All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk for AD - Group Policy Changes Query

BP9906
Builder
‎02-05-2013 04:35 PM

Hello,
Has anyone come across an issue where the Group Policy Change Management information wont load?

I discovered its because the "Object_Name" is not a DN value sometimes.

When I run this:

eventtype=msad-ad-access Object_Type="groupPolicyContainer" | eval adminuser=src_nt_domain."\".src_user | eval Object_Name=replace(Object_Name,"}CN","},CN") | stats count values(Object_Name) by host

I get variations like this:
CN={6426A7DE-BDD3-4124-AD09-93782F200DE0},CN=Policies,CN=System,DC=domain
{44e14ec4-6218-40bd-bbc1-bf16d5addb58}

Why would that be?

I confirmed my DS log entries sometimes have either notation even for the same server.

Thank you for your help.

Reply
1 Solution
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎02-06-2013 09:52 AM

I've not seen the GUID version before. I normally see the full DN - either complete or missing a comma (which is handled by the eval statement). As a result, we'll have to deal with this as a bug and fix it in a future release.

I've filed this in our bug tracking system.

View solution in original post

Reply
Solved! Jump to solution

hvandenb
Path Finder
‎03-14-2013 07:42 AM

Do we know when this might be fixed? We have the same issue where the Group Policy is a GUID in the logs but have a full DN. Also this is generating the following error.

External search command 'ldapfetch' returned error code 1. First 1000 (of 2586) bytes of script output: "Object_Name,mv_Object_Name,displayName,mv_displayName,Access_Mask,mv_Access_Mask,Accesses,mv_Accesses,Account_Domain,mv_Account_Domain,Account_Name,mv_Account_Name,Caller_Domain,mv_Caller_Domain,Caller_Machine_Name,mv_Caller_Machine_Name,Caller_User_Name,mv_Caller_User_Name,CategoryString,mv_CategoryString,Client_Address,mv_Client_Address,Client_Domain,mv_Client_Domain,Client_Machine_Name,mv_Client_Machine_Name,Client_User_Name,mv_Client_User_Name,ComputerName,mv_ComputerName,Domain,mv_Domain,EventCode,mv_EventCode,EventType,mv_EventType,Handle_ID,mv_Handle_ID,Image_File_Name,mv_Image_File_Name,Keywords,mv_Keywords,LogName,mv_LogName,Logon_ID,mv_Logon_ID,Message,mv_Message,New_Account_Name,mv_New_Account_Name,New_Domain,mv_New_Domain,Object_Server,mv_Object_Server,Object_Type,mv_Object_Type,OpCode,mv_OpCode,Operation_Type,mv_Operation_Type,Parameter_1,mv_Parameter_1,Parameter_2,mv_Parameter_2,Primary_Domain,__mv_Primary_Do"
ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{927ED781-C19A-4282-9E34-CE6C1116D6E3}

Reply
Solved! Jump to solution

arber
Communicator
‎09-18-2014 01:09 AM

Is there any fix for this problem ..we have the same issue

0 Karma
Reply
Solved! Jump to solution

selim
Path Finder
‎03-05-2014 12:42 AM

Hello, did anyone got a solution for this? I'm facing the same issue.

0 Karma
Reply
Solved! Jump to solution

BP9906
Builder
‎07-22-2013 10:00 AM

2008 R2 OS, '2003 server' domain and forest level.

0 Karma
Reply
Solved! Jump to solution

jbernt_splunk
Splunk Employee
Splunk Employee
‎07-22-2013 09:57 AM

What server Operating System, Platform (x86/x64), domain and forest levels are you seeing this on?

0 Karma
Reply
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎02-06-2013 09:52 AM

I've not seen the GUID version before. I normally see the full DN - either complete or missing a comma (which is handled by the eval statement). As a result, we'll have to deal with this as a bug and fix it in a future release.

I've filed this in our bug tracking system.

Reply
Solved! Jump to solution

mbalasko
Explorer
‎04-02-2013 02:04 PM

I seem to get the same thing- Trying to figure out a work around as the AD guys would love to see Group Policy Changes.

ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{6504ceb9-3800-474d-b76e-7a4acf73cf4c}'.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

AI workloads are different. They demand specialized infrastructure—powerful GPUs, enterprise-grade networking, ...

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...