search
Ctrlk
DownloadsPricingRequest a trial

Audit variables

The following variables are available for use in events processed by audit notification channels. Where information is not available or not applicable to an audit event, the placeholder value will be replaced with an empty string.

hashtag
{user.SamAccountName}

The user's samAccountName

hashtag
{user.MsDsPrincipalName}

The user's NT4-style domain name (eg domain\user)

hashtag
{user.DisplayName}

The user's displayName

hashtag
{user.UserPrincipalName}

The user's UPN

hashtag
{user.Sid}

The user's SID

hashtag
{user.DistinguishedName}

The user's distinguished name

hashtag
{user.Description}

The description attribute of the user in Active Directory

hashtag
{user.EmailAddress}

The user's email address

hashtag
{user.Guid}

The objectGUID of the user in Active Directory

hashtag
{user.GivenName}

The user's given name

hashtag
{user.Surname}

The user's surname

hashtag
{computer.SamAccountName}

The samAccountName of the computer

hashtag
{computer.MsDsPrincipalName}

The NT4-style name of the computer (eg domain\pc1$)

hashtag
{computer.DistinguishedName}

The distinguishedName of the computer

hashtag
{computer.Description}

The description attribute of the computer in Active Directory

hashtag
{computer.DisplayName}

The display name of the computer

hashtag
{computer.Guid}

The objectGUID of the computer in Active Directory

hashtag
{computer.Sid}

The SID of the computer in Active Directory

hashtag
{request.ComputerName}

The exact string provided by the user in the computer name field of the access request

hashtag
{request.Reason}

The user-supplied reason for the access request

hashtag
{AuthzResult.MatchedRuleDescription}

The friendly description of the rule that granted access to the user

hashtag
{AuthzResult.MatchedRule}

The ID of the rule that granted access to the user

hashtag
{AuthzResult.ExpireAfter}

The duration of time that access was allowed for. For JIT, this is the duration of allowed time specified in the matching access rule. For LAPS, this is the amount of time until the LAPS password expires, if configured to do so in the access rule.

hashtag
{AuthzResult.AccessExpiryDate}

The specific date and time that the JIT access expires, or the date and time that the LAPS password is set to rotate.

hashtag
{AuthzResult.ResponseCode}

A response code that represents the result of the authorization decision. Valid values are;

  • Success: The user was granted access to the specified computer

  • Undefined: No authorization state is provided. The user's access was denied.

  • NoMatchingRuleForComputer : There were no authorization rules that applied to the specific computer. The user's access was denied.

  • NoMatchingRuleForUser: There were no rules that specifically granted access to a user. The user's access was denied.

  • ExplicitlyDenied: Reserved for future use. The user's access was denied.

hashtag
{AuthzResult.AccessType}

The type of access that was evaluated. Valid values are;

  • LocalAdminPassword

  • LocalAdminPasswordHistory

  • Jit

  • BitLocker

hashtag
{AuthzResult.AccessTypeDescription}

A friendly name for type of access that was evaluated. Valid values are;

  • Local admin password

  • Local admin password history

  • Just-in-time access

  • BitLocker recovery passwords

hashtag
{message}

Additional auditing information generated by the system

hashtag
{request.IPAddress}

The IP address of the users request

hashtag
{request.Hostname}

The hostname (if available) obtained from doing a reverse lookup of the IP address

hashtag
{datetime}

The date and time of the access request, in the local time zone of the server

hashtag
{datetimeutc}

The date and time of the access request, in UTC time

PreviousActive DirectoryNextAuditing Page

Last updated

Was this helpful?