Tyler,

In my experience, often these identifiers are GUIDs. GUIDs are names dynamically generated for objects that are instantiated in memory from an object class, so it is not always searchable. There are some well-known GUIDs that correspond to Windows system objects. I usually just punch the GUID into Google and the answer is there pretty quick as to whether it's well known or not.

From http://www.webopedia.com/TERM/G/GUID.html

Short for Globally Unique Identifier, a unique 128-bit number that is produced by the Windows OS or by some Windows applications to identify a particular component, application, file, database entry, and/or user. For instance, a Web site may generate a GUID and assign it to a user's browser to record and track the session. A GUID is also used in a Windows registry to identify COM DLLs. Knowing where to look in the registry and having the correct GUID yields a lot of information about a COM object (i.e., information in the type library, its physical location, etc.). Windows also identifies user accounts by a username (computer/domain and username) and assigns it a GUID. Some database administrators even will use GUIDs as primary key values in databases.

GUIDs can be created in a number of ways, but usually they are a combination of a few unique settings based on a specific point in time (e.g., an IP address, network MAC address, clock date/time, etc.).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_wellknownobjects.asp provides a list, but again, Google is your friend for access into many web-based lists like this.

In your example, the Object name came up with nothing (which makes sense because this should be unique and specific to domain).
The type did get a hit (which makes sense because a type is more of a property of an object class than unique to an object instance).

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=GUID+list+19195a5b-6da0-11d0-afd3-00c04fd930c9

"Window NT Domain with DNS-based (DC=) naming."

It seems that this is an object name that corresponds to a particular AD domain. I bet you can create a map of your domains to GUIDs over time if you care to.

I am sure there are other Windows experts out there that can elaborate in more depth...

Wynn

Tyler, Grayling wrote:

> I've been searching for information relating to auditing of Active
> directory (AD) access. When Directory service access auditing is
> turned on, various events are produced (e.g. 563, 565 etc) to log the
> action taken by the account making the call. To date I have been
> unable to locate any information regarding the "Object Type" and
> "Object Name" fields reported in the logs (see sample below). So I
> thought I'd ask the list just in case anyone has run across this type
> of information. If you have I'd appreciate an email.
>
> SEC,6/1/2004,23:55:30,Security,565,Success,Directory Service Access
> ,TDomain\administrator,DC01,Object Open:^` Object Server: DS^`
> Object Type: \{19195a5b-6da0-11d0-afd3-00c04fd930c9\}^`
> Object Name: \{aa687b49-3737-4053-ab8b-c6216ff20e04\}^` New
> Handle ID: 0^` Operation ID: \{0 7375296\}^` Process ID:
> 308^` Primary User Name: DC01$^` Primary Domain:
> TDomain^` Primary Logon ID: (0x0 0x3E7)^` Client User
> Name: administrator^` Client Domain: DC01^` Client
> Logon ID: (0x0 0xE4BF)^` Accesses Control
> Access ^` ^` Privileges -^`^`
> Properties:^`Control Access ^`
> \{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2\}^`^`\par
>
> }
>
>
> Thanks
>
>------------------------------------------------------------------------
>
>_______________________________________________
>LogAnalysis mailing list
>LogAnalysis@private
>http://lists.shmoo.com/mailman/listinfo/loganalysis

--
Wynn Fenwick, GCIH, GCIA
Senior Consultant, Information Security COE
CGI Information Systems & Management Consultants
This archive was generated by hypermail 2b30 : Thu Jun 03 2004 - 11:52:32 PDT
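
The lookup described in the reply above, as an added example that is not part of the original thread: it splits the quoted event 565 record on its `^`` separators, pulls out the Object Type, Object Name and Properties GUIDs, and resolves them against a table of well-known GUIDs. The function names and `KNOWN_GUIDS` are hypothetical, the table holds only the one mapping the reply reports, and the sample record is the one from the post joined onto a single line.

```python
import re

# Constructed sample: the event 565 record quoted in the thread, joined onto one
# line with the e-mail quote markers and trailing RTF residue removed.
SAMPLE = (
    r"SEC,6/1/2004,23:55:30,Security,565,Success,Directory Service Access,"
    r"TDomain\administrator,DC01,Object Open:^` Object Server: DS^` "
    r"Object Type: \{19195a5b-6da0-11d0-afd3-00c04fd930c9\}^` "
    r"Object Name: \{aa687b49-3737-4053-ab8b-c6216ff20e04\}^` "
    r"New Handle ID: 0^` Operation ID: \{0 7375296\}^` Process ID: 308^` "
    r"Primary User Name: DC01$^` Primary Domain: TDomain^` "
    r"Primary Logon ID: (0x0 0x3E7)^` Client User Name: administrator^` "
    r"Client Domain: DC01^` Client Logon ID: (0x0 0xE4BF)^` "
    r"Accesses Control Access ^` ^` Privileges -^`^` "
    r"Properties:^`Control Access ^` \{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2\}^`^`"
)

# Hypothetical table; its one entry is the search hit reported in the reply.
KNOWN_GUIDS = {
    "19195a5b-6da0-11d0-afd3-00c04fd930c9": "Window NT Domain with DNS-based (DC=) naming",
}

# A braced GUID, with or without the export's backslash escapes.
GUID_RE = re.compile(r"\\?\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\\?\}")

def parse_565(record):
    """Return the 'Name: value' fields that follow 'Object Open:'."""
    fields = {}
    for chunk in record.partition("Object Open:")[2].split("^`"):
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*?)\s*$", chunk)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def guid_of(value):
    m = GUID_RE.search(value or "")
    return m.group(1).lower() if m else None

def resolve(guid):
    return KNOWN_GUIDS.get(guid, "unresolved: not in table")

def summarize(record):
    fields = parse_565(record)
    props = record.partition("Properties:")[2]  # GUIDs listed after Properties:
    return {
        "client": fields.get("Client User Name"),
        "object_type": guid_of(fields.get("Object Type")),
        "object_name": guid_of(fields.get("Object Name")),
        "properties": [g.lower() for g in GUID_RE.findall(props)],
    }
```

Recording each unresolved Object Name GUID alongside the domain controller that logged it is one way to build the domain-to-GUID map the reply suggests.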