Event ID 4732 sensor (account added to local admin group) does not show user ID

Hi there,

I'm not sure if I get you correctly. Where exactly is SID and UserID stated? Within the event message itself?

Kind regards,
Stephan Linke, Tech Support Team

Correct, within the event message that PRTG shows, it correctly shows (besides the SID) the user who added an account to the local Admin group (depicted below as (anonymized by me) SOMEONESUSERID, where it correctly states the user account), but the account that was actually added, is show as a SID only (here: S-1-5-21-606537616-3266435759-3061854575-109903) and not the user ID (only "Account Name:-" ).

This is what it looks like in the message:

A member was added to a security-enabled local group. Subject: Security ID:S-1-5-21-606507616-3466433759-3051850375-104317 Account Name:SOMEONESUSERID Account Domain:OURCORP Logon ID:0x2d8449 Member: Security ID:S-1-5-21-606537616-3266435759-3061854575-109903 Account Name:- Group: Security ID:S-1-5-32-555 Group Name:Administrators Group Domain:Builtin Additional Information: Privileges:-

We were hoping it would not show Account Name:- but Account Name:ANOTHERUSERID somehow.

Well, since the actual SAM account name is not disclosed in the message, there's no use to monitor that actual event. You might want to add a scheduled task that is executed everytime that event comes in and create a new event log entry that contains both username and the administrator who added it. The following PowerShell script should get you started:

$objSID = New-Object System.Security.Principal.SecurityIdentifier 
("<user's security ID>")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

$objUser.Value should contain the username that can be used for the new event name. If you need more specific event log monitoring, please check out monitoring historic windows events.

Kind regards,
Stephan Linke, Tech Support Team

What I mean is that PRTG seems to leave out the user ID information ("Security ID"). All required information is clearly stated in the Security event with Event ID 4732 like below:

A member was added to a security-enabled local group.

Subject:
Security ID: OURCORP\"UserID of person adding the account"
Account Name: "UserID of person adding the account"
Account Domain: OURCORP
Logon ID: 0x26e1d

Member:
Security ID: OURCORP\"UserID of account added" (this is the event info we also want)
Account Name: -

Group:
Security ID: BUILTIN\Administrators
(this is the group the account was added to) Group Name: Administrators
Group Domain: Builtin

Additional Information:
Privileges: -

PRTG is making use of the Event information provided in "Account Name" only, and if it were to use "Security ID", we would have all information complete. So how can we make that "Security ID" information available (rather than "Account Name" only which is only displayed at the Subject section and not at the Member section of the event.

Yeah, but the message itself is not really parsed with the sensor and probably too long to be displayed in the sensor message. Guess my approach dislclosed in my previous post would be the proper way to go here. Maybe pushing them to a syslog receiver sensor could work as well, since it's easier to search within PRTG.

Kind regards,
Stephan Linke, Tech Support Team