AD Audit Program Overview: Active Directory Change Reporter
Recently, we wrote about how to configure and audit Active Directory on our own and what are some difficulties in using a standard Windows audit system for organization purposes. In this post, we will talk a bit (and show - at the end of the presentation) about our NetWrix Active Directory Change Reporter program , which audits AD and helps to overcome the limitations of AD built-in tools (event viewer, tombstone, recycle bin ...), which have a number of important disadvantages:
1. A large amount of “unnecessary” information in magazines. If you try to search for information about an event manually, you can spend a lot of time to find it. The number of events that are recorded in the log is very large, so analyzing the event log can be a rather time-consuming task. Therefore, there are various utilities that process and filter the event log, thereby providing only informative data.
2. Short period of data storage due to log rewriting.The event log is not intended for long-term storage of data in large domains. For long-term storage of events, you can enable auto-archiving of the event log, but you need to be careful because archives can very quickly fill up all the free space on the disk, which will lead to serious consequences.
3. Logging on each of the domain controllers. There is no possibility of regular means to achieve the unification of all journal entries in a single place. Log entries need to be analyzed on each of the domain controllers. But the number of these records even in medium-sized domains on one domain controller can reach several tens per second, which makes the search process problematic.
4. Limited recovery options. Namely:
- Lack of graphical interface;
- Ability to recover only deleted objects. Changes cannot be rolled back.
- Lack of the possibility of mass recovery, for example, immediately restore the organizational unit with all its members;
- With a developed forest structure - the inability to restore objects from the same machine from different domains.
In order to provide more efficient management of IT-infrastructure, specialized solutions in the field of audit AD are developed.
NetWrix Active Directory Change Reporter product is just such a solution, consider its functionality:
1. Reporting on AD changes.Once a day, the program collects data on all changes made in your AD and sends a ready report to the indicated recipients, with information on who made this or that change and when.
2. Fixing in reports the values “Before” and “After” for each change. The reports include values before and after the change for each changed object or attribute.
3. Real-time alerts. Customizable alerts let you know in real time about critical Active Directory changes.
4. A wide library of standard reports and the ability to create advanced reports (implemented using the MS SQL add-on - Reporting Services).
5. Active Directory Status Reports.The program allows you to generate reports on the current and past state of the Active Directory structure.
6. Newsletters based on report templates. Any report can be configured for mailing with the following parameters: recipients, report format (Word, Excel, Pdf) and sending schedule (daily, weekly, monthly).
7. Wizard to restore AD objects. The Active Directory Object Restore Wizard allows you to monitor unwanted Active Directory changes. And recover deleted objects with all attributes and properties.
8. Long-term storage of audit data.After collection, the data is archived, stored in the local storage of the program and poured into the SQL server database. Moreover, the size of the stored data is an order of magnitude smaller than the size of the event logs.
How to configure the program?
Creating an Observed Object:
In the main window of the Enterprise Management Console, find the node of the “ Managed Objects ” tree and use the context menu to create a new object ( Create New Managed Object ).
1. Specify the type of object.
The “ New Managed Object Wizard ” wizard starts . Select “ Domain ” to create and configure a new domain for data collection and reporting.
2. Set the user to run the program and collect data .
The next step is to select the account that Active Directory Change Reporter will use by default to collect data and generate reports.
3. Set the SMTP settings
The next step is to configure the SMTP server that will be used to send reports by e-mail. Set the SMTP server name, port, and sender address. If your SMTP server requires authentication, select Use SMTP Authentication and enter your username and password. If the server requires SSL, you can select Use Secure Sockets Layer encrypted connection (SSL) .
4. Specify the domain name.
Enter the domain name using the FQDN, for example, “MyDomain.local”.
5. Activate individual products:
In addition to AD auditing, the program can also include Group Policy Auditing and Exchange Server.
6. Configure the database
In the next step, you can specify the SQL server settings for further use of the report templates that are included in the program.
7. Compression of network traffic.
The function of compressing network traffic allows you to significantly speed up data collection through the use of agents and compression of the collected data before they are sent directly from the domain controller to the local Active Directory Change Reporter machine.
8. Reports on the status of the Active Directory structure (Snapshot Reporting)
Snapshot Reporting is a function that allows you to view the Active Directory structure at the time of the last launch of the program, as well as the state of AD for the specified period in the past.
9. Configure the report recipient list
10. Set up real-time alerts.
You can add, edit and delete notifications. By default, the following 3 types of notifications:
1. Changes to Group is by Admin Tuesday, Memberships (Changes in the composition of domain administrators and enterprise administrators group)
2. Changes to the Domain the Configuration (changes in the domain configuration)
3. Changes to the Active Directory Any For the Objects (Any changes in AD )
That's it, the program is configured!
How to work with the program?
All work with the program is carried out through the NetWrix Enterprise Management Console
1. In the AD Change Reporter node , recipients of daily reports, time of their receipt and frequency are indicated.
2. In the Real-Time alerts node, you can manage alerts in real time.
If you wish, you can create the necessary notification yourself for a certain change that is important to you.
3. In the Advanced Report node , there is a library with standard report templates.
Opening the report, you download data from the SQL server. Also, if necessary, for any report, you can sort the necessary information using the built-in filters.
4. Newsletters are managed in the Subscriptions section.
There are 2 ways to create a newsletter: either click the “ Subscribe ” button in the menu of the report you are interested in in the Advanced reports node , or the “ add ” button in the “ Subscriptions ” node .
Next, the newsletter creation wizard will open, where you will need to specify the following information:
1. Set the name of the subscription
2. Select the mailing recipients
3. Report format
4. Set the change parameters
5. Frequency of sending mailings
5. The objects are restored using the NetWrix AD Object Restore Wizard located in the AD Change Reporter node
This is a module for recovering deleted and modified objects. In the event that you need to quickly respond to changes in individual objects or quickly restore, for example, a deleted unit, this module is indispensable.
In more detail, the program is shown in the presentation.
Here the actual program itself.
If you have questions about the functioning of the program (of course, it is impossible to describe everything in one post), then you can ask them in the comments. We will try to respond to them promptly.