You can configure your Active Directory domain for monitoring in one of the following ways:
Automatic configuration is the recommended method of applying the Active Directory audit settings that Netwrix Auditor requires to monitor your AD domain. With the related option enabled, the program checks your current audit settings at each data collection and adjusts them if necessary.
To use this approach, do any of the following:
- When creating a new monitoring plan, select the Adjust audit settings automatically option at the first step of the wizard. See Settings for Data Collection for details.
- For an existing monitoring plan, modify the data collection settings for the Active Directory data source and select the Adjust audit settings automatically option.
See Manage Data Sources and Active Directory for details.
To configure your domain for monitoring manually, you will need Group Policy Management Console and ADSI Edit. If these tools are not installed, refer to the related sections:
Then take the following steps:
- Configure local or advanced audit policies — to track changes to accounts and groups and to identify workstations where these changes were made (see Configure Basic Domain Audit Policies or Configure Advanced Audit Policies for details).
- Configure Object-Level Auditing
- Adjust Security Event Log Size and Retention Settings
- Adjust Active Directory Tombstone Lifetime
- Enable Secondary Logon Service
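A read-only PowerShell check of the current state of the settings these steps change, added here as an example (it is not Netwrix's own tooling). It assumes an elevated session on a domain controller with the ActiveDirectory module available and an English-language OS for the auditpol column names; it reports values only, and the required values are in the sections referenced above.

```powershell
# Added example: report the current state of each manually configured setting.
# Assumptions: elevated session on a domain controller, ActiveDirectory module (RSAT).
# Nothing is modified; compare the output with the values in the referenced sections.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# 1. Effective audit policy on this DC (the result of basic or advanced policies).
$auditPolicy = auditpol /get /category:* /r |
    Where-Object { $_ } |                      # drop blank lines before CSV parsing
    ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting'

# 2. Object-level auditing: audit entries (SACL) on the domain naming context.
#    Only the domain partition is read here; other partitions are not checked.
$sacl = (Get-Acl -Path "AD:\$domainDn" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType

# 3. Security event log size and retention mode.
$securityLog = Get-WinEvent -ListLog Security |
    Select-Object LogName,
        @{ Name = 'MaxSizeMB'; Expression = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
        LogMode                                # Circular, AutoBackup or Retain

# 4. Tombstone lifetime (empty means the forest uses the built-in default).
$dirService = Get-ADObject -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configDn"
$tombstone = if ($null -ne $dirService.tombstoneLifetime) {
    "$($dirService.tombstoneLifetime) days"
} else {
    'not set (default applies)'
}

# 5. Secondary Logon service state.
$secLogon = Get-Service -Name seclogon | Select-Object Name, Status, StartType

'--- Audit policy ---';            $auditPolicy | Format-Table -AutoSize
'--- Domain SACL entries ---';     $sacl        | Format-Table -AutoSize
'--- Security log ---';            $securityLog | Format-List
"--- Tombstone lifetime: $tombstone ---"
'--- Secondary Logon service ---'; $secLogon    | Format-List
```

An empty SACL table means no audit entries are set on the domain object, so object-level auditing has not been configured there.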
If you have an on-premises Exchange server in your Active Directory domain, note that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should configure the Exchange Administrator Audit Logging (AAL) settings, as described in Configure Exchange Administrator Audit Logging Settings. In addition, the account used for data collection must meet the following requirements:
- Be a member of the Organization Management or Records Management group
Also, remember to do the following for AD auditing:
- Configure Data Collecting Account, as described in Configure Data Collecting Account
- Configure required protocols and ports, as described in Protocols and Ports Required for Monitoring Active Directory, Exchange, and Group Policy.