Configure Active Directory Domain for Monitoring

For AD domain monitoring with Netwrix Auditor, the domain should be configured as explained below.

Domain Audit Policy Settings

Effective domain controllers policy settings must be configured as listed in the table below.

Policy                            Audit type
Audit account management          "Success"
Audit directory service access    "Success"
Audit logon events                "Success"

You can configure either Basic domain audit policies, or Advanced domain audit policies.

Audit Settings for AD Partitions

Required object-level audit settings for the Active Directory partition must be configured as described in the next sections.

Domain Partition

Object-level audit settings for the Domain partition must be configured to audit for Success of all access operations except the following: Full Control, List Contents, Read All Properties and Read Permissions.

These settings must be configured for the Everyone security principal and applied to This object and all descendant objects.

Configuration and Schema Partitions

Object-level audit settings for the Configuration and Schema partitions must be configured to audit for Success of all access operations except the following: Full Control, List Contents, Read All Properties and Read Permissions.

These settings must be configured for the Everyone security principal and applied to This object and its descendant objects.
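
The following PowerShell check is an added example, not part of the Netwrix documentation or product. It reads the SACL of the Domain, Configuration and Schema partitions and reports whether a Success audit entry for Everyone, inherited by all descendants, covers the required operations. The mapping of the permission names above to ActiveDirectoryRights flags is an assumption of this example, and it does not flag entries that audit more than required.

```powershell
# Added example: verify the object-level audit settings (SACL) on the AD partitions.
# Requires the ActiveDirectory module and the right to read SACLs
# ("Manage auditing and security log"), e.g. run elevated on a domain controller.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]
# Assumed mapping: every operation except Full Control (GenericAll),
# List Contents (ListChildren), Read All Properties (ReadProperty)
# and Read Permissions (ReadControl).
$required = [int]($R::WriteProperty -bor $R::Delete -bor $R::DeleteTree -bor
                  $R::WriteDacl -bor $R::WriteOwner -bor $R::Self -bor
                  $R::ExtendedRight -bor $R::CreateChild -bor $R::DeleteChild)

$rootDse = Get-ADRootDSE
$partitions = [ordered]@{
    Domain        = $rootDse.defaultNamingContext
    Configuration = $rootDse.configurationNamingContext
    Schema        = $rootDse.schemaNamingContext
}

foreach ($name in $partitions.Keys) {
    $acl   = Get-Acl -Path "AD:\$($partitions[$name])" -Audit
    # Translate trustees to SIDs so the check does not depend on the OS language.
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $covered = 0
    foreach ($rule in $rules) {
        $matches = $rule.IdentityReference.Value -eq 'S-1-1-0' -and   # Everyone
            $rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
            $rule.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All -and
            $rule.ObjectType -eq [guid]::Empty -and                   # not limited to one property
            $rule.InheritedObjectType -eq [guid]::Empty               # not limited to one object class
        if ($matches) { $covered = $covered -bor [int]$rule.ActiveDirectoryRights }
    }

    # Rights that are required but not covered by any matching audit entry.
    $missing = $required -band (-bnot $covered)
    [pscustomobject]@{
        Partition     = $name
        Compliant     = ($missing -eq 0)
        MissingRights = [System.DirectoryServices.ActiveDirectoryRights]$missing
    }
}
```

A partition with `Compliant = False` lists the operations that still need a Success audit entry in `MissingRights`.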

Security Event Log Settings

Security event log settings for the domain controllers should be configured as follows:

Setting               Value
Max event log size    4 GB
Retention method      Overwrite events as needed
Auto-archiving        Enabled

Exchange Settings

If you have an on-premises Exchange server in your Active Directory domain, keep in mind that some changes can be made via that Exchange server. To be able to audit and report who made those changes, you should:

  1. Configure the Exchange Administrator Audit Logging (AAL) settings, as described in Configure Exchange Administrator Audit Logging Settings.
  2. Make sure that the account used for data collection has the following:
  • Membership in the Organization Management or Records Management group

-OR-

Next Steps

  1. Configure Data Collecting Account, as described in For Active Directory Auditing.
  2. Configure required protocols and ports, as described in the Protocols and Ports Required for Monitoring Active Directory, Exchange, and Group Policy section.
  3. If you plan to restore deleted Active Directory objects and their attributes using the Netwrix Auditor Object Restore for Active Directory tool (shipped with Netwrix Auditor), it is recommended to set the Active Directory tombstone lifetime property to 730 days (default is 180 days). See Adjust Active Directory Tombstone Lifetime (optional) for details.