Do you have a sample Event?
Posted 11/3/2011 10:29:19 PM
Expert from Quest Software

Group: Forum Members
Last Login: 2/11/2012 12:15:37 AM
Posts: 18, Visits: 8
Hi Randy,

  Do you have a sample event from this - something from the wild?  I'm curious if this event really exists. 

  Also, if it does exist, what server would we see it on?  I would think SID filtering is a domain-level event, but having it in the logon/logoff policy (instead of Account Logon Policy) confuses me. After all, assigning SIDs to a logon token is part of MS's little loop in Kerberos, and users don't produce logon/logoff events on a DC when connecting to a workstation or member server. 

Thanks for any help!

Post #829
Posted 11/14/2011 8:56:58 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Sorry, B., no sample.
Post #851
Posted 2/16/2012 11:16:36 AM
Forum Newbie

Group: Forum Members
Last Login: 8/13/2012 8:46:26 AM
Posts: 2, Visits: 3
Here are a few samples from one of our Domain controllers (2008R2).

<13>Feb 16 10:34:27 192.168.255.64 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=1.0.14    Source=Microsoft-Windows-Security-Auditing    Computer=XXXXX.XXXXX.NET    User=     Domain=     EventID=4675    EventIDCode=4675    EventType=16    EventCategory=12544    RecordNumber=23065964    TimeGenerated=1329406463    TimeWritten=1329406463    Message=SIDs were filtered.  Target Account:  Security ID:  XX\username  Account Name:  -  Account Domain:  -  Trust Information:  Trust Direction: 2  Trust Attributes: 8  Trust Type: 2  TDO Domain SID: HH  Filtered SIDs:    XX\Domain Users

<13>Feb 16 10:33:06 192.168.255.64 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=1.0.14    Source=Microsoft-Windows-Security-Auditing    Computer=XXXXX.XXXXX.NET    User=     Domain=     EventID=4675    EventIDCode=4675    EventType=16    EventCategory=12544    RecordNumber=23065938    TimeGenerated=1329406383    TimeWritten=1329406383    Message=SIDs were filtered.  Target Account:  Security ID:  XX\username  Account Name:  -  Account Domain:  -  Trust Information:  Trust Direction: 2  Trust Attributes: 8  Trust Type: 2  TDO Domain SID: HH  Filtered SIDs:    XX\Domain Users

Post #913
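
An added example, not part of any post in this thread: a Python parser for forwarded 4675 lines in the layout posted above, which also decodes the numeric trust fields. The function name `parse_4675` is hypothetical, the code meanings are the standard trustDirection / trustType / trustAttributes values of a trusted domain object, and the separator used for multiple filtered SIDs is an assumption.

```python
import re

# Constructed sample, shortened from the layout of the forwarded events quoted in the thread.
SAMPLE = (
    "<13>Feb 16 10:34:27 192.168.255.64 AgentDevice=WindowsLog    "
    "Computer=XXXXX.XXXXX.NET    EventID=4675    TimeGenerated=1329406463    "
    "Message=SIDs were filtered.  Target Account:  Security ID:  XX\\username  "
    "Account Name:  -  Account Domain:  -  Trust Information:  Trust Direction: 2  "
    "Trust Attributes: 8  Trust Type: 2  TDO Domain SID: HH  "
    "Filtered SIDs:    XX\\Domain Users"
)

# Numeric codes as defined for the trustDirection / trustType / trustAttributes attributes.
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel", 2: "uplevel", 3: "MIT", 4: "DCE"}
ATTRIBUTES = {0x1: "NON_TRANSITIVE", 0x2: "UPLEVEL_ONLY", 0x4: "QUARANTINED_DOMAIN",
              0x8: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION",
              0x20: "WITHIN_FOREST", 0x40: "TREAT_AS_EXTERNAL"}
# Section headers are listed too so that they delimit the values around them.
LABELS = ["Target Account", "Security ID", "Account Name", "Account Domain",
          "Trust Information", "Trust Direction", "Trust Attributes", "Trust Type",
          "TDO Domain SID", "Filtered SIDs"]

def parse_4675(line):
    """Return a dict for a forwarded 4675 line, or None for any other line."""
    head, sep, message = line.partition("Message=")
    fields = dict(re.findall(r"(\w+)=(\S*)", head))
    if not sep or fields.get("EventID") != "4675":
        return None
    # Locate every label, then slice the message between consecutive labels.
    marks = sorted((m.start(), m.end(), label) for label in LABELS
                   for m in re.finditer(re.escape(label) + ":", message))
    values = {}
    for i, (_, end, label) in enumerate(marks):
        stop = marks[i + 1][0] if i + 1 < len(marks) else len(message)
        values.setdefault(label, message[end:stop].strip())
    attrs = int(values["Trust Attributes"])
    return {
        "computer": fields.get("Computer"),
        "time": int(fields.get("TimeGenerated", 0)),
        "target": values["Security ID"],
        "direction": DIRECTION.get(int(values["Trust Direction"]), "unknown"),
        "trust_type": TRUST_TYPE.get(int(values["Trust Type"]), "unknown"),
        "attributes": [name for bit, name in ATTRIBUTES.items() if attrs & bit],
        "tdo_domain_sid": values["TDO Domain SID"],
        # Assumption: the agent separates multiple filtered SIDs with runs of spaces.
        "filtered_sids": re.split(r"\s{2,}", values["Filtered SIDs"]),
    }
```

For the values in the posted samples (Trust Direction 2, Trust Attributes 8, Trust Type 2), this decodes to an outbound, forest-transitive trust to an Active Directory (uplevel) domain.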
All times are GMT -5:00.