The out-of-the-box real-time rule/alert "User account removed by unauthorized personnel" does not work correctly on Windows 2008/R2.
This is because the following piece of the Matching REL code contains incorrect string values for the 2008 event:
EventID = 4726
and common(String5, String4)
WORKAROUND
It should be:
EventID = 4726
and common(String6, String5)
STATUS
Waiting for fix in a future release of InTrust.