topic Re: Splunk for AD - Group Policy Changes Query in All Apps and Add-ons

Splunk for AD - Group Policy Changes Query

BP9906 — Mon, 28 Sep 2020 13:14:35 GMT

Hello,
Has anyone come across an issue where the Group Policy Change Management information wont load?

I discovered its because the "Object_Name" is not a DN value sometimes.

When I run this:
eventtype=msad-ad-access Object_Type="groupPolicyContainer" | eval adminuser=src_nt_domain."\".src_user | eval Object_Name=replace(Object_Name,"}CN","},CN") | stats count values(Object_Name) by host

I get variations like this:
CN={6426A7DE-BDD3-4124-AD09-93782F200DE0},CN=Policies,CN=System,DC=domain
{44e14ec4-6218-40bd-bbc1-bf16d5addb58}

Why would that be?

I confirmed my DS log entries sometimes have either notation even for the same server.

Thank you for your help.

Re: Splunk for AD - Group Policy Changes Query

ahall_splunk — Wed, 06 Feb 2013 17:52:18 GMT

I've not seen the GUID version before. I normally see the full DN - either complete or missing a comma (which is handled by the eval statement). As a result, we'll have to deal with this as a bug and fix it in a future release.

I've filed this in our bug tracking system.

Re: Splunk for AD - Group Policy Changes Query

hvandenb — Mon, 28 Sep 2020 13:31:01 GMT

Do we know when this might be fixed? We have the same issue where the Group Policy is a GUID in the logs but have a full DN. Also this is generating the following error.

External search command 'ldapfetch' returned error code 1. First 1000 (of 2586) bytes of script output: "Object_Name,mv_Object_Name,displayName,mv_displayName,Access_Mask,mv_Access_Mask,Accesses,mv_Accesses,Account_Domain,mv_Account_Domain,Account_Name,mv_Account_Name,Caller_Domain,mv_Caller_Domain,Caller_Machine_Name,mv_Caller_Machine_Name,Caller_User_Name,mv_Caller_User_Name,CategoryString,mv_CategoryString,Client_Address,mv_Client_Address,Client_Domain,mv_Client_Domain,Client_Machine_Name,mv_Client_Machine_Name,Client_User_Name,mv_Client_User_Name,ComputerName,mv_ComputerName,Domain,mv_Domain,EventCode,mv_EventCode,EventType,mv_EventType,Handle_ID,mv_Handle_ID,Image_File_Name,mv_Image_File_Name,Keywords,mv_Keywords,LogName,mv_LogName,Logon_ID,mv_Logon_ID,Message,mv_Message,New_Account_Name,mv_New_Account_Name,New_Domain,mv_New_Domain,Object_Server,mv_Object_Server,Object_Type,mv_Object_Type,OpCode,mv_OpCode,Operation_Type,mv_Operation_Type,Parameter_1,mv_Parameter_1,Parameter_2,mv_Parameter_2,Primary_Domain,__mv_Primary_Do"
ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{927ED781-C19A-4282-9E34-CE6C1116D6E3}

Re: Splunk for AD - Group Policy Changes Query

mbalasko — Tue, 02 Apr 2013 21:04:16 GMT

I seem to get the same thing- Trying to figure out a work around as the AD guys would love to see Group Policy Changes.

ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{6504ceb9-3800-474d-b76e-7a4acf73cf4c}'.

Re: Splunk for AD - Group Policy Changes Query

jbernt_splunk — Mon, 22 Jul 2013 16:57:26 GMT

What server Operating System, Platform (x86/x64), domain and forest levels are you seeing this on?

Re: Splunk for AD - Group Policy Changes Query

BP9906 — Mon, 22 Jul 2013 17:00:21 GMT

2008 R2 OS, '2003 server' domain and forest level.

Re: Splunk for AD - Group Policy Changes Query

selim — Wed, 05 Mar 2014 08:42:54 GMT

Hello, did anyone got a solution for this? I'm facing the same issue.

Re: Splunk for AD - Group Policy Changes Query

arber — Thu, 18 Sep 2014 08:09:53 GMT

Is there any fix for this problem ..we have the same issue