Filtering Security logs by account name (Active Directory)

  • Open up Security logs on the Domain Controller
  • Select ‘Filter Current Logs’ on the right hand side
  • Select the XML tab at the top and enter the below XML (Updating with the Username that you require)
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">* [EventData[Data[@Name='TargetUserName']='USERNAME']]</Select>
  </Query>
</QueryList>

Any comments or questions? Get in touch here or Email me at [email protected]