
Active Directory

Complete the following fields:

Option Description
General

Monitor this data source and collect activity data

Enable monitoring of the selected data source and configure Netwrix Auditor to collect and store audit data.

Monitor Active Directory partitions

Select which of your Active Directory environment partitions you want to audit. By default, Netwrix Auditor only tracks changes to the Domain partition and the Configuration partition of the audited domain. If you also want to audit changes to the Schema partition, or to disable auditing of changes to the Configuration partition, select one of the following:

  • Domain—Stores users, computers, groups and other objects. Updates to this partition are replicated only to domain controllers within the domain.
  • Configuration—Stores configuration objects for the entire forest. Updates to this partition are replicated to all domain controllers in the forest. Configuration objects store the information on sites, services, directory partitions, etc.
  • Schema—Stores class and attribute definitions for all existing and possible Active Directory objects. Updates to this partition are replicated to all domain controllers in the forest.

NOTE: You cannot disable auditing the Domain partition for changes.

Detect additional details

Specify additional information to include in reports and activity summaries. Select Group membership if you want to include the group membership of the account under which the change was made.

Specify data collection method

You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.

Configure audit settings

You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary.

NOTE: This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed.

Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to Configure IT Infrastructure for Auditing and Monitoring.

Collect data for state-in-time reports

Configure Netwrix Auditor to store daily snapshots of your Active Directory domain configuration, which are required to generate state-in-time reports. See State–in–Time Reports for more information.

The product updates the latest snapshot on a regular basis to keep users up to date on the actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor.

If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.

For that, in the Manage historical snapshots section, click Manage and select the snapshots that you want to import.

NOTE: To import snapshots, you must be assigned the Global administrator or the Global reviewer role.

Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click OK.

Users

Specify monitoring restrictions

Specify user accounts to exclude from data collection (and, therefore, search results, reports and Activity Summaries). To add a user to the exclusion list, click Add, then provide the user name in the domain\user format.

Consider the following:

  • Use NetBIOS format for domain name: mydomain
  • Some audit data (events) may contain System as the user (initiator) account name. To exclude such data, specify "System" when adding a user name here.

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope

Objects

Specify monitoring restrictions

Specify restrictions for the objects to monitor in your Active Directory. Use them to create lists of specific objects to include in and/or exclude from the monitoring scope (and, therefore, search results, reports and Activity Summaries). The following options are available:

  • Monitor all objects
  • Include these objects
  • Exclude these objects

To create a list of inclusions / exclusions, click Add and enter object path using one of the following formats:

  • Canonical name, for example: mydomain.local/Computers/filesrv01

    OR

  • Object path as shown in the "What" column of reports and search results, for example: \local\mydomain\Computers\filesrv01

NOTE: You can use a wildcard (*) to replace any number of characters in the path. See the examples below for more information.

Examples

The following examples explain how the exclusion rules work. The same logic applies to the inclusion rules.

  1. dc11.local/OU will exclude the OU itself. However, objects within this OU will not be excluded.
  2. dc11.local/OU/* will exclude objects within the OU. However, the OU itself will not be excluded.
  3. dc11.local/OU* will exclude the OU itself, all objects within it, and also all objects whose path begins with dc11.local/OU (like dc11.local/OU_HQ).

So, with the settings as in the screenshot above, the program will monitor all objects within the OU, except for the objects whose path begins with enterprise.local/OU/BO. The OU itself, however, will not be monitored, meaning that, for example, its renaming will not be reported.
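The three numbered rules and the include/exclude combination described above can be checked against a list of object paths before a rule goes into a monitoring plan. This is an added Python sketch, not Netwrix code: the object paths are constructed, the INCLUDE and EXCLUDE lists are constructed to be consistent with the paragraph above, and case-insensitive matching and "exclusion overrides inclusion" are assumptions.

```python
import re

def matches(rule, path):
    """True if the whole object path matches the rule; '*' stands for any run of characters."""
    # Everything except '*' is literal. Case-insensitive matching is an assumption.
    pattern = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.fullmatch(pattern, path, re.IGNORECASE) is not None

def hit_by(rule, paths):
    """Paths that a single rule applies to."""
    return [p for p in paths if matches(rule, p)]

def is_monitored(path, include, exclude):
    # Assumption: monitored = matches an inclusion rule and no exclusion rule.
    included = any(matches(r, path) for r in include)
    excluded = any(matches(r, path) for r in exclude)
    return included and not excluded

def blind_spots(paths, include, exclude):
    """Objects whose changes would not be reported under these rules."""
    return [p for p in paths if not is_monitored(p, include, exclude)]

# Constructed canonical names for the three numbered rules.
DC11 = [
    "dc11.local/OU",
    "dc11.local/OU/alice",
    "dc11.local/OU/Servers/filesrv01",
    "dc11.local/OU_HQ",
    "dc11.local/OU_HQ/bob",
    "dc11.local/Users/carol",
]

# Constructed rules and objects consistent with the closing paragraph.
INCLUDE = ["enterprise.local/OU/*"]
EXCLUDE = ["enterprise.local/OU/BO*"]
ENTERPRISE = [
    "enterprise.local/OU",
    "enterprise.local/OU/HR/dave",
    "enterprise.local/OU/BO",
    "enterprise.local/OU/BO_Backup/svc",
]

if __name__ == "__main__":
    for rule in ("dc11.local/OU", "dc11.local/OU/*", "dc11.local/OU*"):
        print(rule, "->", hit_by(rule, DC11))
    print("not monitored:", blind_spots(ENTERPRISE, INCLUDE, EXCLUDE))
```

Running the third rule against a real list of canonical names shows which sibling containers (such as OU_HQ here) a prefix rule removes from the audit scope along with the intended OU.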

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope
