Monitor Active Directory Changes with Netwrix Auditor
Auditing an environment is a labor-intensive task if done manually. Why do something manually when we can employ automation or software to do it for us? Active Directory auditing is one of those tedious tasks: gathering information on who made a change and what they changed can be a bear to manage. In steps Netwrix Auditor 9.0, which provides a feature-rich and powerful way to record changes not only in Active Directory but also in Windows file servers, Oracle DBs, Azure AD, EMC Storage, SQL Server, Exchange, NetApp, Windows Server, Office 365, SharePoint and VMware. It creates reports automatically and has alerting that can proactively notify you when things in the environment have changed. Let’s take a look at how to monitor Active Directory changes with Netwrix Auditor.
Monitor Active Directory Changes with Netwrix Auditor
You can monitor Active Directory changes with Netwrix Auditor Community Edition for free. However, there are some limitations to the free version of Auditor. The feature by feature comparison can be found here. To begin with, when you download the trial version of Netwrix, you will be placed in a 20-day trial mode, which allows you to see all the unrestricted features of the product.
Installation Process
The downloaded zip file is around 187 MB. When you execute the included .exe file, you will see the installer app for Auditor.
The setup file process is your standard installer.
The full installation includes the server software as well as the client to interact with the Auditor server.
Configuring Netwrix Auditor
The configuration window is a tad busy; however, it is intuitive and you can find what you are looking for. To set up the Active Directory plan, click New Active Directory Plan in the upper left-hand corner.
This launches the New Monitoring Plan configuration. We specify the account for collecting data.
Netwrix Auditor uses a SQL database for its backend. If you don’t have an existing instance to point Auditor to, you can choose to install the included SQL Express database, which is what I chose below.
SQL Express instance install configuration begins.
Below we specify the Windows authentication enabled user account.
Netwrix Auditor creates the default Netwrix_Auditor_Monitoring_plan_1 DB. We can also specify custom connection parameters for the SQL connection.
Next we set up the Notifications configuration, which is the SMTP server that Netwrix Auditor uses for sending emails, alerts, etc.
Click Add Recipients to add the email address(es) for the recipients.
Specify the name of our Monitoring plan.
Here I accepted the default for Specify item for monitoring, which is Domain (the entire Active Directory domain, with containers, printers, users, etc).
Next, we add the FQDN of the domain we want to monitor.
We should now see the domain we have added. Note that the Issues encountered shown below in my screenshot were related to WinRM connections to Exchange.
Reports
One thing that was not configured automatically for me was the report settings. In fact, the first time I tried to run a report I received an error stating report settings were missing. To enable those, navigate to Settings >> Audit Database. Then the settings need to be populated under SQL Server Reporting Services settings.
Now we can view our reports. After making a change in Active Directory in the lab, I viewed the All Active Directory Changes report.
Quickly, I saw the change that I had made appear in the report. As you can see below, you have all the useful information that you would expect to see in an audit report of changes made in Active Directory – Action, Object Type, What, Who, and When.
Also really helpful are the Alerts that can be configured for your environment. Below is a screenshot of just a few of the “in the box” prebuilt alerts. We can also set up custom alerts. To configure recipients, simply click the “pencil” icon to the right of the specific alert.
Below is a sample of the information I received via email about changes made to the environment.
Great information delivered right to your fingertips via email. If you are tasked with monitoring or change control for Active Directory, this type of alerting and reporting is exceptional and takes the heavy lifting out of otherwise manual processes.
Thoughts
We have only scratched the surface here on Netwrix Auditor and its capabilities and features. This post only looked at how to monitor Active Directory changes with Netwrix Auditor, but as mentioned above, it can monitor many other software packages and infrastructure. Take a look at Netwrix Auditor and download a trial to kick the tires.