Registry Keys for Monitoring Active Directory

Review the basic registry keys that you may need to configure for monitoring Active Directory with Netwrix Auditor. Navigate to Start Run and type "regedit".

Registry key (REG_DWORD type) Description / Value
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change Reporter


Defines the retention period for the security log backups:

  • 0—Backups are never deleted from Domain controllers
  • [X]— Backups are deleted after [X] hours


Defines whether audit check errors should be displayed in the Activity Summary footer:

  • 0—Display errors
  • 1—Do not display errors


Defines whether to display audit check errors for the root domain (when data is collected from a child domain) in the Activity Summary footer:

  • 0—Display errors
  • 1—Do not display errors


Defines what will be shown in the Workstation field:

  • 2—MAC address
  • 4—FQDN or IP address (set by default)
  • 6—Both



Defines whether the Activity Summary must display the attributes whose values were modified and then restored between data collections:

  • 0—These attributes are not displayed
  • 1—These attributes are displayed as "modified and reverted back"



Defines whether to contract the email subjects:

  • 0—No
  • 1—Yes



Defines whether to process security log backups:

  • 0—No
  • 1—Yes

NOTE: Even if this key is set to "0", the security log backups will not be deleted regardless of the value of the CleanAutoBackupLogs key.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\AD Change Reporter\<monitoring plan name>


Defines the number of Domain Controllers to simultaneously start log collection on.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Netwrix Auditor\Management Console\Database settings


Defines the timeout for executing SQL queries such as data selection, insertion or deletion (in seconds).


Defines the Audit Database connection timeout (in seconds).