It occurs to me that perhaps we don't always do due diligence when it comes to establishing a credible business case for IAM initiatives, and this only comes back to bite us later. One of the easiest metrics to gather is the number of AD administrator password resets, which is precisely the workload a MIM 2016 SSPR (self-service password reset) investment is meant to remove. If we take the recommendation of this blog post, collecting that number is as simple as applying a Windows Event Log filter on each of your AD DCs.
I've set this up on one of my DCs and exported the custom view here for you to try yourself: save the XML below to a file and import it from the Event Viewer console (Action > Import Custom View...):
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>Application,Security</Channel>
        <EventId>4724,627,628,4723</EventId>
        <RelativeTimeInfo>0</RelativeTimeInfo>
        <BySource>False</BySource>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>Admin Password Resets</Name>
      <Description>Events 4724 and 627, 628, 4723</Description>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
          <Select Path="Security">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
  <ResultsConfig>
    <Columns>
      <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
      <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
      <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">150</Column>
      <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">60</Column>
      <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">60</Column>
      <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">60</Column>
      <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
      <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
      <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
      <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
      <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
      <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
      <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
      <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
      <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
      <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
      <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
      <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
      <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
      <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns>
  </ResultsConfig>
</ViewerConfig>
A few things to check before you trust the number. Only 4724 ("An attempt was made to reset an account's password") is an administrator or helpdesk reset; 4723 is a user changing their own password with knowledge of the old one, so leaving it in the filter inflates the count. 627 and 628 are the Windows Server 2003-era equivalents of 4723 and 4724 and will not appear at all on a 2008 or later DC. These events are only ever written to the Security log, so the Application channel in the view is harmless but does nothing, and they are only written if "Audit User Account Management" is enabled for Success in the DC's audit policy (check with auditpol /get /subcategory:"User Account Management"). Finally, 4724 is logged on the DC that processed the reset, so you need every DC to get the full picture, and once SSPR is live the reset service will generate its own 4724s, so record the baseline before deployment and split the counts by the Subject account afterwards.

Of course if you have plenty of DCs you won't want to be clicking through this on each one by hand, so you will want to run the same query on a schedule, say via PowerShell, collate the results from every DC, and chart them in something like Power BI.
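Here is the scheduled version of that query as an added example; it is not code from the original post. It pulls event 4724 from every DC in the domain for the last 30 days, extracts who reset whose password, and produces the per-day count and the top resetting accounts. It assumes the RSAT ActiveDirectory module, remote Event Log read access to each DC, and that "Audit User Account Management" is audited for Success; the output path and the 30-day window are assumptions to adjust.

```powershell
# Added example, not code from the original post. Collects event 4724
# ("An attempt was made to reset an account's password") from every DC in the
# domain for the last 30 days and summarises it for the SSPR business case.
# Assumes: RSAT ActiveDirectory module on the box running it, remote Event Log
# access to each DC (Event Log Readers membership or equivalent, firewall open),
# and "Audit User Account Management" enabled for Success on the DCs.
Import-Module ActiveDirectory

$Since  = (Get-Date).AddDays(-30)                 # assumed window
$Output = 'C:\Reports\AdminPasswordResets.csv'    # assumed path

$filter = @{
    LogName   = 'Security'
    Id        = 4724        # admin/helpdesk reset only; 4723 is a user changing their own password
    StartTime = $Since
}

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # 4724 is written on the DC that processed the reset, so every DC is queried
    # and the results are summed without double counting.
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws rather than returning nothing when the window is empty;
        # anything else (access denied, RPC unavailable) should be surfaced.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
    }
    foreach ($e in $events) {
        # Pull the named EventData fields (TargetUserName, SubjectUserName, ...) out of the event XML
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc.HostName
            Target  = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            ResetBy = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        }
    }
}

# Computer accounts (names ending in $) are not helpdesk work; drop them.
$user = $rows | Where-Object { $_.Target -notlike '*$' }
$user | Sort-Object Time | Export-Csv -Path $Output -NoTypeInformation

# Headline number: resets per day across the domain
$user | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Select-Object @{ Name = 'Day'; Expression = { $_.Name } }, Count

# Who performs them: separates helpdesk staff from scripts and service accounts
$user | Group-Object ResetBy | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10
```

Run it from a scheduled task under an account that is a member of Event Log Readers on the DCs, append each run's CSV to a folder, and point Power BI (or even Excel) at that folder. The ResetBy breakdown is worth keeping: it tells you how many of the resets are genuine helpdesk tickets versus scripted or service-account activity that SSPR will not remove.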
Anyhow, if you take the time to look at the numbers that come out of a simple query like the one above, you can put factual evidence behind your MIM SSPR investment instead of an estimate.