Splunk for AD - Group Policy Changes Query

BP9906
Builder

Hello,
Has anyone come across an issue where the Group Policy Change Management information won't load?

I discovered it's because the "Object_Name" is not a DN value sometimes.

When I run this:

eventtype=msad-ad-access Object_Type="groupPolicyContainer" | eval adminuser=src_nt_domain."\\".src_user | eval Object_Name=replace(Object_Name,"}CN","},CN") | stats count values(Object_Name) by host

I get variations like this:
CN={6426A7DE-BDD3-4124-AD09-93782F200DE0},CN=Policies,CN=System,DC=domain
{44e14ec4-6218-40bd-bbc1-bf16d5addb58}

Why would that be?

I confirmed my DS log entries sometimes have either notation even for the same server.

Thank you for your help.
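A normalization step for the Object_Name shapes quoted in the question, as an added Python example (not code from the original post or from the Splunk for AD app): it reconstructs the GPO's DN from a bare GUID, applies the same missing-comma repair as the eval in the search above, and pre-checks that each value is a well-formed DN so that a value which would make ldapfetch fail is skipped instead of aborting the search. The sample values, BASE_DN and the function names are assumptions for illustration; the one directory fact relied on is that a GPO's container object is named CN={GUID} under CN=Policies,CN=System in its domain's naming context.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Object_Name values modelled on the variations quoted in
# the question (not real log data): a complete DN, the same DN with the comma
# after the GUID's closing brace missing, a bare GUID, and a junk value that
# no rewrite can turn into a DN.
SAMPLE_OBJECT_NAMES = [
    "CN={6426A7DE-BDD3-4124-AD09-93782F200DE0},CN=Policies,CN=System,DC=domain",
    "CN={6426A7DE-BDD3-4124-AD09-93782F200DE0}CN=Policies,CN=System,DC=domain",
    "{44e14ec4-6218-40bd-bbc1-bf16d5addb58}",
    "not a distinguished name",
]

# Assumed: the DN of the domain whose GPOs are audited. The event carries only
# the NetBIOS domain name, so this has to be configured rather than derived.
BASE_DN = "DC=domain"

# A GPO container is named by its GUID in braces; accept either hex case.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# The comma is missing when a closing brace is directly followed by the next RDN.
MISSING_COMMA_RE = re.compile(r"\}(?=CN=)")
# Split a DN on commas that are not escaped with a backslash (RFC 4514).
RDN_SPLIT_RE = re.compile(r"(?<!\\),")


def is_bare_guid(value: str) -> bool:
    """True when the value is only a braced GUID with no RDNs around it."""
    return bool(GUID_RE.match(value.strip()))


def repair_missing_comma(value: str) -> str:
    """Same fix as the question's replace(Object_Name, "}CN", "},CN")."""
    return MISSING_COMMA_RE.sub("},", value)


def guid_to_gpo_dn(guid: str, base_dn: str) -> str:
    """Every GPO container lives under CN=Policies,CN=System of its domain."""
    return f"CN={guid},CN=Policies,CN=System,{base_dn}"


def looks_like_dn(value: str) -> bool:
    """Cheap pre-check mirroring the LDAP SDK rule that every RDN needs 'attr='.

    This is the condition the ldapfetch error in the thread reports, so
    filtering on it keeps one bad event from failing the whole command.
    """
    for rdn in RDN_SPLIT_RE.split(value):
        attr, sep, _ = rdn.partition("=")
        if not sep or not attr.strip():
            return False
    return True


def normalize_object_name(value: str, base_dn: str = BASE_DN) -> Optional[str]:
    """Return a DN usable for an LDAP lookup, or None if the value is unusable."""
    value = value.strip()
    if is_bare_guid(value):
        return guid_to_gpo_dn(value, base_dn)
    value = repair_missing_comma(value)
    return value if looks_like_dn(value) else None


def normalize_all(values: List[str], base_dn: str = BASE_DN) -> Tuple[List[str], List[str]]:
    """Split a batch into lookup-ready DNs and raw values that must be skipped."""
    ok: List[str] = []
    skipped: List[str] = []
    for raw in values:
        dn = normalize_object_name(raw, base_dn)
        if dn is None:
            skipped.append(raw)
        else:
            ok.append(dn)
    return ok, skipped


if __name__ == "__main__":
    good, bad = normalize_all(SAMPLE_OBJECT_NAMES)
    for dn in good:
        print("lookup:", dn)
    for raw in bad:
        print("skip  :", raw)
```

The GUID branch maps onto SPL as an if(match(Object_Name, ...), ...) inside the existing eval, placed before the lookup runs; the validation step is the part worth doing explicitly, since the ldapfetch output quoted later in this thread shows the command returning error code 1 on a single value it cannot decode as a DN.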

1 Solution

ahall_splunk
Splunk Employee

I've not seen the GUID version before. I normally see the full DN - either complete or missing a comma (which is handled by the eval statement). As a result, we'll have to deal with this as a bug and fix it in a future release.

I've filed this in our bug tracking system.

hvandenb
Path Finder

Do we know when this might be fixed? We have the same issue where the Group Policy is a GUID in the logs but has a full DN. Also, this is generating the following error:

External search command 'ldapfetch' returned error code 1. First 1000 (of 2586) bytes of script output: "Object_Name,mv_Object_Name,displayName,mv_displayName,Access_Mask,mv_Access_Mask,Accesses,mv_Accesses,Account_Domain,mv_Account_Domain,Account_Name,mv_Account_Name,Caller_Domain,mv_Caller_Domain,Caller_Machine_Name,mv_Caller_Machine_Name,Caller_User_Name,mv_Caller_User_Name,CategoryString,mv_CategoryString,Client_Address,mv_Client_Address,Client_Domain,mv_Client_Domain,Client_Machine_Name,mv_Client_Machine_Name,Client_User_Name,mv_Client_User_Name,ComputerName,mv_ComputerName,Domain,mv_Domain,EventCode,mv_EventCode,EventType,mv_EventType,Handle_ID,mv_Handle_ID,Image_File_Name,mv_Image_File_Name,Keywords,mv_Keywords,LogName,mv_LogName,Logon_ID,mv_Logon_ID,Message,mv_Message,New_Account_Name,mv_New_Account_Name,New_Domain,mv_New_Domain,Object_Server,mv_Object_Server,Object_Type,mv_Object_Type,OpCode,mv_OpCode,Operation_Type,mv_Operation_Type,Parameter_1,mv_Parameter_1,Parameter_2,mv_Parameter_2,Primary_Domain,__mv_Primary_Do"
ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{927ED781-C19A-4282-9E34-CE6C1116D6E3}

arber
Communicator

Is there any fix for this problem? We have the same issue.

0 Karma

selim
Path Finder

Hello, did anyone get a solution for this? I'm facing the same issue.

0 Karma

BP9906
Builder

2008 R2 OS, '2003 server' domain and forest level.

0 Karma

jbernt_splunk
Splunk Employee

What server Operating System, Platform (x86/x64), domain and forest levels are you seeing this on?

0 Karma

mbalasko
Explorer

I seem to get the same thing. Trying to figure out a workaround, as the AD guys would love to see Group Policy Changes.

ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{6504ceb9-3800-474d-b76e-7a4acf73cf4c}'.

0 Karma