Hello,
Has anyone come across an issue where the Group Policy Change Management information won't load?
I discovered it's because the "Object_Name" is not a DN value sometimes.
When I run this:
eventtype=msad-ad-access Object_Type="groupPolicyContainer" | eval adminuser=src_nt_domain."\\".src_user | eval Object_Name=replace(Object_Name,"}CN","},CN") | stats count values(Object_Name) by host
I get variations like this:
CN={6426A7DE-BDD3-4124-AD09-93782F200DE0},CN=Policies,CN=System,DC=domain
{44e14ec4-6218-40bd-bbc1-bf16d5addb58}
Why would that be?
I confirmed my DS log entries sometimes have either notation even for the same server.
Thank you for your help.

I've not seen the GUID version before. I normally see the full DN - either complete or missing a comma (which is handled by the eval statement). As a result, we'll have to deal with this as a bug and fix it in a future release.
I've filed this in our bug tracking system.
Do we know when this might be fixed? We have the same issue where the Group Policy is a GUID in the logs but have a full DN. Also, this is generating the following error:
External search command 'ldapfetch' returned error code 1. First 1000 (of 2586) bytes of script output: "Object_Name,mv_Object_Name,displayName,mv_displayName,Access_Mask,mv_Access_Mask,Accesses,mv_Accesses,Account_Domain,mv_Account_Domain,Account_Name,mv_Account_Name,Caller_Domain,mv_Caller_Domain,Caller_Machine_Name,mv_Caller_Machine_Name,Caller_User_Name,mv_Caller_User_Name,CategoryString,mv_CategoryString,Client_Address,mv_Client_Address,Client_Domain,mv_Client_Domain,Client_Machine_Name,mv_Client_Machine_Name,Client_User_Name,mv_Client_User_Name,ComputerName,mv_ComputerName,Domain,mv_Domain,EventCode,mv_EventCode,EventType,mv_EventType,Handle_ID,mv_Handle_ID,Image_File_Name,mv_Image_File_Name,Keywords,mv_Keywords,LogName,mv_LogName,Logon_ID,mv_Logon_ID,Message,mv_Message,New_Account_Name,mv_New_Account_Name,New_Domain,mv_New_Domain,Object_Server,mv_Object_Server,Object_Type,mv_Object_Type,OpCode,mv_OpCode,Operation_Type,mv_Operation_Type,Parameter_1,mv_Parameter_1,Parameter_2,mv_Parameter_2,Primary_Domain,__mv_Primary_Do"
ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{927ED781-C19A-4282-9E34-CE6C1116D6E3}
Is there any fix for this problem? We have the same issue.

Hello, did anyone get a solution for this? I'm facing the same issue.
2008 R2 OS, '2003 server' domain and forest level.

What server Operating System, Platform (x86/x64), domain and forest levels are you seeing this on?
I seem to get the same thing. Trying to figure out a workaround, as the AD guys would love to see Group Policy changes.
ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{6504ceb9-3800-474d-b76e-7a4acf73cf4c}'.
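
An added example, not part of the thread and not the app's own code: a sketch of classifying the three `Object_Name` forms reported above (full DN, DN with the missing comma, bare GUID) before the value reaches an LDAP lookup. The function name and the `DC=example,DC=com` base DN are assumptions; the rebuilt DN relies on GPO containers living under `CN=Policies,CN=System` of the domain, as the full DN in the first post shows.

```python
import re

# Bare GUID in braces, the form that makes the DN parser fail ("no equal sign ... RDN").
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Same repair as the SPL replace(Object_Name,"}CN","},CN") in the original search.
MISSING_COMMA_RE = re.compile(r"\}(?=CN=)")
# Loose DN check: the first RDN must look like attribute=value.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+")


def normalize_object_name(value, domain_dn):
    """Return (dn, form); dn is None when the value cannot be turned into a DN.

    form is one of 'dn', 'dn_missing_comma', 'bare_guid', 'unknown'.
    domain_dn is the domain's base DN (assumed to be known to the caller).
    """
    v = value.strip()
    if GUID_RE.match(v):
        # Rebuild the groupPolicyContainer DN from the GUID alone.
        return "CN=%s,CN=Policies,CN=System,%s" % (v, domain_dn), "bare_guid"
    if DN_RE.match(v):
        fixed = MISSING_COMMA_RE.sub("},", v)
        form = "dn" if fixed == v else "dn_missing_comma"
        return fixed, form
    # Anything else should be skipped rather than handed to the LDAP lookup.
    return None, "unknown"


if __name__ == "__main__":
    base = "DC=example,DC=com"  # placeholder base DN (assumption)
    samples = [
        # The two values quoted in the first post.
        "CN={6426A7DE-BDD3-4124-AD09-93782F200DE0},CN=Policies,CN=System,DC=domain",
        "{44e14ec4-6218-40bd-bbc1-bf16d5addb58}",
        # Constructed: the missing-comma variant the eval in the search repairs.
        "CN={6426A7DE-BDD3-4124-AD09-93782F200DE0}CN=Policies,CN=System,DC=domain",
        # Constructed: a value that is neither a DN nor a GUID.
        "not a dn",
    ]
    for s in samples:
        print(normalize_object_name(s, base))
```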
