How to Search for events where the user object attribute value is in the To: field
说明
Administrators may want to Search for ChangeAuditor events where the Active Directory user attribute value is in the To: field indicating that the attribute was populated but had been deleted or cleared.
解决办法
The following is an example of how to filter ChangeAuditor events to return when the last name attribute is changed from a value to "The "Last name changed on user object" event can be substituted with any event triggered by a change in an Active Directory user attribute.
Click on the What tab of the Search
Click the drop arrow next to the "Add" button and select "Subsystem | Active Directory..."
Under Actions, ensure only "Delete Attribute" is checked * Do not change the "Scope" or "All Transports"
Click OK
On the What tab of the Search, click the drop arrow next to the "Add" button and select "Event Class"
Locate the and select the Event Class "Last name changed on user object"