What will you do if you want to find out what changes a certain help desk technician made in Active Directory over a week’s time? Or, extract a change audit trail for a certain user as a part of a security incident investigation?

PowerShell can help but will certainly require a great deal of effort to offer the kind of visibility and correlation required for an investigation, which is exactly what ADAudit Plus packs into its search utility.

User-based Consolidated Audit Trail

ADAudit Plus provides a search capability that lets you instantly trace the footsteps of a specified user in Active Directory. Simple and straightforward to use, this search takes three inputs (the username for which you require an audit trail, the domain, and the time period) and instantly provides the following consolidated summary:

  • Object History: a summary of configuration changes to the account in question. For example, changes to the permissions of the specified account, the number of times it was locked out, or recent attempts to reset its password.
  • Logon History: a summary of all kinds of access, interactive or remote, by the specified account.
  • Actions: a summary of configuration changes that the said account carried out on other Active Directory objects during the selected time period.
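The PowerShell route mentioned above, as an added example that is not part of ADAudit Plus: it assembles a rough three-part trail (object history, logon history, actions) for one account from the Security log of a domain controller, with the account name `jdoe` and the DC name `DC01` being assumed sample values.

```powershell
# Added example, not ADAudit Plus code. Assumes the "Audit Account Management" and
# "Audit Logon" subcategories are enabled on the DC and you hold event-log read rights.
param(
    [string]$User     = 'jdoe',                 # assumed sample account name
    [string]$Computer = 'DC01',                 # assumed domain controller
    [datetime]$Start  = (Get-Date).AddDays(-7), # one week back, as in the text
    [datetime]$End    = (Get-Date)
)

# Pull the named EventData fields out of an event's XML, so no fragile
# positional indexing into .Properties is needed.
function Get-EventData($Event) {
    $x = [xml]$Event.ToXml()
    $h = @{ Time = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# Account management: 4720 created, 4722 enabled, 4724 password reset, 4725 disabled,
# 4726 deleted, 4738 changed, 4740 locked out. Logons: 4624 success, 4625 failure.
$mgmtIds  = 4720, 4722, 4724, 4725, 4726, 4738, 4740
$logonIds = 4624, 4625
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Security'; Id = ($mgmtIds + $logonIds); StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue | ForEach-Object { Get-EventData $_ }

# Object History: management events in which the account is the target.
$objectHistory = $events | Where-Object { $_.Id -in $mgmtIds -and $_.TargetUserName -eq $User } |
    Select-Object Time, Id, SubjectUserName
# Logon History: logons by the account, with logon type and source host/address.
$logonHistory = $events | Where-Object { $_.Id -in $logonIds -and $_.TargetUserName -eq $User } |
    Select-Object Time, Id, LogonType, WorkstationName, IpAddress
# Actions: management changes the account itself performed on other objects.
$actions = $events | Where-Object { $_.Id -in $mgmtIds -and $_.SubjectUserName -eq $User } |
    Select-Object Time, Id, TargetUserName, TargetDomainName

"== Object History for $User ==";   $objectHistory | Format-Table -AutoSize
"== Logon History for $User ==";    $logonHistory  | Format-Table -AutoSize
"== Actions performed by $User =="; $actions       | Format-Table -AutoSize
```

Each DC only holds the events it recorded itself, so for a complete picture the script has to be run against every domain controller and the results merged, which is the correlation effort the text refers to.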

Drilled-down Audit Data under the Hood

Every detail presented in the consolidated summary is a link, which further unfurls into an elaborate report. For example, while perusing the results for administrator activity over a week’s time, you can click open the GPO Modified report for a closer look, maybe for comparing old and new values.

All Valuable Info in One Place: The right mix of information for better investigation

From an incident investigation standpoint, this search capability strings together all the vital pieces of forensic information, namely:

  • What had been done with the perpetrator account (caller username)
  • What changes the said account (caller username) had made in Active Directory
  • Logon history for the account (caller username) to help you identify the computers from where it made those changes and also to identify any other computer access

When pieced together and analyzed, such information provides better context, enabling you to connect the dots easily or even steer the investigation in the right direction. For example, assume that you suspect user A of having tampered with Active Directory. You use the audit trail search to investigate.

  • The result reveals that user A accessed Active Directory from computer X, created a new user account in Active Directory and then deleted it.
  • Then you use the search to track the deleted account's actions. The results sum up and can be construed as follows:
    • The deleted account's permissions were inappropriately elevated by a help desk technician (HDT). This indicates involvement of the HDT as an accomplice.
    • The deleted account logged into and operated from computer Y, and also remotely accessed several other computers. This helps you quickly isolate computer Y, from where the deleted account made changes in Active Directory, and sets you on a hunt for telltale signs of data theft and other kinds of intrusion on the remotely accessed computers.
    • A summary of all the Active Directory objects affected by this deleted account enables you to undo or readjust the AD security configuration to neutralize the attack.

That’s the potential of ADAudit Plus’s Consolidated Audit Trail.

4 compelling reasons to choose ADAudit Plus

Widely recognized

ADAudit Plus has been recognized as a Gartner Peer Insights Customers' Choice for Security Incident & Event Management (SIEM) for four consecutive years.

Easy deployment

Go from downloading ADAudit Plus to receiving predefined reports and alerts in under 30 minutes, without any professional help.

Competitive pricing

ADAudit Plus is licensed per-server, unlike other IT auditors which are licensed per-user. With per-server licensing, even with a growing number of users each year, you can continue to ingest log data without additional costs.

Unified visibility

ADAudit Plus consolidates auditing, security, and compliance across Active Directory, Entra ID, Windows servers, workstations, and file servers into a single pane of glass, eliminating the need to juggle multiple tools.