Active Directory Event
Auditing with PRTG
- Regain control of Active Directory audit events
- Be notified of changes to group memberships
- Watch for changes to Service Accounts
- Capture changes to Windows security policies
What is Active Directory Auditing?
One of the many functions Active Directory serves is that of “Gate-Keeper” – controlling which users can use resources on the network, and their level of interaction with those resources. File shares, applications, internet access, printers; all depend on Active Directory (AD) to permit, or deny access. This makes it vitally important for SysAdmins to keep track of how AD is protecting those resources.
Fortunately, Microsoft have included excellent audit facilities within AD. Logon/log off, object access, policy changes, account management and many other activities all leave detailed records in the Windows Security Event Log. Unfortunately, for even a small network, AD auditing can create HUGE numbers of log events, making it very difficult to keep track of the really important ones.
How can PRTG
iWhat is a sensor?
In PRTG, “Sensors” are the basic monitoring elements. One sensor usually monitors one measured value in your network, e.g. the traffic of a switch port, the CPU load of a server, the free space of a disk drive. On average you need about 5-10 sensors per device or one sensor per switch port.
PRTG watches AD audit events
This is where PRTG can help. By using the Windows Event Log Sensors which, like all our sensors, are included in every PRTG license (even the freeware version), you can get alerted to any significant AD audit events you need to watch.
Security is crucial
Unauthorised access to networked systems is an ever-increasing problem. Organisations of all sizes are investing heavily in security tools to identify and prevent data breaches. But comprehensive protection requires more than just protecting the network perimeter. Research shows that unauthorised system access from inside the network is more common than headline grabbing external hacking incidents.
The consequences of data breaches vary widely depending on the scale of the incident, the type of organisation affected and the nature of the compromised data. They can range from embarrassment and loss of customer confidence through to massive fines imposed by industry regulators.
Properly configured, AD Auditing can track and log access attempts to network resources regardless of whether the attempt is legitimate, accidental or malicious. Then, by having PRTG watch for specific events in the audit log, the IT Security Team can be notified as soon as any suspicious activity is identified, allowing remedial action to be taken immediately.
Two important sensors
PRTG provides two different sensors that can help. Firstly, the WMI Event Log Sensor which allows a single Event ID to be monitored. Then the Event Log (Windows API) Sensor allows multiple Event IDs to be combined in a single sensor.
Here’s an example of the Event Log (Windows API) Sensor watching the Windows Security Event Log for changes to the Domain Admin Security Group:
PRTG detects AD audit events
As soon as matching Event IDs are written to the Security Event Log, PRTG detects them. If the number of events exceeds the limit (threshold) defined for the Warning/Error settings for the sensor channel, the sensor changes state, and notifications are sent to the Administrator to let him or her know that a change has been made to the Domain Admin Group:
An Introduction to
Active Directory Monitoring with PRTG
PRTG solves typical
Preventing Replication Errors
The first problem involves so-called replication errors. The replication of directory data between various domain controllers can be prone to error. In turn, the resulting errors can cause problems with authentication and with access rights to resources.
A variety of factors play a role in the occurrence of these errors, including the number of consecutive synchronization failures, the time of the last synchronization attempt, and the number of pending replication operations.
The PRTG Active Directory Replication Errors Sensor monitors up to eight different parameters during the replication of directories and the synchronization of the various domain controllers, and intelligently sounds the alarm in the event of anomalies or errors.
iActive Directory (AD) is a directory service created by Microsoft for use in a Windows Server environment. It provides authentication and authorization functions, as well as providing a framework for other such services. The directory itself is an LDAP database that contains networked objects. Active Directory uses the Windows Server operating system. Read more ...
Identifying logged-out and deactivated users
Another common problem associated with the use of an Active Directory involves logged-out or deactivated users. Maintaining an overview of such users is next to impossible with standard AD tools.
With PRTG, you’ll get a ready-to-use script for PRTG Network Monitor which searches the Active Directory for all logged-out and deactivated users, and then lists them in PRTG: https://kb.paessler.com/en/topic/57603-is-it-possible-to-monitor-active-directory-user-account-status
To use this script, PRTG requires the Active Directory PS module. A manual with information on how to install the module can be found here: Microsoft Manual.
With a Search-AD account, you can run the script with a number of different queries. For the switches, see Microsoft’s TechNet platform: TechNet Platform
Monitor AD Group Membership
Using a PRTG script, you can enumerate how many people are in a group and then set up channel limits to put the sensor into an error status when the number of members exceeds the intended amount.
If you want to know if someone joins an AD group like Domain Admins and get a notification when this happens: https://kb.paessler.com/en/topic/62616-can-i-use-prtg-to-monitor-ad-group-membership
Active Directory Info at a glance –
even on the go
PRTG can be started within minutes and it's compatible with many mobile devices.
PRTG simplifies your day
Our monitoring software works for you and promptly notifies you of potential issues.
It frees you to concentrate on your day-to-day tasks with peace of mind.
PRTG saves time
With PRTG, you get one central monitoring tool for your servers and entire network. Enjoy a quick overview of your whole infrastructure via our dashboard and app.
PRTG saves worry
Customizing PRTG is a breeze. Getting started or switching from another network monitoring tool is easy thanks to the PRTG auto-discovery and pre-configured device templates.
Be alerted quickly
PRTG features a variety of memory alerts:
e-mail, SMS, Pager, Apps, running an external application, etc. You can specify when and how each person is to be informed. To do so, you can add contacts and edit, delete, or pause your notifications at any time.
The notification system is built into the Active Directory Monitor and is available at no extra charge. Because of its integrated quality, configuring the alert feature is done in just a few clicks.
PRTG won't wait to let you know if "your RAM load is on fire." You define your own thresholds. If these are crossed, you'll receive a corresponding notification. This means you can intervene promptly before clients or coworkers are aware of any problems.
Award winning solution
We work hard on making our software as powerful and easy-to-use
as possible for our customers each and every day.
Of course it makes us proud when we get awards for that.
PAESSLER AG –
German quality engineering
Administrators must compare monitoring tools or search for a free one. There are several suppliers on the market.
PRTG comes with a full range of advantages:
1. Free trial version: PRTG is available in a free trial version. Use this version to get a feel for our network monitoring tool with no risk whatsoever.
2. Over 200,000 administrators: whether in large or small businesses, authorities, colleges or administrations - all around the world, more than 200,000 administrators put their trust in our network monitoring tool, and can therefore also monitor their bandwidth. Read our case studies here.
3. Support: do you have a question? We respond in a jiffy! You can already access a great deal of information online by consulting our FAQs, manuals, videos, webcasts, or knowledge base. You can of course also send us a message. We'll do our best to get back to you within 24 hours on business days.
PRTG – your network monitoring tool
PRTG is the PAESLLER AG's all-in-one network monitoring tool. Our software is used by more than 200,000 administrators worldwide, whether it be to monitor their hardware- and server performance , their virtual environments, or the accessibility of their websites. Use PRTG for database monitoring or sql monitoring. PRTG is a one fits all network analyzer tool.
Save time, worry, and money. PRTG is configured in a matter of minutes. The trial version is offered free of charge. And you can upgrade whenever you like.
|Network Monitoring Software - Version 184.108.40.2062 (July 13th, 2018)|
|Download for Windows and hosted version available|
|English, German, Spanish, French, Portuguese, Dutch, Russian, Japanese, and Simplified Chinese|
|Up to 100 sensors for free (Price List)|
|Network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT, and more...|
Supported Vendors & Applications