Interpreting Active Directory audit data, not so simple!

It had been a while since I needed to comb through event logs to figure out some change in Active Directory. Having just joined NetWrix, I thought it may be a good idea to spend some time reviewing Windows auditing and in particular What’s New Windows Server with AD DS (Domain Services) logging. I was surprised to see that despite the progress some AD DS logging problems persist.

I had already seen the new 2008 AD DS settings that provide before and after values for changes applied to AD objects, but what I didn’t know if this feature was usable or not. I found that the old adage “You may get more than you bargain for…” directly applied in this case. Some of the AD DS auditing issues were pretty tough to get around.

For simple data changes the native logging works fairly – well once you sort through the logs and find the correct event. Once you find the event you just need to review the details to figure out what changed – that is the easy part.

My experience with more complex changes was less intuitive than I expected due mainly to the way Windows writes event data. I made what I thought was a simple change by delegating a user security rights on a group. I then went to the event logs to hunt for the change. After filtering through a couple of dozen events I found the event that showed the actual change. When reviewed the event I found that it left the updated security details in the internal AD format rather than showing it in a human readable format. I was expecting to see the data like it is shown on the Security tab of the group, what I got was a bunch of mumbo-jumbo that left me with no understanding of what had changed.

As I started doing a little research I found other attributes that were also written to the event logs in some raw AD DS format that is totally un-intelligible. And so over the course of an hour or more of digging into this issue a little further I started to resent the fact that this information simply isn’t rendered in a way that is usable out of the box. I also had a vastly increased appreciation for the way our change auditing solution zeros-in on the right event(s) and quickly displays this data in a simple, efficient and human readable format.

Click here for more information on NetWrix Active Directory Change Reporter.

Robert is a former Director of Product Management at Netwrix. He combines 20 years of IT management and enterprise software experience to provide strategic vision to his high-performance teams through times of growth and change.