This is specific to the Microsoft Active Directory and Windows


Some events (only know of 4740 so far) don't include all information
needed for 'IdT' ( to
attach the event to a user (username, domainname, and tenant). In the
case of 4740, the domainname is missing.


The temporary solution is to have the Collector map the available SID to
the TargetUserName(dun) / TargetUserDomain(rv45) until such time NetIQ
provide a permanent solution to the "enhancement request".

So, I've been looking at Norbert's 'Cool Solution'
( for mapping SIDs as a basis.

My question is, if I change dun/rv45 to use my map based on
TargetUserID(tuid), does the original dun/rv45 value pass through if it
doesn't match in the map or is it stripped? I would like to only change
Record.prototype.parse_4740 rather than every single event id....but if
I have to, I have to.

-"Also now available in 'G+'
( and 'Website'
( format".-
ScorpionSting's Profile:
View this thread: