Home
  •  

Accounts with the same SID have been detected - one has been deleted

Accounts_with_the_same_SID_have_been_detected___one_has_been_deleted_5_Rule (Rule)

Knowledge Base article:

Summary

There are two or more well-known objects that have the same security identifier (SID) attribute in the Security Accounts Manager (SAM) database. The newest account will be kept, and all older duplicate accounts will be deleted.

This is a collection rule for one of the the Active Directory® directory service reports.

Sample Event:

There are two or more well known objects that have the same SID attribute in the SAM database. The Distinguished Name of the duplicate account is %1. The newest account will be kept, all older duplicate accounts have been deleted. Check the event log for additional duplicates.

External

For more information, see:

Element properties:

TargetMicrosoft.Windows.Server.2012.AD.DomainControllerRole
CategoryEventCollection
EnabledTrue
Event_ID12303
Event SourceMicrosoft-Windows-Directory-Services-SAM
Alert GenerateFalse
RemotableTrue
Event LogSystem
CommentMom2005ID='{1AC820FC-5E86-4077-ABD9-B95F263A8184}';MOM2005GroupID=

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
CollectEventData WriteAction Microsoft.SystemCenter.CollectEvent Default
CollectEventDataWarehouse WriteAction Microsoft.SystemCenter.DataWarehouse.PublishEventData Default

Source Code:

<Rule ID="Accounts_with_the_same_SID_have_been_detected___one_has_been_deleted_5_Rule" Comment="Mom2005ID='{1AC820FC-5E86-4077-ABD9-B95F263A8184}';MOM2005GroupID=" Enabled="true" Target="AD2012Core!Microsoft.Windows.Server.2012.AD.DomainControllerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>System</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>12303</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>Microsoft-Windows-Directory-Services-SAM</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="CollectEventData" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="CollectEventDataWarehouse" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>

  </WriteActions>

</Rule>