Solved

powershell - a required audit event could not be generated for the operation..

Posted on 2014-10-28
Last Modified: 2014-10-29
Hi guys,

This has been driving me pots. I've got a script running that connects to Forest A, grabs the userID and its SID then (should) connect to Forest B, match the userID and drop the SID (converted to a hex string) into a hex-only AD attribute (msRTCSIP-originatorSID)

I'm getting the error 'a required audit event could not be generated for the operation' when trying to update the attribute.

I've enabled PowerShell 'local scripts' and 'remote signed' on the domain controller GPO. Code below.

param ([string]$SidString)
$sid = New-Object System.Security.Principal.NTAccount("AD", "$logonname")
$sid = $sid.Translate([system.Security.Principal.SecurityIdentifier])
$sidstring = ($sid -as [string])
$sidBytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm( $sidBytes, 0 )
$hexArr = $sidBytes | ForEach-Object { $_.ToString("X2") }
# Join the hex array into a single string for output
# $hexArr -join ''

write-host $hexArr

$SetADmsRTCSIP = set-aduser -identity $username.samaccountname -add @{"msRTCSIP-OriginatorSid" = "$hexArr"}


0
Comment
Question by:Corcoran Smith
12 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40408730
Did you configure delegation between both domains? http://technet.microsoft.com/en-us/magazine/jj853299.aspx
0
 
LVL 2

Author Comment

by:Corcoran Smith
ID: 40408741
Hi, there's full trust, but the connections use credentials from both domains (it's a merger and not a hugely happy one!) so the full script asks you to put in creds for both domains.

In the code snip above, it 'goes' write the full hex-string that it's supposed to, but then fails. The script is running in the forest I'm trying to update the attribute on.

corcoran
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 40409264
I'm not feeling that this is an error with the script.  I would focus on the error.  Check event logs and see what the audit settings are.
0
 
LVL 2

Author Comment

by:Corcoran Smith
ID: 40409376
Hi Foo - yeah, similar. Nothing in the event logs on the server I'm hitting. I've set auditing disabled for all DCs in the domain.
0
 
LVL 39

Expert Comment

by:footech
ID: 40409658
Do you get the same error if you run the final command, not as part of the script or using any variables?  For example:
set-aduser -identity jdoe -add @{"msRTCSIP-OriginatorSid" = "0409000000000006320000009367E94D4F3C3A6AA5156B49E00D0000"}


0
 
LVL 2

Author Comment

by:Corcoran Smith
ID: 40410177
Morning Foo, yeah same thing.
0
 
LVL 39

Expert Comment

by:footech
ID: 40411165
I don't have much more to suggest.
I would try setting the attribute using a different method, like through the attribute editor in ADUC, and see if the error still occurs.  Then I would check out existing users that already have the attribute set and look for any differences - maybe try to change the attribute back and forth and see the result.  Are you doing this as a domain admin in the domain where you're trying to set this?
0
 
LVL 2

Author Comment

by:Corcoran Smith
ID: 40411220
Thanks Foo; yeah I'm a domain admin.
I've taken the export-string from the powershell window and pushed it into ADUC without any error - imagine my joy.
0
 
LVL 2

Author Comment

by:Corcoran Smith
ID: 40411223
UPDATE!

It's now working!

When using PowerShell, it actually wants the SID in all its original glory, NOT a hex string *frown face*.

I've also turned off 'audit account management' on the default domain controller GPO to get past the first error!
0
 
LVL 2

Author Closing Comment

by:Corcoran Smith
ID: 40411227
Love a bit of peer review! :)
0
 
LVL 39

Expert Comment

by:footech
ID: 40411487
Thanks for the points.  Don't know if I helped much though.
Are you saying that turning off "audit account management" got you past the "a required audit event could not be generated for the operation" error, but then you had another error when the attribute wasn't in the format that PS wanted it to be?  If so, what was that second error?
0
 
LVL 2

Author Comment

by:Corcoran Smith
ID: 40411732
When you put the SID into ADUC it camps out. So you have to put in the hex string. The first load of errors in the script also suggested this. There are a couple of lines at the top of the script that rip the user SID and convert that into a string. That's what it needed in the end. Gonna gently turn on auditing tomorrow to get the system secure again.
0
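
The fix the author describes above (hand PowerShell the SID itself rather than a hex dump of its bytes), as an added example that is not code from the thread. The function name, its parameters and the server name are hypothetical; it assumes the ActiveDirectory module, PowerShell 5 or later, and that the Forest A account resolves over the trust as in the question's script.

```powershell
Import-Module ActiveDirectory

function Set-OriginatorSidFromAccount {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,      # Forest A NetBIOS name ("AD" in the question)
        [Parameter(Mandatory)][string]$SamAccountName,    # logon name shared by both forests
        [Parameter(Mandatory)][string]$TargetServer,      # a Forest B domain controller (placeholder)
        [Parameter(Mandatory)][pscredential]$TargetCredential
    )
    $attr = 'msRTCSIP-OriginatorSid'

    # Resolve the Forest A account to its SID, as the question's script does.
    $account = New-Object System.Security.Principal.NTAccount($SourceDomain, $SamAccountName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Refuse well-known SIDs, which have no account domain part.
    if ($null -eq $sid.AccountDomainSid) {
        throw "Resolved SID $($sid.Value) is not a domain account SID"
    }

    $target = @{ Server = $TargetServer; Credential = $TargetCredential }

    # Write the S-1-5-... string, the form the author found PowerShell accepts.
    # -Replace sets the value whether or not the attribute is already populated.
    Set-ADUser -Identity $SamAccountName -Replace @{ $attr = $sid.Value } @target -ErrorAction Stop

    # Read the value back and compare, so a mismatch is caught here.
    $stored = (Get-ADUser -Identity $SamAccountName -Properties $attr @target).$attr
    if ($stored -is [byte[]]) {
        $stored = [System.Security.Principal.SecurityIdentifier]::new($stored, 0)
    }
    if ("$stored" -ne $sid.Value) {
        throw "Read-back mismatch on ${SamAccountName}: stored '$stored', expected '$($sid.Value)'"
    }
    [pscustomobject]@{ User = $SamAccountName; Sid = $sid.Value; Verified = $true }
}

# Constructed usage; the server name is a placeholder:
# Set-OriginatorSidFromAccount -SourceDomain 'AD' -SamAccountName 'jdoe' `
#     -TargetServer 'dc01.forestb.example' -TargetCredential (Get-Credential)

# After the change, on a Forest B domain controller, confirm that account
# management auditing is enabled again rather than left off:
# auditpol /get /category:"Account Management"
```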


Question has a verified solution.
