Windows administrators who have found that the Active Directory audit tools in Windows Server 2008 and later are inadequate for their needs have turned to third-party products instead. Although Active Directory includes native policies to track changes in directory services, admins can find several tools to ease regulatory compliance, security and monitoring.
In my previous article, I looked at ManageEngine's ADAudit Plus, Dell's ChangeAuditor for Active Directory and LepideAuditor for Active Directory. They all address similar Active Directory data capabilities, as do the two third-party products below.
Netwrix Auditor monitors your Active Directory infrastructure to detect, capture and consolidate audit data that tracks who changed what, when they changed it and where those changes were made. Netwrix Auditor also supports numerous other platforms, including Exchange Server, SQL Server and SharePoint Server.
Collecting: Netwrix Auditor centrally collects data about dynamic changes to Active Directory and Group Policy configurations, including before and after values. It can also capture snapshots of the directory. Netwrix Auditor employs AuditAssurance technology, which consolidates audit data from multiple independent sources, including event logs, configuration snapshots and change history records.
Reporting: Netwrix Auditor can generate reports that show all user and administrative activity in human-readable form. Reports can be based on dynamic changes or snapshot data, using any of the available archived information. Admins can also schedule automatic report delivery.
Alerting: Netwrix Auditor supports real-time alerts that warn of inappropriate or risky Active Directory modifications. Alerts are based on customizable notification templates and can be sent as email or text messages.
Archiving: All audit data is compressed and written to a centralized database that can retain data for seven years or longer. The data provides a full audit trail of all Active Directory and Group Policy changes during any period for which data has been collected.
PowerBroker Auditor for Active Directory
PowerBroker Auditor for Active Directory from BeyondTrust provides centralized, real-time change auditing and the ability to undo unwanted modifications. The tool is scalable, easy to deploy and automatically integrated into native management tools such as Active Directory Users and Computers.
Collecting: PowerBroker uses a single agent to collect Active Directory and Group Policy change data without depending on event logs or needing to modify Group Policy Objects or System Access Control Lists. All change data includes old and new values as well as the host name or IP address of where changes were made.
Reporting: PowerBroker includes an extensive library of built-in reports that cover security, operations management and regulatory compliance. In addition, the product provides a set of audit views that give insight into data stored in the central database. The view data can also be outputted to PowerBroker reports. PowerBroker uses SQL Server Reporting Services (SSRS) to deliver reports that display event data in plain language. Administrators can also create customized reports and audit views.
Alerting: PowerBroker supports real-time alerts on any auditable changes in Active Directory and Group Policy.
Archiving: All audited changes in Active Directory and Group Policy are stored in a central database that provides data to the audit views and SSRS reports. The database also contains the data necessary to build object-specific audit trails. In addition, the recovery feature in PowerBroker can access the database to undo changes.
Choosing an auditing and reporting tool
When considering auditing and reporting systems, you should take into account not only their features -- particularly around data collection, reporting, alerting and archiving -- but also each vendor's support services and general financial stability. The hope, of course, is that support will still be there when you need it.
You'll also want to consider the company's licensing model and how it could be affected by changes to the size of your domain and number of users. In addition, you should consider implementation of Active Directory alternatives. Do you need to install agents on domain controllers? Does the solution gather data through event logs or Active Directory application programming interfaces?
Make sure that your choice provides the auditable data and generated reports you need to easily demonstrate your organization's regulatory compliance. At the same time, you might want to consider what the product does beyond auditing. Will it help IT with troubleshooting or change management? And what about auditing additional systems, such as Exchange Server or SharePoint Server?
You might also want features such as the ability to roll back Active Directory to an earlier state. There are many factors to take into account when deciding on an auditing and reporting utility, but these third-party Active Directory audit tools and their features can help.
This was first published in November 2013