Below is an English translation of a product review for the NetWrix Active Directory Change Reporter. This was originally posted by Damir Dizdarevic on his blog last month. It was also posted in the local Bosnian-Herzegovinian IT community on the Info.ba site. We are always delighted and proud to see IT professionals in other nations around the globe finding our solutions and experiencing their great value.
Please feel free to post your comments below on this great product review of Active Directory Change Reporter, which is an integrated component of the Change Reporter Suite. Also, please be sure to visit Info.ba as well as Damir’s blog for localized IT expertise and commentary.
Product Review: NetWrix Active Directory Change Reporter
Monitoring events in Active Directory (generally known in the literature as auditing) is one of the concerns of any Windows environment administrator. Although it is certainly not the first or the most important thing administrators do, it is something without which a serious IT environment is difficult to imagine. Usually the need for auditing arises reactively: after some unwanted event, admins realize that auditing should have been implemented long ago.
My personal experience as an IT consultant and long-time lecturer speaks in favor of exactly what I have outlined. People generally do not deal with auditing at all, or at least not seriously enough for it to be considered a reliable source of information. Part of the reason for this laziness is that admins sometimes don’t want to do something that de facto does not functionally improve the system (but protects it), and part is that the techniques for auditing Active Directory have been fairly slow to develop. Specifically, the audit policies that produce the audit logs have not substantially changed in almost 10 years. Windows Server 2008 R2 brought some improvement by adding new policy settings that give more precise control over what is monitored (to avoid over-auditing, which is basically almost the same as not monitoring anything), but the mechanism of applying them is still group policy, and the logs are still collected in the Security log of the computers that track what happens. Because the Security log is almost always full of a variety of other records, audit entries are very difficult to see without good filtering techniques. Fortunately, the new Event Viewer that we have in Windows Server 2008 delivers significant improvements in this field, although still not quite what we expected.
What is actually the goal of auditing in an Active Directory-based environment? The primary goal is to provide quality, focused and timely information on the changes that have occurred in the IT environment (specifically in AD), and to provide information about who made the change, when, and where or on which resource. This is the reactive approach to auditing. In addition, auditing can be used proactively, that is, to observe events on the system which could lead to something we would like to prevent from happening in the future. Proactive monitoring requires, in addition to the techniques, a lot of analytical knowledge, but it is certainly more desirable than the reactive approach.
The subject of this article, Active Directory Change Reporter, is an extremely useful tool used for auditing purposes in Windows Server-based environments built on Active Directory. It is produced by NetWrix, a company with many years of experience in this field, which has resulted in a number of tools used mainly for auditing and logging. More information about the tools can be found on their website, www.netwrix.com.
As its name says, this is a tool for tracking changes in Active Directory. Besides monitoring, it provides extremely powerful reporting on what changes were recorded in various categories. Through a specially developed console, administrators can now dispense with filtering and sifting through hundreds of log entries and focus on the essence: the change itself and the attributes that accompany it (who, when, where and why). It does all this without using the Event Viewer.
NetWrix Active Directory Change Reporter is composed of 4 components:
• Active Directory Change Reporter
• Group Policy Change Reporter
• Exchange Change Reporter
• Active Directory Object Restore Wizard
The names of the components are descriptive enough to show what each one does. Although Exchange Server is also mentioned among the functional groups, that component actually tracks changes in Active Directory that relate to Exchange, since this product holds most of its configuration precisely in Active Directory. There is also the Object Restore Wizard, which helps restore deleted objects, that is, objects in the tombstone state whose tombstone lifetime has not yet expired. However, it should be said that this is not an alternative interface to the Active Directory Recycle Bin, but rather restores deleted objects the “old way”, the way that was possible prior to Windows Server 2008 R2 (which introduced the AD Recycle Bin). This means it can be applied to older versions of Windows Server Active Directory. The only downside is that restored deleted objects lose all their attributes, but these are relatively easy to re-create, and the objects retain their SID and sAMAccountName, which is what matters most. Using this wizard to restore previously deleted objects also spares administrators the need to use tools such as Ldp.exe or command-line tools, which, to put it mildly, are not very popular.
Through these functional components, AD Change Reporter can do the following:
– For each change notification, in addition to the name of the modified property, it provides the old and new values of the changed attribute (or attributes). The software can track multiple changes within a single observation cycle, and if changes occur in many different attribute values, all of them will be recorded.
– Generate different types of web-based reports on registered changes on demand. It is also possible to create your own reports using the many predefined filters, or to order additional reports from the manufacturer.
– Maintain Active Directory snapshots and compare the state of AD over time, in terms of the reported objects and the changes that accompanied them.
– Generate real-time alerts distributed via e-mail for critical events that cannot wait for a scheduled report (such as adding or removing someone from the Enterprise Admins group).
– Maintain logs and reports for an indefinitely long time.
– Create e-mail “subscriptions” to various types of reports. This spares the administrator from searching the console for the reports he wants to monitor continuously.
The administrative console is a classic MMC 3.0 snap-in and, as can be seen in the following figure, is quite intuitive; no experienced administrator should have problems using it.
The technology behind Change Reporter is not unknown. It is the well-known DirSync change-tracking technology, based on changes in the USN value. DirSync is otherwise used to synchronize changes between different directory services; here it is used to detect the change and, instead of synchronizing it into another directory, record it in the database.
USN is the Update Sequence Number, a value that changes whenever any change occurs in the domain, configuration or schema partition of Active Directory. Active Directory Change Reporter runs its check of this data every 10 minutes. This achieves a moderate system load, because data is collected in relatively small quantities, while polling often enough that no data is lost through old entries being overwritten in the security log.
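As an added illustration (this is not NetWrix’s code), the following PowerShell sketches one USN-based polling cycle of the kind described above, watching the membership of one group so that a change such as the Enterprise Admins example earlier would be reported with its old and new value. It assumes the ActiveDirectory module is available; the state-file path and group DN are constructed placeholders.

```powershell
# Added example, not NetWrix code: one USN-based polling cycle watching a single group.
# Assumptions: ActiveDirectory module present; state-file path and group DN are constructed.
Import-Module ActiveDirectory

$StateFile    = 'C:\ADAudit\state.json'                              # constructed path
$WatchedGroup = 'CN=Enterprise Admins,CN=Users,DC=example,DC=com'     # constructed DN

function Get-CurrentUsn {
    # highestCommittedUSN of the DC we are bound to. USNs are per-DC, so always poll the same DC.
    [long](Get-ADRootDSE).highestCommittedUSN
}

function Get-ChangedObjects([long]$SinceUsn) {
    # Any write to an object bumps its uSNChanged, so this returns only what changed since last poll.
    Get-ADObject -Filter "uSNChanged -ge $SinceUsn" -Properties member, uSNChanged, whenChanged
}

function Compare-Membership($OldMembers, $NewMembers) {
    # Old value vs new value, as the review describes a change notice, instead of a raw event.
    $old = @($OldMembers | Where-Object { $_ })
    $new = @($NewMembers | Where-Object { $_ })
    [pscustomobject]@{
        Added   = @($new | Where-Object { $_ -notin $old })
        Removed = @($old | Where-Object { $_ -notin $new })
    }
}

# --- one polling cycle; a scheduled task would repeat this every 10 minutes ---
$state = if (Test-Path $StateFile) { Get-Content $StateFile -Raw | ConvertFrom-Json }
         else { [pscustomobject]@{ LastUsn = 0; Members = @() } }   # first run = initial snapshot

$nowUsn  = Get-CurrentUsn
$changed = Get-ChangedObjects -SinceUsn ([long]$state.LastUsn + 1)

foreach ($obj in $changed) {
    if ($obj.DistinguishedName -ne $WatchedGroup) { continue }
    $diff = Compare-Membership -OldMembers $state.Members -NewMembers $obj.member
    if ($diff.Added -or $diff.Removed) {
        # Alert path: e-mail (Send-MailMessage) or a log line your SIEM collects. "Who" is not in
        # USN data; correlate with the Security log's directory-service audit events for that.
        $msg = "{0}: membership of {1} changed. Added: [{2}] Removed: [{3}]" -f $obj.whenChanged,
               $WatchedGroup, ($diff.Added -join '; '), ($diff.Removed -join '; ')
        Write-Warning $msg
    }
    $state.Members = @($obj.member | Where-Object { $_ })
}

$state.LastUsn = $nowUsn      # a USN watermark, unlike Security log entries, cannot be overwritten
$state | ConvertTo-Json | Set-Content $StateFile
```

The first run with an empty state file scans the whole domain to build the baseline snapshot; subsequent runs only touch objects whose uSNChanged moved past the saved watermark.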
Installation and configuration
Installing the AD Change Reporter software is a very easy process. The console can be installed on any computer in the domain and does not have to be located on a domain controller. It supports all versions of Active Directory from Windows 2000 onwards, which gives it a very wide range of application in most of today’s environments. The installation requirements are not large: .NET Framework 2.0 and MMC 3.0 are sufficient. If you want to use advanced reporting, you also need to install SQL Server Express or the full version of SQL Server with Reporting Services functionality. Of course, you need to provide an account with appropriate privileges to connect to Active Directory and to run the task that generates reports at regular intervals.
After installation, you need to do the initial configuration. The first step is to create a Managed Object, which is the Active Directory domain that you will audit. After that, a brief analysis of the existing auditing settings is made, and they are set to the required values if not already configured. Once the software is connected to the domain, it remains to adjust the settings related to the Exchange server (if any), the settings for the SQL Server database (if you will use advanced reporting), and the settings for notification via e-mail or subscription to certain reports. Since the software comes with a large number of pre-created report templates, you will probably not need to create new ones at first, at least until you don’t find what you need. Upon completion of the configuration, an initial snapshot is made and from that moment the system is ready for operation. These screenshots show some of the predefined reports and the most important configurable settings.
As with conventional auditing through the security logs in Event Viewer, it is recommended here too to avoid over-auditing. True, with this software it is much harder to over-audit, but not impossible. I suggest you review the details provided with the existing reports, enable those you really need, and create new ones where needed. Making a new report is actually creating an appropriate filter on the object you want to track. For example, you can create a report filter that tracks changes to a particular security group in AD, or the like.
The reports themselves are substantial and can be distributed via e-mail in summary form, or called directly from SQL Server Reporting Services. Below you can see a couple of types of reports:
NetWrix Active Directory Change Reporter is a very useful piece of software. It is especially effective in environments where multiple people have privileges to make changes in Active Directory, and where centralized monitoring of those changes is necessary. Its use of SQL Server Reporting Services is also a hit: reports created this way look great and give the very essence of what we want to see in this type of report. Perhaps one of the best features of this software is that it gives exactly what you would expect, without too much complication and without superfluous questions.
We also have to say something about the price of this product. If it is used in environments with up to 150 users (like most in our country), the price is 8.70 USD per user. As the number of users increases, the cost per user becomes even lower. Special discounts are also available for government institutions, educational institutions and non-profit organizations. If you want to include the Exchange Change Reporter as well, add another 1.35 USD per user, also for environments of up to 150 users. For accurate pricing, it is necessary (and advisable) to contact the manufacturer. In any case, the price listed here is generally not expensive considering what you get, and the license is purchased once.
For those who need to track changes in AD but find the traditional approaches ineffective or too complicated, this is the right choice.