I may be overthinking this; it seems like it should be easier. We have several accounts that are in Admin groups on several servers; however, their names do not contain "admin", "administrator" or "root". After some investigation, we realized that those users are not being treated as administrators. Looking through Windows logs and LEM logs, we see that their groups ("Administrators", "DNSAdmins", etc.) are not being inserted into the logs and therefore not being sent to LEM, resulting in LEM not recognizing them as admins. I tried adding the User Defined Admin Groups to the rule; however, it still doesn't work, since Windows is not sending the groups a user belongs to with its logs.
Is there a way to either:
Make LEM harvest admins to populate the User Defined admin group
Add the group a user belongs to in the Windows Logs sent to LEM
Have LEM call back to a server to see if a user who has failed logon is in an admin group?
Thanks
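One way to do the harvesting side of option 1 yourself, as an added example that is not from the original post or from SolarWinds: enumerate the local and domain admin-type groups (including nested membership, which is what a plain 4625 failed-logon event never carries) into a CSV that can then be used to populate the LEM User Defined Group. It assumes PowerShell 5.1+ on the member servers, the RSAT ActiveDirectory module on the machine running it, and placeholder server and group names.

```powershell
# Added example, not from the original post or from SolarWinds: collect the
# accounts that are actually members of admin-type groups so the list can be
# loaded into a LEM User Defined Group. Server names are placeholders.
$Servers      = @('SERVER01', 'SERVER02')        # placeholder member servers
$LocalGroups  = @('Administrators')              # local groups to enumerate
$DomainGroups = @('DNSAdmins', 'Domain Admins')  # domain groups to enumerate

# 1. Local group members on each server (Get-LocalGroupMember needs PS 5.1+).
$local = Invoke-Command -ComputerName $Servers -ArgumentList (,$LocalGroups) -ScriptBlock {
    param($groups)
    foreach ($g in $groups) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Source = $env:COMPUTERNAME
                Group  = $g
                Member = ($_.Name -split '\\')[-1]  # strip DOMAIN\ or HOST\ prefix
                Type   = $_.ObjectClass             # 'User' or 'Group'
            }
        }
    }
}

# 2. Domain group members, expanded through nested groups (-Recursive returns
#    only leaf objects, so a user nested two groups deep is still listed).
Import-Module ActiveDirectory
$domain = foreach ($g in $DomainGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{ Source = 'AD'; Group = $g; Member = $_.SamAccountName; Type = $_.objectClass }
    }
}

# 3. Domain groups nested inside the local Administrators group show up in step 1
#    with Type 'Group'; expand them too so an admin-by-nesting user is not missed.
#    Purely local groups make Get-ADGroupMember fail, which is silently skipped.
$nested = $local | Where-Object Type -eq 'Group' | ForEach-Object {
    $name = $_.Member
    Get-ADGroupMember -Identity $name -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $name; Group = $name; Member = $_.SamAccountName; Type = $_.objectClass }
    }
}

# One row per account name (the value a logon event carries); this CSV is the
# list to put into the LEM User Defined Group.
@($local; $domain; $nested) | Where-Object Type -ne 'Group' |
    Sort-Object Member -Unique |
    Export-Csv -Path .\admin-accounts.csv -NoTypeInformation
```

Re-run it on a schedule and diff the CSV against the previous run so the LEM group does not drift as group membership changes.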