Audit Report Scenarios: How to create custom reports with System Center Operations Manager 2007 R2 and Audit Collection Services (ACS)


Scenarios that are discussed in this blog post include:

  • Scenario 1: Computers joined to the domain (names and description)
  • Scenario 2: User passwords expired
  • Scenario 3: User accounts locked out
  • Scenario 4: Group policy changes

Scenario 1: Computers joined to the domain (names and description)

The following event IDs (Windows Server 2003 security log numbering, which is what ACS collects from 2003 domain controllers) are used in this scenario:

645 - A computer account was created.

646 - A computer account was changed.

647 - A computer account was deleted.

Note: the computer description cannot be reported on, because it is not a parameter of any of these events.

Computer Accounts Created

Step 1
Operations Console > Reporting > Audit Reports > Design a new report
image
Step 2
Select fields as shown in the image from ‘Explorer pane, Fields:’ section
image 
Step 3
Rename fields
image
Step 4
Right click inside the ‘Date’ field (e.g. 1/1/2009)
> Format > Select a format to suit your requirements
image
Step 5
Right click inside the ‘Computer’ field > Edit Formula > Enter the formula as indicated in the image
image
Step 6
Select Filter from the toolbar. Add Event Id and set it equal to 645

Note
Event ID 645 will not appear in the report if Audit Account Management is not enabled on the domain controllers, if a DC is not configured to forward its security log to an ACS collector, or if the ACS collector’s filter (the AdtAdmin /setquery WQL filter) is dropping this event.

image
Report example image

Computer Accounts Deleted

Save the report created above under a different name, change the title, and simply change the event ID in step 6 above to 647 to report on deleted computer accounts.

Report example image

Computer Accounts Changed

Step 1
Operations Console > Reporting > Audit Reports > Design a new report
image
Step 2
Select fields as shown in the image from ‘Explorer pane, Fields:’ section
and rename as appropriate
image
Step 3
Right click inside the ‘Date’ field (e.g. 1/1/2009)
> Format > Select a format to suit your requirements
image
Step 4
Right click inside the ‘Action’ field > Edit Formula > Enter the formula as indicated in the image
image
Step 5
Select Filter from the toolbar. Add Event Id and set it equal to 646 (a computer account was changed; 647 is the deletion event used in the previous report). Also add
String 06 and set it to not equal to - (a dash means the parameter was not populated for that event)

Note
Event ID 646 will not appear in the report if Audit Account Management is not enabled on the domain controllers, if a DC is not configured to forward its security log to an ACS collector, or if the ACS collector’s filter is dropping this event.

image
Report example image

Scenario 2: User passwords expired

Event ID 535 (Logon failure: the password for the specified account has expired) is used in this scenario.

Step 1
Operations Console > Reporting > Audit Reports > Design a new report
image
Step 2
Select fields as shown in the image from ‘Explorer pane, Fields:’ section
and rename as appropriate
image
Step 3
Right click inside the ‘Date’ field (e.g. 1/1/2009)
> Format > Select a format to suit your requirements
image
Step 4
Select Filter from the toolbar. Add Event Id and set it equal to 535. Also add
String 06 and set it to not equal to -

Note
Event ID 535 will not appear in the report if Audit logon events is not enabled on the domain controllers, if a DC is not configured to forward its security log to an ACS collector, if the ACS collector’s filter is dropping this event, or simply if no user with an expired password has attempted to log on in the reporting period.

image
Report example image

Scenario 3: User accounts locked out

Event ID 644 (A user account was auto locked) is used in this scenario.

Step 1
Operations Console > Reporting > Audit Reports > Design a new report
image
Step 2
Select fields as shown in the image from ‘Explorer pane, Fields:’ section
and rename as appropriate
image
Step 3
Right click inside the ‘Date’ field (e.g. 1/1/2009)
> Format > Select a format to suit your requirements
image
Step 4
Select Filter from the toolbar. Add Event Id and set it equal to 644.

Note
Event ID 644 will not appear in the report if Audit Account Management is not enabled on the domain controllers, if a DC is not configured to forward its security log to an ACS collector, if the ACS collector’s filter is dropping this event, or if the Account Lockout Policy has no lockout threshold configured (with a threshold of 0, accounts are never locked out and the event is never generated).

image
Report example image

Scenario 4: Group policy changes

Event ID 566 (A generic object operation took place) is used in this scenario.

Step 1
Operations Console > Reporting > Audit Reports > Design a new report
image
Step 2
Select fields as shown in the image from ‘Explorer pane, Fields:’ section
and rename as appropriate
image
Step 3
Right click inside the ‘Date’ field (e.g. 1/1/2009)
> Format > Select a format to suit your requirements
image
Step 4
Select Filter from the toolbar. Add Event Id and set it equal to 566. Also add String 01 with the condition contains groupPolicyContainer (the object class of a GPO in Active Directory), so that 566 events for other directory objects are excluded.

Note
Event ID 566 will not appear in the report if Audit Directory Service Access is not enabled on the domain controllers, if the SACL on the GPO objects (under CN=Policies,CN=System in the domain partition) does not audit the write operations you care about (directory service access events are only generated for accesses listed in an object’s SACL), if a DC is not configured to forward its security log to an ACS collector, or if the ACS collector’s filter is dropping this event.

image
Step 5
Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
image
Step 6
Right click inside the ‘GPO’ field > Edit Formula > Enter the formula as indicated in the image
image
Report example image
Note: I added a text box with the KB URL to convert GPO GUIDs to GPO names.
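The four designer reports above can also be expressed directly as T-SQL against the ACS database, which is useful for checking that the events are actually arriving before spending time in the report designer, and for ad-hoc investigation. The following is an added example, not code from the original post: it assumes the default ACS database name OperationsManagerAC and the AdtServer.dvAll view that the built-in reports query; the filters mirror the ones used in the steps above (EventId, String06 <> '-', String01 containing groupPolicyContainer). Which StringNN column carries which event parameter depends on the parameter order of each event, so the use of String02 as the object name of event 566, and of TargetUser/PrimaryUser as the affected account and the caller, are assumptions to verify against a sample row from your own collector before relying on them.

```sql
-- Added example, not part of the original post. Assumes the default ACS
-- database name and the AdtServer.dvAll view; StringNN and TargetUser/
-- PrimaryUser mappings are assumptions, check them against a live row.
USE OperationsManagerAC;
GO

-- Scenario 1: computer accounts created (645), changed (646), deleted (647)
-- in the last 7 days. TargetUser is assumed to hold the computer account
-- (sAMAccountName ending in $), PrimaryUser the caller who made the change.
SELECT CreationTime,
       EventMachine                          AS DomainController,
       EventId,
       CASE EventId
            WHEN 645 THEN 'Created'
            WHEN 646 THEN 'Changed'
            WHEN 647 THEN 'Deleted'
       END                                   AS Action,
       ISNULL(TargetDomain, '') + '\' + ISNULL(TargetUser, '')   AS ComputerAccount,
       ISNULL(PrimaryDomain, '') + '\' + ISNULL(PrimaryUser, '') AS ChangedBy
FROM AdtServer.dvAll
WHERE EventId IN (645, 646, 647)
  AND (EventId <> 646 OR String06 <> '-')   -- same String06 filter as the designer report
  AND CreationTime >= DATEADD(day, -7, GETUTCDATE())
ORDER BY CreationTime DESC;

-- Scenario 2: logon failures because the password has expired (535).
-- String06 <> '-' mirrors the designer filter; a dash is ACS's placeholder
-- for an event parameter that was not populated.
SELECT CreationTime,
       EventMachine                          AS DomainController,
       ISNULL(TargetDomain, '') + '\' + ISNULL(TargetUser, '') AS Account,
       String06                              AS WorkstationOrParam06
FROM AdtServer.dvAll
WHERE EventId = 535
  AND String06 <> '-'
  AND CreationTime >= DATEADD(day, -7, GETUTCDATE())
ORDER BY CreationTime DESC;

-- Scenario 3: accounts auto-locked by the lockout policy (644), with a count
-- per account so repeat lockouts (a common brute-force or stale-credential
-- symptom) stand out.
SELECT ISNULL(TargetDomain, '') + '\' + ISNULL(TargetUser, '') AS Account,
       COUNT(*)          AS Lockouts,
       MIN(CreationTime) AS FirstLockout,
       MAX(CreationTime) AS LastLockout
FROM AdtServer.dvAll
WHERE EventId = 644
  AND CreationTime >= DATEADD(day, -7, GETUTCDATE())
GROUP BY TargetDomain, TargetUser
ORDER BY Lockouts DESC, LastLockout DESC;

-- Scenario 4: GPO changes (566 on objects of class groupPolicyContainer).
-- String02 is ASSUMED to hold the object name, for example
-- CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
-- The GUID between the braces is extracted (guarded, because SUBSTRING with a
-- negative length raises an error) and the two well-known default GPOs are
-- resolved inline; any other GUID still has to be looked up in GPMC.
SELECT CreationTime,
       EventMachine                          AS DomainController,
       ISNULL(PrimaryDomain, '') + '\' + ISNULL(PrimaryUser, '') AS ChangedBy,
       g.GpoGuid,
       CASE UPPER(g.GpoGuid)
            WHEN '{31B2F340-016D-11D2-945F-00C04FB984F9}' THEN 'Default Domain Policy'
            WHEN '{6AC1786C-016F-11D2-945F-00C04FB984F9}' THEN 'Default Domain Controllers Policy'
            ELSE NULL                        -- resolve in GPMC / Get-GPO -Guid
       END                                   AS GpoName,
       String02                              AS ObjectName
FROM AdtServer.dvAll
CROSS APPLY (
    SELECT CASE
             WHEN CHARINDEX('{', String02) > 0
              AND CHARINDEX('}', String02) > CHARINDEX('{', String02)
             THEN SUBSTRING(String02,
                            CHARINDEX('{', String02),
                            CHARINDEX('}', String02) - CHARINDEX('{', String02) + 1)
             ELSE NULL
           END AS GpoGuid
) AS g
WHERE EventId = 566
  AND String01 LIKE '%groupPolicyContainer%'
  AND CreationTime >= DATEADD(day, -7, GETUTCDATE())
ORDER BY CreationTime DESC;
```

Run each query with a wide time window first; an empty result is almost always one of the collection problems listed in the notes above (audit policy not enabled, forwarder not configured, collector filter dropping the event), not a bug in the query, and is the same reason a designer report comes back empty.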