
The ADMonitor component requires very little customization and automatically configures itself during installation by doing the following:

 

Monitors the domain of which the computer is a member

Finds the nearest domain controller

Downloads all Active Directory objects as well as the schema to obtain a baseline. The offline AD database is stored in the ADMonitor\DB subdirectory.

 

Basic Configuration

The ADMonitor dialog in the management console supports setting the database for all AD changes, controlling the service and verifying that the ADMonitor service is working properly.

 

Store in Database

Stores all future changes to objects and group policies in the database referenced by the selected database action

 

Utilize Collector

When enabled, sends all ADMonitor data through the collector, useful and recommended only when ADMonitor is running on a host that has no direct network connection to the selected database.

 


 

Check AD Passwords for Compromise

When enabled, retrieves the NTLM hash for all users from AD and determines whether a user's password has appeared in a past data breach. A compromised password does not mean that this user has been compromised in AD; it simply indicates that the password used by the user has also been used somewhere else (e.g. a web site) where it was breached at some point.

 

This feature will also detect if more than one user in AD uses the same password.

 

When this feature is first enabled, ADMonitor will scan all users' passwords for compromise. After the initial discovery scan, the following timing is used:

 

ADMonitor will check every 15 minutes if a user's password has been changed in AD. If it has, ADMonitor will refresh the password hashes and re-check for compromise.

If no passwords are being changed, ADMonitor will refresh the password hashes and re-check for compromise every 48 hours regardless.

 


Important Technical Details

 

ADMonitor is not able to retrieve the actual passwords; only NTLM hashes are retrieved.

Only the first 5 characters of the NTLM hash are transmitted to https://api.pwnedpasswords.com.

Accessing pwnedpasswords.com is currently free and does not require a subscription.

NTLM hashes are not stored in EventSentry; only the SHA256 hash of each NTLM hash is stored, to allow the detection of duplicate passwords.
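The following added example (not EventSentry's own code) walks through the two mechanisms described above: the 5-character range query against the pwnedpasswords API, and duplicate detection via a SHA256 of the NTLM hash. It assumes the API's NTLM range mode (GET /range/<prefix>?mode=ntlm, which returns "SUFFIX:COUNT" lines), assumes the SHA256 is taken over the hex text of the NTLM hash, and uses a constructed response body so that it runs offline. MD4 is implemented inline because hashlib's md4 is frequently disabled.

```python
import hashlib
import struct

def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), pure Python because hashlib's md4 is often disabled on OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm_hash(password: str) -> str:
    """NTLM hash = MD4 over the UTF-16LE password, as uppercase hex (the form AD holds)."""
    return _md4(password.encode("utf-16-le")).hex().upper()

def breach_count(ntlm_hex: str, range_body: str) -> int:
    """Only ntlm_hex[:5] is sent (GET /range/<prefix>?mode=ntlm); the 27-char suffix is matched here."""
    suffix = ntlm_hex[5:]
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0

def storage_key(ntlm_hex: str) -> str:
    """What is persisted instead of the NTLM hash: its SHA256 (assumed here to be over the hex text)."""
    return hashlib.sha256(ntlm_hex.encode("ascii")).hexdigest()

def shared_password_groups(accounts: dict) -> list:
    """accounts maps username -> NTLM hex; returns groups of users whose storage keys collide."""
    groups = {}
    for user, h in accounts.items():
        groups.setdefault(storage_key(h), []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample body for prefix 8846F (the prefix of NTLM("password")); the counts are made up.
SAMPLE_RANGE_BODY = "7EAEE8FB117AD06BDD830B7586C:3730471\n7F0000000000000000000000000:2\n"
```

Note that the full NTLM hash never leaves the host and is never written to storage; only the prefix goes over the wire and only the SHA256 key is kept for reuse detection.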

 

 

If ADMonitor does not have access to the Internet, an offline NTLM hash database can also be downloaded from GitHub. Once downloaded, the full path to the decompressed file can be specified in the "Use local password .." field. Please note that the decompressed file has a size of at least 33Gb. Despite the large size of the offline file, using the offline database does not slow down ADMonitor.

 

Enhanced Configuration

The ADMonitor component supports additional configuration options that can be configured using the EventSentry ADMonitor Console application.