Active Directory event
auditing with PRTG
Regain control of Active Directory audit events
Be notified of changes to group memberships
Watch for changes to Service Accounts
Capture changes to Windows security policies
What is Active Directory auditing?
Active Directory (AD) is a directory service created by Microsoft for use in a Windows Server environment. It provides authentication and authorization functions, as well as providing a framework for other such services. The directory itself is an LDAP database that contains networked objects.
One of the many functions Active Directory serves is that of “Gate-Keeper” – controlling which users can use resources on the network, and their level of interaction with those resources. File shares, applications, internet access, printers; all depend on Active Directory (AD) to permit, or deny access. This makes it vitally important for SysAdmins to keep track of how AD is protecting those resources.
Fortunately, Microsoft have included excellent audit facilities within AD. Logon/log off, object access, policy changes, account management and many other activities all leave detailed records in the Windows Security Event Log. Unfortunately, for even a small network, AD auditing can create HUGE numbers of log events, making it very difficult to keep track of the really important ones.
How can PRTG help you?
What is a sensor?
In PRTG, “sensors” are the basic monitoring elements. One sensor usually monitors one measured value in your network, e.g. the traffic of a switch port, the CPU load of a server, the free space of a disk drive. On average you need about 5-10 sensors per device or one sensor per switch port.
PRTG watches AD audit events
This is where PRTG can help. By using the Windows Event Log sensors which, like all our sensors, are included in every PRTG license (even the freeware version), you can get alerted to any significant AD audit events you need to watch.
Security is crucial
Unauthorised access to networked systems is an ever-increasing problem. Organisations of all sizes are investing heavily in security tools to identify and prevent data breaches. But comprehensive protection requires more than just protecting the network perimeter. Research shows that unauthorised system access from inside the network is more common than headline grabbing external hacking incidents.
The consequences of data breaches vary widely depending on the scale of the incident, the type of organisation affected and the nature of the compromised data. They can range from embarrassment and loss of customer confidence through to massive fines imposed by industry regulators.
Properly configured, AD Auditing can track and log access attempts to network resources regardless of whether the attempt is legitimate, accidental or malicious. Then, by having PRTG watch for specific events in the audit log, the IT Security Team can be notified as soon as any suspicious activity is identified, allowing remedial action to be taken immediately.
Two important sensors
PRTG provides two different sensors that can help. Firstly, the WMI Event Log sensor which allows a single Event ID to be monitored. Then the Event Log (Windows API) sensor allows multiple Event IDs to be combined in a single sensor.
Here’s an example of the Event Log (Windows API) sensor watching the Windows Security Event Log for changes to the Domain Admin Security Group:
PRTG detects AD audit events
As soon as matching Event IDs are written to the Security Event Log, PRTG detects them. If the number of events exceeds the limit (threshold) defined for the Warning/Error settings for the sensor channel, the sensor changes state, and notifications are sent to the Administrator to let him or her know that a change has been made to the Domain Admin Group:
This video explains Active Directory monitoring
PRTG solves typical Active Directory problems
Preventing replication errors
The first problem involves so-called replication errors. The replication of directory data between various domain controllers can be prone to error. In turn, the resulting errors can cause problems with authentication and with access rights to resources.
A variety of factors play a role in the occurrence of these errors, including the number of consecutive synchronization failures, the time of the last synchronization attempt, and the number of pending replication operations.
The PRTG Active Directory Replication Errors v2 Sensor monitors up to eight different parameters during the replication of directories and the synchronization of the various domain controllers, and intelligently sounds the alarm in the event of anomalies or errors.
Identifying logged-out and deactivated users
Another common problem associated with the use of an Active Directory involves logged-out or deactivated users. Maintaining an overview of such users is next to impossible with standard AD tools.
With PRTG, you’ll get a ready-to-use script for PRTG Network Monitor which searches the Active Directory for all logged-out and deactivated users, and then lists them in PRTG: https://kb.paessler.com/en/topic/57603-is-it-possible-to-monitor-active-directory-user-account-status
To use this script, PRTG requires the Active Directory PS module. A manual with information on how to install the module can be found here: Microsoft Manual.
With a Search-AD account, you can run the script with a number of different queries. For the switches, see Microsoft’s TechNet platform: TechNet Platform
Monitor AD Group Membership
Using a PRTG script, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.
If you want to know if someone joins an AD group like Domain Admins and get a notification when this happens: https://kb.paessler.com/en/topic/62616-can-i-use-prtg-to-monitor-ad-group-membership
PRTG simplifies your day
Our monitoring software works for you and promptly notifies you of potential issues.
It frees you to concentrate on your day-to-day tasks with peace of mind.
PRTG saves time
With PRTG, you get one central monitoring tool for your servers and entire network. Enjoy a quick overview of your whole infrastructure via our dashboard and app.
PRTG saves worry
Customizing PRTG is a breeze. Getting started or switching from another network monitoring tool is easy thanks to the auto-discovery and pre-configured device templates.
Active Directory Info at a glance – even on the go
PRTG can be started within minutes and it's compatible with many mobile devices.
Trusted by 500,000 users and recognized
by industry analysts as a leader
“We can all work with greater peace of mind knowing that our systems are constantly
Markus Puke, Network Administrator, Schüchtermann Klinik, Germany
Be alerted quickly
PRTG features a variety of alert types: E-mail, SMS, Pager, Apps, running an external application, etc. You can specify when and how each person is to be informed about network issues. To do so, you can add contacts and edit, delete, or pause your notifications at any time.
The notification system is built into the monitoring software and is available at no extra charge. Because of its integrated quality, configuring the alert feature is done in just a few clicks.
Want to read more? Please do!
SSL monitoring: PRTG determines the extent to which your connections are protected. You can therefore learn if your connections are strong, weak, or not protected at all.
QoS monitoring: Is your line choppy? Do your video calls keep getting dropped? If so, then you have a problem with your quality of service. PRTG lets you set up easy and effective QoS monitoring and monitor values such as latency and jitter.
MIB Browser: Read and analyze MIB files with PRTG and the free Paessler MIB Importer.
PRTG: The Swiss Army knife for sysadminsAdapt PRTG individually and dynamically to your needs relying on a strong API:
- HTTP API: Access monitoring data and manipulate monitoring objects using HTTP requests
- Custom Sensors: Create your own sensors for customized monitoring
- Custom Notifications: Create your own notifications to send alarms to external systems
- REST Custom Sensor: Monitor almost everything that provides XML or JSON
Still not convinced?
More than 500,000 sysadmins love PRTG
PRTG is used by companies of all sizes. Sysadmins love PRTG because it makes their job a whole lot easier.
Still not convinced?
Monitor your entire IT infrastructure
Bandwidth, servers, virtual environments, websites, VoIP services – PRTG keeps an eye on your entire network.
|Network Monitoring Software - Version 126.96.36.1995 (April 26th, 2022)|
|Download for Windows and cloud-based version PRTG Hosted Monitor available|
|English, German, Spanish, French, Portuguese, Dutch, Russian, Japanese, and Simplified Chinese|
|Up to 100 sensors for free (Price List)|
|Network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT, and more|
Supported Vendors & Applications