Ad Audit Plus Use Cases
ManageEngine ADAudit Plus
Workbook
Active Directory Auditing with ADAudit Plus
Table of Contents
Active Directory Auditing with ADAudit Plus
Logon Auditing with ADAudit Plus
  Need to capture who logged in recently on which computer in the domain using terminal services.
  Have to check whether any user tried logging in to the computers they don't have permissions.
  What if any one logged into multiple computers at a time.
  I want to see a report on failure logins for a particular Group.
User Object Change Auditing
  Report when Administrator's password is changed.
  To know when a user is set with "Password never expires"
Group Object Change Auditing
  Need to show when a user is added/removed from a security group.
Computer Object Change Auditing
  Every day we add few computers and we want to maintain the data for at least 6 months.
Organizational Unit Change Auditing
  Need to know what are all the OU's added recently in the domain and get a report for the last one month.
Group Policy Object Change Auditing
  I have already set a GPO for desktop customizations on all servers in the domain and would like to generate a report on frequent changes especially “who” did and “When”.
Domain Policy Change Auditing
  My account got locked out yesterday due to invalid logon attempt but I know that it was just 2 attempts, however I came to know later that someone had changed the domain policy, I want to find out who.
Address the most-needed security, audit and compliance demands. Arm yourself with easily
comprehensible, thorough reports and alerts, the right business add-ons to assist in the
execution of a change management action, and export the results to xls, html, pdf and csv
formats to assist in interpretation and computer forensics.
For critical resources in the network such as the Domain Controllers, access rights are
crucial to security. ADAudit Plus lists information on users who have last logged on or
logged off, or who have attempted to breach access to critical resources in the domain. Track
user, GPO, computer and OU changes with 150+ detailed event-specific reports and instant email alerts.
Track users Logon / Logoff, GPO, OU and Audit User Management Actions.
View user object life cycle changes - creation, modification and deletion of a user
object.
Admin can assign helpdesk tasks to track and monitor account changes in the domain
with reports and alerts.
Export the reports to desired formats xls, csv, pdf and html.
Need to capture who logged in recently on which computer in the domain using
terminal services.
ADAudit Plus Terminal Services logon reports help overcome the challenges of auditing user
terminal services logons. A host of pre-configured reports provides answers to logon audit
questions in the format desired and enhances the Active Directory auditing experience.
A bar graph is displayed. Each bar denotes an audit action on the server. The size of the bar
shows the number of events. Click on the bar graph to filter and view desired audit change on
the Terminal Servers.
2. Select the ‘Local Logon-Logoff’ Report Category from the Available list.
Have to check whether any user tried logging in to the computers they don't have
permissions.
The Logon Failure Report provides information on the reason for logon failures over a selected
period of time. Multiple logon failure attempts (bad logon attempts) on user accounts in the
selected period of time equip administrators with information on possible attacks on "intruder
attack susceptible" accounts. Information such as when a logon failure occurred, which account
failed to log on, and the possible failure reasons is reported.
A bar graph is displayed. Each bar denotes an audit action on the server. The size of the bar
shows the number of events. Click on the bar graph to filter and view desired audit change on
the Domain Controller.
2. Select the ‘User Logon’ Report Category from the Available list.
Windows Active Directory allows its domain users to log in to multiple computers at any given
instant. Administrators, auditors and managers require advanced tools to track these logons to
ensure that resources are used as desired. The ‘Users logged into multiple computers’
report provides the last logon data of one or more users on multiple computers within a given
time frame.
The multiple-computer access events are presented as refined data in a descriptive format to
ease auditing of who-did-what-from-where, along with many filter options to help single out the
user in question. Each event is an audit action on the server.
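The check behind a "users logged into multiple computers" report can be sketched as follows. This is an added example, not ADAudit Plus code or its actual logic: it assumes a simplified one-line-per-event export (constructed sample data), matches sessions by user and computer rather than by Windows Logon ID, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not from the page): time, event ID, user, computer.
# 4624 = successful logon, 4634 = logoff in the Windows Security log.
SAMPLE_EVENTS = """\
2024-03-04T08:01:10 4624 alice WS-101
2024-03-04T08:30:00 4624 bob WS-205
2024-03-04T09:15:42 4624 alice SRV-FILE01
2024-03-04T09:40:00 4634 bob WS-205
2024-03-04T10:05:00 4624 bob WS-207
2024-03-04T11:20:05 4634 alice SRV-FILE01
2024-03-04T17:02:00 4634 alice WS-101
"""

def parse_events(text):
    """Return (timestamp, event_id, user, computer) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, computer = line.split()
        # Normalise case so 'Alice' on 'ws-101' matches 'alice' on 'WS-101'.
        events.append((datetime.fromisoformat(ts), int(event_id),
                       user.lower(), computer.upper()))
    return events

def concurrent_logons(events):
    """Flag each logon made while the same user still has a session elsewhere.

    A session with no logoff event stays open, so a missed logoff can only
    produce extra findings, never hide one.
    """
    open_sessions = defaultdict(dict)  # user -> {computer: logon time}
    findings = []
    for ts, event_id, user, computer in sorted(events):
        sessions = open_sessions[user]
        if event_id == 4624:
            others = sorted(c for c in sessions if c != computer)
            if others:
                findings.append((user, ts, computer, others))
            sessions.setdefault(computer, ts)  # keep the earliest logon time
        elif event_id == 4634:
            sessions.pop(computer, None)  # logoff without a seen logon is ignored
    return findings

if __name__ == "__main__":
    for user, ts, computer, others in concurrent_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {user} logged on to {computer} "
              f"while still logged on to {', '.join(others)}")
```

In the sample, bob logs off WS-205 before logging on to WS-207 and is not flagged; only alice's overlapping sessions are reported.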
2. Select the ‘User Logon’ Report Category from the Available list.
6. To View, select the configured Report from the Profile Based Reports.
One of the most critical reports, it helps pinpoint an authorized or unauthorized password
change for an administrator’s account. With the many filter attributes on offer, interpreting
and solving an otherwise bleak situation is very simple.
5. Select the Domain and Select the User ‘Administrator’ and Click Save.
6. To View, select the configured Report from the Profile Based Reports.
Alerts
When the criticality is of the highest order, Instant Event Alerts can be created in addition
to the scheduled emailing of reports.
Other Active Directory Auditing Reports (A few from the 150+ Reports)
Logon Duration | Logon Failures | Recently Deleted Security Groups | Logon History | RADIUS
Logon Failures (NPS) | RADIUS Logon History (NPS) | Terminal Services Activity | Domain
Controller Logon Activity | Member Server Logon Activity | Workstation Logon Activity |
Account Management (User, OU, Group, GPO, Computer) | User Object History | Domain Policy
Changes | GPO Link Changes | Logon Activity | Recent User Logon Activity | Last Logon on
Workstations | User's Last Logon | Users logged into multiple computers
Note: A secure Active Directory password policy requires users to change their passwords on a
periodic basis. The motive is to ensure the security of user logins and prevent attacks by any
intruder.
2. Select the ‘User Management’ Report Category from the Available list.
2. Select the ‘Group Management’ Report Category from the Available list.
Every day we add few computers and we want to maintain the data for at least 6
months.
Like user accounts, computer accounts provide a means for authenticating and auditing the
computer's access to the network and its access to critical domain resources. Auditing and
keeping a tab on the ‘access resources’ plays a vital role in curtailing unauthorized access and in
forensics.
2. Select the ‘Computer Management’ Report Category from the Available list.
Need to know what are all the OU's added recently in the domain and get a report for
the last one month.
Audit the organizational units, the smallest scope or unit to which Group Policy settings can
be assigned or administrative authority delegated. Know when an OU was Created / Modified
/ Deleted. The History of OU Changes can be viewed in a single report.
2. Select the ‘OU Management’ Report Category from the Available list.
5. Select the Period. Custom Period (Last 30 Days) can also be selected.
Report listing the Recently Created OUs, Period Selected is Last 30 Days
I have already set a GPO for desktop customizations on all servers in the domain and
would like to generate a report on frequent changes especially “who” did and
“When”.
Group Policy Objects comprise the most critical ‘Group policies’: user or computer
settings for an entire group of users or computers. They are associated with Active Directory
objects such as sites, domains, or organizational units. Auditing this complex setup is indeed
very simple with ADAudit Plus.
2. Select the ‘GPO Management’ Report Category from the Available list.
My account got locked out yesterday due to invalid logon attempt but I know that it
was just 2 attempts, however I came to know later that someone had changed the
domain policy, I want to find out who.
The domain policy holds the domain-wide security settings for handling authentication
and authorization of Active Directory security principals and helps streamline user and
computer settings. The main policies under a domain policy are Password Policy, Account
Lockout Policy and Kerberos Policy. Domain policy is applied to all security principal accounts in
the domain, unless inheritance is specifically blocked or overridden by another policy.
2. Select the ‘Domain Policy Changes’ Report Category from the Available list.
Have to configure a report of share permission changes on folders and sub folders.
Other File Server Reports (File Audit | Server Based | User Based | Profile Based)
All File or Folder Changes | Files Created | Files Modified | Files Deleted | Successful File Read
Access | Failed attempt to Read File | Failed attempt to Write File | Failed attempt to Delete
Is there a way to get a report on process tracking on a particular server for a particular
time.
It is important to secure the member servers by diligently tracking server logons. This
calls for a setup that is not only secure internally but also audits every 'event' logged
to the security log of Member Servers and reports them on demand. Now an
administrator can audit much more on a Member Server.
2. Select the ‘Server Audit’ Report Category from the Available list.
A bar graph is displayed. Each bar denotes an audit action on the server. The size of the bar
shows the number of events. Click on the bar graph to filter and view desired audit change on
the Domain Controller.
Activity | System Changes - Start/Stop/Audit Log cleared | Process Tracking on Servers | Policy