I was wondering if someone could help me understand why I'm seeing what
I'm seeing. In Sentinel, I'm looking for a particular event and
generating reports on it. The event ID is 4732 - A member was added to
a security-enabled local group. When looking in the security logs on
the server itself, the event has the following fields:

Security ID: [domain\user]
Account name: [user account name]
Security ID: [local computer name]\[local user name]
Account name: -

When I look for this same event in Sentinel, I see the correct Initiator
User Name from the 'Subject' section above, but when looking at the
Target information, the Target User ID comes across as a standard SID
value (i.e. S-1-5-xxxxxx), not the same computername\username format as
shown in the 'Member' section. Since there is no account name listed in
the member section, there isn't a Target User Name field in Sentinel
either. This format makes it difficult to quickly see which account was
added to the group in question. I've recently updated my Windows
Collector to version 2011.1r7 thinking that would solve this issue, but
I guess that only pertains to the actual 'Account Name' field.

Why is this happening and is there an easy fix for this to report the
account name that was added to the group instead of the SID itself?

tyl3r32's Profile: https://forums.netiq.com/member.php?userid=11631
View this thread: https://forums.netiq.com/showthread.php?t=56306
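
One way to see the member account name next to the SID for event 4732, as an added example that is not part of the original post: the PowerShell below reads the events from the Security log and translates each member SID to a name. It assumes it is run elevated on the server that logged the event (a local account SID only resolves there), uses the field names of the Windows event XML rather than Sentinel's, and the function name Resolve-Sid is hypothetical.

```powershell
# Added example: report event 4732 with the member SID translated to a name.
# Assumption: run elevated on the server that recorded the event.

function Resolve-Sid {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account, or a SID that this machine cannot resolve:
        # keep the raw SID so the row is still reported.
        return $Sid
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } `
                       -ErrorAction SilentlyContinue

$report = foreach ($evt in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # For a local account the stored MemberName is "-", so the name
    # has to come from translating MemberSid.
    $member = $data['MemberName']
    if ([string]::IsNullOrEmpty($member) -or $member -eq '-') {
        $member = Resolve-Sid -Sid $data['MemberSid']
    }

    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Initiator   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        MemberSid   = $data['MemberSid']
        Member      = $member
    }
}

$report | Sort-Object TimeCreated | Format-Table -AutoSize
```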