
AD Audit Program Overview: Active Directory Change Reporter



Recently we wrote about how to set up and run an Active Directory audit on your own and what the difficulties are of using the regular Windows audit system for an organization's purposes. In this post we will tell you a little (and show, in the presentation at the end) about our program NetWrix Active Directory Change Reporter, which audits AD and helps overcome the limitations of the built-in AD tools (Event Viewer, tombstones, Recycle Bin ...). Those tools have a number of important disadvantages:
1. A large amount of "unnecessary" information in the logs. If you try to find a particular event by hand, you can spend a lot of time searching for it. The number of events recorded in the log is very large, so analyzing the event log can be quite laborious. That is why various utilities exist that process and filter the event log and present only the informative data.
2. Short data retention because the log is overwritten. The event log is not intended for long-term storage of data in large domains. For long-term storage of events you can enable auto-archiving of the event log, but you need to be careful: the archives can fill all free disk space very quickly, with serious consequences.
3. Logging on each domain controller. With the Event Viewer alone there is no way to consolidate all log entries in a single place; the entries have to be analyzed on each domain controller separately. Even in medium-sized domains the number of entries on a single domain controller can reach several tens per second, which makes searching problematic.
4. Limited recovery options, namely:
- no graphical interface;
- only deleted objects can be recovered; changes cannot be rolled back;
- no mass restoration, for example restoring an organizational unit together with all its members in one step;
- in a forest with several domains, objects from different domains cannot be restored from the same machine.
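What reviewing the built-in logs for AD changes looks like by hand, as an added example that is not from the post or from the NetWrix product: it pulls the relevant Security-log events from every domain controller (point 3), keeps only the named fields of each event (point 1) and writes them to a CSV for retention (point 2). It assumes the RSAT ActiveDirectory module, an account that can read the Security log on each DC, and that the "Directory Service Changes" audit subcategory is enabled (without it there are no 5136/5141 events); the time window, output path and noise list are illustrative assumptions.

```powershell
# Added example (not from the post or the NetWrix product): collect AD change
# events from EVERY domain controller into one table, drop noise, keep a CSV.
# Assumptions: RSAT ActiveDirectory module installed, the running account can
# read the Security log on each DC, "Directory Service Changes" auditing is on,
# and the paths and noise list below are illustrative only.
Import-Module ActiveDirectory

# 4728/4732/4756  member added to a global / domain local / universal security group
# 4729/4733/4757  member removed from such a group
# 5136            directory service object modified (one event per attribute value)
# 5141            directory service object deleted
$eventIds = 4728, 4729, 4732, 4733, 4756, 4757, 5136, 5141
$since    = (Get-Date).AddHours(-24)    # assumption: one day, like the daily report
$outFile  = "C:\ADAudit\ad-changes-$(Get-Date -Format yyyyMMdd).csv"   # assumption

# Point 3: there is no central log, so every DC has to be asked.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$changes = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $eventIds; StartTime = $since
        } | ForEach-Object {
            $evt = $_
            # The EventData fields are only positional in the Message text;
            # the XML view carries each one by name.
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $op = switch ($data['OperationType']) {   # only present on 5136
                '%%14674' { 'value added' }
                '%%14675' { 'value deleted' }
            }
            # Group events name the group in TargetUserName; DS events use ObjectDN.
            $target = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['TargetUserName'] }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                DC        = $dc
                EventId   = $evt.Id
                Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Target    = $target
                Member    = $data['MemberName']                # group membership events
                Attribute = $data['AttributeLDAPDisplayName']  # 5136
                Operation = $op
                Value     = $data['AttributeValue']            # 5136: the added/removed value
            }
        }
    } catch {
        # A DC with no matching events raises "No events were found"; that is fine.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
    }
}

# Point 1: drop what you have decided is noise in your domain. The list is an
# illustrative assumption; review it, because an attacker's change can hide
# behind a "boring" attribute.
$noisyAttributes = @('lastLogonTimestamp')
$filtered = $changes |
    Where-Object { -not ($_.EventId -eq 5136 -and $noisyAttributes -contains $_.Attribute) } |
    Sort-Object Time

$filtered | Format-Table Time, DC, EventId, Who, Target, Member, Attribute, Operation, Value -AutoSize

# Point 2: the Security log will be overwritten; the CSV is your retention.
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
$filtered | Export-Csv -Path $outFile -NoTypeInformation -Append
```

Remote reads with Get-WinEvent need the "Remote Event Log Management" firewall rule open on each DC. Note that the script only sees changes whose events still exist in the log at run time; on a busy DC a 24-hour window can already be longer than the log's retention, which is exactly point 2 above.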

To manage IT infrastructure more efficiently, specialized AD auditing solutions have been developed.

NetWrix Active Directory Change Reporter is one such solution. Let us consider its functionality:
1. AD change reports. Once a day the program collects data on all changes made in your AD and sends a ready report to the specified recipients, with information on Who made each change and When.
2. Recording the "Before" and "After" values for each change. Reports include the values before and after the change for every changed object or attribute.
3. Real-time alerts. Customizable alerts let you learn about critical Active Directory changes in real time.
4. A large library of standard reports and the ability to create advanced reports (implemented with the MS SQL Server add-on, Reporting Services).
5. Active Directory state reports. The program can generate reports on the current and past state of the Active Directory structure.
6. Subscriptions based on report templates. Any report can be configured as a subscription with the following parameters: recipients, report format (Word, Excel, PDF) and sending schedule (daily, weekly, monthly).
7. AD Object Restore Wizard. The Active Directory Object Restore Wizard lets you track unwanted changes to Active Directory and recover deleted objects with all their attributes and properties.
8. Long-term storage of audit data. After collection, the data is archived, stored in the program's local storage and uploaded to the SQL Server database. The saved data is an order of magnitude smaller than the event logs it came from.

How to set up the program?



Creating a managed object:

In the main Enterprise Management Console window, find the "Managed Objects" tree node and use the context menu to create a new object (Create New Managed Object).



1. Specify the object type.
The "New Managed Object Wizard" starts. Select "Domain" to create and configure a new domain for data collection and reporting.


2. Set the account used to run the program and collect data.
In the next step, select the account that Active Directory Change Reporter will use by default for data collection and report generation. Use a dedicated service account with no more rights than collection needs rather than a personal administrator account, since the program stores its credentials.


3. Configure SMTP settings
In the next step, configure the SMTP server that will be used to send reports by email. Specify the SMTP server name, port and sender address. If your SMTP server requires authentication, select Use SMTP Authentication and enter the username and password. If the server supports SSL, select Use Secure Sockets Layer encrypted connection (SSL); the reports list privileged changes and account names, so they should not travel in clear text.


4. Specify the domain name.
Enter the domain name as an FQDN, for example "MyDomain.local".


5. Activate individual products:
In addition to AD auditing, you can also enable Group Policy and Exchange Server auditing in the program.



6. Configure the database
In the next step you can specify the SQL Server settings needed to use the report templates included with the program.


7. Network traffic compression.
The network traffic compression feature significantly speeds up data collection: agents are deployed to the domain controllers and compress the collected data before sending it from each domain controller to the Active Directory Change Reporter machine.


8. Reports on the state of the Active Directory structure (Snapshot Reporting)
Snapshot Reporting lets you view the Active Directory structure as of the last program run, as well as the AD state at a specified point in the past.


9. Configure the list of report recipients


10. Configure real-time alerts.


You can add, edit and delete alerts. The following three alerts are enabled by default:
1. Changes to Admin Group Memberships (changes in the membership of the Domain Admins and Enterprise Admins groups)
2. Changes to Domain Configuration
3. Changes to Any Active Directory Objects (any change to AD)
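The first default alert above, Changes to Admin Group Memberships, done by hand as an added example that is not the NetWrix product's code: run from a scheduled task, each pass snapshots the membership of the privileged groups to a JSON file, compares it with the previous snapshot (the Before/After values from feature 2) and mails the difference over the SMTP settings from step 3. The group list, file path and mail addresses are assumptions; the RSAT ActiveDirectory module is required.

```powershell
# Added example (not the NetWrix product's code): snapshot-and-diff alert for
# privileged group membership. Group list, path and addresses are assumptions.
Import-Module ActiveDirectory

$groups       = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$snapshotPath = 'C:\ADAudit\admin-groups.json'          # assumption
$mail = @{
    SmtpServer = 'smtp.mydomain.local'                   # assumption: the step 3 server
    UseSsl     = $true                                    # the SSL option from step 3
    From       = 'adaudit@mydomain.local'                 # assumption
    To         = 'secops@mydomain.local'                  # assumption
    Subject    = 'ALERT: admin group membership changed'
}

function Get-PrivilegedMembership {
    # Returns an ordered table: group name -> sorted member DNs. -Recursive so
    # that nesting a group into Domain Admins shows up as that group's members.
    $state = [ordered]@{}
    foreach ($g in $groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty DistinguishedName | Sort-Object
        $state[$g] = @($members | Where-Object { $_ })   # @() rather than @($null) when empty
    }
    return $state
}

$current = Get-PrivilegedMembership

if (-not (Test-Path $snapshotPath)) {
    # First run: record the baseline only.
    New-Item -ItemType Directory -Path (Split-Path $snapshotPath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $snapshotPath
    return
}

$before = Get-Content -Path $snapshotPath -Raw | ConvertFrom-Json
$report = foreach ($g in $groups) {
    $old = @($before.$g | Where-Object { $_ })    # Before
    $new = @($current[$g])                        # After
    foreach ($m in $new) { if ($old -notcontains $m) { "ADDED    $g : $m" } }
    foreach ($m in $old) { if ($new -notcontains $m) { "REMOVED  $g : $m" } }
}

if ($report) {
    $body = "Before/After difference detected at $(Get-Date -Format s):`n`n" + ($report -join "`n")
    Send-MailMessage @mail -Body $body
    # Roll the snapshot forward only after the alert went out, so a failed
    # mail does not silently swallow a change.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $snapshotPath
}
```

The alert is only as "real time" as the task interval, and it reports the difference, not who made it; pairing it with the group membership events (4728/4756 and their removal counterparts) from the Security log gives the Who. Keep the snapshot file where only the service account can write it, otherwise tampering with the baseline hides a change.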


That's it, the program is set up!

How to work with the program?



All work with the program is done through the NetWrix Enterprise Management Console.


1. The AD Change Reporter node contains the recipients of the daily reports, the time they are sent and the frequency.


2. In the Real-Time Alerts node you can manage real-time alerts.


If you wish, you can create your own alert for a specific change that is important to you.

3. The Advanced Reports node holds the library of standard report templates.

Opening a report loads its data from the SQL server. If necessary, you can narrow any report down to the information you need with the built-in filters.

4. Subscriptions are managed in the Subscriptions section.

There are two ways to create a subscription: either click the "Subscribe" button in the menu of the report you are interested in under the Advanced Reports node, or click the "Add" button in the "Subscriptions" node.

Next, the subscription wizard opens, where you need to provide the following:
1. Subscription name
2. Recipients
3. Report format
4. Change parameters (which changes the report should include)
5. Sending frequency

5. Object recovery is performed with the NetWrix AD Object Restore Wizard, located under the AD Change Reporter node.

This is a recovery module for deleted and modified objects. When you need to react promptly to changes in individual objects or quickly restore, for example, a deleted organizational unit, this module is indispensable.
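The same recovery done by hand with the built-in Active Directory Recycle Bin, as an added example that is not the NetWrix wizard: it restores a deleted OU together with everything that was inside it, which shows the two things any restore tool has to get right, the parent must come back before its children, and the Recycle Bin must have been enabled before the deletion (otherwise only attribute-stripped tombstones remain and this does not work). The OU DN and the `ConvertTo-LdapFilterValue` helper are this example's own assumptions; the RSAT ActiveDirectory module is required.

```powershell
# Added example (not the NetWrix wizard): restore a deleted OU and its whole
# subtree from the AD Recycle Bin, parents first. Assumptions: Recycle Bin was
# enabled before the deletion, the deletion is younger than the deleted-object
# lifetime, and the OU's original DN is known.
Import-Module ActiveDirectory

$deletedOuDn    = 'OU=Sales,DC=MyDomain,DC=local'    # assumption: the OU that was deleted
$deletedObjects = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

function ConvertTo-LdapFilterValue([string] $value) {
    # RFC 4515 escaping, so a DN containing ( ) * or \ cannot break the filter.
    return $value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# 1. Find the OU itself. Deleted objects keep their last RDN in msDS-LastKnownRDN
#    and their last parent in lastKnownParent; they are invisible to normal
#    searches unless -IncludeDeletedObjects is given.
$rdn    = ($deletedOuDn -split ',', 2)[0] -replace '^OU=', ''
$parent = ($deletedOuDn -split ',', 2)[1]
$filter = "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN={0})(lastKnownParent={1}))" -f
          (ConvertTo-LdapFilterValue $rdn), (ConvertTo-LdapFilterValue $parent)
$ou = Get-ADObject -SearchBase $deletedObjects -IncludeDeletedObjects -LDAPFilter $filter -Properties whenChanged |
      Sort-Object whenChanged -Descending | Select-Object -First 1    # newest one if deleted more than once

if (-not $ou) { throw "No deleted OU matching $deletedOuDn found in the Recycle Bin" }

# 2. Restore the parent first: a child cannot be restored while the container
#    named in its lastKnownParent does not exist. Then walk down level by level,
#    because containers restored in one pass may themselves have had children.
$restored = Restore-ADObject -Identity $ou.ObjectGUID -PassThru
$queue    = New-Object 'System.Collections.Generic.Queue[string]'
$queue.Enqueue($restored.DistinguishedName)
$count = 1

while ($queue.Count -gt 0) {
    $parentDn = $queue.Dequeue()
    $childFilter = "(&(isDeleted=TRUE)(lastKnownParent={0}))" -f (ConvertTo-LdapFilterValue $parentDn)
    $children = Get-ADObject -SearchBase $deletedObjects -IncludeDeletedObjects -LDAPFilter $childFilter
    foreach ($child in $children) {
        $r = Restore-ADObject -Identity $child.ObjectGUID -PassThru
        $count++
        Write-Host ("restored {0,-20} {1}" -f $r.ObjectClass, $r.DistinguishedName)
        if ($r.ObjectClass -in 'organizationalUnit', 'container') { $queue.Enqueue($r.DistinguishedName) }
    }
}
Write-Host "Restored $count object(s) under $($restored.DistinguishedName)"
```

Because the Recycle Bin preserves link-valued attributes, objects come back with their group memberships and other properties intact, unlike tombstone reanimation. Run it with `-WhatIf` on the two Restore-ADObject calls first to see what would be restored: with several deleted objects of the same name, the whenChanged sort picks the most recent one, which may not be the one you want.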

The work of the program is shown in more detail in the presentation.


Here is the program itself
If you have questions about how the program works (of course, it is impossible to describe everything in one post), you can ask them in the comments. We will try to answer promptly.

Source: https://habr.com/ru/post/141630/

