000013788 - Windows - Computer Account changes report doesn't show detail of the changes

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013788
Applies ToEnvision 3.5.x, 3.7.x
IssueYou wish to generate report that show the detail information of the changes for computer account
You generate the report "Windows - computer Account changes" to look for what changes occur on the computer account. However, in the report you only see the action as "Computer Account Changed". You wish to know what changes occur instead. E.g: Account being created, deleted etc
CauseThe default report only look looks at some specific Windows event, in particular, event ID, 645, 646 and 647.

These event IDs doesn?t give details information of what exactly are those changes.

 

If you like to look at the detail information of the changes, you will need to modify the existing report to look at other event ID. In specific, you need to look at event ID 624, 628 and 630. For your reference,

 

Event 624 is for user account created,

Event 628 is for user account password being set

Event 630 is for user account deleted

 

Resolution

To modify the report to look at these event

1. select the ?Windows ? Computer Account changes? report, then click copy, then modify.

2. After that, leave everything as default until you see SQL query.

3. Change the last part of the query from

'Security_645_Security','Security_646_Security','Security_647_Security'

 

To

 

'Security_624_Security','Security_628_Security','Security_630_Security'

 

Then the rest can stay default. After that the report will show specifically for users account add, delete or password being set

Legacy Article IDa42546

Attachments

    Outcomes