Failed logon with specific failure reason


We have 2 Domains in our organization and sometime by mistake some users of the second domain  (applications usualy) -

Of course their logons failed  , because they are from another domains..

Is there any option to make an Expection to the whole domain in this rule (Matching Parameters) ? (Failed logon with specific failure reason(Misspelled or Disabled ))

Something like     "DOMAIN\*"

Thanks in advance

  • Hi Benybb, as far as I understand, we're talking about the custom rule from the forum item . I will give you a couple of possible additions to the rule text, but you have to add them manually, because I don't know the current state of this rule in your environment. So, open the rule properties in InTrust Manager and click Advanced button on the Matching tab. Inside arguments section, add a new argument:
    <argument displayname="Target Domains" name="Target_Domains" class="List" description="A list of target domains to monitor.">
    And down in the list of conditions add the following line (not in the beginning and not in the end, but in the middle):
    and in(String7, "wi", array(<parameter name="Target_Domains"/>))
    This will implement the domain including filter.


    If your intention is excluding filter, then change to negative:
    <argument displayname="Exclude Domains" name="Exclude_Domains" class="List" description="A list of domains to exclude from monitoring.">
    and not(in(String7, "wi", array(<parameter name="Exclude_Domains"/>)))