So I'm trying to get up a rule to monitor whether a service account is logging in interactively (I know this can be disabled though GP, but humor me for a minute). The thing I'm running into is that (typically) service accounts go into the Service Accounts OU, which doesn't appear to be selectable using an Active Directory Group. I'm probably missing something obvious, but is there some way to select for this OU so that it monitors anyone who's in it? Thanks.
We recently did this ourselves. LEM won't monitor an OU, only a security group. We created a security group in AD called "service accounts". Placed all our service accounts in there. When we created the rule for interactive logins, we just located the new security group via "directory services" in LEM. works like a charm.