Comparative Review: Active Directory Auditing Tools

Tools to track down security threats and prove regulatory compliance


The reality is simple: If you suspect that your network has been compromised, the built-in tools provided by Microsoft aren’t going to be much help. Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool. I’ll show you six products that will bring a smile to your face and put your mind at ease.

My environment for testing each product consisted of a Windows Server 2008 AD domain hosted on a VMware ESXi host. When needed, I added a separate server running Microsoft SQL Server 2008 or SQL Server 2008 Express to the domain. The products were installed on a domain controller (DC), on the SQL Server machine, or as a VMware virtual appliance. To create the organizational unit (OU) structure and add users to each domain, I ran a simple script that used the Dsadd command-line tool. Detailed side-by-side comparisons of each product can be viewed in the online product comparison table.
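The lab-population step described above, as an added example that is not the article's own script: a PowerShell wrapper around dsadd.exe that builds a small OU tree and fills it with test users. The domain name (DC=contoso,DC=com), the OU names, the user names and the password are all assumptions; dsadd.exe must be present (it ships on DCs and with RSAT) and the account running it must be allowed to create objects in the domain.

```powershell
# Added example, not the reviewed products' or the article's code.
# Creates OU=Lab with three department OUs and one test user in each using dsadd.
# Assumptions: lab domain DC=contoso,DC=com, OU and user names below, run on a DC
# or RSAT workstation as a user permitted to create objects. Passwords are lab-only.

$domainDn = 'DC=contoso,DC=com'        # assumption: replace with your lab domain
$rootOu   = "OU=Lab,$domainDn"
$ous      = @('Sales', 'Engineering', 'Finance')

# OU structure: one top-level OU with a sub-OU per department
dsadd ou "$rootOu" -desc "Review test objects"
if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $rootOu" }

foreach ($ou in $ous) {
    dsadd ou "OU=$ou,$rootOu" -desc "$ou department"
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for OU=$ou" }
}

# Constructed test users; a real lab script would read these from a CSV file
$users = @(
    @{ First = 'Alice'; Last = 'Adams'; Ou = 'Sales' },
    @{ First = 'Bob';   Last = 'Baker'; Ou = 'Engineering' },
    @{ First = 'Carol'; Last = 'Clark'; Ou = 'Finance' }
)

foreach ($u in $users) {
    # sAMAccountName = first initial + last name, lower-cased (e.g. aadams)
    $sam = ($u.First.Substring(0, 1) + $u.Last).ToLower()
    $dn  = "CN=$($u.First) $($u.Last),OU=$($u.Ou),$rootOu"

    # -mustchpwd yes forces a password change at first logon, so the lab
    # password never stays in use; -disabled no makes the account usable at once
    dsadd user "$dn" -samid $sam -upn "$sam@contoso.com" `
        -fn $u.First -ln $u.Last -display "$($u.First) $($u.Last)" `
        -pwd 'LabOnly-P@ss1' -mustchpwd yes -disabled no
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $dn" }
}
```

Every dsadd call is checked through $LASTEXITCODE because dsadd is an external executable: a failed create does not raise a PowerShell error, so without the check a half-built OU tree would go unnoticed until the auditing tool under test reports fewer objects than expected.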


Blackbird Group’s Blackbird Auditor for Active Directory

Blackbird Group has a complete management suite for AD that consists of six modules, one of which is Blackbird Auditor for Active Directory. Each module can be purchased separately or together as a suite. All the modules are managed from the same management console. Unlike the other products in this review, Blackbird Auditor is licensed per employee, not by AD user, potentially saving you licensing costs.

Blackbird Auditor should be installed on a dedicated server. It requires Microsoft .NET Framework 3.5 and a SQL Server 2005 or later back end, which can be hosted on the dedicated server. For small environments (up to 2 DCs and a maximum of 2,500 users), SQL Server 2008 Express is sufficient. For this review, I chose to use SQL Server 2008 Express.

After taking care of the prerequisites, you first install the Blackbird Management Suite Server software on the dedicated server. Licensing is handled with a .license file. The installation wizard walks you through setting up the Blackbird Service, directory connector, and back-end database. It also takes care of configuring the Windows Server firewall exceptions.

Next, you install the console using the Blackbird Management Suite Console software. It can be installed on the dedicated server or on a Windows XP or later workstation.

After the base application and console have been installed, one or more modules need to be installed. For this review, I installed only Blackbird Auditor.

Finally, you need to install an agent (what the company calls a handler) on each DC in your domain. This is done from the Management Suite Console by right-clicking the AD node and choosing Deploy data handler. The agent can be installed one DC at a time or on multiple DCs in a single operation.

Blackbird Auditor’s main console is wrapped in a Microsoft Management Console (MMC). From the console, you can easily view any of the built-in reports that will show you the activity in your domain, including changes made to computers, Group Policy Objects (GPOs), groups, OUs, and users. If your company is audited regularly, you’ll appreciate the prebuilt Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), and Sarbanes-Oxley (SOX) Act compliance reports.

If the built-in reports don’t show what you’re looking for, you can create your own. First, you create a new “Audit View” by answering a few who, what, where, and when questions. Then, you schedule the audit. You can have the report emailed to you in .pdf or .xml format.

Reports are great for after-the-fact information, but there are certain events you need to know about right away. Blackbird Auditor can notify you when changes (create, modify, delete, move, and rename operations) are made to certain accounts or object types or when they occur on specific workstations or DCs.
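The create, modify, delete and move operations listed above are what a DC writes to its Security log as Directory Service Changes events; the following added example (not Blackbird's or any vendor's code) shows the native baseline that these products improve on, pulling those events from a DC with Get-WinEvent and turning them into a who, what, when table. It assumes it is run on a DC, or against one via -ComputerName, as an account allowed to read the Security log, and that the "Directory Service Changes" audit subcategory is enabled with a SACL on the audited OUs; without that, none of these event IDs are ever written.

```powershell
# Added example, not code from the article or the reviewed products.
# Summarises AD object changes from a DC's Security log for the last N hours.
# Assumptions: Directory Service Changes auditing enabled and a SACL set on the
# audited containers; caller may read the Security log on the target DC.

param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Event IDs written by the Directory Service Changes audit subcategory
$changeIds = @{
    5136 = 'Modified'
    5137 = 'Created'
    5139 = 'Moved'
    5141 = 'Deleted'
}

# Reads one named <Data> element from the event's EventData block;
# returns $null when the event type does not carry that field
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]($changeIds.Keys)
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()

        # 5139 (move) reports OldObjectDN/NewObjectDN instead of ObjectDN
        $dn = Get-EventField $x 'ObjectDN'
        if (-not $dn) { $dn = Get-EventField $x 'NewObjectDN' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Operation = $changeIds[$_.Id]
            Object    = $dn
            Class     = Get-EventField $x 'ObjectClass'
            Attribute = Get-EventField $x 'AttributeLDAPDisplayName'   # 5136 only
            Value     = Get-EventField $x 'AttributeValue'             # 5136 only
            By        = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'),
                                     (Get-EventField $x 'SubjectUserName')
            DC        = $_.MachineName
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The script reads fields by name from the event XML rather than by position in $_.Properties, because the property order differs between the four event IDs. Note what it cannot do: it sees only the DC it is pointed at, so a change made against another DC shows up only on that DC's log, which is exactly the collection problem the agent-based products in this review exist to solve.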

Blackbird Auditor is tightly integrated with the MMC Active Directory Users and Computers snap-in. Installing the Blackbird RSAT Extensions adds several options to the snap-in. The Show audit trail, Show account activity, and Show group membership changes options are added to user objects. For example, right-clicking a user object and choosing Show audit trail displays the changes made to objects and who made the changes, as Figure 1 shows. The Show audit trail option is also added to group and OU objects.

Figure 1: Displaying an audit trail in Blackbird Auditor for Active Directory

Blackbird Auditor is a simple yet powerful tool. When combined with one or more of the other Blackbird modules, it puts the tools needed to manage AD at administrators’ fingertips.


Blackbird Auditor for Active Directory
PROS: Tight integration with the Active Directory Users and Computers snap-in; licensed on HR employee count, not AD user count
CONS: No built-in tool to assist in removing or archiving old data
RATING: 4 out of 5
PRICE: $6 per employee (HR count, not AD count)
RECOMMENDATION: Outstanding integration with the Active Directory Users and Computers snap-in and prebuilt FISMA, HIPAA, PCI, and SOX compliance reports make Blackbird Auditor stand out.
CONTACT: Blackbird Group • 866-224-8330 • www.blackbird-group.com



ManageEngine’s ADAudit Plus

Unlike the other products in this review, ADAudit Plus from ManageEngine (a division of Zoho) doesn’t require a SQL Server or SQL Server Express database. Instead, a MySQL database is configured for you during installation.


Discuss this Article (3 comments)

Lorenzo0o0
on Mar 7, 2012
Thanks for the insight. We evaluated all 6 of these and wound up going with Netwrix AD Change Reporter. The new version does offer real-time change alerting, so that was a big factor for us. It was also by far the most affordable.
SCG
on Sep 2, 2011
Informative article on tools that can help firms pass SOX and HIPAA requirements. Eric helps us address security and business concerns with this review. Working with Eric in the Minasi group, his IT experience comes through in everything he does, and it gives us reason to have confidence in Eric's advice and direction in the review. I do wonder why some vendors base their price on AD users and others on Domain Controllers.
cmrpm
on Sep 14, 2011
In response to this comparative review, I would like to point out a few inaccuracies and add a couple of important points. Version 6 of ADCR is more than two years old, and Version 7 was released in July 2011 with the features that were reported absent. Missing features now included are: real-time (e-mail/SMS) alerts, e-mail report subscription capabilities, and improved Windows 2008-compatible configuration wizards. Both Versions 6 and 7 offer a number of predefined compliance reports, with Version 7 receiving nearly double the number of reports (60+) available in Version 6. All these reports in both versions were capable of being automatically delivered via e-mail on a daily basis. More reports are available from NetWrix upon request. The audit data stored in SQL can be archived for 7+ years as needed, and data collection agents are optional though recommended for larger deployments. Before and after setting information is also captured, and the Object Restore feature can restore individual object attributes in addition to objects themselves, making this a more advanced offering than native AD restore options, as this information is not contained in the AD Recycle Bin or Tombstones. Our technical staff is also more than happy to assist any customers that need setup help at no cost. I found it reassuring that Eric's recommendations were added in Version 7, and that tells me that we are on the right path to delivering tools to help systems administrators meet their auditing and compliance goals.

Thank You,
Chris Rich
Product Manager, NetWrix Corporation
NetWrix is #1 for Change Auditing and Compliance: Simple, Lightweight, Affordable
