Parser override for Windows 2008 Group Modification events

Document created by gportnoy on Jun 18, 2010. Last modified by gportnoy on Jun 18, 2010. Version 2.

The parser override attached below is meant for the Unified Connector parsing Windows 2008 events. With this override, Windows 2008 group modification events are parsed in the same fashion as their Windows 2003 counterparts. The affected events are those with IDs 4728, 4729, 4732, 4733, 4746, 4747, 4751, 4752, 4756, 4757, 4761, 4762.


The changes are:

destinationUserId - contains the name of the modified group in the format DOMAIN\Group

destinationUserName - contains the name of the modified group

destinationNtDomain - contains the domain of the modified group

deviceCustomString6 - contains the account added to or removed from the group in the format DOMAIN\username
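The following Python snippet is an added illustration of the field mapping described above; it is not the attached override, not ArcSight code, and not the connector's parser syntax. It walks a constructed Windows 2008 event 4728 message (the Subject/Member/Group blocks) and fills the four fields listed above. The event IDs and their Windows meanings are standard; the way the member account is turned into DOMAIN\username (taking the CN of the member's distinguished name and prefixing the group's domain) is this example's assumption, since the page does not say how the override derives it.

```python
import re
from typing import Dict, Optional

# Event IDs covered by the override (from the page), with their standard
# Windows meanings added here for readability.
GROUP_MOD_EVENTS = {
    4728: ("added", "security-enabled global"),
    4729: ("removed", "security-enabled global"),
    4732: ("added", "security-enabled local"),
    4733: ("removed", "security-enabled local"),
    4746: ("added", "security-disabled local"),
    4747: ("removed", "security-disabled local"),
    4751: ("added", "security-disabled global"),
    4752: ("removed", "security-disabled global"),
    4756: ("added", "security-enabled universal"),
    4757: ("removed", "security-enabled universal"),
    4761: ("added", "security-disabled universal"),
    4762: ("removed", "security-disabled universal"),
}


def parse_sections(message: str) -> Dict[str, Dict[str, str]]:
    """Split a Windows 2008 security event message into its named blocks
    ('Subject:', 'Member:', 'Group:', ...) of indented 'Name: value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in message.splitlines():
        if not line.strip():
            continue
        # An unindented line ending in ':' opens a new block.
        if not line.startswith((" ", "\t")) and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            sections[current] = {}
        elif current is not None and ":" in line:
            name, _, value = line.strip().partition(":")
            sections[current][name.strip()] = value.strip()
    return sections


def member_account(member: Dict[str, str], fallback_domain: str) -> str:
    """Return DOMAIN\\username for the member block.
    Assumption of this example: a 2008 event carries the member as a DN
    (CN=...), so the CN is taken and prefixed with the group's domain."""
    name = member.get("Account Name", "")
    if "\\" in name:            # already DOMAIN\username, keep as-is
        return name
    m = re.match(r"CN=([^,]+)", name, re.IGNORECASE)
    if m:
        name = m.group(1)
    return f"{fallback_domain}\\{name}" if fallback_domain else name


def normalize_group_event(event_id: int, message: str) -> Optional[Dict[str, str]]:
    """Map a group modification event to the fields the override sets.
    Returns None for event IDs the override does not touch."""
    if event_id not in GROUP_MOD_EVENTS:
        return None
    sections = parse_sections(message)
    group = sections.get("Group", {})
    member = sections.get("Member", {})
    group_name = group.get("Group Name", "")
    group_domain = group.get("Group Domain", "")
    action, kind = GROUP_MOD_EVENTS[event_id]
    return {
        "destinationUserId": f"{group_domain}\\{group_name}",   # DOMAIN\Group
        "destinationUserName": group_name,
        "destinationNtDomain": group_domain,
        "deviceCustomString6": member_account(member, group_domain),
        # Extra context not in the page's mapping, derived from the event ID.
        "action": action,
        "groupType": kind,
    }


# Constructed sample 4728 message ("A member was added to a security-enabled
# global group"); SIDs, names and domain are invented for the example.
SAMPLE_4728 = """A member was added to a security-enabled global group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-500
\tAccount Name:\t\tAdministrator
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3e7

Member:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\tCN=jdoe,CN=Users,DC=example,DC=local

Group:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-512
\tGroup Name:\t\tDomain Admins
\tGroup Domain:\t\tEXAMPLE

Additional Information:
\tPrivileges:\t\t-
"""

if __name__ == "__main__":
    for field, value in normalize_group_event(4728, SAMPLE_4728).items():
        print(f"{field}={value}")
```

Running the block prints destinationUserId=EXAMPLE\Domain Admins, destinationUserName=Domain Admins, destinationNtDomain=EXAMPLE and deviceCustomString6=EXAMPLE\jdoe, which is the shape a Windows 2003-style rule or report expects; an event ID outside the list above returns None and would be left to the connector's default parsing.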


Place this file (or append its contents to one that already exists) in current\user\agent\fcp\windowsfg\windows_2008\