WS2008R2 doesn't write the UserName on the eventlog Windows Security journal; WS2003R2 did.

  • Question

  • Hello,

    Hope someone could help me... I posted this question on the WS2008R2 General forum, on both the English and French forums, 8 days ago but no answer yet.

    We have got 4 domain controllers, 3 of them moved to Windows Server 2008 R2 + 1 still on Windows Server 2003 R2.


    I have a .NET 4.0 application that allows us to track when a given user logs in and out, by using the Windows event log Security journals on our domain controllers.


    My problem is, I can't retrieve the userName in the Windows event log journals on my three WS2008R2 servers:


    When I open the Security journal --> double-click on an Open Session event (eventID=4624), the UserName is ALWAYS = N/A (not available, I assume). I can't recover the userName of the user logged on or off. However, our last and only domain controller still running Windows Server 2003 R2 nicely shows us the user name.

    Since the Security journal lacks the userName, my .NET app is useless... I can't trace anymore when a given user logs in and out.

    UserName = N/A also in the System journal on Windows Server 2008 R2; however, on Windows Server 2003 R2 I still recover the userName.

    I have checked many times that the Windows Security Auditing settings are the same on our only WS2003R2 and on the 3 WS2008R2. On all of them, I have "Audit logon/logoff events" = success, failure.
    (Sorry if the translation is not accurate, I work with the French versions of Windows Server.)


    Could someone please tell me whether there is something special to do on Windows Server 2008 R2 to allow the username to be recovered?

    Could someone please tell me whether they can see the real userName (not N/A) in their System or Security Windows journals?
    (Open the Windows Security journal --> Properties of an eventID=4624 entry, userName="????")


    Thank you very much!

    Have a nice day,

    Susana


    susana
    Thursday, May 20, 2010 9:46 AM

Answers

  • Hello,

    please open the "Details" part of the event viewer entry or scroll in the "General" part; this should also show you the written username.

    See here:  http://cid-009d8c87dbea5514.skydrive.live.com/self.aspx/MVP-DS/event4624.png

    The event id 4624 Logon you should check for the account name is listed after the 4768 Kerberos Authentication Service / 4769 Kerberos Service Ticket Operations and 4648 Logon entries on the authenticating DC.


    Best regards, Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Marked as answer by Tim Quan Monday, June 7, 2010 3:50 AM
    Saturday, June 5, 2010 9:50 AM

All replies

  • Hello Meinolf,

    Thank you for your answer, really.

    Yes, I know I can see the userName by scrolling the "General" part; I also know I can recover
    the userName from there in my code:

     Imports System.Diagnostics

     ' Legacy EventLog API: open the Security log of the (remote) domain controller.
     Dim aLog As New EventLog()
     aLog.Log = "Security"
     aLog.MachineName = "myIPaddress"

     Dim entry As EventLogEntry
     For Each entry In aLog.Entries
         If entry.InstanceId = 4624 Then
             ' entry.Message holds all the text shown under the scrolling "General"
             ' part of the event properties, so the string has to be cut into
             ' pieces to recover the userName.
             Dim strMessageAll As String = entry.Message
         End If
     Next

    entry.Message="L’ouverture de session d’un compte s’est correctement déroulée.

    Sujet :
     ID de sécurité :  Système
     Nom du compte :  CI15$
     Domaine du compte :  IYY
     ID d’ouverture de session :  0x5e7

    Type d’ouverture de session :   5

    Nouvelle ouverture de session :
     ID de sécurité :  Système
     Nom du compte :  Système
     Domaine du compte :  AUTORITE NT
     ID d’ouverture de session :  0x3e7
     GUID d’ouverture de session :  {00000000-0000-0000-0000-000000000000}

    Informations sur le processus :
     ID du processus :  0x1f4
     Nom du processus :  C:\Windows\System32\services.exe

    Informations sur le réseau :
     Nom de la station de travail : 
     Adresse du réseau source : -
     Port source :  -

    Informations détaillées sur l’authentification :
     Processus d’ouverture de session :  Advapi 
     Package d’authentification : Negotiate
     Services en transit : -
     Nom du package (NTLM uniquement) : -
     Longueur de la clé :  0

    Cet événement est généré lors de la création d’une ouverture de session. Il est généré sur l’ordinateur sur lequel l’ouverture de session a été effectuée.

    Le champ Objet indique le compte sur le système local qui a demandé l’ouverture de session. Il s’agit le plus souvent d’un service, comme le service Serveur, ou un processus local tel que Winlogon.exe ou Services.exe.

    Le champ Type d’ouverture de session indique le type d’ouverture de session qui s’est produit. Les types les plus courants sont 2 (interactif) et 3 (réseau).

    Le champ Nouvelle ouverture de session indique le compte pour lequel la nouvelle ouverture de session a été créée, par exemple, le compte qui s’est connecté.

    Les champs relatifs au réseau indiquent la provenance d’une demande d’ouverture de session à distance. Le nom de la station de travail n’étant pas toujours disponible, peut être laissé vide dans certains cas.

    Les champs relatifs aux informations d’authentification fournissent des détails sur cette demande d’ouverture de session spécifique.
     - Le GUID d’ouverture de session est un identificateur unique pouvant servir à associer cet événement à un événement KDC .
     - Les services en transit indiquent les services intermédiaires qui ont participé à cette demande d’ouverture de session.
     - Nom du package indique quel est le sous-protocole qui a été utilisé parmi les protocoles NTLM.
     - La longueur de la clé indique la longueur de la clé de session générée. Elle a la valeur 0 si aucune clé de session n’a été demandée.
    "

    On WS2003R2 there was just a property (entry.UserName) that rendered CI15$.

    Anyway, thanks, you answered my question, so as I understand it Microsoft engineers just forgot to configure the WS2008R2 eventLog journals correctly.... There is nothing I can do to easily recover the userName value (entry.UserName); I'll have to cut my string (entry.Message) into pieces..... Nice! Even more because I'm not just interested in 4624 events, so I have plenty of different string formats to play with. Oh, I love it when major product improvements actually do make our lives easy.

    Not your fault, I'm really grateful to you, at least I know now it can't be done the WS2003R2 way. It's important to know that.

    MS doesn't make me happy.....

    Have a good day,
    Susana


    susana
    Monday, June 7, 2010 11:47 AM
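The following is an added VB.NET example, not code from this thread. It shows the alternative to cutting entry.Message into pieces that Meinolf's "Details" tab hints at: the same 4624 record that the legacy EventLog API reports with UserName = N/A carries the logged-on account as structured event data (the "Nom du compte" under "Nouvelle ouverture de session" in the rendered text, named TargetUserName in the event XML). The System.Diagnostics.Eventing.Reader API, available since .NET 3.5, exposes that XML directly, so the account name comes out of a named field instead of a localized string. The host name "dc01" is an assumed placeholder; the helper GetEventData is mine, not a framework API.

```vbnet
' Added example (not the poster's code): read 4624 logon events from a
' domain controller's Security log with the Eventing.Reader API and take the
' account name from the structured EventData, independent of the UI language.
Imports System
Imports System.Diagnostics.Eventing.Reader
Imports System.Xml

Module LogonTracker

    ' Returns the text of <Data Name="..."> in the event's EventData block,
    ' or Nothing when that field is absent (helper written for this example).
    Private Function GetEventData(eventXml As XmlDocument, name As String) As String
        Dim ns As New XmlNamespaceManager(eventXml.NameTable)
        ' Windows event XML namespace (fixed value used by all event records).
        ns.AddNamespace("e", "http://schemas.microsoft.com/win/2004/08/events/event")
        Dim node As XmlNode = eventXml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='" & name & "']", ns)
        If node Is Nothing Then Return Nothing
        Return node.InnerText
    End Function

    Sub Main()
        ' Structured XPath filter evaluated by the event log service itself:
        ' only event ID 4624 is returned, nothing has to be filtered client-side.
        Dim query As New EventLogQuery("Security", PathType.LogName, "*[System[EventID=4624]]")
        ' Read a remote domain controller; drop this line to read the local log.
        query.Session = New EventLogSession("dc01")   ' assumed host name

        Using reader As New EventLogReader(query)
            Dim record As EventRecord = reader.ReadEvent()
            While record IsNot Nothing
                ' record.ToXml() is exactly what the Event Viewer "Details" tab
                ' shows in XML view, including the named EventData fields.
                Dim doc As New XmlDocument()
                doc.LoadXml(record.ToXml())

                Dim user As String = GetEventData(doc, "TargetUserName")       ' Nom du compte (Nouvelle ouverture de session)
                Dim domain As String = GetEventData(doc, "TargetDomainName")   ' Domaine du compte
                Dim logonType As String = GetEventData(doc, "LogonType")       ' Type d'ouverture de session

                Console.WriteLine("{0:u}  {1}\{2}  logon type {3}", record.TimeCreated, domain, user, logonType)

                record.Dispose()
                record = reader.ReadEvent()
            End While
        End Using
    End Sub

End Module
```

Two points worth keeping in mind when turning this into the tracking application. First, the sample message Susana pasted is a logon of the computer account CI15$ with logon type 5 (service); an application that wants to know when people log in should skip account names ending in "$" and restrict itself to the logon types it cares about (type 2 is the interactive one named in the event text). Second, reading the Security log remotely needs an account that is allowed to read it on the DC (an administrator, or a member of the Event Log Readers group), and the remaining Windows Server 2003 R2 controller still writes the pre-Vista event IDs (528/540 for successful logons) rather than 4624, so it needs its own query until it is upgraded.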