Hi, everyone. In this demo, we'll show you how to tweak the basic InTrust logon reporting workflow so that it focuses only on the members of a specific group. Currently, we've got a task that produces a report on all failed logons.
The resulting report contains every failed logon there was. Suppose you want to capture failed logons by the members of just one particular group, in our case, a group called managers. What's more, you need both direct and indirect members, meaning users that ended up in the group through membership in other groups. Here's an example of an indirect member of managers. John Doe is in that group because he's a member of Dev.
We need a customized import policy to filter out all the logons we don't need. Let's use the generic failed logon policy as a starting point. It does most of what we want, but some changes have to be made to the filter, which means a bit of code editing. I'll explain it as we go along.
First of all, the name of the group should be exposed as a configurable parameter. Use one of the existing parameters as a template. In the rule's XML code, I'll select the snippet that defines a rule parameter, in this case the computer parameter. I'll duplicate it and change the copy to make a new parameter: the names and the description have to be changed.
Next, I'll add the actual filtering logic that's associated with the parameter. It's going to be a new clause in the rule expression. The part we need to edit is at the bottom; it deals with the relevant event ID. You can see a number of expressions joined by AND operators. Let me add another AND clause.
To apply our additional filter, we'll use the predefined "member of" function. That function tells you whether the user you pass as the first argument is a member of the groups you pass as the second argument. The user I'm passing is a combination of the domain from insertion string 7 and the user name from insertion string 6. The group names come from our new rule parameter. Setting the third argument to true makes the result true if any of the groups match, not necessarily all of them.
Turn on the new parameter and specify the group name. Note that the parameter is a list, so you can specify multiple groups if you like. Also note that I have removed the catch-all asterisk value.
Now, switch to the new import policy. Don't forget to commit the changes. Clear the old logon data from the database so it doesn't go into the report. Finally, let's confirm that the new report contains just what we need.
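To make the filter semantics concrete, here is an added illustration in Python that is not InTrust's own code or the rule XML from the demo: a stand-in "member of" check that resolves direct and nested (indirect) group membership from a constructed directory, with the same any-of-the-groups switch as the third argument, applied to constructed failed logon events whose user is built from insertion strings 7 (domain) and 6 (name). The event ID 4625 for a failed logon and the DOMAIN\name naming are assumptions, not taken from the demo.

```python
from collections import deque

# Constructed sample data (not real InTrust or Active Directory output).
# Group -> direct members as DOMAIN\name; a member that is itself a group key
# nests. John Doe is in Managers only via Dev, as in the demo; the Dev ->
# Managers entry is a deliberate cycle to exercise the cycle guard below.
DIRECTORY = {
    r"CORP\Managers": [r"CORP\alice", r"CORP\Dev"],
    r"CORP\Dev": [r"CORP\johndoe", r"CORP\Managers"],
}

def member_of(user, groups, any_match, directory=DIRECTORY):
    """Hypothetical stand-in for the demo's three-argument 'member of' check:
    True if user is a direct or nested member of any (any_match=True) or all
    (any_match=False) of the listed groups. Names compare case-insensitively."""
    user = user.lower()
    lowered = {k.lower(): [m.lower() for m in v] for k, v in directory.items()}
    results = []
    for group in groups:
        seen, queue, found = set(), deque([group.lower()]), False
        while queue and not found:
            current = queue.popleft()
            if current in seen:          # cycle guard for circular nesting
                continue
            seen.add(current)
            for member in lowered.get(current, []):
                if member == user:
                    found = True
                    break
                if member in lowered:    # member is a group: descend into it
                    queue.append(member)
        results.append(found)
    return any(results) if any_match else all(results)

def filter_failed_logons(events, group_param):
    """Keep failed logons (assumed event ID 4625) whose user, built from
    insertion strings 7 (domain) and 6 (name), is in any group in group_param."""
    kept = []
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        user = f"{ev['strings'][7]}\\{ev['strings'][6]}"
        if member_of(user, group_param, True):
            kept.append(ev)
    return kept

# Constructed events; insertion strings are keyed by their 1-based index.
EVENTS = [
    {"event_id": 4625, "strings": {6: "johndoe", 7: "CORP"}},  # nested member
    {"event_id": 4625, "strings": {6: "bob", 7: "CORP"}},      # not a member
    {"event_id": 4625, "strings": {6: "alice", 7: "CORP"}},    # direct member
    {"event_id": 4624, "strings": {6: "alice", 7: "CORP"}},    # successful logon
]
```

Running `filter_failed_logons(EVENTS, [r"CORP\Managers"])` keeps only the johndoe and alice events, which is the outcome the customized import policy is meant to produce.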
As expected, logons by non-members of managers are gone from the report. Importantly, all we needed for this purpose was InTrust and native Windows logs. No other tools were necessary. Thanks for watching.