Simple business case for #MIM2016 SSPR

It occurs to me that perhaps we don’t always do due diligence when it comes to establishing a credible business case for IAM initiatives, and this only comes back to bite us later. One of the easiest metrics to justify a MIM 2016 SSPR (self-service password reset) investment is the number of AD admin password resets, and if we take the recommendation of this blog post, then collecting it is as simple as applying a Windows Event Log filter on each of your AD DCs.

I’ve set this up on one of my DCs and exported it here for you to try yourself – just save it to an XML file and import it from the Event Viewer MMC snap-in (Action > Import Custom View):

<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>Application,Security</Channel>
        <EventId>4724,627,628,4723</EventId>
        <RelativeTimeInfo>0</RelativeTimeInfo>
        <BySource>False</BySource>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>Admin Password Resets</Name>
      <Description>Events 4724 and 627, 628, 4723</Description>
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
          <Select Path="Security">*[System[(EventID=4724 or EventID=627 or EventID=628 or EventID=4723)]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
  <ResultsConfig>
    <Columns>
      <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
      <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
      <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">150</Column>
      <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">60</Column>
      <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">60</Column>
      <Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">60</Column>
      <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
      <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
      <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
      <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
      <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
      <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
      <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
      <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
      <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
      <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
      <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
      <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
      <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
      <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
    </Columns>
  </ResultsConfig>
</ViewerConfig>

Of course, if you have plenty of DCs you won’t want to be doing this by hand on a constant basis, so you will want to run it on a schedule, say via PowerShell, and collate the data in some way – perhaps PowerBI?
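The following script is an added example of that scheduled collection; it is not from the original post or from the MIM product. It queries the same event IDs as the custom view above on every DC in the domain with Get-WinEvent, keeps only resets performed on behalf of a different account (4724, and the legacy 628, are the help-desk case; 4723 and 627 are a user changing their own password), and writes per-month and per-admin counts to CSV files that PowerBI can import. It assumes the ActiveDirectory RSAT module is installed, that the running account can read the Security log on each DC remotely, and the output folder is a placeholder you would change.

```powershell
# Added example (not the blog's or MIM's code): count admin password resets across
# all DCs for a business case. Assumes RSAT ActiveDirectory module and remote
# Security-log read access on each DC. $OutputFolder is a placeholder path.
param(
    [int]$Days = 90,
    [string]$OutputFolder = 'C:\Temp\PasswordResetStats'   # placeholder, change to suit
)

Import-Module ActiveDirectory

$start = (Get-Date).AddDays(-$Days)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Same IDs as the custom view in the post.
# 4724 = password reset by another account (help-desk / admin reset)
# 4723 = password change by the user themselves
# 627 / 628 = the Windows Server 2003-era equivalents (change / reset)
$filter = @{
    LogName   = 'Security'
    Id        = 4724, 4723, 627, 628
    StartTime = $start
}

$events = foreach ($dc in $dcs) {
    try {
        # 4724 is logged only on the DC that processed the reset, so every DC must be asked
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # The event XML carries who performed the reset (Subject) and
                # whose password was reset (Target)
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    DC          = $dc
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Subject     = $data['SubjectUserName']
                    Target      = $data['TargetUserName']
                }
            }
    } catch {
        # Get-WinEvent throws when nothing matches; surface only real errors
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Only resets of somebody else's password represent help-desk effort that SSPR removes
$adminResets = $events | Where-Object { $_.EventId -in 4724, 628 -and $_.Subject -ne $_.Target }

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# Volume over time: the headline number for the business case
$adminResets |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM') } |
    Select-Object @{ n = 'Month'; e = { $_.Name } }, Count |
    Sort-Object Month |
    Export-Csv (Join-Path $OutputFolder 'resets-per-month.csv') -NoTypeInformation

# Who is doing the resets: separates help-desk staff from service accounts
$adminResets |
    Group-Object Subject |
    Select-Object @{ n = 'ResetBy'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Export-Csv (Join-Path $OutputFolder 'resets-per-admin.csv') -NoTypeInformation

"{0} admin password resets across {1} DCs in the last {2} days" -f $adminResets.Count, $dcs.Count, $Days
```

Run it from a scheduled task, for example monthly, and point PowerBI at the CSV folder. The per-admin breakdown is worth keeping: once SSPR is live, the MIM service account will appear as the subject of its resets, so the same report later shows how many resets have moved from the help desk to self-service.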

Anyhow, if you take the time to look at the facts that come out of a simple query like the above, then you can provide some factual evidence to substantiate your MIM SSPR investment.


About bobbradley1967

Microsoft Identity and Access Professional with 2 decades of successful IAM implementations in APAC, specialising in MIM and its predecessors (FIM/ILM/MIIS) and now with SoftwareIDM. A Microsoft IAM MVP prior to that with a background in MS.Net applications development/SI. Now with a particular interest how Identity and HyperSync Panel provide the Identity and Access orchestration presently missing in the Azure Entra Suite to effectively enforce Zero Trust on the M365 platform.
This entry was posted in Active Directory, MIM (Microsoft Identity Manager) 2016, SSPR.
