Event definition Search Query "OR"

Hi,
I am trying to monitor changes in selected AD groups with this query:
(EventID:4728 OR EventID:4732) AND ((TargetUserName:Domain Admins OR TargetUserName:Account Operators OR TargetUserName:DnsAdmins ))
but the query runs unstable: sometimes it skips an event or reports entries from outside the listed groups. Is the problem the redundant use of “OR”? Should I rephrase it?

Using the forum markup </> helps with readability…

(EventID:4728 OR EventID:4732) AND ((TargetUserName:Domain Admins OR TargetUserName:Account Operators OR TargetUserName:DnsAdmins ))

First guess: your data has spaces and they may be parsed wrong. Use quotes…

(EventID:4728 OR EventID:4732) AND (TargetUserName:"Domain Admins" OR TargetUserName:"Account Operators" OR TargetUserName:DnsAdmins )
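Why the unquoted form over-matches, as an added example that is not part of the thread: in Lucene-style query syntax a field prefix binds only to the term directly after it, so `Admins` and `Operators` become standalone terms with no field. The helper names below are hypothetical; the sketch lists those stray terms and builds the quoted form from a list of groups.

```python
import re

# Example added for illustration; function names are hypothetical, not a Graylog API.

def quote_value(value) -> str:
    """Numbers stay bare; every string becomes a quoted phrase with \\ and " escaped."""
    text = str(value)
    if text.isdigit():
        return text
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def any_of(field: str, values) -> str:
    """Build (field:a OR field:b ...) so every value keeps its field prefix."""
    return "(" + " OR ".join(f"{field}:{quote_value(v)}" for v in values) + ")"

def build_query(event_ids, groups) -> str:
    """Event IDs OR-ed together, AND-ed with the OR-ed group names."""
    return f"{any_of('EventID', event_ids)} AND {any_of('TargetUserName', groups)}"

def unscoped_terms(query: str):
    """Return the words left without a field prefix.

    These are the terms that get searched outside TargetUserName and can pull in
    events for groups that were never listed.
    """
    no_phrases = re.sub(r'\w+:"(?:[^"\\]|\\.)*"', " ", query)  # drop field:"phrase"
    no_fielded = re.sub(r'\w+:[^\s()]+', " ", no_phrases)      # drop field:term
    tokens = re.findall(r'[^\s()]+', no_fielded)
    return [t for t in tokens if t not in ("AND", "OR", "NOT")]

# The query from the question, copied as posted.
ORIGINAL = ('(EventID:4728 OR EventID:4732) AND ((TargetUserName:Domain Admins '
            'OR TargetUserName:Account Operators OR TargetUserName:DnsAdmins ))')

GROUPS = ["Domain Admins", "Account Operators", "DnsAdmins"]

if __name__ == "__main__":
    print("stray terms in original:", unscoped_terms(ORIGINAL))
    fixed = build_query([4728, 4732], GROUPS)
    print("quoted query:", fixed)
    print("stray terms in quoted query:", unscoped_terms(fixed))
```
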
