ACS: EventSchema.xml changes for Server 2008 Account Lockout Events

Just realized that I haven't blogged on this yet. By default, the "Calling Machine" property of Account Lockout events from Windows Server 2008 servers is not entered in the ACS database. This will affect some of the Account Lockout reports that I have previously posted. Below are the details and the fix:

For Windows 2000/2003 Account Lockout events (Event ID 644), we store the Target Account Name in the String01 column and the Caller Machine Name in the String02 column (Target Account Name is also stored in the TargetUser column).

For Windows Server 2008 Account Lockout events (Event ID 4740), we do not store anything in String01 or String02.  This doesn't really affect the Target Account Name property, since it is already stored as TargetUser, but we are no longer collecting the Calling Machine Name in the database.

To maintain parity with Server 2000/2003 Account Lockout events, we need to make the following changes to the EventSchema.xml (on the ACS Collector Server) so that the Target Account Name and Calling Computer Name are stored in String01/String02:

NOTE:

  • The EventSchema.xml file is located in the C:\Windows\System32\Security\AdtServer folder on the ACS Collector server
  • Be sure to back up the existing EventSchema.xml file before making any changes
  • After making the change, restart the ACS Collector service on the Collector Server
  • This change will NOT affect any existing events in the database; it only affects events that are collected AFTER the change is made

Before:
        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
        </Event>

After:
        <Event SourceId="4740" SourceName="SE_AUDITID_ETW_ACCOUNT_AUTO_LOCKED">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <!-- Added: re-append insertion strings 1 (Target Account Name) and 2 (Calling Computer Name) -->
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
          <Param TypeName="typePrimaryLogonId" />
          <!-- Added: type the two re-appended strings as typeString so they land in String01/String02 -->
          <Param TypeName="typeString" />
          <Param TypeName="typeString" />
        </Event>
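To apply the change without hand-editing the file, here is an added PowerShell script (not part of the original post) that takes the backup, inserts the two Call and two Param elements into the 4740 node only if they are not already there, and restarts the Collector. It assumes the ACS Collector service is named AdtServer and that it is run from an elevated PowerShell on the Collector server.

```powershell
# Added example, not from the original post: apply the EventSchema.xml change for
# Event ID 4740 with a backup, skip it if already applied, then restart the Collector.
# ASSUMED: the ACS Collector service is named 'AdtServer'. Run elevated on the Collector.
$schemaPath  = 'C:\Windows\System32\Security\AdtServer\EventSchema.xml'
$serviceName = 'AdtServer'   # assumed service name of the ACS Collector

# 1. Back up the current schema before changing anything.
$backupPath = "$schemaPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $schemaPath -Destination $backupPath -ErrorAction Stop

# 2. Load the schema and find the Server 2008 account-lockout event node.
$schema = New-Object System.Xml.XmlDocument
$schema.Load($schemaPath)
$eventNode = $schema.GetElementsByTagName('Event') |
    Where-Object { $_.GetAttribute('SourceId') -eq '4740' } | Select-Object -First 1
if (-not $eventNode) { throw "Event SourceId=4740 not found in $schemaPath" }

# 3. The default node has seven AppendString calls and seven Params; the fix adds
#    two of each. Treat nine or more as 'already applied' so the script is safe to re-run.
$calls  = @($eventNode.ChildNodes | Where-Object { $_.LocalName -eq 'Call' })
$params = @($eventNode.ChildNodes | Where-Object { $_.LocalName -eq 'Param' })
if ($calls.Count -ge 9 -and $params.Count -ge 9) {
    Write-Output 'String01/String02 mapping for 4740 already present; nothing to do.'
    return
}
if ($calls.Count -eq 0 -or $params.Count -eq 0) { throw 'Unexpected 4740 definition' }

# 4. Re-append insertion strings 1 (Target Account Name) and 2 (Calling Computer Name)
#    after the existing Call elements, and type them as typeString after the existing
#    Param elements so they land in String01 and String02.
$ns = $eventNode.NamespaceURI
$lastCall = $calls[-1]
foreach ($idx in '1', '2') {
    $call = $schema.CreateElement('Call', $ns)
    $call.SetAttribute('Name',   'AppendString')
    $call.SetAttribute('Param1', $idx)
    $call.SetAttribute('Param2', '0')
    $lastCall = $eventNode.InsertAfter($call, $lastCall)
}
$lastParam = $params[-1]
for ($i = 0; $i -lt 2; $i++) {
    $param = $schema.CreateElement('Param', $ns)
    $param.SetAttribute('TypeName', 'typeString')
    $lastParam = $eventNode.InsertAfter($param, $lastParam)
}

# 5. Save and restart the Collector so it picks up the new schema.
$schema.Save($schemaPath)
Restart-Service -Name $serviceName -ErrorAction Stop
Write-Output "EventSchema.xml updated; backup saved at $backupPath"
```

Only lockout events collected after the restart will carry String01/String02; verify by checking a 4740 row in the ACS database once a new lockout has been collected.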