There are some things that Microsoft builds into their product that are just amazing, while other things that are just pathetic! When it comes to monitoring Active Directory, we have both. However, by using the good and supplementing the bad with other options, a fantastic solution can be achieved!
The Good and Bad of Active Directory Monitoring
The good that Microsoft provides with regard to Active Directory monitoring is with regard to the detailed logs that can be generated. Microsoft provides both “Auditing” and “Advanced Auditing” for domain controllers that are running Windows Server 2008 R2 and greater. When auditing is configured for the different objects (users, groups, computers, Group Policy, etc.) in Active Directory, nearly any created, modified, or deleted object will generate an entry in the security log.
That is the good part!
The bad part is that you have no good option to analyze, report, or find the entries that you are looking for. There are many reasons for this:
The security log size is limited to 4GB, and Microsoft suggests that it not be larger than 300MB!
With the log size at 4GB, you will generate 3 to 10 logs, per domain controller per day
Each domain controller will have a unique set of logs, as the logs are not replicated between domain controllers or consolidated in any way
The filtering capabilities in Event Viewer do not provide granular filters, only filters down to the Event ID level
Alerting is possible, but only at the specified Event ID level, which could create many false positives for most objects you want to track
With all of these severe limitations, it is really not feasible to use the Event Viewer for analysis and reporting.
Supplement the Bad
Instead, you can use a product that leverages the amazing detail that is in the logs! A product like ADAudit Plus does just this!
Interested in overcoming the limitations that you have with the Microsoft only solution?
Please join me in my upcoming webinar! I will go over the details for setting up auditing for Active Directory and even showing you how you can use Event Viewer to “attempt” to analyze and report on this information. Then, I will show you how quick and efficient ADAudit Plus is, not to mention how easy it is to install and inexpensive it is to obtain.
The original article/video can be found at Monitoring of Active Directory Changes Made Easy