You can configure your Active Directory domain for monitoring in one of the following ways:
Automatically when creating a monitoring plan
This method is recommended for evaluation purposes in test environments.
For a full list of audit settings required for Netwrix Auditor to collect comprehensive audit data and instructions on how to configure them, refer to Configure IT Infrastructure for Auditing and Monitoring.
NOTE: If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary.
To configure your domain for monitoring manually, make sure you have the following tools installed:
Also, perform the following procedures:
- Configure Basic Domain Audit Policies or Configure Advanced Audit Policies. Either local or advanced audit policies must be configured to track changes to accounts and groups, and to identify workstations where changes were made.
- Configure Object-Level Auditing
- Adjusting Security Event Log Size and Retention Settings
- Adjust Active Directory Tombstone Lifetime
- Enable Secondary Logon Service
For AD auditing, also remember to do the following:
- Configure Data Collecting Account, as described in Configure Data Collecting Account
- Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Active Directory, Exchange, and Group Policy
NOTE: If you have an on-premises Exchange server 2010, 2013 or 2016 in your Active Directory domain, consider that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should configure the Exchange Administrator Audit Logging (AAL) settings, as described Configure Exchange Administrator Audit Logging Settings.
Also, the account used for data collection must belong to the Organization Management or Records Management group