Some Custom ACS Reports


Here are some ACS reports that I’ve written for various customers recently.  If you have ACS installed in the same Reporting Services instance as OpsMgr Reporting, then you can just import the attached Management Pack (CustomACSReports.xml).  Otherwise, you’ll need to import each .rdl file separately.


Here is a description of each report, along with some screenshots.


Event Search
This report allows the user to search for specific security events (selected from a pre-defined list). The user can choose a specific server or search for events from all servers. The user can also specify search strings for the UserName or Description in the event. The report returns the top 100 events from the specified date range.


Authentication Failure Summary
This report queries the ACS database for Authentication Failure errors logged during a user-specified time range (default is 1 week). The Event IDs queried for are Event ID 675 (Windows Server 2003) and Event ID 4771 (Windows Server 2008). The events are grouped by error code, and the error message and count for each error code are listed in a table. When the user clicks on one of the errors, the Authentication Failure Detail report is run for that error message.


Authentication Failure Detail
This report queries the ACS database for Authentication Failure errors with a specific error code logged during a user-specified time range (default is 1 week). The Event IDs queried for are Event ID 675 (Windows Server 2003) and Event ID 4771 (Windows Server 2008). The events are grouped by IP Address and User Name, and the count for each is displayed in a table.


AD Object Changes
This report will show details of events related to changes in Active Directory. The report will query the ACS database for Event ID 566 / 5136 and show the Event Time, UserName, Domain Controller, Object Type, Object Name, accessed Properties, and the New Value of the property (Win2k8 only). The report also includes options to search for a specific string in the Object Name and/or Property Name.


Exchange AD Object Activity
This report shows events related to changes to Exchange Objects in Active Directory. The report will query the ACS database for Event ID 566 and 5136 within the specified time range, where the object name contains the string “CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=”. The report groups the events by UserName, and shows the Event Time, Domain Controller, Object Type, Object Name, and accessed Properties. The report also includes an option to exclude changes made by computer accounts.


Account Lockout and Authentication Failure by User
This report accepts a date range, username, and domain and will list all occurrences of the following events for the specified user within the specified date range: Event 644 / 4740 (Account Lockout), Event 529 / 4625 (Unknown Username or Bad Password), Event 675 / 4771 (Kerberos Pre-Authentication Failure), Event 680 / 4776 (NTLM Authentication Failure).
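
One way to express this lookup in T-SQL, as an added example (it is not the query from the report's .rdl file). It assumes the adtserver.dvall5 view exposes EventId, CreationTime and EventMachine along with the four User/Domain column pairs; the parameter names and sample values are hypothetical.

```sql
-- Added example, not the report's own dataset query.
-- Assumed columns on adtserver.dvall5: EventId, CreationTime, EventMachine,
-- TargetUser/TargetDomain, PrimaryUser/PrimaryDomain,
-- ClientUser/ClientDomain, HeaderUser/HeaderDomain.
DECLARE @StartDate datetime, @EndDate datetime,
        @UserName nvarchar(256), @Domain nvarchar(256);
SET @StartDate = '20111001';   -- constructed sample range (end is exclusive)
SET @EndDate   = '20111101';
SET @UserName  = N'jdoe';      -- constructed sample account
SET @Domain    = N'CONTOSO';   -- constructed sample domain

SELECT  e.CreationTime,
        e.EventId,
        CASE
            WHEN e.EventId IN (644, 4740) THEN 'Account Lockout'
            WHEN e.EventId IN (529, 4625) THEN 'Unknown Username or Bad Password'
            WHEN e.EventId IN (675, 4771) THEN 'Kerberos Pre-Authentication Failure'
            WHEN e.EventId IN (680, 4776) THEN 'NTLM Authentication Failure'
        END AS EventType,
        e.EventMachine
FROM    adtserver.dvall5 AS e
WHERE   e.CreationTime >= @StartDate
  AND   e.CreationTime <  @EndDate
  -- Legacy (Windows Server 2003) and Windows Server 2008 IDs side by side,
  -- so one query covers a mixed estate.
  AND   e.EventId IN (644, 4740, 529, 4625, 675, 4771, 680, 4776)
  -- Check every User/Domain pair rather than assuming which one
  -- carries the account for a given event ID.
  AND ( (e.TargetUser  = @UserName AND e.TargetDomain  = @Domain)
     OR (e.PrimaryUser = @UserName AND e.PrimaryDomain = @Domain)
     OR (e.ClientUser  = @UserName AND e.ClientDomain  = @Domain)
     OR (e.HeaderUser  = @UserName AND e.HeaderDomain  = @Domain) )
ORDER BY e.CreationTime;
```

Reading the rows in time order shows whether a lockout was preceded by a run of Kerberos or NTLM failures and which machine reported them.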


Account Lockout by User
This report accepts a date range, username, and domain and will list the time and computer name for all account lockout events (Event ID 644 / 4740) for the specified user within the specified date range.


Account Lockout Trends
This report accepts a date range and Domain name and will query for all Account Lockout events (Event ID 644 / 4740) within the specified date range and domain. The report contains charts which show average number of account lockouts for each hour of the day and each day of the week, and a trending chart which will show the number of account lockouts over the specified time range. The report also lists all of the lockouts in a table, grouped by Domain, User, Workstation, and Time.
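
The hour-of-day aggregation behind the first chart can be sketched in T-SQL as follows. This is an added example, not the report's own query; it assumes adtserver.dvall5 exposes EventId, CreationTime and TargetDomain, and the parameter names and sample values are hypothetical.

```sql
-- Added example, not the report's own dataset query.
DECLARE @StartDate datetime, @EndDate datetime,
        @Domain nvarchar(256), @Days int;
SET @StartDate = '20111001';   -- constructed sample range (end is exclusive)
SET @EndDate   = '20111101';
SET @Domain    = N'CONTOSO';   -- constructed sample domain
SET @Days      = DATEDIFF(day, @StartDate, @EndDate);

SELECT  DATEPART(hour, e.CreationTime)     AS HourOfDay,
        COUNT(*)                           AS Lockouts,
        -- Average per calendar day in the range; NULLIF avoids a
        -- divide-by-zero when start and end fall on the same day.
        COUNT(*) * 1.0 / NULLIF(@Days, 0)  AS AvgPerDay
FROM    adtserver.dvall5 AS e
WHERE   e.EventId IN (644, 4740)           -- Account Lockout, 2003 / 2008
  AND   e.CreationTime >= @StartDate
  AND   e.CreationTime <  @EndDate
  -- Assumption: the locked-out account's domain is in TargetDomain.
  AND   e.TargetDomain = @Domain
GROUP BY DATEPART(hour, e.CreationTime)
ORDER BY HourOfDay;
-- Hours with no lockouts return no row; a chart should treat them as zero.
```

Swapping `hour` for `weekday` in both DATEPART calls gives the day-of-week breakdown.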


Top 10 Accounts Failing Authentication
This report will query the ACS database for Authentication Failure events (Event ID 680 and 4776) within the specified time range. The report contains a table which will show the 10 user accounts with the most failures, grouped by Workstation and Error Code.


User Account Management Activity
This report will show the number of various account management events within a specified time range, grouped by domain. The events displayed are Accounts Changed (642, 4738), Accounts Created (624, 4720), Accounts Enabled (626, 4722), Accounts Disabled (629, 4725), Accounts Deleted (630, 4726), Names Changed (685, 4781), Password Resets (628, 4724), Accounts Unlocked (671, 4767). Clicking on any of the numbers on the report will launch the “Automated Account Change Trends” report for more details.


ACS Events for Specified User
This report accepts a Username, Domain, and date range and will display all events where the specified User/Domain is in the TargetUser/TargetDomain, PrimaryUser/PrimaryDomain, ClientUser/ClientDomain, or HeaderUser/HeaderDomain fields. The domain list is pre-populated.


Event_Report_Basic
This report displays the Computer Name and Date/Time for a specific Event ID within a specified date range.


CustomACSReports.zip

Comments (30)

  1. Anonymous says:

    Sorry, should have disabled that part of the report….I didn’t include the "Automated Account Change Trends" report in the blog because it doesn’t have a generic way to define "automated", it would be customer-specific.

  2. Anonymous says:

    Hi Jimmy,

    great work.

    As far as auditing Exchange AD Object Changes report is concerned, what, if any, auditing permissions should be enabled in order for a DC to generate event ID 5136 and %CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=%’ under string05 in the adtserver.dvall view.

    thanks in advance

    Hector

  3. Anonymous says:

    Hi Jimmy, I have Windows 2003 AD domain and your report Active Directory Object Changes in SCOM 2007 R2 is empty in my environment. Is this report only for Windows 2008 domain controllers?

    Thanks for help.

    Best regards,

    Dubravko

  4. Anonymous says:

    I haven't used the SecureVantage Archiver, but the error is telling us that it does not have a view named adtserver.dvall5, which is the ACS database view that is being used.

    You'll need to determine the name of the view or table where the data is stored in the database that you are searching, and change the report query to use it.

  5. Anonymous says:

    Hi James,

    Thanks for those reports.

    Regards,

    Stefan

  6. Anonymous says:

    I don’t know from memory what those events are, but all of the reports in this post are Win2k8 compatible, and we have other Win2k8 reports at http://blogs.technet.com/momteam/archive/2009/05/08/acs-reports-for-windows-2008-and-windows-2008-r2.aspx.  

  7. Anonymous says:

    Hello Jimmy,

    Can you provide me with any report for counting all events by computer?

    Thanks

  8. Anonymous says:

    This report works with Win2k3 or Win2k8 events.  For Win2k3, it is looking for event ID 566…check to verify if you are collecting this event by running the following query on the ACS Database:

    select count(*) from adtserver.dvheader where eventid=566

  9. Anonymous says:

    Hi Jimmy, query select count(*) from adtserver.dvheader where eventid=566 returns 1468 rows but my report is empty. Should I check something else?

    Thanks.

    Best regards,

    Dubravko.

  10. Anonymous says:

    I actually have a report similar to what you are asking for…I'll try to get it posted later.

  11. Anonymous says:

    Check the date range that you are entering in the report and verify that the events in your query are within that range.  Also, try changing "Include Computer Accounts" to True and see if that makes a difference.

  12. Marnix Wolf says:

    Hi Jimmy.

    Thanks so much. Great reports they are.

    Cheers,

    Marnix

  13. LLUCH says:

    HI JIMMY,

    THANKS FOR THOSE REPORTS

    cheers

    greg

  14. PatRick says:

    Hi Jimmy

    Do you know about reports for acs, about the event id’s 4728, 4729, 4730, 4732, 4733, 4734,

    4735, 4737, 4755, 4756, 4757, 4758. We don’t find something about these events.

  15. LayneR says:

    Hi Jimmy.  Thanks for sharing these reports.  Quick question – On the User Account Management Activity report it says "Clicking on any of the numbers on the report will launch the "Automated Account Change Trends" report for more details."

    When I run this report, I cannot click on any of the numbers on the report, and the Automated Account Change Trends report does not run.  Any ideas?

    Thanks again.

  16. ming says:

    Hi Jimmy,

    Thanks for the great post! I would like to know, for the 'Event Search' report, it's stipulated to return the top 100 results. Is there a specific reason for it to be top 100 instead of an infinite number?

    If I need the report to return all the values, would it be possible?

    Lastly, do you happen to have any custom report for non ACS events that functions like the 'Event Search' report?

    Cheers and great week ahead!

  17. Stanislav (ITLog.cz) says:

    Hi Jimmy,

    thanks for great portion of inspiration!  

  18. Andrew says:

    Hello

    These reports are really good.

    We use them daily on our live ACS data

    We have the secure vantage archiver.

    Would it be possible to run these reports against archived data that we have loaded into another database?

    I get the below message when I run your report:-

    An error occurred during client rendering.

    An error has occurred during report processing.

    Query execution failed for dataset 'OperationsManagerAC'.

    Invalid object name 'adtserver.dvall5'.

    I tried changing the dataset within your reports and now get:-

    An error occurred during client rendering.

    An error has occurred during report processing.

    Query execution failed for dataset 'SecureVantageACDW'.

    Invalid object name 'adtserver.dvall5'.

    I'm able to get the standard ACS reports working on archived data.

    Thanks Andrew

  19. avv says:

    Event search didn't work for event 560/4656: Object open.

    Error:

    An error occurred during client rendering.

    An error has occurred during report processing.

    Query execution failed for dataset 'OperationsManagerAC'.

    String or binary data would be truncated. The statement has been terminated.

    All other events work fine.

    How do I fix it?

  20. Dharmendra Kumar says:

    Hi,

    I have checked Account Lockout Trends but it gave me the wrong date range on the Trendline Graph.

    I exported the RDL file, checked the dataset property and executed the query with dates between 01/01/2011 and 10/27/2011, and I am getting the data between the given date range (it's only 16 days of data from the current month). But on the Trendline Graph it's showing me a different date range.

    It's showing me 1/1/1914, 1/1/1936, 1/1/1958, 1/1/1980, 1/1/2002 on the Trendline Graph.

    Please advise.

  23. EBratter says:

    Looking for a report event 5139, who and when someone moved a computer object from one OU to an other.

  24. Vassil says:

    Have you tested the reports on 2012 SP1?

    Some of them work fine but others don't, e.g. User Account Management Activity.

    Are you going to make them compatible with 2012 SP1?

    It would be nice 🙂

    Thanks.

  25. Raymond says:

    Hi Jimmy,

    A little (or very) late to the party but I'm loving these reports!  I'm having the same issue that "Dharmendra Kumar" is having. Is there something in reporting services that's askew, or is it that I'm using SCOM 2012 as opposed to 2007, which I'm assuming these were written for?

  26. roland says:

    Hello Jimmy,

    I really searched for them …

    Sorry, I can't find the reports for download.

    Rgds Roland

  27. roland says:

    Now I found them.

    Really don't know why I didn't see them so far.

    Thanks, Roland

  28. An update for 2012R2?

  29. Abhijeet Gore says:

    Hi Jimmy,

    This is really great. However if you could share me "Account Lockout and Authentication Failure by User" SQL query that would be really great for me…

  30. MichaelJBliss says:

    I'm also having a few issues on SCOM 2012; some reports work, others (AD Object Changes) show the below error.

    An error has occurred during report processing. (rsProcessingAborted)
    Cannot read the next data row for the dataset OperationsManagerAC. (rsErrorReadingNextDataRow)
    For more information about this error navigate to the report server on the local server machine, or enable remote errors

    I'm just starting out with SCOM and ACS and would really appreciate some insight as to why this happens.

    Thanks for the great work,
    Mike