0 Replies Latest reply on Jul 9, 2015 12:54 PM by anand_guru

    Info on redundant SIDs for Windows events

    anand_guru

      Hi Everyone,

       

      I see there are few windows SIDs that are redundant. They have different SID but for same Windows event. I understand that these are due to the differences in the way Win 2003 and Win 2008 logs the events. But I still see certain SIDs that I cannot map to a Win event ID.

       

      Eg: For Account Lockout there are 3 SIDs.

      43-211006440

      43-263047400

      43-282000870

       

      The 1st one is for Win 2003 (event id 664) and the 2nd one is for Win 2008 (event id 4740). What does the 3rd SID map to?

       

      I believe it is for some older versions of Windows, but i am not able to find and relate such SIDs with event ids.

       

      Like the simple logic - In a SID the last 3 or 4 digits (excluding the last digit) is the actual Win event ID. In the example should I be looking for Eveny ID 87? I did that, but it doesnt map to Account lockout.

       

      One can also use this thread to explain the first 3 digits of the SID too. i.e 211 for Win 2003, 263 for Win 2008, like this what are the other codes?

      So, what are these mysterious SIDs?

       

      Any help is appreciated.

       

      Thanks,

      Anand