Filtering a particular 5136 event ID

Hi,

In Active Directory, event ID 5136 is committed for multiple purposes.

Examples include a change to the display name of a user, or a change to permissions on an OU.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136

However, I want to filter the 5136 event ID for group membership changes. How do I do that? Please let me know.

  • Hi mcsebala,

    This task is not a complex one for an InTrust enthusiast. When you look at the group membership 5136 event in the Repository Viewer, you easily notice the key insertion strings that uniquely define such an event. They are Class Name (Insertion String #11) and Attribute Name (Insertion String #12). So, if you want to create a gathering policy that collects only group membership 5136 events, you should specify a repository filter with IS#11=group and IS#12=member. And in the Repository Viewer you might want to create a separate search: just add Class Name and Attribute Name to the search filter (and also to the grid layout if you need).
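
The same IS#11/IS#12 filter applied to exported event XML, as an added example that is not part of the original thread and is not InTrust's own code. It assumes the standard Windows event XML layout for 5136; the helper names, sample events, account names and DNs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# EventData fields of event 5136 in insertion-string order (IS#1 .. IS#15).
FIELDS = ["OpCorrelationID", "AppCorrelationID", "SubjectUserSid", "SubjectUserName",
          "SubjectDomainName", "SubjectLogonId", "DSName", "DSType", "ObjectDN",
          "ObjectGUID", "ObjectClass", "AttributeLDAPDisplayName",
          "AttributeSyntaxOID", "AttributeValue", "OperationType"]
OPERATIONS = {"%%14674": "added", "%%14675": "removed"}  # Value Added / Value Deleted

def make_event(event_id, **values):
    """Build constructed event XML; fields not supplied are filled with '-'."""
    data = "".join(f"<Data Name='{n}'>{values.get(n, '-')}</Data>" for n in FIELDS)
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID></System>"
            f"<EventData>{data}</EventData></Event>")

def group_membership_change(event_xml):
    """Return a summary dict for a 5136 group 'member' change, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < len(FIELDS):
        return None  # truncated or unexpected layout: do not guess
    # Insertion strings are 1-based: IS#11 = Class Name, IS#12 = Attribute Name.
    if data[10].lower() != "group" or data[11].lower() != "member":
        return None
    return {"actor": data[3], "group": data[8], "member": data[13],
            "action": OPERATIONS.get(data[14], data[14])}

def filter_changes(events):
    """Keep only the group membership changes from a list of event XML strings."""
    return [c for c in map(group_membership_change, events) if c]

# Constructed samples: one group membership change plus the two cases from the question.
SAMPLES = [
    make_event(5136, SubjectUserName="admin1", ObjectClass="group",
               ObjectDN="CN=Helpdesk,OU=Groups,DC=example,DC=com",
               AttributeLDAPDisplayName="member", OperationType="%%14674",
               AttributeValue="CN=Jane Doe,OU=Users,DC=example,DC=com"),
    make_event(5136, SubjectUserName="admin1", ObjectClass="user",
               AttributeLDAPDisplayName="displayName", AttributeValue="Jane D."),
    make_event(5136, SubjectUserName="admin1", ObjectClass="organizationalUnit",
               AttributeLDAPDisplayName="nTSecurityDescriptor"),
]

if __name__ == "__main__":
    for change in filter_changes(SAMPLES):
        print(change)
```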
