• State Suggested Answer
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 14 subscribers
  • Views 3279 views
  • Users 0 members are here
Options
Related

Custom search failed login for specific AD group

akingbade.ajewole
over 4 years ago

Trying to edit search "All failed Logons" to only include specific AD groups.

I change

(ComputerType & 24 != 0 )

to

(ComputerType & 24 != 0 ) and member_of( Who, 'Domain Admin', true)

But I dont get any result. Any insight? (I cant insert picture from local drive)

Parents
  • 0 over 4 years ago

    Hi akingbade.ajewole,

    Your expression has a mistype, the correct one for Domain Admins group is

    (ComputerType & 24 != 0) and member_of(Who, 'Domain Admins', true)

    Also I have to say that the speed of such custom filter may be quite low, in my environment the calculation takes 3 seconds per one event.

  • 0 over 4 years ago in reply to Igor.Ilyin

    Thanks for the reply. I changed to that and got no result after running for 3hrs.

  • 0 over 4 years ago in reply to akingbade.ajewole

    Hi,

    There might be several reasons for such result. Member_of is making direct live requests to AD of your domain. First, if the user under which you run RV and the events in the repository are not from the same forest/domain, using member_of has no sense, nothing will be found. The Second reason is opposite, you are in the same forest/domain and there is a huge amount of events that should be returned to a grid. As I mentioned earlier, the search may take unreasonable time. I agree that this combination (who + member_of) should have better performance, and I will create a change request on this. May I ask you also contact the official Quest support and create a ticket, this will speed-up the investigation and possible fix.

    Thank you!

Reply
  • 0 over 4 years ago in reply to akingbade.ajewole

    Hi,

    There might be several reasons for such result. Member_of is making direct live requests to AD of your domain. First, if the user under which you run RV and the events in the repository are not from the same forest/domain, using member_of has no sense, nothing will be found. The Second reason is opposite, you are in the same forest/domain and there is a huge amount of events that should be returned to a grid. As I mentioned earlier, the search may take unreasonable time. I agree that this combination (who + member_of) should have better performance, and I will create a change request on this. May I ask you also contact the official Quest support and create a ticket, this will speed-up the investigation and possible fix.

    Thank you!

Children