Search Knowledge Base

RELATED LINKS • LogClarity® Solution Overview • LogClarity® Domain Controller Edition • LogClarity® Database Edition • LogClarity® Server Edition • LogClarity® Syslog Edition

KB ID:	10011
Last Revision:	November 26, 2006
Version:	1.0

Search:  Find the events when users from a specific OU has logged into any computers in a specific OU.

The most powerful feature of LogClarity® is the ability to search by location.  Whether you manage a single OU or a number of domains, you need to search for your managed area in the domain in an intuitive and efficient way.  LogClarity® lets you search for events for an entire location in one search.

The primary logons to a computer are logged as:

• Successful Logon (ID: 528)
• Service Ticket Request (ID: 673)

On top of Successful Logons (ID: 528), logons to remote machines might be logged as a Service Ticket Request (ID: 673).  Service Ticket Requests are more accurate when using Log Fidelity's solution because domain controllers log multiple identical Service Ticket Requests during the entire session when the user is logged on, but Log Fidelity's solution filters out all the multiple Service Ticket Requests and only logs one Service Ticket Request when the logon actually happens.  The only difference between Successful Logons and Service Ticket Requests is that the IP logged by a Successful Logon sometimes contains the IP address of the remote computer if the user is logging in remotely via Terminal Service (aka Remote Desktop) whereas the IP logged in the Service Ticket Request is always the IP Address of the computer being logged onto. 

PREREQUISITES

The name of the OU (Organizational Unit) where the users are located and the name of the OU where the computers are located.

ESTIMATED QUERY TIME

2-5 seconds.

METHOD 1 (Advanced Search)

1.  Find the Distinguished Name of the OU where the users are located by typing the OU name in the Distinguished Name Search Field and click Search.
2.  Enter the correct Distinguished Name of the OU in the Client DN field.
3.  Find the Distinguished Name of the OU where the computers are located by typing the OU name in the Distinguished Name Search Field and click Search.
4.  Enter the correct Distinguished Name of the OU in the Target DN field.
5.  Select Logon Events only.
6.  Select "Success" in the Type field.
7.  Click Submit.

LIKELY SCENARIOS IT APPLIES TO

• You want the usage information of an entire office/lab/department that are organized by OUs and not include a list of activity outside of that OU.
• You want to see if people of a particular OU are logging into computers in a specific OU that they shouldn't be logging into.

FINE TUNE YOUR SEARCH

If you know the time scope, domain of the computers, or want to restrict your searches to users in a specific domain you can fine tune your search.