>In \u201cMicrosoft Report Builder\u201d select Audit as the data source for your report, select the table report layout and click OK<\/li>\n<li>Click and add a title, for example \u201cContoso \u2013 Domain User Logon\u201d<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cLogon Time\u201d to the table<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cTarget User\u201d to the table<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cEvent Machine\u201d to the table<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cString 13\u201d to the table<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cString 02\u201d to the table<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cString 12\u201d to the table<\/li>\n<li>From \u201cFields\u201d drag and drop \u201cString 03\u201d to the table<\/li>\n<li>Click \u201cFilter\u201d in the tools menu<\/li>\n<li>In the \u201cFilter Data\u201d window, from \u201cFields\u201d drag and drop \u201cEvent ID\u201d to the \u201cDv Alls with\u201d box. 
Select event ID 4624 in the drop-down menu<\/li>\n<li>In the \u201cFilter Data\u201d window, from \u201cFields\u201d drag and drop \u201cLogon Time\u201d to the \u201cDv Alls with\u201d box. Select \u201cLogon Time on or after 7 days ago\u201d and \u201cLogon Time on or before today\u201d<\/li>\n<li>In the \u201cFilter Data\u201d window, from \u201cFields\u201d drag and drop \u201cTarget Domain\u201d to the \u201cDv Alls with\u201d box. Select \u201cTarget Domain equals \u201d<\/li>\n<li>In the \u201cFilter Data\u201d window, from \u201cFields\u201d drag and drop \u201cTarget User\u201d to the \u201cDv Alls with\u201d box. Right-click \u201cTarget User\u201d and select \u201cPrompt\u201d. If you don\u2019t add a filter to this formula you will get a drop-down menu with all usernames to select from. (Right-click \u201cTarget User\u201d and select \u201cEdit As Formula\u201d, double-click \u201cParameter: Target User\u201d, expand it and add a simple filter, for example an empty filter)<\/li>\n<li>Rename the table cells, for example<br \/>\nEvent Machine = Computer (Logged on to)<br \/>\nString13 = Auth Package<br \/>\nString02 = Logon Type<br \/>\nString12 = Logon Process<br \/>\nString03 = Computer (Logged on from)<\/li>\n<li>When you are happy with your new report, you can test run it with the \u201cRun Report\u201d button. 
You can then save the report to your report server from the File menu.<\/li>\n<\/ol>\n<p>It is also useful to add an information box describing both what this report does and what the different logon types mean. Also insert a filter description into your report from the Insert menu.<\/p>\n<p>Useful Links<br \/>\nDescription of security events in Windows Vista and in Windows Server 2008, <a href=\"http:\/\/support.microsoft.com\/kb\/947226\">link<\/a><br \/>\nAudit Category: Logon\/Logoff (Vista and Windows Server 2008), <a href=\"http:\/\/www.ultimatewindowssecurity.com\/Wiki\/AuditCategory-Logon-Logoff.ashx\">link<\/a><br \/>\n<img decoding=\"async\" src=\"http:\/\/www.contoso.se\/files\/Capture20080722.JPG\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Audit Connection Service (ACS) is a new function in SCOM 2007 that can collect logs from machines. All logs are saved in a special Audit Collection database. You can then run reports against the database to see trends and do security analyses. You can also, for example, trace a user\u2019s activity across many systems. 
&hellip; <a href=\"http:\/\/contoso.se\/blog\/?p=288\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[19],"tags":[],"_links":{"self":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/288"}],"collection":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=288"}],"version-history":[{"count":0,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/288\/revisions"}],"wp:attachment":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=288"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}