Monitor Active Directory Changes with Netwrix Auditor


Auditing an environment is a labor-intensive task if done manually. Why do something manually when automation or software can do it for us? Active Directory auditing is one of those tedious tasks that can be a bear to manage, especially when you need to gather information on who made a change and what they changed. Enter Netwrix Auditor 9.0, which provides a feature-rich and powerful way to record changes not only in Active Directory but also in Windows file servers, Oracle DBs, Azure AD, EMC Storage, SQL Server, Exchange, NetApp, Windows Server, Office 365, SharePoint and VMware. It creates reports automatically and can proactively alert when things in the environment have changed. Let’s take a look at how to monitor Active Directory changes with Netwrix Auditor.

Monitor Active Directory Changes with Netwrix Auditor

You can monitor Active Directory changes with Netwrix Auditor Community Edition for free. However, the free version of Auditor has some limitations. The feature by feature comparison can be found here. When you download the trial version of Netwrix, you are placed in a 20-day trial mode that lets you see all the unrestricted features of the product.

Installation Process

The downloaded zip file is around 187 MB.  When you execute the included .exe file, you will see the installer app for Auditor.


The setup process is a standard installer.


The full installation includes the server software as well as the client to interact with the Auditor server.


Configuring Netwrix Auditor

The configuration window is a tad busy; however, it is intuitive and you can find what you are looking for. To set up the Active Directory plan, click New Active Directory Plan in the upper left-hand corner.


This launches the New Monitoring Plan configuration.  We specify the account for collecting data.


Netwrix Auditor uses a SQL database as its backend. If you don’t have an existing instance to point Auditor to, you can choose to install the included SQL Express database, which is what I chose.


The SQL Express instance installation and configuration begins.


Next we specify the user account enabled for Windows authentication.


Netwrix Auditor creates the default Netwrix_Auditor_Monitoring_plan_1 DB.  We can also specify custom connection parameters for the SQL connection.


Next we set up the Notifications configuration, which is the SMTP server that Netwrix Auditor uses for sending emails, alerts, etc.


Click Add Recipients to add the email address(es) of the recipients.


Next, specify the name of the monitoring plan.


Here I accepted the default item to monitor, which is Domain (the entire Active Directory domain, with containers, printers, users, etc.).


Next, we add the FQDN of the domain we want to monitor.


We should now see the domain we have added. Note that the issues encountered in my screenshot were related to WinRM connections to Exchange.


Reports

One thing that was not configured automatically for me was the report settings. In fact, the first time I tried to run a report I received an error stating that report settings were missing. To enable them, navigate to Settings >> Audit Database, then populate the settings under SQL Server Reporting Services settings.


Now we can view our reports. After making a change in Active Directory in the lab, I viewed the All Active Directory Changes report.


Quickly, I saw the change that I had made appear in the report.  As you can see below, you have all the useful information that you would expect to see in an audit report of changes made in Active Directory – Action, Object Type, What, Who, and When.
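
One way to triage an export of the All Active Directory Changes report, as an added example that is not from the original post or from Netwrix. It assumes the report was saved as CSV with the five columns named above and a `YYYY-MM-DD HH:MM:SS` timestamp; the sensitive-group list, the approved-account list and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Assumptions (not from the post): CSV layout, timestamp format, names below.
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins"}
APPROVED_ADMINS = {r"lab\adm-alice"}   # accounts expected to make AD changes
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time

# Constructed sample data, not output from a real Netwrix Auditor report.
SAMPLE_EXPORT = r"""Action,Object Type,What,Who,When
Modified,group,\lab.local\Users\Domain Admins,LAB\jsmith,2017-06-03 02:14:09
Added,user,\lab.local\Staff\Test User,LAB\adm-alice,2017-06-05 10:30:41
Removed,user,\lab.local\Staff\Old Temp,LAB\adm-alice,2017-06-05 23:05:12
Modified,group,\lab.local\Groups\Helpdesk,LAB\adm-alice,2017-06-06 09:12:00
"""

def triage(export_text):
    """Return (row, reasons) for every change that deserves a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        # Last path component of "What" is the object name.
        leaf = row["What"].rsplit("\\", 1)[-1].strip().lower()
        if row["Object Type"].strip().lower() == "group" and leaf in SENSITIVE_GROUPS:
            reasons.append("sensitive group changed")
        if row["Who"].strip().lower() not in APPROVED_ADMINS:
            reasons.append("actor not on approved list")
        when = datetime.strptime(row["When"].strip(), "%Y-%m-%d %H:%M:%S")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE_EXPORT):
        print(row["When"], row["Who"], row["Action"], row["What"],
              "->", "; ".join(reasons))
```
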


Also really helpful are the Alerts that can be configured for your environment. Below is a screenshot of just a few of the “in the box” prebuilt alerts. We can also set up custom alerts. To configure recipients, simply click the “pencil” icon to the right of the specific alert.


Below is a sample of the information I received via email about changes made to the environment.


Great information delivered all at your fingertips via email.  If you are tasked with monitoring or change control for Active Directory, this type of alerting and reporting is exceptional and takes the heavy lifting out of otherwise manual processes.

Thoughts

We have only scratched the surface here of Netwrix Auditor and its capabilities and features. This post only looked at how to monitor Active Directory changes with Netwrix Auditor, but as mentioned above, it can monitor many other software packages and infrastructure. Take a look at Netwrix Auditor and download a trial to kick the tires.