When Microsoft released Windows Server 2008, it beefed up Active Directory auditing by adding the Directory Service Changes audit subcategory, which records the old and new values of modified attributes rather than merely noting that an object was accessed. Yet many IT admins still consider the native auditing capabilities in Windows inadequate, particularly when it comes to regulatory compliance. As a result, IT professionals often turn to third-party Active Directory auditing tools to address their auditing and reporting needs.
Of the reasons IT pros cite for why the native Active Directory audit features fall short, the lack of a centralized system is at the top of their lists. A change is recorded only in the Security event log of the domain controller that processed it, so administrators must pull auditing data from each domain controller to see activity across the organization. The data within the logs is not always useful, complete or clear: a single operation is spread across several terse events, and events are generated only for objects whose system access control list (SACL) audits the write.
When auditing Active Directory, analysts want detailed reports that are simple to generate and easy to understand, and that provide granular details not readily available through the Windows features. Native auditing also lacks effective alerting capabilities and efficient, secure long-term data archiving.
Because of these limitations, many third-party Active Directory auditing products have popped up in recent years. Yet selecting a product is no easy task. A comprehensive product must collect the necessary data into a central location, generate reports that provide both real-time and historic information, support effective alerting and facilitate long-term archiving.
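To make the native baseline concrete before looking at the products, here is an added PowerShell example (not code from the article or from any of the vendors discussed) that does by hand what the tools above are being bought to automate: it enumerates the domain controllers, pulls the Directory Service Changes events from each one's Security log, flattens the event XML into one row per attribute write, and writes everything to a single CSV. It assumes the RSAT ActiveDirectory module, rights to read the Security log on every DC, and that the Directory Service Changes subcategory is enabled on the DCs; the function name Get-DSChangeEvents, the 24-hour window and the output path are this example's own choices.

```powershell
# Added example: centralize native Directory Service Changes events from every DC.
# Assumes the RSAT ActiveDirectory module and read access to each DC's Security log.
# Security-log event IDs in the Directory Service Changes subcategory:
#   5136 object modified   5137 object created   5139 object moved   5141 object deleted
# Enable the subcategory through the Default Domain Controllers Policy, or ad hoc on a DC:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
Import-Module ActiveDirectory

$Since  = (Get-Date).AddHours(-24)          # collection window (example choice)
$Ids    = 5136, 5137, 5139, 5141
$OpType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }   # OperationType codes in 5136

function Get-DSChangeEvents {
    param([datetime]$StartTime, [string[]]$DomainController)

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $Ids; StartTime = $StartTime
            }
        } catch {
            # An unreachable DC, or one with no matching events, throws here; note it and carry on,
            # because a DC you could not read is itself a gap in the audit trail.
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            $x = [xml]$e.ToXml()
            # EventData is a list of <Data Name="...">value</Data>; index it by name.
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc
                EventId     = $e.Id
                # One LDAP operation that touches several attributes yields several 5136 events
                # sharing this GUID; group on it to reassemble the change.
                Correlation = $d['OpCorrelationID']
                Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                # 5139 (move) carries OldObjectDN/NewObjectDN instead of ObjectDN.
                ObjectDN    = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['NewObjectDN'] }
                Class       = $d['ObjectClass']
                Attribute   = $d['AttributeLDAPDisplayName']
                Operation   = if ($d['OperationType']) { $OpType[$d['OperationType']] } else { $null }
                Value       = $d['AttributeValue']
            }
        }
    }
}

$DCs     = (Get-ADDomainController -Filter *).HostName
$changes = Get-DSChangeEvents -StartTime $Since -DomainController $DCs | Sort-Object Time

# The "central location" the article asks for, in its simplest form: one CSV for the whole forest window.
$changes | Export-Csv -Path .\ad-changes.csv -NoTypeInformation

# Quick triage: membership changes to a privileged group, the first thing a compliance review asks for.
$changes |
    Where-Object { $_.Attribute -eq 'member' -and $_.ObjectDN -like 'CN=Domain Admins,*' } |
    Format-Table Time, DC, Actor, Operation, Value -AutoSize
```

Two caveats a practitioner should check before trusting the output. First, enabling the subcategory is not enough on its own: a 5136 is generated only when the object's SACL audits successful writes, which you can confirm for a given object with `(Get-Acl -Path "AD:\$dn" -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])`. Second, the script reads each DC's live Security log, so anything that rolled off before the run is gone; the archiving and alerting that the products below provide are exactly the parts this script does not.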
Let's look at some popular products that can make Active Directory auditing and reporting easier and more efficient. Three are presented here, and we'll examine two more in an upcoming tip.
ADAudit Plus
ManageEngine's ADAudit Plus is a Web-based system that tracks login activity as well as changes to users, computers, groups and domain policies. Administrators can access the ADAudit Plus dashboard via a browser from anywhere in the domain.
Collecting: ADAudit Plus provides a centralized location for collecting and viewing Active Directory data retrieved from the event logs. Administrators can track user management and login actions (including failures) as well as changes to Group Policy Objects (GPOs) and Active Directory attributes. ADAudit Plus can also audit changes to Windows file-server permissions.
Reporting: ADAudit Plus includes over 150 preconfigured audit reports that contain event-specific data. You can use configurable rules to define the report's granularity. Each rule is associated with an auditable action on one or more Active Directory objects. The reports can provide a history of changes to any user, computer or group, and can be exported to PDF, XML, CSV or HTML.
Alerting: Administrators can create alerts on any auditable event. The alerts are based on configurable profiles and come in the form of emails that can be targeted at admins or other selected users.
Archiving: ADAudit Plus automatically archives all collected data. Administrators can designate any storage server on the network for the archived information. Stored data is grouped into multiple compressed files and tagged by event dates.
ChangeAuditor for Active Directory
Dell's ChangeAuditor for Active Directory tracks all key Active Directory configuration changes in real time throughout the enterprise. ChangeAuditor is managed from a single client and does not rely on native auditing or the overhead that comes with it.
Collecting: ChangeAuditor provides customizable auditing that uses a high-performance engine to collect data into a centralized location. The product relies on server-side agents to track critical Active Directory and file system changes, including changes to the schema, GPOs, nested groups and Domain Name System.
Reporting: ChangeAuditor utilizes SQL Server Reporting Services (SSRS) to provide built-in reports that translate the raw event data into meaningful information that meets regulatory mandates. ChangeAuditor reporting also lets analysts build their own reports. Data can be searched and reports filtered based on specific events and their relation to other events.
Alerting: ChangeAuditor provides real-time alerts for vital policy changes and security breaches. Alerts can be sent via email or to mobile devices via SMS messaging.
Archiving: ChangeAuditor uses SQL Server databases for archiving event data, so you can take advantage of SQL Server features such as backup and recovery. You can also access the data directly through SQL Server without going through the ChangeAuditor service.
LepideAuditor for Active Directory
LepideAuditor for Active Directory from Lepide Software provides a centralized platform for tracking real-time information about Active Directory changes occurring across multiple domains. It can also deliver complete audit trails related to any change sequence.
Collecting: LepideAuditor offers both agent-based and agentless data collection. The agents run on the domain controllers and can collect data as soon as changes occur. Either approach can track all changes that occur within Active Directory, collecting information about users, computers, groups, policies and organizational units. LepideAuditor also creates regular snapshots of Active Directory, which can be used to restore the directory to a specific state.
Reporting: Administrators can generate need-based ad hoc reports on the complete domain or a specific domain controller. Report data can be filtered and sorted and then exported to PDF, CSV and MHT formats. Reports can also be scheduled for automatic delivery. LepideAuditor also includes a dedicated report that tracks user logon and logoff activity.
Alerting: To protect against undesirable changes, LepideAuditor can be configured to send real-time email alerts to IT when a critical event occurs.
Archiving: Log data collected by LepideAuditor is stored in a central database that can support years' worth of storage. LepideAuditor also lets you add previously created database files to the existing system.
Next time, we'll look at more Active Directory auditing tools that could help you better demonstrate your organization's regulatory compliance.
This was first published in November 2013