Active Directory Auditing with Netwrix Auditor

Active Directory auditing and alerting on changes with state-in-time reports

Available Reports

The following predefined reports are available in the Enterprise edition of the product.

Name | Description
All Active Directory Changes | Shows all changes made to AD objects, permissions, and configuration, filtered by date range and by the name of the user who made the changes.
Account Expiration Modifications | Shows modifications to account expiration settings. For example, somebody turning off account expiration for a set of accounts might indicate a security issue (e.g. account expiration should never be turned off for temporary contractor accounts).
Accounts Enabled or Disabled | Accounts are usually disabled for terminated employees and can be re-enabled when employees join the company again. All such operations should be carefully monitored to make sure no unauthorized accounts remain active.
Administrative Group Membership Changes | Administrative groups like Domain Admins and Enterprise Admins should be very well-defined and rarely changed. Changes to group memberships must be closely monitored.
Administrative Password Resets by User | Administrative password resets are usually done by IT help desk personnel who have access rights to reset passwords without knowing the current passwords. Password resets may result in unauthorized access and therefore must be reviewed on a regular basis.
All Active Directory Changes by Date | Shows all changes to AD objects, permissions, and configuration grouped by date. You can filter by date range and by the name of the user who made the changes.
All Active Directory Changes by Date (Chart) | Graphical representation of all changes to AD objects, permissions, and configuration, grouped by date. The information can be filtered by date range and domain name.
All Active Directory Changes by Object Type | Shows all changes to AD objects, permissions, and configuration grouped by object type (e.g. User or Group). You can filter by date range and by the name of the user who made the changes.
All Active Directory Changes by User | Shows all changes to AD objects, permissions, and configuration grouped by the users who made the changes. You can filter by date range and by the name of the user who made the changes.
All Active Directory Changes by User (Chart) | Graphical representation of all changes to AD objects, permissions, and configuration, grouped by the users who made them. The information can be filtered by date range and domain name.
All Active Directory Configuration Changes | Shows all changes made to objects inside the AD configuration container, such as domains, domain controllers, sites, etc. Changes in the configuration container can adversely affect AD functionality and must be regularly reviewed to detect mistakes and unauthorized changes.
All Active Directory Groups | Shows all groups, such as domain local groups, global groups, and universal groups, filtered by domain name, group type and group name.
All Active Directory Schema Changes | Shows all changes made to the AD schema (classes and attributes). Schema change auditing is disabled by default and must be explicitly enabled.
All Active Directory Site Changes | Shows all changes made to AD sites. AD sites rarely change, and this report should be reviewed to detect accidental and unauthorized changes.
All Changes by Group Members | This report displays all changes made by members of the selected groups. Note: for the report to work properly, add a text line with the name of the group to be monitored to the "GroupsID.txt" file located in the program installation folder. The report contains information on changes that occurred after the group was added to the file.
All Computer Accounts Enabled and Disabled | Shows all computers (including such properties as path, name and status), filtered by domain name, status and computer name.
All Contact Changes | Shows all changes made to Contact objects, their permissions and configuration, filtered by the specified time period and by the name of the user who made the changes.
All Groups without Members | Shows all groups without members, filtered by domain name and group name.
All User Accounts Enabled and Disabled | Shows all users (including such properties as path, name and status), filtered by domain name, status and user name.
All User Accounts whose Passwords Never Expires | Shows all user accounts (with paths and status) that have the account option ‘Password Never Expires’ set. The contents may be filtered by path, domain name or status.
All User Changes with Advanced Attributes | Shows all changes made to AD user objects, their permissions, and configuration, filtered by date range and by the name of the user who made the changes.
Changes in Domain Trust Relationships | Shows all changes to domain trusts. Unauthorized changes to domain trust relationships can break the overall system operation and compromise security.
Changes in Domain-Wide operations master roles | Shows FSMO role transfers inside domains (e.g. PDC and RID Master). FSMO roles should rarely change, and such actions must be audited and reviewed for accuracy.
Changes in Forest-Wide operations master roles | Shows forest-wide FSMO role transfers (e.g. Schema Master). Forest-wide FSMO roles should rarely change, and such actions must be audited and reviewed for accuracy.
Computer Account Modifications | Shows all changes to computer accounts (e.g. renames, delegation settings, etc.). Computer accounts are normally controlled by domain members (servers and workstations).
Computer Accounts Created | Shows computer accounts created when workstations and servers are joined to domains.
Computer Accounts Removed | Shows deleted computer accounts. Deletion of computer accounts is a typical cleanup operation, but it should be reviewed from time to time to ensure that no computer accounts have been mistakenly deleted.
Dial-in Access Modifications | Shows changes to dial-in and VPN access rights. Normally only remote employees should be granted dial-in and VPN access, and all changes to dial-in access must be reviewed by management.
Distribution Group Modifications | Shows modifications to distribution group properties, including group membership. Changes to distribution groups must be reviewed on a regular basis because distribution groups control the recipients of information, and unauthorized changes can result in disclosure and leakage of confidential information inside and outside an organization.
Distribution Groups Created | Shows newly created distribution groups. The structure of distribution groups should reflect your organization’s information flow.
Distribution Groups Removed | Shows deleted distribution groups. Use this report for early detection of accidentally deleted groups and use the Restore Wizard to quickly recover them.
Domain Controller Modifications | Shows changes to DC configurations. Accidental and unauthorized changes can break AD operation and must be carefully monitored.
Domain Controllers Demoted | DC demotion is a privileged operation and must be done wisely to avoid disruptions in operations.
Domain Controllers Promoted | Shows the addition of new domain controllers to domains. All DC promotions must be planned and reviewed for accuracy and security.
Group Members | This report shows all users, groups, etc. located in the selected groups.
Logon Hours Modifications | The logon hours setting controls allowed logon times and usually prevents access during non-business hours. Changes to this setting may indicate potential security issues.
Logon Workstations Modifications | Shows modifications to allowed logon workstations at the user account level. Workstation access restrictions are usually mandated by compliance and security requirements, and changes to these restrictions must be audited.
New Servers Added with Details | Shows computer accounts created when servers were joined to the domain.
Object Security Changes | Shows changes to object permissions and audit settings. Changes to object permissions usually reflect delegation of rights to organizational units and other objects.
Organizational Unit Setting Modifications | Shows changes made to organizational units (e.g. name, description, delegation), excluding changes made to child objects.
Organizational Units Accounts | This report shows users, computers and inetorgpersons from the selected OUs and the ‘Users’ and ‘Built-In’ containers, including their usernames and account statuses (enabled/disabled).
Organizational Units Created | Shows newly created organizational units. Creation of organizational units must be well-planned according to the organization structure and business practices.
Organizational Units Removed | Shows deleted AD organizational units. Use this report for early detection of accidentally deleted OUs and use the Restore Wizard to quickly recover OUs and their child objects.
Password Changes by User | Shows all successful password changes made by users (who confirm their current passwords), as opposed to password resets done by administrators without knowing the users' current passwords. Password change auditing is disabled by default unless you explicitly enable it in program settings.
Security Group Membership Changes | Shows addition and removal of members from security groups, including local, global, and universal groups. Security groups control who has access to what and therefore must be closely monitored for changes, as required by major compliance regulations.
Security Group Modifications | Shows all types of changes made to security groups, including name, description, membership, and permissions.
Security Groups Created | Shows newly created security groups, including local, global, and universal groups. Creation of security groups should reflect major changes to the security access roles structure and therefore should be carefully reviewed for accuracy.
Security Groups Removed | Shows deleted security groups, including local, global, and universal groups. Use this report for early detection of accidentally deleted groups and use the Restore Wizard to quickly recover them.
Sensitive Group Members | This report displays users, groups, etc. located only in the Domain Admins group and the Enterprise Admins group.
Service Packs Applied to Computers | Shows changes to service pack installations on DCs, member servers and workstations. This report can be used to analyze the effects of system failures related to service pack updates.
Service Principal Names | Shows all computer accounts (including such properties as path, service principal name and operating system), filtered by domain name, path and property name.
User Account Lockouts | This report shows all account lockout events. Account lockouts can have many possible reasons, and surges in the number of account lockouts must be carefully analyzed to detect and prevent security incidents.
User Account Modifications | Shows changes made to all user account attributes (e.g. name, contact info, dial-in permissions, manager, etc.).
User Accounts Created | Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and applications.
User Accounts Created With Details | Shows all newly created user accounts. Creation of new accounts shall reflect hiring of new employees and addition of new services and applications. Note: for the report to work properly, add a "user:Property name:" text line (where Property name is an AD object property, e.g. user:displayName:) to the "processaddedprops.txt" file located in the product installation folder. Information on the properties listed in this file is collected for every new user.
User Accounts Deleted | Shows all deleted user accounts. According to best practices, accounts should first be disabled and then deleted after some time frame. This report should be reviewed regularly to detect accidentally deleted accounts and restore them using the AD Object Restore Wizard.
User Accounts Deleted With Details | Shows all deleted user accounts. Accounts should be disabled, then deleted after a set time. This report should be reviewed to detect accidentally deleted accounts and restore them using the AD Object Restore Wizard.
User Accounts Renamed | Shows all account name operations. Accounts are rarely renamed (usually only if a user changes his or her name), and this report should be reviewed from time to time to verify accuracy.
User Accounts Unlocked | Shows manually unlocked user accounts. Account unlocking should be performed only by designated help desk personnel or automated software tools, and this report can be used to detect violations of this recommended policy.
Users Disabled | Shows all disabled user accounts. User accounts are normally disabled when employees leave the organization, and this report can be used to ensure that all recently terminated employees have their accounts properly deactivated and no longer have access to the network.
Users Enabled | Shows all enabled user accounts. User accounts are rarely enabled, and enabling usually means that some previously terminated employee has joined the organization once again (e.g. as a part of their new contract engagement). All recently enabled accounts must be carefully reviewed for security purposes.