Paessler PRTG

Active Directory event
auditing with PRTG


  • icon check white 2
    Regain control of Active Directory audit events

  • icon check white 2
    Be notified of changes to group memberships
  • icon check white 2
    Watch for changes to Service Accounts

  • icon check white 2
    Capture changes to Windows security policies







What is Active Directory auditing?

 iActive Directory (AD) is a directory service created by Microsoft for use in a Windows Server environment. It provides authentication and authorization functions, as well as providing a framework for other such services. The directory itself is an LDAP database that contains networked objects.
Read more

One of the many functions Active Directory serves is that of “Gate-Keeper” – controlling which users can use resources on the network, and their level of interaction with those resources. File shares, applications, internet access, printers; all depend on Active Directory (AD) to permit, or deny access. This makes it vitally important for SysAdmins to keep track of how AD is protecting those resources.

Fortunately, Microsoft have included excellent audit facilities within AD. Logon/log off, object access, policy changes, account management and many other activities all leave detailed records in the Windows Security Event Log. Unfortunately, for even a small network, AD auditing can create HUGE numbers of log events, making it very difficult to keep track of the really important ones.


How can PRTG help you?

 i How PRTG defines sensors

In PRTG, “sensors” are the basic monitoring elements. One sensor usually monitors one measured value in your network, e.g. the traffic of a switch port, the CPU load of a server, the free space of a disk drive. On average you need about 5-10 sensors per device or one sensor per switch port.

View video (3:26 min.)

PRTG watches AD audit events

PRTG watches AD audit events

This is where PRTG can help. By using the Windows Event Log sensors which, like all our sensors, are included in every PRTG license (even the freeware version), you can get alerted to any significant AD audit events you need to watch.

Security is crucial

Security is crucial

Unauthorised access to networked systems is an ever-increasing problem. Organisations of all sizes are investing heavily in security tools to identify and prevent data breaches. But comprehensive protection requires more than just protecting the network perimeter. Research shows that unauthorised system access from inside the network is more common than headline grabbing external hacking incidents.

The consequences of data breaches vary widely depending on the scale of the incident, the type of organisation affected and the nature of the compromised data. They can range from embarrassment and loss of customer confidence through to massive fines imposed by industry regulators.

Get alarmed

Get alarmed

Properly configured, AD Auditing can track and log access attempts to network resources regardless of whether the attempt is legitimate, accidental or malicious. Then, by having PRTG watch for specific events in the audit log, the IT Security Team can be notified as soon as any suspicious activity is identified, allowing remedial action to be taken immediately.

Two important sensors

Two important sensors

PRTG provides two different sensors that can help. Firstly, the WMI Event Log sensor which allows a single Event ID to be monitored. Then the Event Log (Windows API) sensor allows multiple Event IDs to be combined in a single sensor.

Here’s an example of the Event Log (Windows API) sensor watching the Windows Security Event Log for changes to the Domain Admin Security Group:

Two important sensors

PRTG detects AD audit events

PRTG detects AD audit events

As soon as matching Event IDs are written to the Security Event Log, PRTG detects them. If the number of events exceeds the limit (threshold) defined for the Warning/Error settings for the sensor channel, the sensor changes state, and notifications are sent to the Administrator to let him or her know that a change has been made to the Domain Admin Group:

PRTG detects AD audit events


This video explains Active Directory monitoring


An introduction to Active Directory monitoring with PRTG 


PRTG solves typical Active Directory problems

Preventing replication errors

The first problem involves so-called replication errors. The replication of directory data between various domain controllers can be prone to error. In turn, the resulting errors can cause problems with authentication and with access rights to resources.

A variety of factors play a role in the occurrence of these errors, including the number of consecutive synchronization failures, the time of the last synchronization attempt, and the number of pending replication operations.

The PRTG Active Directory Replication Errors v2 Sensor monitors up to eight different parameters during the replication of directories and the synchronization of the various domain controllers, and intelligently sounds the alarm in the event of anomalies or errors.

Identifying logged-out and deactivated users

Another common problem associated with the use of an Active Directory involves logged-out or deactivated users. Maintaining an overview of such users is next to impossible with standard AD tools.

With PRTG, you’ll get a ready-to-use script for PRTG Network Monitor which searches the Active Directory for all logged-out and deactivated users, and then lists them in PRTG:

To use this script, PRTG requires the Active Directory PS module. A manual with information on how to install the module can be found here: Microsoft Manual.

With a Search-AD account, you can run the script with a number of different queries. For the switches, see Microsoft’s TechNet platform: TechNet Platform

Monitor AD Group Membership

Using a PRTG script, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.

If you want to know if someone joins an AD group like Domain Admins and get a notification when this happens:


PRTG makes your job easier

Our monitoring software frees you to focus on other tasks by promptly notifying you of potential issues.


time white

Save effort

PRTG gives you one central monitoring tool for your servers and entire network. Enjoy a quick overview of your whole infrastructure via our dashboard and app.

brain white

Save time

Getting started with PRTG is a breeze. Setting up or switching from another network monitoring tool is easy thanks to the auto-discovery and pre-configured device templates.

money white

Save money

80% of our customers report substantial cost savings with network monitoring. Your costs of licenses will likely pay for themselves within weeks.



Active Directory Info at a glance – even on the go

Set up PRTG in minutes and use it on almost any mobile device.


PRTG comes with all the features you need, plus more your IT infrastructure won't want to live without.



PRTG monitors these vendors and applications in one view!


vendors vm ware



Trusted by 500,000 users and recognized
by industry analysts as a leader


“Fantastic network and infrastructure monitoring solution that is easy to deploy and easier still to use. Simply the best available.”

Read more reviews

“Software is absolutely perfect, Support is superior. Meets all needs and requirements, this is a must have solution if you are needing any form of monitoring.”

Read more reviews

“The tool excels at its primary focus of being a unified infrastructure management and network monitoring service.”

Read more reviews


quote markus puke

“We can all work with greater peace of mind knowing that our systems are constantly
being monitored.”

Markus Puke, Network Administrator, Schüchtermann Klinik, Germany


Notification system:
Be alerted quickly



email white


PRTG features a variety of alert types: E-mail, SMS, Pager, Apps, running an external application, etc. You can specify when and how each person is to be informed about network issues. To do so, you can add contacts and edit, delete, or pause your notifications at any time.

link white


The notification system is built into the monitoring software and is available at no extra charge. Because of its integrated quality, configuring the alert feature is done in just a few clicks.

alarm white


PRTG won't wait to let you know if your "house is on fire." You define your own thresholds. If these are crossed, you'll receive a corresponding notification. This means you can intervene promptly before clients or coworkers are aware of any problems.


“Easy to implement and configure with good technical support.”

R. v. S., ICT Manager at Heinen & Hopman Eng BV


Create innovative solutions with Paessler’s partners

Partnering with innovative vendors, Paessler unleashes synergies to create
new and additional benefits for joined customers.


Paessler and Plixer provide a complete solution adding flow and metadata analysis to a powerful network monitoring tool.

Read more


IT that works constitutes a business-critical basis for a company's success. Availability and security must be defined for the respective purpose and closely monitored – by OT and IT alike.

Read more


With ScriptRunner, Paessler integrates a powerful event automation platform into PRTG Network Monitor.

Read more


Want to read more? Please do!

SSL monitoring: PRTG determines the extent to which your connections are protected. You can therefore learn if your connections are strong, weak, or not protected at all.

Ping monitoring: PRTG uses ping to check the availability of all your network devices. If the ping fails, you will be notified immediately.

QoS monitoring: Is your line choppy? Do your video calls keep getting dropped? If so, then you have a problem with your quality of service. PRTG lets you set up easy and effective QoS monitoring and monitor values such as latency and jitter.

MIB Browser: Read and analyze MIB files with PRTG and the free Paessler MIB Importer.


PRTG the multi-tool

PRTG: The multi-tool for sysadmins

Adapt PRTG individually and dynamically to your needs and rely on a strong API:

  • HTTP API: Access monitoring data and manipulate monitoring objects via HTTP requests
  • Custom sensors: Create your own PRTG sensors for customized monitoring
  • Custom notifications: Create your own notifications and send action triggers to external systems
  • REST Custom sensor: Monitor almost everything that provides data in XML or JSON format


Still not convinced?



More than 500,000 sysadmins love PRTG

Paessler PRTG is used by companies of all sizes. Sysadmins love PRTG because it makes their job a whole lot easier.

Still not convinced?


Monitor your entire IT infrastructure

Bandwidth, servers, virtual environments, websites, VoIP services – PRTG keeps an eye on your entire network.



Try Paessler PRTG for free

Everyone has different monitoring needs. That’s why we let you try PRTG for free. Start now with your trial.




Network Monitoring Software - Version (April 10th, 2024)


Download for Windows and cloud-based version PRTG Hosted Monitor available


English, German, Spanish, French, Portuguese, Dutch, Russian, Japanese, and Simplified Chinese


Up to 100 sensors for free (Price List)

Unified Monitoring

Network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT, and more

Supported Vendors & Applications

cisco logo grey 40 dell logo grey 40 hp logo grey 40 ibm grey40 netapp grey40 linux grey40 aws grey40 windows grey40 vmware grey40 citrix grey40 exchange grey40 apache grey40 oracle grey40