Solved

PowerShell - "A required audit event could not be generated for the operation"

Posted on 2014-10-28
398 Views
Last Modified: 2014-10-29
Hi guys,

This has been driving me potty. I've got a script running that connects to Forest A, grabs the userID and its SID, then (should) connect to Forest B, match the userID and drop the SID (converted to a hex string) into a hex-only AD attribute (msRTCSIP-originatorSID).

I'm getting the error 'a required audit event could not be generated for the operation' when trying to update the attribute.

I've enabled PowerShell 'local scripts' and 'remote signed' on the domain controller GPO. Code below:

# Usage: .\Set-OriginatorSid.ps1 -LogonName jdoe -SamAccountName jdoe
# Resolve the user's SID in forest A (NetBIOS domain "AD") and write it to
# msRTCSIP-OriginatorSid on the matching user in forest B, where this script runs.
param (
    [Parameter(Mandatory)][string]$LogonName,       # sAMAccountName in forest A
    [Parameter(Mandatory)][string]$SamAccountName   # matching user in forest B
)
Import-Module ActiveDirectory

$account   = New-Object System.Security.Principal.NTAccount("AD", $LogonName)
$sid       = $account.Translate([System.Security.Principal.SecurityIdentifier])
$sidString = $sid.Value   # the "S-1-5-21-..." form

# Hex form of the binary SID; this is what the ADUC Attribute Editor wants when the value is typed in by hand.
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($sidBytes, 0)
$hexString = ($sidBytes | ForEach-Object { $_.ToString("X2") }) -join ''
Write-Host "SID $sidString (hex $hexString)"

# Set-ADUser takes the SID string for this attribute, not the hex string (see the resolution further down).
# -Replace rather than -Add: the attribute is single-valued, so -Add fails once it already holds a value.
Set-ADUser -Identity $SamAccountName -Replace @{"msRTCSIP-OriginatorSid" = $sidString}

Question by:Corcoran Smith
12 Comments
 
Expert Comment by Miguel Angel Perez Muñoz (LVL 19):
Did you configure delegation between both domains? http://technet.microsoft.com/en-us/magazine/jj853299.aspx
 
Author Comment by Corcoran Smith (LVL 2):
Hi, there's full trust, but the connections use credentials from both domains (it's a merger and not a hugely happy one!), so the full script asks you to put in creds for both domains.

In the code snippet above, it does write the full hex string that it's supposed to, but then fails. The script is running in the forest I'm trying to update the attribute on.

corcoran
 
Accepted Solution by footech (LVL 39, earned 500 total points):
I'm not feeling that this is an error with the script.  I would focus on the error.  Check event logs and see what the audit settings are.
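Following the advice above to look at the audit settings and the event logs, here is an added example (not code posted in the thread) that pulls the effective audit policy, the Security log state and the recent audit-related events from the DC that Set-ADUser is writing to. It assumes WinRM is enabled on the DC and that you hold admin credentials in that forest; the DC name and credential in the usage lines are placeholders.

```powershell
# Added example, not from the thread. Collects the effective audit policy and recent
# audit-related Security events on the DC that Set-ADUser talks to.
function Get-DcAuditState {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [System.Management.Automation.PSCredential]$Credential,
        # Subcategories that matter when a user attribute is written through a DC.
        [string[]]$Subcategory = @('User Account Management', 'Directory Service Changes', 'Directory Service Access')
    )
    $target = @{ ComputerName = $DomainController }
    if ($Credential) { $target.Credential = $Credential }

    Invoke-Command @target -ArgumentList (,$Subcategory) -ScriptBlock {
        param([string[]]$Wanted)

        # auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting. This is the *effective*
        # policy on the box, which is what applies when advanced subcategory settings
        # override the legacy "Audit account management" GPO setting.
        $policy = auditpol /get /category:* /r | ConvertFrom-Csv |
                  Where-Object { $Wanted -contains $_.Subcategory } |
                  Select-Object Subcategory, 'Inclusion Setting'

        # Head-room in the Security log: a full log that cannot be overwritten is one
        # reason an audit record cannot be written.
        $log = Get-WinEvent -ListLog Security |
               Select-Object LogName, LogMode, RecordCount, FileSize, MaximumSizeInBytes, IsLogFull

        # 4738 = a user account was changed (User Account Management),
        # 4719 = system audit policy was changed, 1104 = the security log is now full.
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738, 4719, 1104 } `
                               -MaxEvents 20 -ErrorAction SilentlyContinue |
                  Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

        [pscustomobject]@{ DC = $env:COMPUTERNAME; Policy = $policy; SecurityLog = $log; RecentEvents = $events }
    }
}

# Example call (placeholder DC name; you are prompted for forest-B credentials):
# $state = Get-DcAuditState -DomainController 'dc01.forestb.local' -Credential (Get-Credential)
# $state.Policy       | Format-Table -AutoSize
# $state.SecurityLog
# $state.RecentEvents | Format-Table -AutoSize
```

The point of reading `auditpol /get` on the DC rather than the GPO is that the legacy "Audit account management" setting is a category-level value; when "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled, the subcategory values are what actually take effect, so the GPO can say one thing and the DC do another. Event 4719 in the output tells you when and by whom the effective policy last changed.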
 
Author Comment by Corcoran Smith (LVL 2):
Hi Foo, yeah, similar. Nothing in the event logs on the server I'm hitting. I've set auditing to disabled for all DCs in the domain.
 
Expert Comment by footech (LVL 39):
Do you get the same error if you run the final command, not as part of the script or using any variables?  For example:
set-aduser -identity jdoe -add @{"msRTCSIP-OriginatorSid" = "0409000000000006320000009367E94D4F3C3A6AA5156B49E00D0000"}

 
Author Comment by Corcoran Smith (LVL 2):
Morning Foo, yeah same thing.
 
Expert Comment by footech (LVL 39):
I don't have much more to suggest.
I would try setting the attribute using a different method, like through the attribute editor in ADUC, and see if the error still occurs.  Then I would check out existing users that already have the attribute set and look for any differences - maybe try to change the attribute back and forth and see the result.  Are you doing this as a domain admin in the domain where you're trying to set this?
 
Author Comment by Corcoran Smith (LVL 2):
Thanks Foo; yeah I'm a domain admin.
I've taken the export-string from the powershell window and pushed it into ADUC without any error - imagine my joy.
 
Author Comment by Corcoran Smith (LVL 2):
UPDATE!

It's now working!

When using PowerShell, it actually wants the SID in all its original glory, NOT a hex string *frown face*.

I've also turned off 'audit account management' on the default domain controller GPO to get past the first error!
 
Author Closing Comment by Corcoran Smith (LVL 2):
Love a bit of peer review! :)
 
Expert Comment by footech (LVL 39):
Thanks for the points.  Don't know if I helped much though.
Are you saying that turning off "audit account management" got you past the "a required audit event could not be generated for the operation" error, but then you had another error when the attribute wasn't in the format that PS wanted it to be?  If so, what was that second error?
 
Author Comment by Corcoran Smith (LVL 2):
When you put the SID into ADUC it camps out, so you have to put in the hex string. The first load of errors in the script also suggested this. There are a couple of lines at the top of the script that rip the user SID and convert that into a string. That's what it needed in the end. Gonna gently turn on auditing tomorrow to get the system secure again.
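To tie the thread together, here is an added example (not code posted by the author or by footech) covering the three forms of the SID that came up: the S-1-5-... string that Set-ADUser accepted, the binary form, and the hex string that the ADUC Attribute Editor wants. It round-trips between them offline, and then writes msRTCSIP-OriginatorSid and reads it back to confirm the stored value matches the source SID. It assumes it runs on a forest-B member with the ActiveDirectory module, as the question's script does; the NetBIOS name 'AD', the account names and the constructed sample SID are placeholders.

```powershell
# Added example, not from the thread: SID <-> hex conversions plus a verified write
# of msRTCSIP-OriginatorSid. Names and the sample SID are constructed placeholders.
Import-Module ActiveDirectory

function ConvertTo-SidHexString {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    # Binary SID -> upper-case hex pairs, the form ADUC's Attribute Editor accepts.
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function ConvertFrom-SidHexString {
    param([Parameter(Mandatory)][string]$Hex)
    # Reverse of the above, so a value copied out of Attribute Editor can be checked.
    $Hex = $Hex -replace '\s', ''
    if ($Hex.Length % 2 -ne 0 -or $Hex -notmatch '^[0-9A-Fa-f]+$') { throw "Not a hex byte string: $Hex" }
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Get-SourceSid {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$LogonName)
    # Resolve DOMAIN\user -> SID across the trust; the local DC does the lookup.
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $LogonName)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier])
}

function Set-OriginatorSidVerified {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Management.Automation.PSCredential]$Credential
    )
    $ad = @{}
    if ($Credential) { $ad.Credential = $Credential }

    # Write the S-1-5-... string, which is what the thread found Set-ADUser accepts.
    # -Replace because the attribute is single-valued and -Add fails once it holds a value.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msRTCSIP-OriginatorSid' = $Sid.Value } @ad

    # Read back and compare. ADWS normally returns a SID-syntax attribute as a
    # SecurityIdentifier; the byte[] branch covers a directory that exposes it as an octet string.
    $raw = (Get-ADUser -Identity $SamAccountName -Properties 'msRTCSIP-OriginatorSid' @ad).'msRTCSIP-OriginatorSid'
    $stored = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
              else { [System.Security.Principal.SecurityIdentifier]$raw }
    if ($stored -ne $Sid) { throw "Verify failed for ${SamAccountName}: wrote $($Sid.Value), read $($stored.Value)" }
    return $stored
}

# Offline self-check on a constructed SID (not a real account): string -> hex -> SID must round-trip.
$sample = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-21-1234567890-1234567890-1234567890-1105')
$hex    = ConvertTo-SidHexString -Sid $sample
if ((ConvertFrom-SidHexString -Hex $hex) -ne $sample) { throw 'SID hex round-trip failed' }
"{0} <-> {1}" -f $sample.Value, $hex

# Live use (forest-B creds prompted, as in the question's full script):
# $sid = Get-SourceSid -Domain 'AD' -LogonName 'jdoe'
# Set-OriginatorSidVerified -SamAccountName 'jdoe' -Sid $sid -Credential (Get-Credential)
```

The read-back is the part worth keeping: a write that "succeeds" but stores a different SID (for example because a hex string was pushed in as text) is exactly the kind of thing that only shows up later as a user who cannot sign in, and comparing the stored value to the source SID as a SecurityIdentifier catches it immediately.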
