Under most circumstances, the EventSentry Configuration Assistant, which is launched after every installation and/or upgrade, automatically creates the EventSentryADMonitor service account with the correct permissions and rights in Active Directory. If the user could not be created during setup or you received warnings pertaining to the ...
Group Policy Management is required by the EventSentry ADMonitor Service to detect Group Policy changes and needs to be installed on the machine that is running EventSentry ADMonitor. Group Policy Management can be installed by opening an elevated PowerShell prompt and entering the following command: For Windows Servers Family: InstallWind...
EventSentry ADMonitor utilizes the adminCount attribute that is associated with AD user accounts to determine whether a user has administrative permissions. Windows sets this attribute when a user is added to what is referred to as a protected group (see below). Unfortunately, Windows does not remove the attribute if a user is subsequently ...
EventSentry ADMonitor uses the 'adminCount' attribute to determine whether a user is an administrator. However, since this attribute is not reset by Windows after a user is removed from an administrative protected group, this can sometimes lead to inaccurate reports. You can read more about the 'adminCount' attribute in KB article ...
For additional security, you can restrict the EventSentryADMonitor account so that it can only be used on the EventSentry server and domain controllers, and also block it from performing any sensitive functions (RDP, console, service, batch job, etc.) on domain controllers. In Active Directory, select the EventSentryADMonitor acco...
While ADMonitor itself does not rely on Windows auditing to detect actual changes made in Active Directory, it does require access to the event log of a domain controller (either remotely or locally) in order to determine who made the change. ADMonitor utilizes both the Security and the Directory Services event log. Perform the fo...
Changes to group policies are detected by ADMonitor and recorded in the EventSentry database. As such, both a report and a job in the web reports need to be set up in order to receive email notifications. The job interval will determine how frequently potential group policy changes are emailed and can be anywhere from every minute to hourly or d...
In rare cases, the internal database for the ADMonitor component may need to be reset. If support directs you to do so, you can follow these steps to reinstall ADMonitor and reset its database. Local ADMonitor data will be removed during this process, but data stored in the web reports will not be affected: 1. Open the EventSentry console to Home amp...