Hi,
I try to monitor changes in selected AD groups with query:
(EventID:4728 OR EventID:4732) AND ((TargetUserName:Domain Admins OR TargetUserName:Account Operators OR TargetUserName:DnsAdmins ))
but the query runs unstable sometimes skips an event or reports entries from outside listed groups? Is probleme redundant use of “OR” should I rephrase it ?
Using the forum markup </>
helps with readability…
(EventID:4728 OR EventID:4732) AND ((TargetUserName:Domain Admins OR TargetUserName:Account Operators OR TargetUserName:DnsAdmins ))
First guess, your data has spaces and the may be parsed wrong. Use quotes…
(EventID:4728 OR EventID:4732) AND (TargetUserName:"Domain Admins" OR TargetUserName:"Account Operators" OR TargetUserName:DnsAdmins )
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.