How to create a rule to disable an account that is being used to log on to a specific workstation after business hours?
1. Open the Quest InTrust Manager MMC snap-in.
2. Expand the Real-Time Monitoring | Rules | Windows/AD Security | Detecting Common Attacks | Gaining User Access | Suspicious logons node.
3. Right-click on "Successful logon during non-business hours" rule and select "Copy"
4. Right-click on "Suspicious logons" node and select "Paste"
5. Right-click on the copied rule just created and select "Properties"
6. Under the "General" tab, click on "Configure Activity Time..." and specify the time range you want (e.g. 7pm - 6am), then click Activate and OK.
7. Check the box for "Enabled"
8. Click on "Response Actions" tab and click Add.
9. Select "Execute script" and click OK.
10. Select "Disable User" script, click Next and Finish.
11. From the Parameters list, select "Domain" and click "Edit..".
12. Type the following for the value: %String2%
13. From the Parameters list, select "User" and click "Edit..".
14. Type the following for the value: %String1%
15. Click OK
16. Click on "Notifications" tab and check "E-mail" box if you need notification to be sent.
17. Click OK
Below are the steps to set up the policy:
1. Expand the Real-Time Monitoring | Policies node
2. Right-click on "Policies" node and select "New Policy..."
3. Type the name of this Policy
4. Add the site that you need this policy applied to.
5. Add the rule that we just created above.
6. Check "Notify selected operators" and add the recipients.
7. Click Finish
8. Right-click on the new policy and check the box for "Activate"
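
The decision the copied rule makes, sketched in Python as an added example (this is not InTrust code and not the "Disable User" script): the activity window from step 6 wraps past midnight, and %String1% / %String2% are mapped to User / Domain as in steps 11-14. The workstation name, the exempt list, the exclusive end boundary and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, time

WINDOW_START, WINDOW_END = time(19, 0), time(6, 0)  # 7pm - 6am, as in step 6
WATCHED_WORKSTATION = "WKS-FIN-01"                  # hypothetical workstation
EXEMPT_USERS = {"svc_backup"}                       # hypothetical: never auto-disabled

def in_activity_window(ts, start=WINDOW_START, end=WINDOW_END):
    """True if ts falls in the window; handles windows that wrap past midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # end boundary treated as exclusive (assumption)

def accounts_to_disable(events, workstation=WATCHED_WORKSTATION):
    """Return sorted unique (domain, user) pairs a disable action would receive."""
    hits = set()
    for event in events:
        if event["computer"].lower() != workstation.lower():
            continue  # logon happened on some other machine
        if not in_activity_window(event["time"]):
            continue  # inside business hours
        strings = event["strings"]
        if len(strings) < 2 or not strings[0] or not strings[1]:
            continue  # malformed event: never guess an account name
        user, domain = strings[0].lower(), strings[1].upper()  # %String1%, %String2%
        if user.endswith("$") or user in EXEMPT_USERS:
            continue  # machine and exempt accounts are skipped (assumed policy)
        hits.add((domain, user))  # set membership de-duplicates repeat logons
    return sorted(hits)

def make_event(ts, computer, *strings):
    return {"time": datetime.fromisoformat(ts), "computer": computer,
            "strings": list(strings)}

# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    make_event("2024-03-04T19:30:00", "WKS-FIN-01", "jdoe", "CORP"),
    make_event("2024-03-05T05:59:00", "wks-fin-01", "JDoe", "corp"),    # same account
    make_event("2024-03-05T06:00:00", "WKS-FIN-01", "asmith", "CORP"),  # window closed
    make_event("2024-03-04T23:10:00", "WKS-HR-02", "bwhite", "CORP"),   # other machine
    make_event("2024-03-04T22:00:00", "WKS-FIN-01", "WKS-FIN-01$", "CORP"),
    make_event("2024-03-05T02:15:00", "WKS-FIN-01", "svc_backup", "CORP"),
    make_event("2024-03-05T00:05:00", "WKS-FIN-01", "mlee", "CORP"),
    make_event("2024-03-05T01:00:00", "WKS-FIN-01", "", "CORP"),        # malformed
]

if __name__ == "__main__":
    for domain, user in accounts_to_disable(SAMPLE_EVENTS):
        print(f"Domain={domain} User={user}")
```

Running the same check over exported logon events before activating the policy shows which accounts the response action would hit, including any administrative or service accounts that should be excluded first.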