返回
-
标题
Alert and Log showing a short SID instead of the user name for an event -
说明
Sometimes you will see some events that show "S-1-5-18" for User (Actor) field instead of the actual user name of user who triggered the event. -
原因
This is expected behavior for "Well Known Accounts". For example, audited exchange events will often use the S-1-5-18 SID, which is the SID for the "Local System" account. -
解决办法
Please see the following documentation from Microsoft on Well Known User Accounts:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows