Running Searches
To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.
A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted. By default, the number of results returned is limited to 100,000. For Recovery Manager for Active Directory items, the limit is fixed at 5,000.
Viewing Data by Object Type
IT Security Search groups the discovered data by object type:
- Computers
- Events
- Files
- Groups
- OUs
- Shares
- Users
-
Various other object types for which only Enterprise Reporter provides data, such as those related to Exchange, Azure and Office 365.
You can restrict the view to these object types by clicking the corresponding tab at the top of the grid; for miscellaneous object types provided only by Enterprise Reporter, click the More tab. On this tab, you have the option to make a dedicated tab for any such object type. For that, locate its item in the Object Type list on the left and click the pin icon on that item; this pins a new tab for the object type next to the More tab. When you don't need the tab any more, you can close it; you can pin it again later at any time.
|
NOTE: The number of items displayed on pinned tabs is limited to 100,000, as for predefined tabs. On the More tab, it is limited to 1000 items per object type. |
The object type is also switched when you use links in the context of some object's details, such as Activity initiated by this user or Who granted permissions to this file.
Specifying a Time Range for Events
To display events from only a specific time period, use the time range filter. For that, click the clock icon in the search box. If you choose not to specify a time range, the search will involve all available data.
Customizing the Event Grid Layout
When you view events of a particular kind, you may want to see a specific set of fields, including fields unique to such events. You may also want to hide fields that don't matter to you. To make such changes to the event layout, use the tools in the Columns drop-down menu to the right of the grid.
To add a field as a column, type its name in the text box provided in the drop-down menu and click Add. You can specify any name. To look up the correct field names, use the details view for any relevant event.
To remove an existing column, click the trash can icon next to its name.
To restore the default set of fields, click Reset to defaults.
To reorder columns, drag their headings around in the grid.
Your custom layout settings are used when you export events to PDF or CVS (using the Export to drop-down menu).
Understanding the Event Timeline
The event timeline is a bar graph representation of search results, where you can quickly spot event patterns. For example, it helps you find out the peak hours for the events you are interested in or easily track activity outside business hours.
Viewing Details of Search Results
When you select an item from the result list, the right pane shows brief details about the item. To go to the full details view for this item, click View Details.
The details view also suggests links to related data which you might be interested in and which you might be trying to find in the first place. Clicking such a link starts a search in an automatically supplied context. For example, when you are viewing the details of a folder in a network share, the following links are ready for you:
- Who accessed this folder
- Who granted permissions to this folder
- Files and folders in this share
Information about users, groups, computers and organizational units can come from more than one source. At this time, the following systems provide data about them: Enterprise Reporter, Recovery Manager for Active Directory and Active Roles. When multiple sources have information about the same object, IT Security Search shows data from the source that submitted it first, so that the results can be displayed sooner. A warning is shown about additional data that may be available. If you want these results, click the run a full scan link in the warning text. This will cause IT Security Search to retrieve the data from the remaining sources and correlate it.
Navigating Session History Using Breadcrumbs
As you work with the search results, your search path is saved as a breadcrumb sequence. This helps you go back to any previous step in your session without retracing the steps.
Using Facets to Filter Results
Facets are quick view filters by property value. When you apply a facet, IT Security Search shows only matching items. You can apply multiple facets at once, progressively limiting the number of results; you can also remove any of the facets you have applied.
Facets are shown to the left of the result pane. To apply a facet, click an available value link. For example, if you are viewing the details of a deleted user account (where the value of State is Deleted) and want to focus on other deleted users, click the Deleted link.
Alternatively, you can use the item's properties to work with facets. The properties that support this have funnel icons next to them in the details pane. To apply a facet, click such a property.
Fine-Tuning Your Search Terms
Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches less broad and more relevant, you can use hints—for example, by prefixing the field names to look in. For details, see Search Term Syntax.
Automating Complex Search Scenarios
Some search workflow ideas are best expressed as multi-stage search queries where data produced by a search is automatically streamed into the next search in a chain. The pipe operator (|) helps you achieve this, and field names in curly braces specify which fields to analyse in that data.
Example 1: Find the managers of all users who have created or deleted files on the \\FILESRV1\Software network share
"\\FILESRV1\Software" | Description:{SharePath} AND (What="File Created" OR What="File Deleted") | Who={Who} | DisplayName="{ManagedByDisplayName}"
Example 2: Find events by users from the Milwaukee office on computer FILESRV1
Office="Milwaukee" | Who:{SAMAccountName} AND Where:filesrv1
Example 3: Find computers where members of the Accounting group have logged in
"Accounting" | Who:{SAMAccountName} AND What:logon | Where={Where}
Example 4: Find all users from the same office as user dshaw
Who="dshaw" | Office="{Office}"
Search Term Syntax
Use the following syntax for search terms in the search box. Searches are case-insensitive.
|
|
Notes:
|
For details about the fields that you can use in your search queries, see Data Field Reference.
Single-Word Terms
This is known as full-text search. The search involves all available fields and uses the Contains operator.
| Meaning | Syntax | Details |
|---|---|---|
| Look for a single-word term in any attribute | Word without spaces Example: john |
john matches John or john in any attribute, but does not match stjohn in any attribute |
| Look for a single-word term with the specified beginning in any attribute | Word ending in an asterisk (*) without spaces Example: john* |
john* matches John or Johnson in any attribute |
| Find attributes where a specific single-word term is not contained in any attributes | Word without spaces with a leading hyphen Example: -john |
-john may match entries that contain stjohn, but does not match entries that contain john in any attribute |
| Find entries where a specific single-word term with the specified beginning is not contained in any attributes | Word ending in an asterisk (*) without spaces with a leading hyphen Example: -john* |
-john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute |
Term Combinations
| Meaning | Syntax | Details |
|---|---|---|
| Look for entries with specific single-word terms in any attributes | Words separated by spaces Example: john glen* |
john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found |
| Look for entries that do not contain specific single-word terms in any attribute | Word without spaces Examples:
|
|
| Look for entries with a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: "Account Logon" |
"Account Logon" matches entries that contain the exact phrase Account Logon in any attribute |
| Look for entries that do not contain a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: logon server01 -"Account Logon" |
logon server01 -"Account Logon" matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute |
| Meet one of the specified terms (or sets of terms) | Terms (single words or phrases) separated by the OR operator; this operator has the following specifics:
Examples:
|
|
| Explicitly mark an AND operation for visual clarity | Terms (single words or phrases) separated by the AND operator; this operator has the following specifics:
Examples:
|
paul AND john and paul john are identical in meaning: look for entries where both paul and john occur. |
| Group and nest terms for logical operations on them | Parentheses enclosing the terms you want to group Example: (homer marge) OR (peter lois) |
(homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge. |
Searching in Specific Attributes
To apply your search term only to a particular attribute, prepend the name of the attribute with a colon (:) or equals sign (=) to your search term, as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.
The following distinction is important:
- Labels unambiguously mapped to entry attributes; for example, Path:"Documents and Settings" in file access entries
In this case, the search involves the specified field and uses the Contains operator. - Labels mapped to different attributes in different contexts (known as normalized attributes); for example, Where:primrose would mean the primrose domain for users or groups, the primrose computer for files or shares, and so on
In this case, the search involves the associated fields as necessary and may even modify the search terms.
For details about the meanings of labels in particular contexts, see Normalized Attributes below.
|
|
Note: When you look for permission information, you can use the Who, What and Owner attributes as follows:
|
| Meaning | Syntax | Details |
|---|---|---|
| Attribute contains term | Examples:
|
|
| Attribute does not contain term | Examples:
|
|
| Attribute equals term | Examples:
|
|
| Attribute does not equal term | Examples:
|
|
Specifying Quotation Marks
If your search term must include double quotes ("), then for each double quote you need supply an additional double quote as an escape character. See the following examples:
|
To find this string |
Specify this term |
|---|---|
|
the "Cancel" button |
"the ""Cancel"" button" |
|
computer "kltest16" |
"computer ""kltest16""" |
This requirement does not apply to apostrophes, which are frequently used as quotes. Single quotes of this kind do not need escaping and should be specified in a plain string, as in "local 'Administrator' user".
Filter Syntax
Select one of the operators (explained in the following table), and enter your filter terms.
|
Operator |
Syntax |
Example |
Meaning |
|---|---|---|---|
|
Contains |
[FieldName]:<Value> |
Name:Paul |
The attribute contains all of the specified terms at once in any combination |
|
Does not contain |
-[FieldName]:<Value> |
-Name:John |
The attribute contains none of the specified terms anywhere |
|
Equals |
[FieldName]=<Value> |
Name="John Paul" |
The attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
|
Does not equal |
-[FieldName]=<Value> |
-SamAccountName=jpaul |
The attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
The following search syntax rules described above also apply to filter terms:
- Terms are case-insensitive.
- The term can be a single word, multiple words, or a phrase in quotation marks.
- In single-word terms, a trailing asterisk is treated as a wildcard character.
- In exact phrases, an asterisk is treated as a regular character.
|
|
Note: Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter. |
Normalized Attributes
The following table shows what attributes are involved in searches that use the Who, What and Where labels. Active Directory attributes are bolded. Information about events is not included, because Who, What and Where are mapped directly to the same-name fields in InTrust and Change Auditor events.
|
Label → Context ↓ |
Who | What | Where |
|---|---|---|---|
|
Users |
SAMAccountName DisplayName AccountSid DistinguishedName LogonName |
N/A |
DomainName |
|
Groups |
User information User account information ManagedByFullName ManagedByDisplayName |
N/A |
DomainName |
|
Computers |
ManagedByFullName ManagedByDisplayName |
N/A |
ComputerName NetBiosName |
|
Shares |
User information |
N/A |
ComputerName |
|
Files |
Permission information |
Permission information |
ComputerName |
Using Functions in Queries
Functions are a way to transform the results of a query to other objects inside a larger query. IT Security Search functions take a query as their single argument and return a collection of objects. Function names are case-insensitive.
The following functions are implemented:
|
Function |
Details |
Examples |
|---|---|---|
|
Members |
Returns the direct members of all groups that the argument query returned. |
Members([Managed By]:"marty stu") |
|
Members_Deep |
Returns both direct and indirect members of all groups that the argument query returned. |
Members_Deep(name="DL.IT") |
|
MemberOf |
Returns all groups that directly contain the accounts returned by the argument query. |
MemberOf(FullName="DL.Accounting") |
|
MemberOf_Deep |
Returns all groups that directly or indirectly contain the accounts returned by the argument query. |
MemberOf_Deep(Name="DL.Facilities") |
If the argument query returns objects that a function cannot be applied to, the function skips these objects. For example, the Members function doesn't do anything about user account objects.
Example
Suppose you want to get events from all computers where user martystu is an administrator. Use the following query:
MemberOf_Deep(Who=martystu) AccountSID="S-1-5-32-544" | Where="{DomainName}" Who=martystu
This query takes advantage of the well-known SID of the built-in Administrators group. First it finds all aliases of this user account, then it gets all local Administrators groups where those accounts are members, no matter whether direct or indirect (membership information is discovered by Enterprise Reporter). Then the query pipes the results through a sub-query to find all events by these users on computers where they are administrators. For details about search-in-search capabilities, see Making Multi-Stage Searches.
|
IMPORTANT: Functions have the following limitations:
|
Making Multi-Stage Searches
You have the option to run a search on the results of another search. It is a way to automate your established search practices, and it may provide a clearer and more convenient representation of your intentions.
This is similar to how the output of a command is redirected into another command as its input in PowerShell and Unix shell languages. Accordingly, search result redirection is provided by the familiar pipe (|) operator.
To indicate a field whose value should be carried over from the left query to the right through the pipe, enclose the field name in curly braces, as in {Where} or {EventID}.
Example:
"rd.itsearch"| What:Logon AND Who:"{SAMAccountName}" | Name="{Where}"
In this three-stage search, the initial results are refined twice. First, it finds all users that are members of the rd.itsearch group. For these users, it finds such events that the users' SAM account names are in the Who field, and the What field contains "Logon". From the resulting events, pick only those that have any of the discovered computer names in the Where field.
Auto-Resolution of the Current User
If you specify the {Context.CurrentUser} variable in your query, it is automatically resolved to information that identifies the user who is running the query. The following information is extracted (where available): account name in domain\user format, SAM account name, display name and SID.
For example, if user Alan Smithee supplies a query containing Who="{Context.CurrentUser}", the resulting substituted information can be something like this:
Who=production\asmithee OR Who=ASmithee OR Who="Alan Smithee" OR Who="S-1-5-21-2591644-1571856274-80062049-1617"
If you want a particular identifying field instead of a set of fields, use the following accessors:
- {Context.CurrentUser.FullAccountName}
- {Context.CurrentUser.SamAccountName}
- {Context.CurrentUser.DisplayName}
- {Context.CurrentUser.AccountSid}
Examples:
- Description:"Computer of {Context.CurrentUser.DisplayName}" becomes Description:"Computer of Alan Smithee"
- onpremisessecurityidentifier="{Context.CurrentUser.AccountSid}" becomes onpremisessecurityidentifier="S-1-5-21-2591644-1571856274-80062049-1617"
|
NOTE: Resolution of this variable does not require that the Enterprise Reporter connector be enabled. |
Specifics of Recovery Manager for Active Directory Data
Recovery Manager for Active Directory provides data about users, groups, computers and organizational units, including those that have been deleted. Searching within that data should be approached in special ways.
One drawback is that full-text search does not work in Recovery Manager for Active Directory. Generally, it is recommended that you complement this data with results from Enterprise Reporter, if possible.
Searching by Distinguished Name
In all attributes that contain distinguished names, such as distinguishedName or manager, only the "equals" operator is used, meaning that the value must match exactly. For example, if the manager attribute of a user is "CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp", then the following happens:
- These queries match the user:
Manager:"CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp"
Manager="CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp" - These queries do not match the user:
Manager:"CN=David Shore"
Manager="CN=David Shore"
Searching for Deleted Objects
When Active Directory objects are deleted, they are really moved to the Deleted Objects container; some of their attributes are cleared and some are changed, including the name. These tips will help you compose queries that produce the expected results for deleted objects:
- The name attribute undergoes the following change: <object_name> becomes <object_name>\0ADEL<object_GUID>. If you are aware of this pattern, you can look for deleted objects specifically.
- The samAccountName attribute remains unchanged in deleted users, computers and groups.
- In computers, the dnsHostName attribute also remains unchanged.
Searching Without Specifying Fields
When you supply a search term without prefixing a field name, IT Security Search adds the field name for you, as follows:
|
Object Type |
Field |
Examples |
|---|---|---|
|
User or group |
aNR |
"Alan Smithee" becomes aNR:"Alan Smithee" "Alan Smithee*" becomes aNR:"Alan Smithee" (wildcards are not supported by Recovery Manager for Active Directory) |
|
Computer or OU |
name |
primrose.domain.local becomes name:primrose.domain.local Directors* becomes name:Directors (wildcards are not supported by Recovery Manager for Active Directory) |
It is recommended that you specify the target fields explicitly and use the fields suggested in Searching for Deleted Objects above.
Specifics of Enterprise Reporter Data
Data from Enterprise Reporter contains information about permission assignments, and you can get this information by using the Assignment field in your search queries. This field accepts the following values: Direct, Indirect and All. Example: Assignment=All. If the Assignment field is omitted, its value is assumed to be Direct.
If you use the Assignment field in a query, permissions are analyzed for the objects indicated by the Who field.
|
|
Caution:
|
Using the PermissionsForFile keyword also gives you permission assignment data from Enterprise Reporter. This keyword requires that you specify a nested search query enclosed in double quotes; the inner query must use single quotes. Example:
PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\'"
In the inner query, the What keyword helps specify the kind of permission to search for. Both of the following queries will return users with the Full Control permission:
PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\' AND what:full"
PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\' AND what:'full control'"
The PermissionsForFile keyword can be used in conjunction with other keywords and doesn't have to specify the entire query. The following will return all users called Administrator who have access permissions:
Who:Administrator PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\'"
Searching for Effective Permissions
You can query effective permissions by including What:Effective. For assignments, this option takes effect if you specify Assignment=All or Assignment=Indirect.
If What:Effective is omitted, the results include all files on which both Allow and Deny permissions are set. For example, if a user is a member of a group which is denied access to a particular file, then the file will be in the results, and Access Type will be recognized as Deny. If What:Effective is included, then the results will contain only Allow permissions.
Examples:
Who="ITSS\UserRead" AND Assignment=All AND What:Effective
Who="ITSS\UserRead" AND Assignment=All AND What:Effective AND What:modify
PermissionsForFile="Where='ITSER.LOCAL' AND Path='C:\ImportantShare\Folder1\' What:Effective"
PermissionsForFile="Where='ITSER.LOCAL' AND Path='C:\ImportantShare\Folder1\' What:Effective What:Modify"
Examples
Queries for events
| Query | Meaning |
|---|---|
| Who:"John Smith" | Activity initiated by user John Smith |
| What:"Group Member" AND "DL.RD" | Who was added to and deleted from group DL.RD |
| Where:"primrose" | Access to computer primrose |
| Workstation:"primrose" | Access from computer primrose |
Queries for files and folders
| Query | Meaning |
|---|---|
| Where:"primrose.mycorp.com" AND "D:\Private\assessment.pdf" | Who accessed the D:\Private\assessment.pdf file |
| Where:"primrose.mycorp.com" AND "D:\Personal\assessment.pdf" AND What:"File Access Rights Changed" | Who granted permissions to the D:\Personal\assessment.pdf file |
| Who:"John Smith" What:Owner | Files and folders owned by user John Smith |
| Who:"John Smith" | Files and folders where user John Smith has permissions |
| Where:"primrose.mycorp.com" AND "C:\_VIDEO" | Files and folders in the _VIDEO share |
Data Field Reference
The following topics provide details about fields that you can use in search queries, organized by supported system:
- Enterprise Reporter Data Fields
- InTrust Data Fields
- Change Auditor for Active Directory Data Fields
- Active Roles Data Fields
- Recovery Manager for Active Directory Data Fields
Enterprise Reporter Data Fields
The following are lists of fields that occur in Enterprise Reporter data, organized by type of returned object.
|
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. |
Computers
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AccountFullName |
No |
MAIN\HOUDEVW04$ |
SAMAccountDomain\SAMAccountName of the relevant computer account |
|
AccountSid |
No |
S-1-5-21-636461855- |
Security identifier (SID) of the computer account |
|
ComputerName |
Yes |
achtung.main.mycompany.corp |
Short or NetBIOS name for the computer |
|
Description |
Yes |
Serial , AOPEN_, AWRDACPI, 1002MHz, 1002MHz, 3072MB RAM |
Description for the computer |
|
DistinguishedName |
No |
CN=HOUITW09, |
Distinguished name for domain computer |
|
Domain |
Yes |
|
Same as DomainName |
|
DomainName |
No |
main.mycompany.corp |
Fully qualified domain name |
|
Groups |
No |
Pre-Windows 2000 Compatible Access;Cert Publishers |
List of groups (in common name format) where the computer account is a member explicitly |
|
HasGroups |
No |
True |
True if this computer account is a member of any group |
|
IsHidden |
No |
False |
True if the server is visible to other computers in the same network; otherwise, false |
|
Location |
Yes |
US/Houston |
Location of domain computer |
|
ManagedByDisplayName |
No |
Patricia Lum |
The display name of account by which the domain computer is managed |
|
ManagedByType |
No |
Users |
Type of account by which the domain computer is managed; Users or Groups |
|
Name |
Yes |
achtung |
NetBIOS name of the computer |
|
NetBiosName |
No |
IRVWEBW05 |
NetBIOS name for domain computer |
|
NumLogons |
No |
291 |
Number of times the domain computer was logged into |
|
OSName |
No |
Windows Server 2003 |
Full name of the computer's operating system |
|
OSServicePack |
No |
Service Pack 1 |
Service pack name for the computer's operating system |
|
OSVersion |
No |
5.2 (3790) |
Operating system version number for the computer |
|
OU_CanonicalName |
No |
main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers |
Canonical name for organizational unit |
|
OU_DistinguishedName |
No |
OU=Cary, |
Distinguished name for organizational unit |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
Scope |
Yes |
Active Directory |
Active Directory or Workgroup |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
Where |
No |
|
Same as ComputerName, NetBiosName |
|
Who |
No |
|
Same as ManagedByFullName, ManagedByDisplayName |
Files
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Computer |
Yes |
|
Same as ComputerName |
|
ComputerName |
No |
WST9240.main.mycompany.corp |
Short or NetBIOS name for the computer |
|
DomainName |
Yes |
MAIN |
NetBIOS name for domain |
|
Extension |
Yes |
.exe |
Extension of the file |
|
File |
Yes |
TestConsol.exe |
File or folder name |
|
FullAccountName |
Yes |
WST9240\Administrators |
SAMAccountDomain\SAMAccountName of owner account |
|
OU_CanonicalName |
Yes |
main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers |
Canonical name for organizational unit (for domain users only) |
|
Owner |
Yes |
|
Same as FullAccountName, OwnerSid |
|
Owner Domain |
No |
|
Same as SAMOwnerDomain |
|
OwnerSid |
No |
S-1-5-32-544 |
Security identifier (SID) of the owner account |
|
OwnerType |
No |
Groups |
Owner account type: Users or Groups |
|
Path |
Yes |
D:\Images\59491\ |
Full path of the folder or file; based on the collection options, the value could be in the format c:\folder or \\computer\shared\Folder |
|
Permission |
No |
|
Same as PermissionsText |
|
PermissionsText |
No |
WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/execute file, Read attributes, Write attributes, Read permissions Inherite |
Semicolon-delimited list of permission/ Account: access_ type [Allow|Deny] inheritance[Inherited|Explicit] |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
SAMOwnerDomain |
No |
WST9240 |
SAM account name of owner account's domain |
|
SAMOwnerName |
No |
Administrators |
SAM account name of owner account |
|
Size |
Yes |
31335914 |
Size in bytes of the NTFS object |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
Type |
Yes |
File |
File or Folder; Folder if the NTFS object is a folder; otherwise, File |
|
What |
No |
|
Same as PermissionsText |
|
Where |
No |
|
Same as ComputerName |
|
Who |
No |
|
Same as PermissionsText |
Groups
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AccountSid |
No |
S-1-5-21-636461855- |
Security identifier (SID) of the account |
|
AdminDisplayName |
No |
Administrator |
Admin display name for the domain group; name is displayed on admin screens |
|
CanonicalName |
No |
main.mycompany.corp/Groups/ |
The name of the domain group in canonical format |
|
CommonName |
No |
Development Users |
Common name for domain group |
|
Description |
Yes |
Owner: CLIVE_HERRY |
Description of the group |
|
DisplayName |
No |
AA_Accounting |
Display or common name for the group |
|
DistinguishedName |
No |
CN=MCDL.RD.CRDHub.APAC.AU,OU=RD, |
Distinguished name for domain group or SAM account name for a local user (computer\username) |
|
Domain |
Yes |
|
Same as DomainName |
|
DomainName |
Yes |
main.mycompany.corp |
Fully qualified domain name for domain accounts or computer's NetBios Name for local |
|
|
Yes |
|
Same as EmailAddress |
|
EmailAddress |
No |
BC5796F842DD49CD8F4@ |
Email address for the group |
|
Friendly Name |
Yes |
|
Same as FriendlyName |
|
FriendlyName |
No |
AA_Accounting (MAIN\FB430EAC2D2E4) |
Friendly name for the group |
|
FullAccountName |
No |
MAIN\Office.AMER.US.Boston |
domain\group; group is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer |
|
FullName |
No |
Development Users |
Full name for domain group |
|
Groups |
No |
MCDL.PreSales.NAC.DatabasePerf; |
Common or SAM account names of groups (semicolon-separated) that are explicitly members |
|
GroupScope |
Yes |
Universal |
One of the following:
|
|
GroupType |
Yes |
|
Same as IsSecurityEnabled |
|
HasGroups |
No |
False |
True if this group has members of type "group" |
|
HasUsers |
No |
True |
True if this group has members of type "user" |
|
HomePage |
No |
http://homepage |
Primary home page for domain group |
|
Info |
No |
Created as part of the ChangeBase Mail migration by Charles Arrot |
Informational notes on the domain group |
|
IsSecurityEnabled |
No |
Security |
Security or Distribution |
|
Managed By |
No |
|
Same as ManagedByDisplayName, ManagedByFullName |
|
ManagedByDisplayName |
No |
Owen Range |
Display name or Common name of account by which the domain group is managed |
|
ManagedByFullName |
No |
CN=Sarah Quash,OU=Employees, |
Account (distinguished name) by which the domain group is managed |
|
ManagedByType |
No |
Users |
Type of account by which the domain group is managed; Users or Groups |
|
Name |
Yes |
|
Same as DisplayName |
|
Nested Groups |
No |
|
Same as Groups |
|
Organizational Unit |
Yes |
|
Same as OU_CanonicalName |
|
OU_CanonicalName |
No |
main.mycompany.corp/Groups/Sales |
Canonical name for organizational unit |
|
OU_DistinguishedName |
No |
OU=Sales,OU=Groups,DC=main, |
Distinguished name for organizational unit |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
SAMAccountDomain |
No |
MAIN |
SAM account name for the account's domain for domain's groups or NetBIOS name of the computer for computer's groups |
|
SAMAccountName |
No |
MCDL.RD.CRDHub.APAC.AU |
SAM account name for the account |
|
SIDHistory |
No |
S-1-5-21-329068152- |
List of previous security identifiers (SID) used if the domain group was moved from other domains |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
Url |
No |
http://group |
URL addresses of websites for the domain group |
|
Users |
No |
Zoe Ucchini;Peter Omelo |
Common or SAM account names of users (semicolon-separated) that are explicitly members |
|
Where |
No |
|
Same as DomainName |
|
Who |
No |
|
Same as Users, UsersAccounts, ManagedByFullName, ManagedByDisplayName |
OUs
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AppliesTo |
No |
|
Same as PermissionsText |
|
CanonicalName |
Yes |
main.mycompany.corp/Builtin |
Canonical name for organizational unit |
|
ContainerType |
No |
Container |
Type of container: Container or Organizational Unit |
|
Description |
Yes |
Default container for upgraded computer accounts |
|
|
DistinguishedName |
No |
Description for organizational unit |
Distinguished name for organizational unit |
|
Domain |
Yes |
|
Same as DomainName |
|
DomainName |
No |
main.mycompany.corp |
Fully qualified domain name |
|
HasPermissions |
No |
True |
True or False; True if PermissionsText is not empty |
|
Managed By |
Yes |
|
Same as ManagedByFullName,ManagedByDisplayName |
|
ManagedByDisplayName |
No |
MCDL.RD.ITSearch |
Display or common name of management account |
|
ManagedByFullName |
No |
CN=MCDL.RD.ITSearch,OU=RD,OU=Groups, |
The account (distinguished name) by which the organizational unit is managed |
|
ManagedByType |
No |
Groups |
Management account type; Users or Groups |
|
Name |
Yes |
Computers |
Common short name for organizational unit |
|
NumberOfComputers |
No |
4 |
Number of domain computers in organizational unit |
|
NumberOfContacts |
No |
5 |
Number of contacts in organizational unit |
|
NumberOfGroups |
No |
3 |
Number of domain groups in organizational unit |
|
NumberOfOtherObjects |
No |
6 |
Number of other domain objects in organizational unit |
|
NumberOfUsers |
No |
2 |
|
|
Permission |
No |
|
Same as PermissionsText |
|
PermissionsText |
No |
NT AUTHORITY\SELF: Allow Read Property, Write Property for location [Descendant computer objects] Inherited;NT AUTHORITY\SELF: Allow Read Property, Write Property for defender-tokenData [Descendant defender-tokenLicenseClass objects] Inherited |
Semicolon-separated list of permission/ account: access_ type [Allow|Deny] inheritance[Inherited|Explicit] |
|
RelatedOU |
No |
|
Same as CanonicalName |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
What |
No |
|
Same as PermissionsText |
|
Where |
No |
|
Same as DomainName |
|
Who |
No |
|
Same as ManagedByFullName,PermissionsText |
Shares
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Comment |
Yes |
Docs share |
Comment for the share |
|
Computer |
Yes |
|
Same as ComputerName |
|
ComputerName |
No |
WST9240.main.mycompany.corp |
NetBIOS name of the computer |
|
FullOwnerName |
No |
WST9240\Administrators |
SAMAccountDomain\SAMAccountName of owner account |
|
Local Path |
Yes |
|
Same as SharePath |
|
Name |
Yes |
|
Same as ShareName |
|
Owner |
Yes |
|
Same as FullOwnerName |
|
OwnerDomain |
No |
WST9240 |
SAM account name of owner account's domain |
|
OwnerName |
No |
Administrators |
SAM account name of owner account |
|
OwnerType |
No |
Groups |
Owner account type; Users or Groups |
|
PermissionsText |
No |
WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/execute file, Read attributes, Write attributes, Read permissions Inherite |
Semicolon-delimited list of permission/ Account: access type [Allow|Deny] Inheritance[Inherited|Explicit] |
|
RelatedOU |
No |
main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers |
Canonical name for organizational unit (for domain users only) |
|
ShareName |
No |
C$ |
Name of the share |
|
SharePath |
No |
D:\Custom Utilites |
Local path of share |
|
ShareType |
No |
Administrative Shared Folder |
Type of resource being shared |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
What |
No |
|
Same as PermissionsText |
|
Where |
No |
|
Same as ComputerName |
|
Who |
No |
|
Same as PermissionsText |
Users
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Account SID |
Yes |
|
Same as AccountSid |
|
AccountIsDisabled |
No |
True |
True if domain(computer) user account is disabled; otherwise, False |
|
AccountIsLocked |
No |
False |
True if domain(local) user account is locked; otherwise, False |
|
AccountSid |
No |
S-1-5-21-636461855- |
Security identifier (SID) of the account |
|
Assistant |
No |
CN=Pamela Ear, |
The distinguished name of the domain user's administrative assistant |
|
CannotChangePassword |
Yes |
False |
True if the local user cannot change the password; otherwise, false |
|
City |
No |
Shanghai |
City of domain user account |
|
Company |
Yes |
My Company Inc. |
Company of the user account |
|
Country |
Yes |
Canada |
Country or region of the user account |
|
Department |
Yes |
R&D - Development |
Name of the user's department |
|
Description |
No |
Build account for Archive Manager Offline Client |
Description of the user |
|
DirectReports |
No |
CN=Philip Arsley, |
List of domain users that directly report to the domain user |
|
DisplayName |
No |
Caroline Abbage |
Display name or SAMAccount name for the user |
|
DistinguishedName |
No |
CN=Caroline Abbage, |
Distinguished name for domain user or computer\user for local users |
|
Division |
No |
Reporting division |
Division for domain user |
|
Domain |
Yes |
main.mycompany.corp |
Fully qualified domain name for domain's users or NetBIOS name of the computer for computer's users |
|
|
Yes |
|
Same as EmailAddress |
|
EmailAddress |
No |
Patricia.Lum@support.mycompany.com |
Email address for the user |
|
EmployeeID |
No |
69267 |
Employee ID for domain user |
|
FaxNumber |
No |
0123456789 |
Facsimile number for domain user |
|
FirstName |
No |
Paul |
Given name (first name) of domain user |
|
FullAccountName |
No |
MAIN\jcdenton |
domain\user; user is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer |
|
Groups |
No |
WST8766VM1\Administrators; |
List of groups. CommonName or Computer\groupName (explicit membership) |
|
HasDirectReports |
No |
True |
True or False; True if DirectReports is not empty |
|
HasGroups |
No |
True |
True if this user is member of any group |
|
HasPhoto |
No |
True |
True if this user has a photo |
|
HomeDirSize |
No |
0 |
Size of the home directory for the domain user |
|
HomePhoneNumber |
No |
+7-123-4567890 |
Phone number for the domain user |
|
HomePostalAddress |
No |
Main street |
Mailing address for the domain user |
|
Info |
No |
Account used for Patchlink & Symantec scanning of domain systems |
Informational notes on the domain user |
|
Initials |
No |
M |
Initials for the domain user |
|
IpPhone |
No |
+44 1234 567890 x12345 |
IP telephone number or address for the domain user |
|
LastName |
No |
Epper |
Last name of domain user |
|
LogonHours |
No |
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |
Hex-coded hours that the domain/local user is allowed to log on to the domain |
|
Logon Name |
No |
|
Same as LogonName |
|
LogonName |
No |
SVC-Scanner@main.mycompany.corp |
Logon name for the domain user |
|
ManagedBy |
No |
CN=Christina Hilli, |
The account (distinguished name) by which the domain user is managed |
|
Manager |
Yes |
|
Same as ManagedBy,ManagedByDisplayName |
|
MiddleName |
No |
N |
Middle name for the domain user |
|
Mobile |
Yes |
+7-123-4567890 |
Mobile number for the user |
|
Name |
Yes |
|
Same as DisplayName |
|
NumLogons |
No |
3910 |
Number of times the domain/local user has successfully logged on |
|
Office |
Yes |
Castlegar |
Office location for the user |
|
Organizational Unit |
Yes |
|
Same as OU_CanonicalName |
|
OtherIpPhone |
No |
Conference 84030 |
List of alternate TCP/IP addresses for the phone for the domain user (Telephony) |
|
OtherMailbox |
No |
other_mailbox@hotmail.com |
Additional email addresses for the domain user |
|
OtherMobile |
No |
+55 11 12345 6789 |
List of alternate mobile phone numbers for the domain user |
|
OtherTelephone |
No |
+1 123 456 7890 |
List of alternate telephone numbers for the domain user |
|
OU_CanonicalName |
No |
main.mycompany.corp/IS/SVC-Accounts/MailboxEnabled |
Canonical name for organizational unit (for domain users only) |
|
OU_DistinguishedName |
No |
OU=Enabled SVC-Accounts, |
Distinguished name for organizational unit (for domain users only) |
|
PasswordIsexpired |
No |
True |
True if domain user's password is expired; otherwise, false |
|
PasswordNeverExpires |
No |
True |
True if the domain/local user's password never expires; otherwise, false |
|
PersonalTitle |
No |
Mr. |
Personal title for the domain user |
|
PostalCode |
No |
411016 |
Postal or zip code for the domain user |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
SAM Account Domain |
Yes |
|
Same as SAMAccountDomain |
|
SAM Account Name |
Yes |
|
Same as SAMAccountName |
|
SAMAccountDomain |
No |
MAIN |
SAM account name for the account's domain for domain's users or NetBIOS name of the computer for computer's users |
|
SAMAccountName |
No |
jcdenton |
SAM account name for the account |
|
Scope |
Yes |
Active Directory |
Active Directory or Computer |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
StateOrProvince |
No |
AZ |
State or province for the domain user |
|
StreetAddress |
No |
1042 Bluesky Blvd., Bldg. 1 Flagstaff AZ |
Street address for the domain user |
|
TelephoneNumber |
No |
+1 123 456 7890 x45678 |
Telephone number for the domain user |
|
Title |
Yes |
Software Developer 3 |
Title for the user |
|
UserPrivilegeLevel |
No |
Normal |
Flag for user privilege level: Normal or Unknown |
|
UserWorkstations |
No |
ALVMISW02,ALVSANW01,ALVPATW01,ALVPATW02 |
NetBIOS or DNS names of the computers running Windows?NT Workstation or Windows?2000 Professional to which the domain user can log on |
|
Where |
No |
|
Same as DomainName |
|
Who |
No |
|
Same as SAMAccountName, DisplayName, AccountSid, DistinguishedName |
Other Object Types
In addition to the object types listed above, Enterprise Reporter can provide field data for various other objects. To see the kinds of objects available in your environment, click the More tab in the search result grid. For a list of supported fields of a particular object type, see the details of such an object.