Simple business case for #MIM2016 SSPR

It occurs to me that perhaps we don’t always do due diligence when it comes to establishing a credible business case for IAM initiatives, and this only comes back to bite us later. One of the easiest metrics to justify a MIM 2016 SSPR (self-service password reset) investment is the number of AD admin password resets, and if we take the recommendation of this blog post, then collecting it is as simple as applying a Windows Event Log filter on each of your AD DCs.

I’ve set this up on one of my DCs and exported it here for you to try yourself: just save it to an XML file and import it from the Event Viewer MMC snap-in as a custom view:

<ViewerConfig>
  <!-- Standard Event Viewer custom-view envelope restored around the exported query so the file imports as-is. -->
  <QueryConfig>
    <QueryParams>
      <UserQuery />
    </QueryParams>
    <QueryNode>
      <Name>Admin Password Resets</Name>
      <Description>Events 4724 and 627, 628, 4723</Description>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
          <Select Path="Security">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
  <ResultsConfig>
    <Columns>
      <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
      <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
      <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">150</Column>
      <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">60</Column>
      <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">60</Column>
      <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">60</Column>
      <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
      <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
      <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
      <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
      <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
      <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
      <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
      <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
      <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
      <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
      <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
      <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
      <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
      <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns>
  </ResultsConfig>
</ViewerConfig>

Of course, if you have plenty of DCs you won’t want to be doing this by hand on a constant basis, so you will want to run the query on a schedule, say via PowerShell, and collate the data in some way, perhaps in Power BI.
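One way to do that collection on a schedule, as an added example that is not part of the original post: a PowerShell script that queries the same event IDs on every DC with Get-WinEvent, counts resets done by someone other than the account owner (4724/628) separately from user-initiated changes (4723/627), and appends per-DC totals to a CSV that Power BI can trend. It assumes it runs from a domain-joined host with read access to each DC's Security log; the $Days window and $OutFile path are assumptions.

```powershell
# Added example, not from the original post. Assumes it runs from a domain-joined host
# as an account with read access to each DC's Security log; $Days/$OutFile are assumptions.
param(
    [int]    $Days    = 30,
    [string] $OutFile = 'C:\Reports\PasswordResets.csv'
)
Import-Module ActiveDirectory

# Same event IDs as the custom view: 4724/628 = password reset by someone else (admin/helpdesk),
# 4723/627 = change by the user; the 6xx IDs are the pre-Windows Server 2008 forms.
$ResetIds  = 4724, 628
$ChangeIds = 4723, 627
$Since     = (Get-Date).AddDays(-$Days)

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $ResetIds + $ChangeIds; StartTime = $Since
        }
    } catch {
        # Get-WinEvent throws when nothing matches; record zero rather than leave a gap.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        $events = @()
    }
    # EventData carries TargetUserName (account reset) and SubjectUserName (who reset it);
    # computer accounts (trailing $) are excluded so only user resets are counted.
    $adminResets = $events | Where-Object { $_.Id -in $ResetIds } | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Target  = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Subject = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } | Where-Object { $_.Target -notlike '*$' }

    [pscustomobject]@{
        Collected    = Get-Date -Format 's'
        DC           = $dc.HostName
        WindowDays   = $Days
        AdminResets  = @($adminResets).Count
        UserChanges  = @($events | Where-Object { $_.Id -in $ChangeIds }).Count
        # Who performs the resets (helpdesk vs. admins) is the cost side of the business case.
        TopResetters = (($adminResets | Group-Object Subject | Sort-Object Count -Descending |
                         Select-Object -First 3 | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ';')
    }
}
# -Append so a scheduled task builds a history that Power BI can trend month over month.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Append
```

Run it from a scheduled task with the same window each time so each CSV row is one comparable sample per DC.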

Anyhow, if you take the time to look at the figures that come out of a simple query like the one above, you can provide factual evidence to substantiate your MIM SSPR investment.


About bobbradley1967

Microsoft IAM MVP and Solutions Architect (MCTS, MCP) - FIM/ILM/MIIS Specialist, with 20 years' SQL database (OLAP) and MS .NET application development/SI background, in particular on the SharePoint platform.
This entry was posted in Active Directory, MIM (Microsoft Identity Manager) 2016, SSPR.
