Netwrix Auditor For Active Directory Quick Start Guide
The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions, as this publication may describe
features or functionality not applicable to the product release or version you are using. Netwrix makes
no representations or warranties about the Software beyond what is provided in the License
Agreement. Netwrix Corporation assumes no responsibility or liability for the accuracy of the
information presented, which is subject to change without notice. If you believe there is an error in this
publication, please report it to us in writing.
Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix
product or service names and slogans are registered trademarks or trademarks of Netwrix
Corporation. Microsoft, Active Directory, Exchange, Exchange Online, Office 365, SharePoint, SQL
Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. All other trademarks and registered
trademarks are property of their respective owners.
Disclaimers
This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure
that this information accurately reflects the information provided by the supplier, please refer to the
materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix
Corporation assumes no responsibility or liability for incorrect or incomplete information provided
about non-Netwrix products.
Table of Contents
1. Introduction
5. Monitoring Plans
5.3.1. Domain
7.4. Browse Data with Intelligence Search
8. Related Documentation
1. Introduction
This guide is intended for first-time users of Netwrix Auditor for Active Directory. It can be used for
evaluation purposes; therefore, it is recommended to read it sequentially and follow the instructions in
the order they are provided. After reading this guide you will be able to:
NOTE: This guide only covers the basic configuration and usage options for auditing Active Directory with
Netwrix Auditor. For advanced installation scenarios and configuration options, as well as for
information on various reporting possibilities and other product features, refer to Netwrix Online
Help Center.
Netwrix Auditor includes applications for Active Directory, Active Directory Federation Services, Azure AD,
Exchange, Office 365, Windows file servers, EMC storage devices, NetApp filer appliances, Nutanix Files,
network devices, SharePoint, Oracle Database, SQL Server, VMware, Windows Server, and User Activity.
Empowered with a RESTful API, the platform delivers visibility and control across all of your on-premises
or cloud-based IT systems in a unified way.
Major benefits:
To learn how Netwrix Auditor can help you achieve your specific business objectives, refer to Netwrix
Auditor Best Practices Guide.
Netwrix Auditor for Active Directory detects and reports on all changes made to the managed Active
Directory domain, including AD objects, Group Policy configuration, directory partitions, and more. It
makes daily snapshots of the managed domain structure that can be used to assess its state at present
or at any moment in the past. The product provides a logon activity summary and reports on interactive and
non-interactive logons, including failed logon attempts. Netwrix Auditor for Active Directory also helps
address specific tasks: detecting and managing inactive users and expiring passwords. In addition, Netwrix
Auditor for Active Directory provides a stand-alone Netwrix Auditor Object Restore for Active Directory
tool that allows reverting unwanted changes to AD objects down to their attribute level.
To learn about Netwrix Auditor licenses, refer to the following Netwrix Knowledge Base article: Netwrix
Auditor Licensing FAQs. To learn how to install a license, refer to Licenses.
To learn about ports and protocols required for product operation, refer to Protocols and Ports Required
for Netwrix Auditor.
To learn about security roles and permissions required for product operation, refer to Configure Netwrix
Auditor Service Accounts.
Active Directory
Exchange
SharePoint
Network devices
Databases
Windows server
VMware server
• Netwrix Auditor client UI does not display any warnings and/or errors regarding trail audit
mode operation
• If you are using Oracle Database 11g and Netwrix Auditor 9.9 (or earlier) and do not plan to
upgrade your deployment, you will have all 9.9 capabilities unchanged.
• If you are using Oracle Database 11g and have performed seamless upgrade to Netwrix Auditor
9.96, the audit data collection will operate properly. However, consider General Considerations and
Known Issues and keep in mind Oracle Database 11g support expiration dates.
If you are using Oracle Database 12c or later, make sure you have Unified auditing mode enabled.
Otherwise, Netwrix Auditor may not operate properly. Refer to Migrate to Unified Audit for more
information.
• Hardware Requirements
• Software Requirements
IMPORTANT! Consider that actual hardware requirements will depend on your monitored infrastructure,
the number of users in your environment, and activities that occur in the infrastructure per day. It
is strongly recommended that you go through the Deployment Planning section before you start
the installation.
Requirements provided in this section apply to a clean installation on a server without any additional
roles or third-party applications installed.
Below you can find rough estimations, calculated for evaluation of Netwrix Auditor for Active Directory.
Refer to Netwrix Online Help Center for more information on the Netwrix Auditor hardware
requirements.
You can deploy Netwrix Auditor on a virtual machine running Microsoft Windows guest OS on the
corresponding virtualization platform, in particular:
• VMware vSphere
• Microsoft Hyper-V
• Nutanix AHV
Note that Netwrix Auditor supports only Windows OS versions listed in the Software Requirements
section.
2.2.1.0.1. Scenario 1
Netwrix Auditor and SQL Server instance will be deployed on different servers.
2.2.1.0.2. Scenario 2
Netwrix Auditor server and SQL Server instance will be deployed on the same machine.
IMPORTANT! In large and extra-large environments, installation of Netwrix Auditor and SQL Server on
the same server is not recommended. Instead, deploy an SQL Server instance on a separate
server or cluster that meets the requirement in Scenario 1. Refer to related Microsoft guidelines.
Processor 2 cores
RAM 8 GB
Component Requirements
• Windows 10
• Windows 8.1
Export
To export SSRS-based reports, Internet Explorer must be installed on the machine where Netwrix
Auditor client runs.
Internet Options must be configured to allow file downloads for the Local intranet zone:
3. In the Settings list, locate Downloads > File download and make sure the Enabled option is
selected.
Printing
To print SSRS-based reports, SSRS Report Viewer and Netwrix Auditor Client require ActiveX Control to be
installed and enabled on the local machine. See this Knowledge Base article for details.
You can, for example, open any SSRS-based report using Internet Explorer and click Print. Internet
Explorer will prompt for installation of the additional components it needs for printing. Having them
installed, you will be able to print the reports from Netwrix Auditor UI as well.
Network and target systems or servers that work as your data sources: Test connectivity to your data source. Make sure you can access it by its NetBIOS and FQDN name from the computer where you intend to install Netwrix Auditor. Use the nslookup command-line tool to look up domain names. Domain controllers must be accessible as well.
SQL Server with Reporting Services (or Advanced Services) 2008 or higher: Supported SQL Server versions are listed here. Consider maximum database size in different versions. Make your choice based on the size of the environment you are going to monitor, the number of users, and other factors. Remember that maximum database size in Express editions may be insufficient.
Test account: Netwrix recommends you to create a special account with extensive privileges. This account should have sufficient permissions to:
NOTE: There is no need to perform any additional configuration steps to prepare your IT infrastructure
for auditing. Netwrix Auditor provides an option that automatically configures audit settings in
the target environment. For a full list of settings required for Netwrix Auditor to collect
comprehensive audit data and instructions on how to configure them manually, refer to Netwrix
Auditor Installation and Configuration Guide.
NOTE: If you are going to enable integration with Netwrix Data Classification (NDC Provider), additional
server roles must be assigned to the account. See For NDC Provider for more information.
Starting with version 9.96, you can use group Managed Service Account (gMSA) as data collecting
account. Currently, the following data sources are supported: Active Directory (also for Group Policy and
Logon Activity), Windows Server, File Server (currently for Windows File Servers), SQL Server, SharePoint.
For more details about gMSA usage, see Using Group Managed Service Account (gMSA).
The gMSA should also meet the related requirements (see the table below).
NOTE: The information in this section is outside the quick-start guide scope and is provided for reference
only. For detailed instructions on how to configure the data collecting account to access your
audited platform or application, see Netwrix Auditor Online Help Center.
2. Unpack the installation package. The following window will be displayed on successful operation
completion:
3. Follow the instructions of the setup wizard. When prompted, accept the license agreement.
6. On the Netwrix Customer Experience Program step, you are invited to take part in the Netwrix
Customer Experience Program. It is optional on your part to help Netwrix improve the quality,
reliability, and performance of Netwrix products and services. If you accept, Netwrix collects
statistical information on how the Licensee uses the product in accordance with applicable law.
Select Skip if you do not want to participate in the program.
NOTE: You can always opt out of the Netwrix Customer Experience Program later. See Netwrix
Online Helpcenter for instructions on how to cancel participation in the program.
7. Click Install.
After a successful installation, Netwrix Auditor shortcut will be added to the Start menu/screen and the
product will start. Review the following for more information about the product navigation: First Launch.
5. Monitoring Plans
To start auditing your environment and analyzing user behavior with Netwrix Auditor, create a
monitoring plan.
To collect data from your environment, you need to do the following:
1. Specify a data source and create a monitoring plan with a wizard. See Create a New Plan for more
information.
2. Add items to be monitored. An item is a specific object you want to audit. As soon as the item is
added to the monitoring plan, Netwrix Auditor starts collecting data from it. See Add Items for
Monitoring for more information.
To keep users up to date on the actual system state, Netwrix Auditor updates the latest snapshot on a
regular basis. Thus, only the latest snapshot is available for ongoing reporting in Netwrix Auditor.
However, you may need to generate reports based on the historical data. For that, you must import the
historical snapshots to the database.
NOTE: To import snapshots, you must be assigned the Global administrator or the Global reviewer role.
See Assign Roles for more information.
2. Select the required data source and click Edit data source on the right to open its properties.
5. In the Manage Snapshots window, select the snapshots that you want to import — use the arrows
to move the selected snapshots to the Snapshots available for reporting list. When finished, click
OK.
• Specify default SQL Server instance and configure the Audit Database to store your data
Option Description
Specify the account for collecting data: Provide a user name and a password for the account that Netwrix Auditor will use to collect data. By default, the user name is prepopulated with your account name.
Make sure the account has sufficient permissions to collect data. For a full list of the rights and permissions, and instructions on how to configure them, refer to Data Collecting Account. Netwrix recommends creating a special service account with extended permissions.
Enable network traffic compression: If selected, this option instructs Netwrix Auditor to deploy a special utility that will run on the audited computers and do the following:
This approach helps to optimize load balance and reduce network traffic. So, using this option can be recommended especially for distributed networks with remote locations that have limited bandwidth. See Network Traffic Compression for more information.
Adjust audit settings automatically: Netwrix Auditor can configure audit settings in your environment automatically. Select Adjust audit settings automatically. In this case, Netwrix Auditor will continually check and enforce the relevant audit policies. For some data sources (currently, Active Directory and Logon Activity) you will be offered to launch a special utility that will detect current audit settings, check them against requirements and then adjust them automatically. See Audit Configuration Assistant for details.
You may also want to apply audit settings via GPO (for example, for Windows Servers).
NOTE: If any conflicts are detected with your current settings, automatic audit configuration will not be performed.
For a full list of audit settings and instructions on how to configure them manually, refer to Configure IT Infrastructure for Auditing and Monitoring.
Launch Audit Configuration Assistant: Click to launch a specially intended utility that will assess your environment readiness for monitoring and adjust audit settings, if necessary. The tool will be launched in a new window. See Audit Configuration Assistant for details.
Collect data for state-in-time reports: State-in-time reports are based on the daily configuration snapshots of your audited systems; they help you to analyze particular aspects of the environment. State-in-time configuration snapshots are also used for IT risks assessment metrics and reports.
• Active Directory
• File Servers
• Windows Server
• Group Policy
• SharePoint
• SharePoint Online
• Exchange Online
• SQL Server
• VMware
NOTE: Alternatively, you can instruct Netwrix Auditor not to store data to the databases but only to the
repository (Long-Term Archive). In this scenario, you will only be able to receive activity
summaries. Reporting and alerting capabilities will not be provided.
NOTE: Make sure the Disable security intelligence and make data available only in activity
summaries checkbox is cleared.
• Install a new instance of Microsoft SQL Server Express automatically: this option is available at
the first run of the wizard. It allows you to deploy SQL Server 2016 SP2 Express with Advanced
Services on the local machine. This SQL Server will be used as default host for Netwrix Auditor
databases.
• Use an existing SQL Server instance: select this option to use an existing SQL Server instance.
NOTE: Local SQL Server instance is detected automatically, and input fields are pre-populated with
its settings.
Option Description
SQL Server instance: Specify the name of the SQL Server instance to store audit data.
Authentication: Select the authentication type you want to use to connect to the SQL Server instance:
• Windows authentication
User name: Specify the account to be used to connect to the SQL Server instance.
IMPORTANT! If you want to use Group Managed Service Account (gMSA) to access the SQL Server
instance hosting the database, consider that in this case Netwrix Auditor will not be
able to generate SSRS-based reports (due to Microsoft limitations).
Make sure the Disable security intelligence and make data available only in activity summaries
checkbox is cleared and Use default SQL Server settings is checked.
Setting Description
Disable security intelligence ...: Only select this option if you do not want your data to be stored in the database. In this case, you will only be able to receive activity summaries. Reporting and alerting capabilities will not be provided.
Use default SQL Server settings: Select this option if you want Netwrix Auditor to connect to the SQL Server instance using the default settings you specified in Default SQL Server Instance.
Specify custom connection parameters: Select this option to use custom credentials when connecting to SQL Server. Specify authentication method and the account that Netwrix Auditor will use.
Netwrix Auditor will connect to the default SQL Server instance and create a database with the specified
name on it.
NOTE: Global settings that apply to all databases with audit data (including retention period and SSRS
server used for reporting) are available on the Audit Database page of Netwrix Auditor settings.
See Audit Database for details.
NOTE: It is recommended to click Send Test Email. The system will send a test message to the specified
email address and inform you if any problems are detected.
To start collecting data, you should specify the objects (items) that belong to the target data source and
should be processed according to the settings of this monitoring plan. For example, for the Exchange data
source the item will be your Exchange server; for the Windows Server data source, a computer, IP range or AD
container; and so on. To add items right after finishing the monitoring plan wizard, select the Add item
now checkbox. See Add Items for Monitoring for details.
Each data source has a dedicated item type. Netwrix Auditor automatically suggests item types
associated with your data source.
5.3.1. Domain
Complete the following fields:
Option Description
Specify Active Directory domain: Specify the audited domain name in the FQDN format. For example, "company.local".
Specify the account for collecting data: Select the account that will be used to collect data for this item.
NOTE: Not applicable to Netwrix Auditor for User Activity. For this data source, the product sends
real-time data about sessions and activity.
• An Activity Summary email will be generated and sent to the specified recipients. It will list all
changes that occurred since the last scheduled or on-demand Activity Summary delivery.
• Changes that occurred between data collections will be written to the Long-Term Archive and the
Audit Database, and become available in the Netwrix Auditor client.
NOTE: Depending on the size of the monitored environment and the number of changes, data collection
may take a while.
NOTE: Before making any test changes to your environment, ensure that you have the sufficient rights,
and that the changes conform to your security policy.
This chapter explains how to review your test changes with some of the Intelligence options and Activity
Summary. Review the following for additional information:
In order not to wait for a scheduled Activity Summary generation, force data collection and email
delivery.
2. Click Edit.
3. In your monitoring plan settings, click Update in the right pane.
4. Check your mailbox for an email notification and make sure that the data collection has completed
successfully.
After the data collection has completed, check your mailbox for an Activity Summary and see how your
test changes are reported:
Column Description
Action: Shows the type of action that was performed on the object.
Item: Shows the item associated with the selected monitoring plan.
Where: Shows the name of the domain controller where the change was made.
Who: Shows the name of the account under which the change was made.
Workstation: Shows the name of the computer where the user was logged on when the change was made.
Details: Shows the before and after values of the modified object, object attributes, etc.
After collecting initial data, making test changes to your environment and running data collection again,
you can get at-a-glance statistics for changes with the Active Directory Overview.
To see how your changes are reported with Active Directory Overview
1. On the main Netwrix Auditor page, navigate to the Intelligence section and click the Reports tile.
5. Click on any chart to jump to a table report with the corresponding grouping and filtering of data.
Change and activity reports can be found under the Reports → Predefined → your data source type
and provide a narrower insight into what is going on in the audited infrastructure and help you stay
compliant with various standards and regulations (FISMA, HIPAA, PCI, SOX, etc.).
After collecting initial data, making test changes to your environment and running data collection again,
you can take advantage of the reports functionality.
1. On the main Netwrix Auditor page, navigate to Reports → Predefined → your data source.
object name. You can create flexible searches that provide you with precise results on who changed what,
and when and where each change was made.
After collecting initial data, making test changes to your environment and running data collection again,
you can review changes in detail with Intelligence search.
2. Add search filters to your search by clicking on a corresponding icon and providing a value. By
default, all entries that contain this filter value are shown. For an exact match, use quotation marks.
Filters are used to narrow your search results. To create a unique set of filters, you can:
• Add different filters to your search. Search results will be sorted by all selected filters since
they work as a logical conjunction (e.g., Who: Administrator AND Action: Added).
• Specify several values in the same filter to search for any of them (e.g., Action: Modified OR
Action: Removed). To do this, select a filter again and specify a new value.
NOTE: Refer to Netwrix Online Helpcenter for detailed instructions on how to apply filters and
change match types.
3. Click Search.
4. Now, you can narrow your search and modify it right from the search results pane. Click any entry
that contains excess data, select Exclude from search in the Details section and specify a filter, e.g.,
Action: Modified to leave information on newly created users only.
Your Search field will be updated, the Action not equal to filter will be added. Make sure to click
Search again to update your search results.
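The filter rules from the steps above, modeled as an added Python example (not Netwrix code and not the product's API): different filters combine with AND, several values in one filter combine with OR, unquoted values match by "contains", quoted values match exactly, and Exclude from search adds a "not equal to" condition. The records and the "id" key are constructed for the example, and case-insensitive comparison is an assumption.

```python
"""Model of the Intelligence search filter rules described in this guide.

Added illustration only: it does not call Netwrix Auditor or reuse its code.
"""

# Constructed sample records. Who/Action/Where/Details are Activity Summary
# column names from this guide; "id" is a hypothetical key for the example.
RECORDS = [
    {"id": 1, "Who": r"CORP\Administrator", "Action": "Added",
     "Where": "dc1.company.local", "Details": "User jsmith created"},
    {"id": 2, "Who": r"CORP\Administrator", "Action": "Modified",
     "Where": "dc1.company.local", "Details": "User jsmith: Title changed"},
    {"id": 3, "Who": r"CORP\admin.helpdesk", "Action": "Removed",
     "Where": "dc2.company.local", "Details": "Group Temp removed"},
    {"id": 4, "Who": r"CORP\jdoe", "Action": "Added",
     "Where": "dc2.company.local", "Details": "User tmp created"},
]


def parse_value(raw):
    """Split a filter value into (text, exact); quotation marks mean exact match."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1], True
    return raw, False


def value_matches(field_value, raw):
    """Contains-match by default, exact match when the value is quoted."""
    text, exact = parse_value(raw)
    # Assumption: comparison ignores case (the guide does not specify this).
    have, want = field_value.casefold(), text.casefold()
    return have == want if exact else want in have


def search(records, include, exclude=()):
    """Return the ids of records that satisfy the filters.

    include: (field, value) pairs; same field -> OR, different fields -> AND.
    exclude: (field, value) pairs modelling the "not equal to" filter that
             Exclude from search adds.
    """
    by_field = {}
    for name, raw in include:
        by_field.setdefault(name, []).append(raw)

    hits = []
    for rec in records:
        included = all(
            any(value_matches(rec.get(name, ""), raw) for raw in raws)
            for name, raws in by_field.items()
        )
        excluded = any(
            rec.get(name, "").casefold() == value.casefold()
            for name, value in exclude
        )
        if included and not excluded:
            hits.append(rec["id"])
    return hits


if __name__ == "__main__":
    # Who: Administrator AND Action: Added
    print(search(RECORDS, [("Who", "Administrator"), ("Action", "Added")]))
    # Action: Modified OR Action: Removed
    print(search(RECORDS, [("Action", "Modified"), ("Action", "Removed")]))
    # Contains match versus quoted exact match
    print(search(RECORDS, [("Who", "admin")]), search(RECORDS, [("Who", '"admin"')]))
    # Exclude from search -> Action not equal to Modified
    print(search(RECORDS, [("Who", "Administrator")], [("Action", "Modified")]))
```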
• Click Save as report to save the selected set of filters. This search will be added to the Custom
section inside Reports, so that you will be able to access it instantly. Refer to Custom
Search-Based Reports for detailed instructions on how to create saved searches.
• Click Create alert to get instant email or SMS notifications on suspicious activity that matches
your current search criteria. You only need to specify a name for a new alert, add recipient and
assign a risk score. The selected set of search criteria will be associated with the new alert
automatically. Refer to Alerts for detailed instructions on how to create and configure alerts.
Try making more similar test changes to provoke an alert. For example:
Once you have received the alert, click the Behavior Anomalies tile on the main Netwrix
Auditor page to see how the product identifies potentially harmful users and displays their risk
scores. Drill down to the user profile to review anomalies and mitigate risks. Refer to Netwrix
Online Helpcenter for more information on behavior anomalies and risk scores.
8. Related Documentation
The table below lists all documents available to support Netwrix Auditor for Active Directory:
Document Description
Netwrix Auditor Online Help Center: Gathers information about Netwrix Auditor from multiple sources and stores it in one place, so you can easily search and access any data you need for your business. Read on for details about the product configuration and administration, its security intelligence features, such as interactive search and alerts, and Integration API capabilities.
Netwrix Auditor Installation and Configuration Guide: Provides detailed instructions on how to install Netwrix Auditor, and explains how to configure your environment for auditing.
Netwrix Auditor Administration Guide: Provides step-by-step instructions on how to configure and use the product.
Netwrix Auditor Intelligence Guide: Provides detailed instructions on how to enable complete visibility with Netwrix Auditor interactive search, report, and alert functionality.
Netwrix Auditor Integration API Guide: Provides step-by-step instructions on how to leverage Netwrix Auditor audit data with on-premises and cloud auditing solutions using RESTful API.
Netwrix Auditor Release Notes: Lists the known issues that customers may experience with Netwrix Auditor 10, and suggests workarounds for these issues.