
Active Directory

Complete the following fields:

Option Description
General

Monitor this data source and collect activity data

Enable monitoring of the selected data source and configure Netwrix Auditor to collect and store audit data.

Monitor Active Directory partitions

Select which of your Active Directory environment partitions you want to audit. By default, Netwrix Auditor only tracks changes to the Domain partition and the Configuration partition of the audited domain. If you also want to audit changes to the Schema partition, or to disable auditing of changes to the Configuration partition, select one of the following:

  • Domain—Stores users, computers, groups and other objects. Updates to this partition are replicated only to domain controllers within the domain.
  • Configuration—Stores configuration objects for the entire forest. Updates to this partition are replicated to all domain controllers in the forest. Configuration objects store the information on sites, services, directory partitions, etc.
  • Schema—Stores class and attribute definitions for all existing and possible Active Directory objects. Updates to this partition are replicated to all domain controllers in the forest.

NOTE: You cannot disable auditing the Domain partition for changes.

Detect additional details

Specify additional information to include in reports and activity summaries. Select Group membership if you want to include the group membership of the account under which the change was made.

Specify data collection method

You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.

Configure audit settings

You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary.

NOTE: This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed.

Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to Configure IT Infrastructure for Auditing and Monitoring.

Collect data for state-in-time reports

Configure Netwrix Auditor to store daily snapshots of your Active Directory domain configuration, which are required to generate state-in-time reports. See State–in–Time Reports for more information.

The product updates the latest snapshot on a regular basis to keep users up to date on the actual system state. Only the latest snapshot is available for reporting in Netwrix Auditor.

If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.

For that, in the Manage historical snapshots section, click Manage and select the snapshots that you want to import.

NOTE: To import snapshots, you must be assigned the Global administrator or the Global reviewer role.

Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click OK.

Users

Specify monitoring restrictions

Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add. Then, provide the user name in the domain\user format. For example: mydomain\user1. Consider the following:

  • Use NetBIOS domain name format.
  • You can provide the "System" value to exclude events that contain "System" instead of an account name in the "Who" column.

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope

Objects

Specify monitoring restrictions

Specify restrictions for your Active Directory objects. You can Monitor all objects or create lists of specific objects to include and/or exclude from your monitoring scope (search results, reports and Activity Summaries).

Click Add and enter an object path using one of the following formats:

  • Canonical name – example: mydomain.local/Computers/filesrv01

    OR

  • Object path as shown in the "What" column of reports and search results – example: \local\mydomain\Computers\filesrv01

NOTE: You can use a wildcard (*) to replace any number of characters in the path. Example:

  • dc11.local/OU omits all objects within the OU, but not the OU itself.
  • dc11.local/OU/* omits all objects within it and in all child OUs, but not the OU itself.
  • dc11.local/OU* omits OU itself, all objects within it and in all child OUs.
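
To review an exclusion list before applying it, the Python sketch below (an added example, not Netwrix code) models the two path formats and the three wildcard cases above and reports which objects on a watchlist would drop out of the monitoring scope. The function names, the sample paths, the case-insensitive comparison and the reading of a plain path as "direct children only" are assumptions.

```python
import re

def normalize(path):
    """Reduce either accepted format to one lowercase 'local/mydomain/...' key."""
    path = path.strip()
    if path.startswith("\\"):                      # "What"-column form
        return path.strip("\\").replace("\\", "/").lower()
    domain, _, rest = path.partition("/")          # canonical-name form
    labels = list(reversed(domain.split(".")))     # mydomain.local -> local, mydomain
    # Assumption: names are compared case-insensitively and contain no '/' or '\'.
    return "/".join(labels + ([rest] if rest else [])).lower()

def is_excluded(obj, pattern):
    """True if `pattern` would omit `obj` under the modelled rules."""
    obj, pattern = normalize(obj), normalize(pattern)
    if "*" not in pattern:
        # Assumption: a plain path omits direct children only, not the object itself.
        return obj.rpartition("/")[0] == pattern
    # '*' replaces any number of characters, path separators included.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, obj) is not None

def blind_spots(exclusions, watchlist):
    """Map each watched object to the exclusion entries that would hide it."""
    hits = {}
    for obj in watchlist:
        matched = [p for p in exclusions if is_excluded(obj, p)]
        if matched:
            hits[obj] = matched
    return hits

# Constructed sample data: exclusion entries and objects that must stay audited.
EXCLUSIONS = ["dc11.local/OU", "dc11.local/Svc/*", "\\local\\dc11\\Lab*"]
WATCHLIST = [
    "dc11.local/OU",                   # the OU itself
    "dc11.local/OU/alice",
    "dc11.local/OU/Sub/bob",
    "dc11.local/Svc/Tier0/sql-admin",
    "dc11.local/Lab",
    "dc11.local/LabAdmins",            # sibling caught by the trailing wildcard
    "dc11.local/Users/Domain Admins",
]

if __name__ == "__main__":
    for obj, patterns in blind_spots(EXCLUSIONS, WATCHLIST).items():
        print(f"{obj} hidden by {patterns}")
```

Under this model, a trailing wildcard such as dc11.local/Lab* also hides sibling objects whose names merely start with Lab, so entries of that shape are worth checking against privileged groups and service accounts.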

TIP: In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files. Review the following for more information: Exclude Objects from Monitoring Scope

Review your data source settings and click Add to go back to your plan. The newly created data source will appear in the Data source list. As a next step, click Add item to specify an object for monitoring. See Add Items for Monitoring for more information.
