Some Custom ACS Reports
Here are some ACS reports that I’ve written for various customers recently. If you have ACS installed in the same Reporting Services instance as OpsMgr Reporting, then you can just import the attached Management Pack (CustomACSReports.xml). Otherwise, you’ll need to import each .rdl file separately.
Here is a description of each report, along with some screenshots.
Event Search
This report allows the user to search for specific security events (selected from a pre-defined list). The user can choose a specific server or search for events from all servers. The user can also specify search strings for the UserName or Description in the event. The report returns the top 100 events from the specified date range.
Authentication Failure Summary
This report queries the ACS database for Authentication Failure errors logged during a user-specified time range (default is 1 week). The Event IDs queried for are Event ID 675 (Windows Server 2003) and Event ID 4771 (Windows Server 2008). The events are grouped by error code, and the error message and count for each error code are listed in a table. When the user clicks on one of the errors, the Authentication Failure Detail report is run for that error message.
Authentication Failure Detail
This report queries the ACS database for Authentication Failure errors with a specific error code logged during a user-specified time range (default is 1 week). The Event IDs queried for are Event ID 675 (Windows Server 2003) and Event ID 4771 (Windows Server 2008). The events are grouped by IP Address and User Name, and the count for each is displayed in a table.
AD Object Changes
This report will show details of events related to changes in Active Directory. The report will query the ACS database for Event ID 566 / 5136 and show the Event Time, UserName, Domain Controller, Object Type, Object Name, accessed Properties, and the New Value of the property (Win2k8 only). The report also includes options to search for a specific string in the Object Name and/or Property Name.
Exchange AD Object Activity
This report shows events related to changes to Exchange Objects in Active Directory. The report will query the ACS database for Event ID 566 and 5136 within the specified time range, where the object name contains the string "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=". The report groups the events by UserName, and shows the Event Time, Domain Controller, Object Type, Object Name, and accessed Properties. The report also includes an option to exclude changes made by computer accounts.
Account Lockout and Authentication Failure by User
This report accepts a date range, username, and domain and will list all occurrences of the following events for the specified user within the specified date range: Event 644 / 4740 (Account Lockout), Event 529 / 4625 (Unknown Username or Bad Password), Event 675 / 4771 (Kerberos Pre-Authentication Failure), and Event 680 / 4776 (NTLM Authentication Failure).
Account Lockout by User
This report accepts a date range, username, and domain and will list the time and computer name for all account lockout events (Event ID 644 / 4740) for the specified user within the specified date range.
Account Lockout Trends
This report accepts a date range and Domain name and will query for all Account Lockout events (Event ID 644 / 4740) within the specified date range and domain. The report contains charts which show average number of account lockouts for each hour of the day and each day of the week, and a trending chart which will show the number of account lockouts over the specified time range. The report also lists all of the lockouts in a table, grouped by Domain, User, Workstation, and Time.
Top 10 Accounts Failing Authentication
This report will query the ACS database for Authentication Failure events (Event ID 680 and 4776) within the specified time range. The report contains a table which will show the 10 user accounts with the most failures, grouped by Workstation and Error Code.
User Account Management Activity
This report will show the number of various account management events within a specified time range, grouped by domain. The events displayed are Accounts Changed (642, 4738), Accounts Created (624, 4720), Accounts Enabled (626, 4722), Accounts Disabled (629, 4725), Accounts Deleted (630, 4726), Names Changed (685, 4781), Password Resets (628, 4724), and Accounts Unlocked (671, 4767). Clicking on any of the numbers on the report will launch the "Automated Account Change Trends" report for more details.
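A query of the kind this report describes, added here as an example and not the report's own SQL: it counts each Win2k3/Win2k8 event ID pair per domain from the ACS view adtserver.dvall5. The column names EventId, CreationTime and TargetDomain, and the @StartDate/@EndDate parameters with their constructed values, are assumptions.

```sql
-- Added example, not taken from CustomACSReports.xml.
-- Assumed columns on AdtServer.dvAll5: EventId, CreationTime, TargetDomain.
-- @StartDate / @EndDate are hypothetical report parameters (constructed values).
DECLARE @StartDate datetime;
DECLARE @EndDate   datetime;
SET @StartDate = '20100101';
SET @EndDate   = '20100108';

SELECT
    TargetDomain AS Domain,
    -- Each column counts the Win2k3 ID and its Win2k8 counterpart together.
    SUM(CASE WHEN EventId IN (642, 4738) THEN 1 ELSE 0 END) AS AccountsChanged,
    SUM(CASE WHEN EventId IN (624, 4720) THEN 1 ELSE 0 END) AS AccountsCreated,
    SUM(CASE WHEN EventId IN (626, 4722) THEN 1 ELSE 0 END) AS AccountsEnabled,
    SUM(CASE WHEN EventId IN (629, 4725) THEN 1 ELSE 0 END) AS AccountsDisabled,
    SUM(CASE WHEN EventId IN (630, 4726) THEN 1 ELSE 0 END) AS AccountsDeleted,
    SUM(CASE WHEN EventId IN (685, 4781) THEN 1 ELSE 0 END) AS NamesChanged,
    SUM(CASE WHEN EventId IN (628, 4724) THEN 1 ELSE 0 END) AS PasswordResets,
    SUM(CASE WHEN EventId IN (671, 4767) THEN 1 ELSE 0 END) AS AccountsUnlocked
FROM AdtServer.dvAll5
WHERE CreationTime >= @StartDate
  AND CreationTime <  @EndDate          -- half-open range avoids double counting at the boundary
  AND EventId IN (642, 4738, 624, 4720, 626, 4722, 629, 4725,
                  630, 4726, 685, 4781, 628, 4724, 671, 4767)
GROUP BY TargetDomain
ORDER BY TargetDomain;
```

A column that stays at zero for every domain usually means the event is not being collected, which can be checked with the count query against adtserver.dvheader quoted in the comments.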
ACS Events for Specified User
This report accepts a Username, Domain, and date range and will display all events where the specified User/Domain is in the TargetUser/TargetDomain, PrimaryUser/PrimaryDomain, ClientUser/ClientDomain, or HeaderUser/HeaderDomain fields. The domain list is pre-populated.
Event_Report_Basic
This report displays the Computer Name and Date/Time for a specific Event ID within a specified date range.
Comments
Anonymous
January 01, 2003
Sorry, should have disabled that part of the report... I didn't include the "Automated Account Change Trends" report in the blog because it doesn't have a generic way to define "automated", it would be customer-specific.
Anonymous
January 01, 2003
I haven't used the SecureVantage Archiver, but the error is telling us that it does not have a view named adtserver.dvall5, which is the ACS database view that is being used. You'll need to determine the name of the view or table where the data is stored in the database that you are searching, and change the report query to use it.
Anonymous
January 01, 2003
Hi James, Thanks for those reports. Regards, Stefan
Anonymous
January 01, 2003
I don't know from memory what those events are, but all of the reports in this post are Win2k8 compatible, and we have other Win2k8 reports at http://blogs.technet.com/momteam/archive/2009/05/08/acs-reports-for-windows-2008-and-windows-2008-r2.aspx.
Anonymous
January 01, 2003
This report works with Win2k3 or Win2k8 events. For Win2k3, it is looking for event ID 566... check to verify if you are collecting this event by running the following query on the ACS Database: select count(*) from adtserver.dvheader where eventid=566
Anonymous
January 01, 2003
I actually have a report similar to what you are asking for... I'll try to get it posted later.
Anonymous
January 01, 2003
Check the date range that you are entering in the report and verify that the events in your query are within that range. Also, try changing "Include Computer Accounts" to True and see if that makes a difference.
Anonymous
April 04, 2012
Looking for a report event 5139, who and when someone moved a computer object from one OU to another.
Anonymous
April 25, 2013
Have you tested the reports on 2012 SP1? Some of them work fine but others do not, e.g. User Account Management Activity. Are you going to make them compatible with 2012 SP1? It would be nice :) Thanks.
Anonymous
October 03, 2013
Now I found them. Really don't know why I didn't see them so far. Thanks, Roland
Anonymous
April 21, 2014
An update for 2012R2?
Anonymous
December 21, 2015
I'm also having a few issues on SCOM 2012; some reports work, others (AD Object Changes) show the error below.
An error has occurred during report processing. (rsProcessingAborted)
Cannot read the next data row for the dataset OperationsManagerAC. (rsErrorReadingNextDataRow)
For more information about this error navigate to the report server on the local server machine, or enable remote errors
I'm just starting out with SCOM and ACS and would really appreciate some insight as to why this happens.
Thanks for the great work,
Mike