
The console application lets users configure the following:

 

Toggle the monitoring of sub or parent domains

Filter AD changes deemed noise

Set up alerts

Manage data files


Monitoring Service

Shows the status of the EventSentry ADMonitor service along with the user account the service is running under.

 

Set WHO Search Mode

ADMonitor supports multiple methods to determine who made a change to an AD object; these are configured in the Set WHO Search Mode dialog.


The Enable Detection of "WHO made a change to an Active Directory object" check box simply toggles the recommended default settings; the check box itself is not tied to any actual setting. The settings are controlled by the three child check boxes below:

 

Analyze "Account Management" events from the security event log

Utilizes events from the security event log with the "Account Management" category.

 

Analyze "Directory Service Access" events from the security event log

Utilizes events from the security event log with the "Directory Service Access" category.

 

Analyze "Directory Services" event log

Utilizes events from the "Directory Services" event log (only available on domain controllers). This requires additional diagnostic logging to be enabled for that event log, which ADMonitor activates automatically. The volume of additional events logged depends on the network, installed third-party software and user activity. This is the most accurate way to determine WHO made a change to an object.

 

Warning: Activating this setting enables additional logging under HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics, which affects the volume of events generated in the Directory Services event log.

 

Monitoring Status / Monitoring additional domains

Additional domains can be monitored if the host on which ADMonitor is installed is part of a domain that has parent or child domains. By default, only the domain of the computer on which ADMonitor is running is monitored. Additional domains are displayed in the Monitoring Status area but are not monitored by default. Monitoring of an additional domain can be activated by double-clicking the domain and checking the "Monitor subdomain.maindomain.com" check box.

 

Global Filters

By default, all changes to AD attributes and objects are recorded. To suppress noise, the global filter can be used to filter out certain changes, for example changes made to specific objects or attributes. By default, changes to the lastLogonTimestamp and msDS-LastSuccessfulInteractiveLogonTime attributes are ignored to reduce noise in the AD change history.

 

Filters can be configured by clicking the Filter button.

 

Managing Data Files

Since ADMonitor stores all changes to AD objects in the local cache, it may be necessary to either:

 

Delete old files

Compress old files

Move files to a different location (local or network share)

 

Regardless of the selected option, data file management always runs at 2:30am.

 

Checking the "Share for remote Viewer access" check box shares the local DB subdirectory as EventSentryADMonitorDB$ (a hidden share) with read access for Domain Admins. This share is used by the ADMonitor Viewer to access archived data files remotely; consequently, this action should be performed on the host where the data files are located. Clearing the check box removes the share again.

 

Note: When choosing Network Storage, the target share needs to permit write access to the EventSentryADMonitor user. For enhanced security it is highly recommended to only permit write access to the directory (write-only permission on shares is not supported), as shown in the screenshot below.

 

[Screenshot: share and directory permissions for the EventSentryADMonitor user]
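As an added example (not EventSentry's own code), the PowerShell below lets an administrator verify two things the sections above describe: the NTDS diagnostic logging levels that the "Directory Services" event log option raises, and the access list on the hidden EventSentryADMonitorDB$ share. The function names are hypothetical; it assumes a domain controller with the built-in SmbShare module and an elevated session.

```powershell
# Added example (not part of the EventSentry documentation): audit the NTDS
# diagnostic logging levels that ADMonitor raises when the "Directory Services"
# event log option is enabled, and confirm the hidden viewer share is limited
# to Domain Admins as described. Run on a domain controller as an administrator.

$NtdsDiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticsLevel {
    # Each value under the key is a logging category; 0 is the Windows default and
    # higher values (up to 5) increase the event volume in the Directory Services log.
    $item = Get-ItemProperty -Path $NtdsDiagnosticsKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata (PSPath etc.)
        ForEach-Object {
            [pscustomobject]@{
                Category = $_.Name
                Level    = [int]$_.Value
                Elevated = ([int]$_.Value -gt 0)
            }
        }
}

function Test-AdMonitorViewerShare {
    param([string]$ShareName = 'EventSentryADMonitorDB$')
    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) {
        return [pscustomobject]@{ Present = $false; Path = $null; Access = @() }
    }
    # Expected per the documentation: Read access for Domain Admins; anything broader warrants review.
    $access = Get-SmbShareAccess -Name $ShareName |
        Select-Object AccountName, AccessControlType, AccessRight
    [pscustomobject]@{
        Present = $true
        Path    = $share.Path
        Access  = $access
    }
}

# Report categories whose level ADMonitor (or anyone else) has raised above the default.
Get-NtdsDiagnosticsLevel | Where-Object Elevated | Format-Table -AutoSize

# Show who can read the archived data files remotely.
Test-AdMonitorViewerShare | Format-List
```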

 

Notifications

The recommended way to review changes to AD objects is via the web reports, which support on-demand searches as well as scheduled reports. For cases where immediate alerts on changes to AD objects are required, notifications can be set up in the console on the Notifications tab.