December 12, 2008

Active Directory Auditing Tools

Not all AD auditing tools audit all of AD

Active Directory (AD) is a crucial component of just about any Windows-based IT infrastructure, and keeping tabs on who modified AD records, when they were changed, and why they were changed can be a full-time job. Throw in some additional requirements—such as the need to be in compliance with federal and state governance guidelines, from the Sarbanes-Oxley (SOX) Act to the Health Insurance Portability and Accountability Act (HIPAA)—and you have the makings of a headache-inducing task for many IT pros. But help is on the way.

Windows Server 2008 AD Improvements

Microsoft listened to IT pro complaints about AD auditing and implemented several new features in Windows Server 2008 to ease the pain. “Windows 2008 brings various benefits to the table with respect to event management, including a completely changed event-log storage model,” says Guido Grillenmeier, a Microsoft Directory Services MVP and a master technologist with HP’s Advanced Technology Group. “It also includes improved native AD auditing, as it allows more granular and more complete auditing of AD changes. For example, it can record the old value and new value of an attribute that was changed.”

Server 2008 breaks auditing into four categories: Access, Changes, Replication, and Detailed Replication. The Changes category improves upon the way AD changes were handled in Windows Server 2003 and Windows 2000, logging deltas of attribute changes, detailing new object creation and movement, and offering a create-event feature that’s triggered when objects are moved to different domains.

Choosing an AD Auditing Solution

Regardless of whether you’re running Server 2008, Windows 2003, or Win2K, an off-the-shelf AD auditing product can help minimize the workload. Determining what level of AD auditing your organization needs is important. Grillenmeier cautions against looking for a silver-bullet solution to AD auditing requirements. “For example, proxy-management solutions … such as AD Self-Service Suite and Ensim Unify … are nice tools to delegate specific management tasks to non-admin users and audit the changes they do to AD with the tool. However, these tools only audit what’s changed by them and can’t audit native changes in AD; they can never create a complete auditing trail.”

Grillenmeier contrasts those AD proxy-management auditing tools with AD auditing tools that gather security and auditing events from event logs on domain controllers (DCs)—such as Microsoft System Center Operations Manager or HP OpenView—and AD auditing tools that combine native event logs with AD data gathered by agents, such as Quest InTrust and Quest ChangeAuditor (formerly NetPro ChangeAuditor).

“Event-log–based [auditing] may be sufficient for many customers that need to meet specific compliancy requirements,” says Grillenmeier. “It’s mainly a matter of correctly setting up auditing in the directory itself, so that the changes are correctly logged in the event logs. Note that if proxy-management tools are used, you still have to combine the native event data with the data of the proxy tools to figure out which person actually performed a change in AD, since for changes done by the proxy tool the native event logs will only see the service account as the owner of the change.” Grillenmeier says that only products that combine event-log auditing with separate agents that gather AD data are capable of auditing all AD changes.
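The following PowerShell is an added example, not code from the article or from any of the vendors it names. It shows the two steps the preceding paragraphs describe: enabling the Server 2008 audit subcategory behind the Changes category, and reading the native event log to recover the old and new value of a changed attribute. It assumes an elevated session on a domain controller whose directory SACL already audits successful writes, and PowerShell 2.0 or later for Get-WinEvent.

```powershell
# Added example (not from the article): enable the "Directory Service Changes"
# subcategory and pair the resulting 5136 events into before/after records.
# Assumes an elevated PowerShell session on a DC whose directory SACL audits
# successful writes (the "setting up auditing in the directory itself" step).

# 1. Enable success auditing for the subcategory behind the Changes category.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Read recent 5136 (directory object modified) events from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
    -MaxEvents 2000 -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData. One attribute change is logged as two
#    events, Value Deleted (old) and Value Added (new), sharing OpCorrelationID.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # OperationType %%14675 = Value Deleted, %%14674 = Value Added
    $op = if ($d['OperationType'] -eq '%%14675') { 'Deleted' } else { 'Added' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        OpId      = $d['OpCorrelationID']
        # For changes made through a proxy-management tool this is the tool's
        # service account, not the person who requested the change.
        Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ObjectDN  = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']
        Value     = $d['AttributeValue']
        Op        = $op
    }
}

# 4. Pair old and new values per operation, object and attribute.
$records | Group-Object OpId, ObjectDN, Attribute | ForEach-Object {
    $g = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        Time      = $g[0].Time
        Subject   = $g[0].Subject
        ObjectDN  = $g[0].ObjectDN
        Attribute = $g[0].Attribute
        OldValue  = ($g | Where-Object { $_.Op -eq 'Deleted' } | ForEach-Object { $_.Value }) -join ';'
        NewValue  = ($g | Where-Object { $_.Op -eq 'Added' }   | ForEach-Object { $_.Value }) -join ';'
    }
} | Sort-Object Time -Descending |
    Format-Table Time, Subject, ObjectDN, Attribute, OldValue, NewValue -AutoSize
```

The Subject column is exactly the attribution gap Grillenmeier describes: a change made through a proxy tool shows up here under the service account, so the tool's own audit trail has to be joined to these records to name the requesting user.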

Tom Crane, a product manager for InTrust at Quest Software, says that the most useful products offer the ability to capture AD change information not provided by the version of Windows Server you’re using. “Some AD change information doesn’t appear in the event log. For example, some changes are consolidated down into a single event message, and that single event may contain multiple changes. Having a tool that is able to provide that information will help reduce time spent in troubleshooting AD auditing problems.”

Don’t Forget the Data

One important yet overlooked aspect of AD auditing is the massive amount of data the auditing process can generate. “For enterprise-scale customers, this easily amounts to many gigabytes per day of auditing data,” Grillenmeier says. “Tools that [have the capability] to efficiently store the auditing data in a compressed format and [automatically clean up that data over time] are a critical factor for large companies.” You’ll do well to consider your organization’s auditing needs, the number of AD changes it makes, and how granular those changes are. And you’d be well advised to pay attention to the security, backup, and disaster recovery of AD auditing data, just as you would for other types of data.

View the AD Auditing Tools Buyer's Guide table. [pdf]




Reader Comments
THXS

excg2002 April 29, 2009


A new version 5.1 of ScriptLogic's Active Administrator includes enhanced Active Directory auditing capabilities.

This tool does not require any agents to be installed on a domain controller and can collect “before” and “after” values for any attribute changes on active directory objects.

http://www.scriptlogic.com/products/activeadmin

GeraldLocklear May 27, 2009


NetWrix Active Directory Change Reporter has had this "agentless" technology with "before" and "after" values since the very first version. And this product even has a freeware version.

Product link:
http://netwrix-dev.netwrix.com/active_directory_change_reporting_freeware.html

P.S. Disclosure of affiliation: I work for NetWrix.

fmike7 September 18, 2009


Sorry, the correct link is: http://www.netwrix.com/active_directory_change_reporting_freeware.html

fmike7 September 18, 2009

