We're doing a demo...just installed the environment and are learning how to set up the monitoring. We have the integration with AD set up and I can log in with my domain ID with no issues. We set up a rule to watch for a change to any group with *admin* in the name. If a domain group is changed, we get the user who was changed and the user who changed it. If a local server group is changed, we get the user's SID from Active Directory that was changed...but we get the domain ID name of the user who changed it.
Here is what I get in email:
What Changed: member "%{s-1-5-12-1234567-123456789-123456789-12345}" removed from "builtin\administrators"
Was changed by: DOMAINX \ USERX
On: servernam.domain.com
At: 2017-08-11 19:03:12.0
For "What Changed", we're using EventInfo, and for "Was changed by" we're using SourceAccount.
Can anyone tell me if we missed something or need a different connector setup? This only happens on a member server, and the server has the agent installed and fully functional...we just can't seem to get it to not return a SID.
Thanks in advance for any help!