We help IT Professionals succeed at work.

AD auditing of SELF

albatros99
albatros99 asked
on
I have configured Active Directory to log changes for computer objects. The OS version is updated by the computer under the identity of the computer account whenever the computer starts or anytime the netlogon service is restarted. I would expect to see event 5136 in the security log but there is nothing. Other changes do show up. What's missing?
Comment
Watch Question

Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Where have you enabled this Auditing policy? All Auditing Policies need to be configured on the Default Domain Controllers Policy.

If you have not set this up on this policy that would be why it is not working.

Will.

Author

Commented:
That's where it's setup and I can track all other changes. I'm just not getting an event when the computer account updates the OS information, which I would expect.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Is the computer object you modified, showing the correct OS in powershell?

Get-ADComputer -identity <computername> -Properties OperatingSystem | fl

Will.

Author

Commented:
Here's the test setup:
- Clear OS information of computer object with ADSIEdit
- Verify that the OS information is cleared
- Restart the netlogon service on the test system
- Check OS information again in AD (it will be updated)  
- Look in DC log (there is only one DC) for event 5136

The event is not there!
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Are you using the Default Auditing Policy or are you using the Advance Auditing Configuration Policy?

What is the exact policy you configured for this?

I would like to try and reproduce this in my lab.

Will.

Author

Commented:
I used 'Advanced Audit Configuration' and 'Directory Service Changes' 'Success, Failure' and enabled the auditing for SELF and Authenticated users for the OU where the computer object resides.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Ok sounds good. I will test this and see what i can. Also, if you run rsop.msc on the machine you are testing with, can you drill down and see the policies that you applied?

Will.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
I have done exactly the steps that you have in your environment and it works in my lab. I have provided all screenshots of all my changes.

ds1.JPGds2.JPGds3.JPGds4.JPGds5.JPGds6.JPG
Will.

Author

Commented:
Thanks a lot for the screenshots!

I would have expected the event to have either the name of the computer account or SYSTEM as a source.
Is "EXAMPLE\wills" the user account you used to stop/start the netlogon service?
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Is "EXAMPLE\wills" the user account you used to stop/start the netlogon service?
That is correct.

This is the screenshot of the entire event message.
ds7.JPG
Will.

Author

Commented:
I think there's a misunderstanding. I can get this event as well when I manually delete or modify the attribute. But what I'm trying to see is the event when the computer boots and updates the field using the local system identity. Can you try deleting the information again, then reboot your test computer?
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
Ok i have removed the entries again, cleared the security logs on the DC and rebooted the machine.

Results...
- Event Viewer still shows the same event as i posted before
- After rebooting the machine (without logging in) update the values for Operating System, ServicePack etc

Will.
Distinguished Expert 2019

Commented:
once set the attribute doesn't change so there is nothing to update/audit