Hey fellow admins! We've recently hit a point where our company needs to step up its audit game. Specifically, we need to track admin activities in Active Directory, like password resets, modifying groups, and unlocking accounts. It's important for compliance, and I'm looking for reliable tools or solutions that can help us log these actions effectively. Ideally, I prefer something user-friendly that allows for easy report generation. Any recommendations based on what you've used or are currently using? Just to clarify, we are working on a SIEM proof of concept for Entra and monitoring endpoint logs, but we're still missing logging for our on-prem AD. Looking forward to your suggestions!
5 Answers
If you have the right Microsoft licenses, you can go to Microsoft Defender's settings to enable auditing features for your on-prem AD actions, including password resets and group modifications. Just double-check if it covers all the specifics you need!
Have you checked out ManageEngine ADAudit Plus? It's got solid features for tracking AD changes and might fit your needs well! Also, they have a demo you can try out before committing.
Quest Change Auditor is another option. However, just a heads up, it doesn't come cheap.
You might find all those events logged in the Event Viewer by default. Setting up a centralized logging server for your domain controllers could help. You can collect relevant event IDs and customize filters to make sense of the logs. Using PowerShell, you can even automate exports to CSV or integrate with teams for alerts.
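The Event Viewer and PowerShell approach from the answer above, as an added example (not code posted by the answerer): it pulls the standard Security-log event IDs for password resets, group membership changes and unlocks from each domain controller and writes one CSV. The function names and `dc01.example.test` are hypothetical, and it assumes account-management auditing is enabled on the DCs.

```powershell
# Standard Security-log event IDs for the actions named in the question.
$AuditIds = @{
    4724 = 'Password reset attempt';    4767 = 'Account unlocked'
    4728 = 'Added to global group';     4729 = 'Removed from global group'
    4732 = 'Added to local group';      4733 = 'Removed from local group'
    4756 = 'Added to universal group';  4757 = 'Removed from universal group'
}

function Convert-AdAuditEvent {
    # Flatten one event's XML into a row: who did what to which object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $sys = $EventXml.Event.System
    $id  = [int]$sys['EventID'].InnerText
    $d   = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated = $sys.TimeCreated.SystemTime
        DC          = $sys.Computer
        EventId     = $id
        Action      = $AuditIds[$id]
        Actor       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Target      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        Member      = $d.MemberName   # populated only on group membership events
    }
}

function Export-AdAdminActivity {
    # Each DC logs only the changes it processed, so query every DC.
    param([string[]]$DomainController, [datetime]$Since, [string]$Path)
    $filter = @{ LogName = 'Security'; Id = [int[]]@($AuditIds.Keys); StartTime = $Since }
    $rows = foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object { Convert-AdAuditEvent -EventXml $_.ToXml() }
        } catch { Write-Warning "$dc : $($_.Exception.Message)" }
    }
    $rows | Sort-Object TimeCreated | Export-Csv -Path $Path -NoTypeInformation
}

# Constructed sample event (not from a real DC) to exercise the parser offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4724</EventID><TimeCreated SystemTime="2024-01-01T09:00:00Z"/>
    <Computer>dc01.example.test</Computer></System>
  <EventData><Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data><Data Name="TargetUserName">jdoe</Data></EventData>
</Event>
'@
Convert-AdAuditEvent -EventXml $sample | Format-List
```

A scheduled run would call something like `Export-AdAdminActivity -DomainController dc01,dc02 -Since (Get-Date).AddDays(-1) -Path .\ad-admin-activity.csv` with your own DC names. A DC that returns no matching events or cannot be reached shows up as a warning rather than being skipped silently.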
For on-prem AD options, Netwrix is worth considering. Just be aware that it can be a bit pricey though!
This could be a good fit for us since we already use other ManageEngine products!