20.1 The AD DS Event

You will see an event such as this in the Windows Security event log any time DRA executes a supported operation.

LDAP Display Name:

extensionAttribute1

Syntax (OID):

2.5.5.12

Value:

<dra-event user="DRDOM300\drauseradmin" sid="S-1-5-21-53918190-1560392134-2889063332-1914" tid="E0E257E6B4D24744A9B0FE3F86EC7038" SubjectUserSid="S-1-5-21-4224976940-2944197837-1672139851-500" ObjectDN="CN=admin_113,OU=Vino_113,DC=DRDOM113,DC=LAB"/>+a+02ROO+bJbhyPbR4leJpKWCGTp/KXdqI7S3EBhVyniE7iXvxIT6eB6IdcXQ5StkbIAHJgKzLN5FCOM5fZcITxyAPLWhbstaA7ZA0VbVC9MGlVIaAcjl3z7mpF9GKXsfDogbSeNlmHliXvH5KpOX3/29AKMPj/zvf6Yuczoos=

The event value consists of two pieces. The first is an XML string containing the Event Stamping data. The second is a signature of the data that can be used to validate that the data was actually generated by DRA. To validate the signature, an application must have the public key for the signature.

The XML string consists of the following information:

User

The assistant administrator who performed the operation

Sid

The SID of the assistant administrator who performed the operation

Tid

The DRA auditing transaction ID to ensure each event is unique

SubjectUserSid

The SID of the DRA service account or access account that actually updated AD

ObjectDN

The distinguished name of the object that was modified
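The following is an added example, not part of the DRA documentation or product code: a parser that splits a stamped value into the two pieces described above and rejects stamps that are structurally incomplete before they reach an audit pipeline. The names `parse_dra_stamp` and `StampError` and the sample value are assumptions made for illustration. Signature verification is not shown, because this page does not state the algorithm, the key format, or exactly which bytes are signed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Attribute names as they appear in the sample value on this page.
REQUIRED = ("user", "sid", "tid", "SubjectUserSid", "ObjectDN")

class StampError(ValueError):
    """The attribute value is not a well-formed DRA event stamp."""

def parse_dra_stamp(value):
    """Return (fields, xml_text, signature_bytes) for one stamped value."""
    value = value.strip()
    # Base64 never contains '>', so the last "/>" closes the XML element
    # even if a quoted attribute (for example ObjectDN) contains "/>".
    end = value.rfind("/>")
    if not value.startswith("<dra-event") or end == -1:
        raise StampError("value does not start with a <dra-event .../> element")
    xml_text, sig_b64 = value[:end + 2], value[end + 2:].strip()
    try:
        # The startswith check above rules out a leading DOCTYPE.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise StampError(f"malformed XML: {exc}") from exc
    if root.tag != "dra-event":
        raise StampError(f"unexpected element {root.tag!r}")
    missing = [name for name in REQUIRED if name not in root.attrib]
    if missing:
        raise StampError(f"missing attributes: {', '.join(missing)}")
    try:
        signature = base64.b64decode(sig_b64, validate=True)
    except binascii.Error as exc:
        raise StampError(f"signature is not valid base64: {exc}") from exc
    if not signature:
        raise StampError("signature is missing")
    return dict(root.attrib), xml_text, signature

# Constructed sample: placeholder names, SIDs and signature bytes.
SAMPLE_XML = (
    '<dra-event user="EXAMPLE\\assistant1" sid="S-1-5-21-1-2-3-1105" '
    'tid="0123456789ABCDEF0123456789ABCDEF" '
    'SubjectUserSid="S-1-5-21-1-2-3-500" '
    'ObjectDN="CN=User One,OU=Staff,DC=example,DC=test"/>'
)
SAMPLE = SAMPLE_XML + base64.b64encode(bytes(128)).decode("ascii")

if __name__ == "__main__":
    fields, _, sig = parse_dra_stamp(SAMPLE)
    print(fields["user"], fields["ObjectDN"], len(sig))
```

A stamp that parses cleanly is only well-formed; it should be treated as generated by DRA only after the returned signature has been validated with the public key.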