The parser override attached below is meant for the Unified Connector when it parses Windows 2008 events. With this override, Windows 2008 group modification events are parsed in the same fashion as their counterparts in Windows 2003. Events modified include events with IDs 4728, 4729, 4732, 4733, 4746, 4747, 4751, 4752, 4756, 4757, 4761, 4762.
The changes are:
destinationUserId - contains the name of the group modified, in the format DOMAIN\Group
destinationUserName - contains the name of the group modified
destinationNtDomain - contains the domain of the group modified
deviceCustomString6 - contains the account added to or removed from the group, in the format DOMAIN\username
Place this file in current\user\agent\fcp\windowsfg\windows_2008\ (or append its contents to the file there if one already exists).
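
As an added example (not part of the attached override or of the connector), the Python below shows how downstream logic can rely on the four fields listed above: it classifies the twelve event IDs as additions or removals, checks that destinationUserId agrees with destinationNtDomain and destinationUserName, and flags changes to watched groups. The sample events, the watched-group list and the assumption that deviceEventClassId ends in the Windows event ID are constructed for illustration.

```python
# Added example; field names follow the override's mapping described above.
ADD_IDS = {4728, 4732, 4746, 4751, 4756, 4761}      # member added
REMOVE_IDS = {4729, 4733, 4747, 4752, 4757, 4762}   # member removed

# Assumption: hypothetical list of groups a site chooses to watch.
WATCHED_GROUPS = {"domain admins", "enterprise admins", "administrators"}


def describe(event):
    """Summarise a normalized group-modification event, or return None."""
    # Assumption: the event ID is the last colon-separated part of the field.
    raw_id = str(event.get("deviceEventClassId", "")).rsplit(":", 1)[-1]
    if not raw_id.isdigit():
        return None
    event_id = int(raw_id)
    if event_id not in ADD_IDS | REMOVE_IDS:
        return None
    group = event.get("destinationUserName", "")
    domain = event.get("destinationNtDomain", "")
    group_id = event.get("destinationUserId", "")
    return {
        "action": "added" if event_id in ADD_IDS else "removed",
        "group": group_id,                                # DOMAIN\Group
        "member": event.get("deviceCustomString6", ""),   # DOMAIN\username
        "watched": group.lower() in WATCHED_GROUPS,
        # The override should produce destinationUserId == DOMAIN\Group.
        "fields_consistent": group_id.lower() == f"{domain}\\{group}".lower(),
    }


def watched_changes(events):
    """Return summaries only for membership changes to watched groups."""
    return [d for d in map(describe, events) if d and d["watched"]]


# Constructed sample events (not real log data).
SAMPLE = [
    {"deviceEventClassId": "Microsoft-Windows-Security-Auditing:4728",
     "destinationUserId": "CORP\\Domain Admins", "destinationUserName": "Domain Admins",
     "destinationNtDomain": "CORP", "deviceCustomString6": "CORP\\jdoe"},
    {"deviceEventClassId": "Microsoft-Windows-Security-Auditing:4733",
     "destinationUserId": "WKS01\\Helpdesk", "destinationUserName": "Helpdesk",
     "destinationNtDomain": "WKS01", "deviceCustomString6": "CORP\\asmith"},
    {"deviceEventClassId": "Microsoft-Windows-Security-Auditing:4624"},
]

if __name__ == "__main__":
    for change in watched_changes(SAMPLE):
        print(change)
```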