Many organizations encourage or force Windows systems administrators to track and review high-security actions related to Active Directory (AD). Learn how Netwrix Auditor for Active Directory can give you visibility and governance of both on-premises and cloud-based Active Directory domains.

Most Windows systems administrators know that Active Directory includes Group Policy-based auditing. However, we also know that the built-in auditing isn’t very flexible. For instance, how would you respond if you needed to?

  • provide “who, what, when, how” information regarding privileged Active Directory changes;
  • generate meaningful reports to give to your compliance officers;
  • help your development staff write code that retrieves detailed AD audit data; or
  • audit user account changes in an Office 365 Azure AD instance?

The value proposition behind Netwrix Auditor for Active Directory is that administrators get a “single pane of glass” view of Active Directory configuration changes and access events. There are several pre-built reports, as well as an application programming interface (API). Moreover, if you purchase Netwrix Auditor for Azure AD, you can audit Office 365-based Azure AD instances as well.

Installation and first run ^

Netwrix offers a 20-day trial evaluation of Netwrix Auditor for Active Directory on its website. Although you can download, install, and configure SQL Server 2014 Express Edition with Advanced Services, I suggest you have a SQL Server instance already online; note that you’ll need SQL Server Reporting Services (SSRS) in addition to the database engine.

You’ll also need to ensure that the Windows Server member server on which you install the product has the .NET Framework 3.5 bits previously installed; the Netwrix installer won’t do that work for you.

As you can see from the following screenshot that shows the Netwrix Auditor splash screen, the Active Directory application is only one of many (separately licensed) apps.

Netwrix Auditor is a suite of product specific applications

Netwrix Auditor is a suite of product specific applications

In my lab environment, I chose the Full installation option because I wanted to test both the Active Directory and Azure AD applications.

As I said earlier, you’ll need to point the Netwrix installer at your SQL Server/SSRS instance and supply the appropriate configuration details.

After the installation is completed, you’ll have two new administrative utilities:

  • Administrator console: This Windows desktop application configures the auditing environment.
  • Netwrix Auditor client: This is your query/reporting tool.

The following screenshot shows the Netwrix Auditor administration console.

The Netwrix Auditor administrator console

The Netwrix Auditor administrator console

The three main nodes in the console interface are:

  • Managed Objects: Audit definitions for each supported application
  • AuditArchive: Database connections, long-term audit data storage options
  • Settings: Credentials, SMTP e-mail server addresses, licenses

Defining a managed object ^

As I said a moment ago, in Netwrix Auditor a managed object defines a target application (AD in this case, of course), database details, auditing scope, and real-time alert settings. Here’s a composite screenshot showing a couple of the wizard screens:

Defining an AD managed object

Defining an AD managed object

The following screenshot shows my completed Active Directory managed object configuration.

Viewing our AD managed object

Viewing our AD managed object

Make sure you run a data collection job immediately so you can gather an AD data snapshot. One of the many cool things you can do with Netwrix Auditor is compare past and present states of Active Directory, Group Policy, logons, or directory partition metadata.

Viewing audit data ^

Pop open the Netwrix Auditor console to access your collected audit data. The home page provides one-click access to the most common tasks; I show you that in the following figure.

The Netwrix Auditor client

The Netwrix Auditor client

On my test system, I clicked on one of the saved searches, AD or Group Policy modifications by Administrator since yesterday, on the home page and viewed the following results:

A Netwrix Auditor search results with superimposed details

A Netwrix Auditor search results with superimposed details

What’s very helpful, at least in my humble opinion, is Netwrix’s adoption of the “who, what, when, where” auditing security principle into this software. This is the information that security and compliance officers need to know, and this tool provides those answers.

Another option is to use the Interactive Search feature to run your own custom queries. Again, as you can see in the next figure, you build queries using that “who, what, when, where” syntax that is user-friendly and intuitive.

Netwrix Auditor’s Interactive Search

Netwrix Auditor’s Interactive Search

  1. Use the buttons to specify the search parameters.
  2. Rearrange, change values, or remove parameters
  3. Run the search! Super easy.

Generating reports ^

Remember that Netwrix Auditor is a solution that “rides on top of” built-in Windows Server security auditing and SQL Server Reporting Services. The good news here is that we don’t have to learn the funky SSRS syntax to construct reports; instead, Netwrix Auditor for Active Directory has dozens of pre-built reports as shown below.

Netwrix Auditor includes lots of pre built auditing reports

Netwrix Auditor includes lots of pre built auditing reports

One point about these built-in reports that you shouldn’t overlook is that many of them are built specifically to follow well-known industry compliance standards. Therefore, Netwrix Auditor can make passing your compliance audits potentially much faster and more accurate.

The actual reports show up in a format that anyone who’s used SSRS should instantly recognize. You can export the reports as delimited text, HTML, or PDF.

The actual reports are typical SSRS reports

The actual reports are typical SSRS reports

Azure AD auditing ^

A separately licensed Azure AD application allows you to run auditing on one or more Office 365 Azure Active Directory instances. If you’ve used Azure AD, then you know that this isn’t an LDAP-based, Group Policy-linked directory service—therefore, you have fewer auditing options available to you, with or without Netwrix.

The following screenshot summarizes the configuration workflow.

The Office 365 Azure AD managed object

The Office 365 Azure AD managed object

AD object and attribute restore ^

Netwrix understands that knowing about an unwanted AD change (deleting a user account, for instance) is only half the battle. That is, how the heck can you reconstitute the object?

Netwrix Auditor for AD has a built-in wizard for restoring AD changes down to the attribute level; that’s pretty darned cool!

Active Directory object restore

Active Directory object restore

As you can see, Netwrix can restore AD objects and attributes either from its own data store or directly from AD tombstone data.

Wrap-up ^

Well, there you have it! If you’re a Microsoft shop that needs to get a firm handle on your security auditing, then you may want to give Netwrix Auditor a try. Again, you can download a 20-day demo from their website. Check out their documentation as well.

Subscribe to 4sysops newsletter!

Netwrix doesn’t offer pricing and licensing details on their public web site. Instead, reach out to them via e-mail and start a conversation with one of their sales associates. Happy auditing!


Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account