Group Policy Management is required by the EventSentry ADMonitor Service to detect Group Policy changes and needs to be installed on the machine that is running EventSentry ADMonitor. Group Policy Management can be installed by opening an elevated PowerShell prompt and entering the following command. For the Windows Server family: InstallWind...
EventSentry ADMonitor utilizes the adminCount attribute associated with AD user accounts to determine whether a user has administrative permissions. Windows sets this attribute when a user is added to what is referred to as a protected group (see below). Unfortunately, Windows does not remove the attribute if a user is subsequently ...
EventSentry ADMonitor uses the 'adminCount' attribute to determine whether a user is an administrator. However, since this attribute is not reset by Windows after a user is removed from an administrative (protected) group, this can sometimes lead to inaccurate reports. You can read more about the 'adminCount' attribute in KB article ...
For additional security, you can restrict the EventSentryADMonitor account so that it can only be used on the EventSentry server and the domain controllers, and also block it from performing any sensitive functions (RDP, console, service, batch job, etc.) on domain controllers. In Active Directory, select the EventSentryADMonitor acco...
While ADMonitor itself does not rely on Windows auditing to detect the actual changes made in Active Directory, it does require access to the event log of a domain controller, either remotely or locally, in order to determine who made the change. ADMonitor utilizes both the Security and the Directory Services event logs. Perform the fo...