Skip to main content

Active Directory

Netwrix Auditor relies on native logs for collecting audit data. Therefore, successful change and access auditing requires a certain configuration of native audit settings in the audited environment and on the Auditor console computer. Configuring your IT infrastructure may also include enabling certain built-in Windows services, etc. Proper audit configuration is required to ensure audit data integrity, otherwise your change reports may contain warnings, errors or incomplete audit data.

CAUTION: Folder associated with Netwrix Auditor must be excluded from antivirus scanning. See the Antivirus Exclusions for Netwrix Auditor knowledge base article for additional information.

You can configure your IT Infrastructure for monitoring in one of the following ways:

  • Automatically through a monitoring plan – This is a recommended method. If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary.

  • Manually – Native audit settings must be adjusted manually to ensure collecting comprehensive and reliable audit data. You can enable Auditor to continually enforce the relevant audit policies or configure them manually:

    • Configure the domain for auditing. See the Audit Configuration Assistant topic for information on configuring the domain.

    • On the Auditor console computer:

      • If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Auditor to clear the old backups automatically. For that, use the CleanAutoBackupLogs registry key, as described in the Active Directory Registry Key Configuration topic.

        RECOMMENDED: Adjust retention period for the backup files accordingly (default is 50 hours). See the Adjust Security Event Log Size and Retention topic.

      • To provide for event data collection, the Secondary Logon service must be up and running . Open Administrative Tools > Services, right-click the Secondary Logon service and on the General tab make sure that Startup type for this service is other than Disabled.

Monitored Objects

Netwrix Auditor tracks changes made to all object classes and attributes in the Active Directory Domain, Configuration and Schema partitions. It also tracks changes to new object classes and attributes added due to the Active Directory Schema extension. For detailed information, refer to Microsoft articles:

Review the following limitations:

  • Netwrix Auditor does not track changes to non-replicated attributes, such as badPwdCount, Last-Logon, Last-Logoff, etc. The non-replicated attributes pertain to a particular domain controller and are not replicated to other domain controllers.
  • Changes made through the Exchange Management Console in the Organization Configuration node (Federation Trust, Organization Relationships and Hybrid Configuration tabs) are displayed in an internal Active Directory format that can be difficult to interpret.
  • Netwrix Auditor tracks changes to membership in all groups inside the monitored domain (Domain local groups) and Universal and Global groups of domains in the same forest. Changes to Domain local groups of a different domain in the same forest are not reported.

State-in-time data collection is supported for Active Directory.

For AD domain monitoring with Netwrix Auditor, the domain should be configured as explained below.

Domain Audit Policy Settings

Effective domain controllers policy settings must be configured as listed in the table below.

PolicyAudit type
Audit account management"Success"
Audit directory service access"Success"
Audit logon events"Success"

You can configure either Basic domain audit policies, or Advanced domain audit policies.

Audit Settings for AD Partitions

Required object-level audit settings for the Active Directory partition must be configured as described in the next sections.

Domain Partition

Object-level audit settings for the Domain partition must be configured to audit for Success of all access operations except the following: Full Control, List Contents, Read All Properties and Read Permissions.

These settings must be configured for Everyone security principal and applied to This object and all descendant objects.

Configuration and Schema Partitions

Object-level audit settings for the Configuration and Schema partitions must be configured to audit for Success of all access operations except the following: Full Control, List Contents, Read All Properties and Read Permissions

These settings must be configured for Everyone security principal and applied to This object and its descendant objects.

Security Event Log Settings

Security event log settings for the domain controllers should be configured as follows:

SettingValue
Max event log size4 GB
Retention methodOverwrite events as needed
Auto-archivingEnabled

Exchange Settings

If you have an on-premises Exchange server in your Active Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should:

  • Configure the Exchange Administrator Audit Logging (AAL) settings, as described the Exchange Administrator Audit Logging Settings topic.

  • Make sure that the account used for data collection has the following:

    • Membership in the Organization Management or Records Management group

-OR-

  • The Audit Logs management role.

Next Steps