Open-AudIT

I have a domain with 1350 computers in it. I want to audit only computers that are in a specific OU. I thought this might be possible by modifying the local_domain variable in audit_config.
I can't seem to get it to work, but I'm not sure if it's because it's just not possible, or because the OU path has a space in it.

This works
[code]
local_domain = "LDAP://mydomain.local"[/code]

This is what I want to work
[code]local_domain = "LDAP://mydomain.local/this ou/andthisou"[/code]

Is it possible to do something like this? Or, do I have to audit the whole domain?

Thanks

The audit.config Active Directory audit LDAP settings have to be be something like...

[code]
audit_local_domain = "y"
local_domain = "LDAP://ou=servers,dc=mydomain,dc=local"
[/code]

so try changing

[code]
local_domain = "LDAP://mydomain.local/this ou/andthisou"
[/code]
to
[code]
local_domain = "LDAP://ou=thisou,dc=mydomain,dc=local"
[/code]
I dont know if it supports wild cards, but try it and see for example...
[code]
local_domain = "LDAP://ou=this*,dc=mydomain,dc=local"
[/code]

Let us know if any of this works.

Do bear in mind that you need WMI access in each of the containers (OUs), so be aware of possible policy restrictions, you probably will need to be a full domain admin of the Tree, not just an admin in a particular container.

Have fun...

Thank you. I got it to work with your suggestion.
For the following AD structure:
[code]
|-domain.local
|
|
|--ME
|
|-ANDR 152 Fluent Computers
[/code]

This code worked.
[code]local_domain = "LDAP://ou=ANDR 152 Fluent Computers,ou=ME,dc=emsad,dc=calumet,dc=purdue,dc=edu"[/code]

Notice the order of the ou's in the local_domain line is from bottom up.

Good observation, and perhaps less than obvious in my post. Glad you got it working.