Posted 2/19/2010 11:41:24 AM
Forum Newbie
Group: Forum Members
Last Login: 3/2/2010 10:16:53 AM
Posts: 2, Visits: 15

I have watched "Auditing File Access with the Windows Server 2008 Security Log - The Good Bad and Ugly". After a long search it was the best tutorial on this subject I have found. I have also found one ugly thing that is driving me crazy.

When I delete a file with a Windows client I get event 4663 like this:

Subject:
Security ID:  KOPRIVA\d.rakita
Account Name:  d.rakita
Account Domain:  KOPRIVA

This is great. I know who has deleted the file. But when a Macintosh client deletes a file I get this:

Subject:
Security ID:  SYSTEM
Account Name:  R2$
Account Domain:  KOPRIVA


In this case I do not know who has deleted the file.

It is interesting that if a file is moved (cut/paste) with the Macintosh, the event log is normal, with the account name of the user. In this case it is not followed by event 4660.
I have tried with a Windows client that is not an AD member and I do not have the problem with the logs.
There was some advice to try adjusting the Macintosh, but I think it is smarter to adjust the server, because I cannot control clients the way I can control my server.

AD controller is Windows 2003
File server – Windows 2008 and Windows 2008 R2
Mac client is OS X 10.4 and 10.5 (connecting by SMB)
Post #313
Posted 2/22/2010 9:11:22 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
That is weird. You aren't running some kind of server-side middleware for the Mac?
Post #317
Posted 2/22/2010 10:53:35 AM
Forum Newbie
Group: Forum Members
Last Login: 3/2/2010 10:16:53 AM
Posts: 2, Visits: 15
No. While we were using Windows 2003 we used AppleTalk, but from 2008 nothing extra is enabled. Only SMB.

I have made a test domain with default settings and the problem is there also. I could try with a Win2008 domain controller.

Post #318
Posted 2/24/2010 9:49:13 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I'm stumped on that one. I'll let you know if we come up with something.
Post #319
Posted 8/8/2012 11:20:47 AM
Forum Newbie
Group: Forum Members
Last Login: 8/9/2012 4:53:40 PM
Posts: 1, Visits: 3
Event ID 4663 showing the client computer name (ABC$) as Account Name when deleting a folder:

When a folder with files & subfolders is deleted I get an event 4663 which shows the correct Account Name for the FILE deleted event BUT NOT for the folder & subfolders.

The folder delete event shows the Account Name field as SERVERNAME$ (where ServerName$ is the name of the client computer from which the share is accessed) in event 4663.

Any ideas on why it would show the server name and not the user who did it? Your help is much appreciated.
Post #1056
Posted 9/12/2012 5:51:18 AM
Forum Newbie
Group: Forum Members
Last Login: 3/28/2017 10:04:30 AM
Posts: 6, Visits: 3
Hi Randy,
I checked the SACL settings but it still occurs. Kindly help to resolve.

Account Name field of 4663 and 4660 displays the system account (FileServer$) instead of the user name when deleting a folder:

A folder with files & subfolders is deleted. The following sequence of events, 4656, 4663, 4660, 4658, is logged for the parent folder, subfolders and files in the security event log. For the parent folder and subfolder events, the Account Name field of event ID 4656 displays the user who deleted the folder, but the Account Name field of event IDs 4663 and 4660 displays the SYSTEM account, i.e. the file server name, instead of the user name. This is not occurring for files inside the subfolders.

The above issue is happening only for
* the parent folder and subfolders, and not for files inside them;
* deletion through a network share, and not locally.
Sample events of 4656, 4663, 4660:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11-09-2012 20:03:41
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: FS01.test.com
Description:
A handle to an object was requested.

Subject:
Security ID: S-1-5-21-34352134455-267854504-159913591-49381
Account Name: vijay
Account Domain: test.com
Logon ID: 0x7e95119f

Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume4\ShareA\testFolder
Handle ID: 0x7498

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE

Access Mask: 0x10000
Privileges Used for Access Check: -
Restricted SID Count: 0

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11-09-2012 20:03:41
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: FS01.test.com
Description:
An attempt was made to access an object.

Subject:
Security ID: SYSTEM
Account Name: FS01$
Account Domain: test.com
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume4\Shared\testFolder
Handle ID: 0x7498

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Accesses: DELETE

Access Mask: 0x10000


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11-09-2012 20:03:41
Event ID: 4660
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: FS01
Description:
An object was deleted.

Subject:
Security ID: SYSTEM
Account Name: FS01$
Account Domain: test.com
Logon ID: 0x3e7

Object:
Object Server: Security
Handle ID: 0x7498

Process Information:
Process ID: 0x4
Process Name:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Post #1080
Posted 9/20/2012 5:26:44 AM
Forum Newbie
Group: Forum Members
Last Login: 3/28/2017 10:04:30 AM
Posts: 6, Visits: 3
Yes, we don't need to look at 4656 for folder/file deletions. Actually we correlate 4663 and 4660 by handle ID and process ID to make sure the file/folder is deleted. Using the above correlation we are not able to find out the user, because it shows servername$ for folder deletions, not files. So my question is why Windows logs servername$ in 4663 and 4660 events only for folder deletions.
Post #1100
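As an added example, not code from the thread or from the tutorial it discusses, the following Python sketch performs the handle-ID correlation this post describes and, when 4663/4660 carry the machine account, walks back to the 4656 on the same handle to recover the requesting user. The event text is a constructed, trimmed copy of the 4656/4663/4660 sample posted above; the field names are the ones those events use.

```python
import re
# Constructed sample modelled on the quoted events (trimmed to the fields used here); not a real log.
SAMPLE_LOG = r"""Event ID: 4656
Account Name: vijay
Object Name: \Device\HarddiskVolume4\ShareA\testFolder
Handle ID: 0x7498
Accesses: DELETE

Event ID: 4663
Account Name: FS01$
Object Name: \Device\HarddiskVolume4\ShareA\testFolder
Handle ID: 0x7498
Accesses: DELETE

Event ID: 4660
Account Name: FS01$
Handle ID: 0x7498
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.+)$")   # "Name: value" lines; bare "Subject:" is skipped

def parse_events(text):
    """Return one dict per blank-line-separated event block in the exported text."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if "Event ID" in fields:
            events.append({k.strip(): v.strip() for k, v in fields.items()})
    return events

def is_machine_account(name):
    # Computer accounts end in '$'; SYSTEM is the file server itself, not a person.
    return name.endswith("$") or name.upper() == "SYSTEM"

def resolve_deletions(events):
    """Chain 4656 -> 4663 (DELETE) -> 4660 on Handle ID; if 4663/4660 name the machine
    account, attribute the delete to the 4656 subject, which still carries the real user."""
    by_handle = {}
    for ev in events:
        by_handle.setdefault(ev["Handle ID"], {})[ev["Event ID"]] = ev
    out = []
    for handle, chain in by_handle.items():
        req, acc, gone = chain.get("4656"), chain.get("4663"), chain.get("4660")
        if not (gone and acc and "DELETE" in acc.get("Accesses", "")):
            continue
        user, src = gone["Account Name"], "4660"
        if is_machine_account(user) and req:
            user, src = req["Account Name"], "4656"
        out.append({"handle": handle, "object": acc.get("Object Name"), "user": user, "resolved_from": src})
    return out
```

Handle IDs are reused once a handle is closed, so on a real log the chain must also be keyed on Process ID and reset at the matching 4658, as the post's own correlation does.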
Posted 9/25/2012 8:28:01 AM
Forum Newbie
Group: Forum Members
Last Login: 3/28/2017 10:04:30 AM
Posts: 6, Visits: 3
Then why is it happening for folders and not files? And even when deleting through the network, not locally.
Post #1106