netwrix change notifier for active directory quick-start guide

8/16/2019 Netwrix Change Notifier for Active Directory Quick-Start Guide

1/19

NETWRIX CHANGE NOTIFIERFOR ACTIVE DIRECTORY, EXCHANGE AND GROUP POLICY

Q UICK -START GUIDE

Copyright © 2014 Netwrix Corporation. All Rights Reserved.

February 2014

Product version: 7.5.873


2/19

Netwrix Change Notifier for Active Directory, Exchange and Group Policy Quick-Start Guide

Page 2 of 19 Copyright © 2014 Netwrix Corporation. All Rights Reserved

Suggestions or comments about this document? www.Netwrix.com/feedback

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a

commitment from Netwrix Corporation of any features or functions discussed. Netwrix Corporation

assumes no responsibility or liability for the accuracy of the information presented, which is subject

to change without notice.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrixproduct or service names and slogans are registered trademarks or trademarks of Netwrix

Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and

registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products.

Please note that this information is provided as a courtesy to assist you. While Netwrix tries to

ensure that this information accurately reflects the information provided by the supplier, please refer

to the materials provided with any non-Netwrix product and contact the supplier for confirmation.

Netwrix Corporation assumes no responsibility or liability for incorrect or incomplete information

provided about non-Netwrix products.

© 2014 Netwrix Corporation.

All rights reserved.

http://www.netwrix.com/feedbackhttp://www.netwrix.com/feedbackhttp://www.netwrix.com/feedbackhttp://www.netwrix.com/feedback


3/19




Table of Contents

1. INTRODUCTION ................................................................................ 4

1.1. Overview .............................................................................. 4

1.2.

Licensing .............................................................................. 4

1.3. How It Works .......................................................................... 4

2.

INSTALL NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, GROUP POLICY AND EXCHANGE 5

Deployment Options ......................................................... 5

Hardware Requirements .................................................... 5

Software Requirements ..................................................... 5

Supported Environments .................................................... 6

2.2. Installing Netwrix Change Notifier ................................................ 6

3.

CONFIGURE R IGHTS AND PERMISSIONS ......................................................... 7

4. CONFIGURE NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, GROUP POLICY ANDEXCHANGE .................................................................................... 9

5. MONITOR YOUR ENVIRONMENT FOR CHANGES ............................................... 12

5.1. Launch the Product Task Manually ................................................ 12

5.2. Modify the Product Task Schedule ................................................ 12

5.3.

View a Change Summary ........................................................... 12

5.4. Generating an On-Demand Change Summary ................................... 13

6. R EVERT UNWANTED ACTIVE DIRECTORY CHANGES ........................................... 15

6.1. Reverting Unwanted Changes ..................................................... 15



4/19




1. INTRODUCTION

1.1. Overview

Netwrix Change Notifier for Active Directory, Group Policy and Exchange tracks all changes to

the monitored Active Directory domain and emails daily Change Summaries listing all changes

that occurred over the last 24 hours, thus providing complete visibility across your ITinfrastructure.

1.2. Licensing

Netwrix Change Notifier for Active Directory, Group Policy and Exchange is a freeware

product with an unlimited license.

1.3. How It Works

The product data collection and reporting workflow is as follows:

1.

An administrator sets the parameters for automated data collection, choosing whichtarget system to report on:

Active Directory

o

Users configuration changes

o Changes to Active Directory groups

o Active Directory Configuration and Schema changes

o

Domain structure changes

o Changes to OUs

o

Additions to OUso Additions to domains

o Domains objects properties changes

Group Policy changes

o Group Policy Objects changes

o Group Policy Objects creation

o Group Policy Objects removal

Exchange Servers changes

o

Security policy violations

o Mailbox creation and removal

o Exchange objects and permissions changes

o

Unauthorized and unplanned changes

2. A dedicated scheduled task which is launched daily collects audit data and emails

Change Summaries to the specified recipients. You can also use the Change Viewer

tool to generate and view on-demand summaries.



5/19




2. INSTALL NETWRIX CHANGE NOTIFIER FOR ACTIVEDIRECTORY, GROUP POLICY AND EXCHANGE

Deployment Options

Netwrix Change Notifier for Active Directory, Group Policy and Exchange can be installed onany computer that belongs to the monitored Active Directory domain, but it is not

recommended to install it on a domain controller.

If you want to install the product on the computer which does not belong to the audited

domain, you must establish a trust relationship between the audited domain and the domain

where the product is installed.

Hardware Requirements

Before installing Netwrix Change Notifier for Active Directory, Group Policy and Exchange,

make sure that your hardware meets the following requirements:

Table 1: Netwrix Change Notifier Hardware Requirements

Hardware Component Minimum Recommended

Processor Intel or AMD 32 bit, 2GHz Intel Core 2 Duo 2x 64 bit,3GHz

Memory* 512 MB RAM 4 GB RAM

Disk space 50MB physical diskspace for productinstallation.

Additional space is

required for the AuditArchive and depends onthe number of ADobjects and changes perday.

Two physical drives with atotal of 1GB free space

* These are rough estimations. The actual required memory size depends on the

average number of changes per day in the monitored environment.

Software Requirements

This section lists the minimum software requirements for Netwrix Change Notifier for Active

Directory. Make sure that this software has been installed before proceeding with theinstallation.

Table 2: Netwrix Change Notifier Software Requirements

Component Requirement

Operating System Windows 7 and above

Additional software .NET Framework 3.5

Windows Installer 3.1 or above

Group Policy Management Console*

* Only required to track changes to Group Policy Objects.

http://www.netwrix.com/feedbackhttp://www.netwrix.com/feedbackhttp://www.netwrix.com/feedbackhttp://www.microsoft.com/downloads/en/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6http://www.microsoft.com/downloads/en/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6http://www.microsoft.com/downloads/en/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6http://www.microsoft.com/en-us/download/details.aspx?id=25http://www.microsoft.com/en-us/download/details.aspx?id=25http://www.microsoft.com/en-us/download/details.aspx?id=25http://www.microsoft.com/downloads/en/details.aspx?FamilyID=333325fd-ae52-4e35-b531-508d977d32a6http://www.netwrix.com/feedback


6/19




Supported Environments

This section provides a list of Windows and Microsoft Exchange Server versions supported by

Netwrix Change Notifier for Active Directory, Group Policy and Exchange.

Table 3:

Netwrix Change Notifier Supported Environments

Component Version

Active Directory environment

Windows Server 2003 (any forest mode:mixed/native/2003)

Windows Server 2008/2008 R2

Windows Server 2012

Microsoft Exchange Server Microsoft Exchange Server 2003

Microsoft Exchange Server 2007



2.2.

Installing Netwrix Change NotifierTo install Netwrix Change Notifier for Active Directory, Group Policy and Exchange, download

and run the Netwrix_Change_Notifier_for_Active_Directory.msi file. Follow the instructions of

the installation wizard. When prompted, accept the license agreement and specify the

installation folder.



7/19




3. CONFIGURE R IGHTS AND PERMISSIONS The account under which Netwrix Change Notifier for Active Directory collects data from the

monitored domain, must have the following rights and permissions:

The account must be a member of the Local Administrators group on thecomputer where the product is installed

The Log on as a batch job policy must be defined for this account (seeProcedure 1 To define the Log on as a batch job policy)

The account must be granted read permissions for the deleted objectscontainer (see Procedure 2 To grant permissions for the Deleted Objectcontainer)

Procedure 1. To define the Log on as a batch job policy

1. Open the Group Policy Management console on any domain controller in the

monitored domain: navigate to Start Administrative Tools Group Policy

Management.

2.

In the left pane, navigate to Forest: Domains

, right-click Default Domain Policy and select Edit from the pop-up

menu.

3. In the Group Policy Management Editor dialog, expand the Computer Configuration

node on the left and navigate to Policies Windows Settings Security Settings

Local Policies User Rights Assignment and locate the Log on as a batch job

policy:

Figure 1: Group Policy Management Editor

4.

Double-click this policy, select Define these policy settings and click Add User orGroup. Specify the account that you want to define this policy for.



8/19




5. Navigate to Start Run and type cmd. Input the gpupdate /force command and click

Enter to update the group policy.

Procedure 2. To grant permissions for the Deleted Object container

1.

Log on to any domain controller in the target domain with a user account that is

member of the Domain Admins group.

2. Open a command prompt: navigate to Start, type “command prompt” and click

Enter.

3. Type the following command and press Enter:

dsacls /

where “deleted_object_dn” is the distinguished name of the de leted directory

object.

Example:

dsacls "CN=Deleted Objects,DC=Corp,DC=local" /takeownership

4.

To grant permission to view the objects in the Deleted Objects container to a user ora group, type the following command and press Enter:

dsacls /G :

where “deleted_object_dn” is the distinguished name of the deleted directory

object, “user_or_group” is the user or group for whom the permission apply, and

“Permissions” is the permission to grant.

Example:

dsacls "CN=Deleted Objects,DC=Corp,DC=local" /G Corp\jsmith:LCRP

5. In this example, the user CORP\jsmith has been granted List Contents and Read

Property permissions for the Deleted Objects container in the corp.local domain.These permissions let this user view the contents of the Deleted Objects container,

but do not let this user make any changes to objects in this container. These

permissions are equivalent to the default permissions that are granted to the Domain

Administrators group.



9/19




4. CONFIGURE NETWRIX CHANGE NOTIFIER FOR ACTIVEDIRECTORY, GROUP POLICY AND EXCHANGE After you have installed Netwrix Change Notifier for Active Directory, Group Policy and

Exchange, enable and configure Active Directory, Group Policy and Exchange Server audit.

Procedure 3.

To configure audit

6. Navigate to Start All Programs Netwrix Freeware Netwrix Change Notifier

for Active Directory. The product configuration dialog will open:

Figure 2: Netwrix Change Notifier for Active Directory

Configuration Dialog



10/19




7. Specify the following settings and parameters:

Note: The table below describes configuration of the basic parametersrequired for the product evaluation purposes.

Table 4: Netwrix Change Notifier for Active Directory Settings

Parameter Instruction

Enable Active Directory ChangeReporter

Enable this option to activate Active Directoryaudit.

Enable Group Policy Change Reporter

Enable this option to activate Group Policy audit.

Note: Group Policy audit also requires theactivation of the Enable Active Directory ChangeReporter option.

Enable Exchange Change Reporter

Enable this option to activate Exchange Serversaudit.

Note: The Exchange Servers audit also requiresthe activation of the Enable Active Directory

Change Reporter option.Monitored Domain

Monitored domain:Enter the name of an Active Directory domainthat you want to audit. The name should be in theFQDN format, for example acme.com

Enable Lightweight AgentsThis option is not available in Netwrix ChangeNotifier for Active Directory.

Change Summary

Send Active Directory ChangeReporter Change Summary to:

Enter the email address of the Change Summaryrecipient; you can enter several addresses

separated by a semicolon.

Send Group Policy Change ReporterChange Summary to:

Enter the email address of the Change Summaryrecipient; you can enter several addressesseparated by a semicolon.

Send Exchange Change ReporterChange summary to:

Enter the email address of the Change Summaryrecipient; you can enter several addressesseparated by a semicolon.

SMTP server: Enter your SMTP server name.

Port: Specify your SMTP server port number.

Sender address:

Enter the address that will appear in the ‘From’

field in Change Summaries.To check the email address, click Verify. Thesystem will send a test message to the specifiedaddress and will inform you if any problems aredetected.

Configure advanced delivery optionsThis option is not available in Netwrix ChangeNotifier for Active Directory.

Audit Archive

Location

Leave the default setting or specify another pathto save the change history data. All audit datacollected by the product will be stored in the

corresponding subfolders of that folder.

Store audit data for x month Active the option and specify the number of



11/19




months for the audit data to be stored in AuditArchive.

Reports

Configure SSRS-based ReportsThis option is not available in Netwrix ChangeNotifier for Active Directory.

8. Save your configuration by clicking the Apply button. The Scheduled Task

Credentials dialog will be displayed.

9. Specify the account under which the product scheduled task will collect the changes

data and email Change Summaries to the specified recipients. Make sure that this

account has the required rights and permissions (see Chapter 3 Configure Rights and

Permissions)

10. Enter and confirm the account password and click OK . The NEXT STEPS: CHECKLIST

dialog will open; follow its instructions to get the first Change Summary right after

you have configured the product.

Note: To change the settings later, invoke the product configuration dialog

from the Start menu.



12/19




5. MONITOR YOUR ENVIRONMENT FOR CHANGES When the product has been configured, it starts collecting data on Active Directory, Group

Policy and Exchange Server changes from the monitored domain. By default, the data

collection task is launched daily at 3:00 AM. If required, you can launch the product

scheduled task manually or modify its schedule.

5.1.

Launch the Product Task Manually

Procedure 4. To launch the product scheduled task manually:

1. Launch Task Scheduler.

2. In the left pane, expand the Task Scheduler Library node. In the right pane, select

the task called Netwrix Management Console – Active Directory Change Reporter -

(where is the name of the domain you

specified in the configuration settings).

3. Right-click the task and select Run from the drop-down list. Alternatively, use the

Run option from the Actions menu.

5.2. Modify the Product Task Schedule

Procedure 5. To modify the product task schedule:

1. Launch Task Scheduler.

2. In the left pane, expand the Task Scheduler Library node. In the right pane, select

the task called Netwrix Management Console – Active Directory Change Reporter -

(where is the name of the domain you

specified in the configuration settings).

3. Right-click the task, select Properties Triggers and click Edit. Alternatively, use

the Properties option from the Actions menu.

5.3. View a Change Summary

After the first data collection task has finished, an email will be delivered to the specified

address notifying you that the initial analysis has been completed.

After that, you can make test changes to your environment to see how they are reported.

When the task is launched the next time (either automatically or manually), it detects the

changes made since the last data collection, generates and delivers the Change Summary to

the specified recipients. A Change Summary contains the following information:

Change type (Added/Removed/Modified)

Object type (for example, user, OU)

Object name (for example, the full user name)

Details (the modified properties and their before and after values)



13/19




Below is an example of the Netwrix Change Notifier for Active Directory Change Summary:

Figure 3: Netwrix Change Notifier Change Summary

Example

5.4. Generating an On-Demand Change Summary

You can generate Change Summaries for a specific period of time using the Change Viewertool.

Note: The product allows you to generate a summary of changes collectedwithin the last 4 days only.

Procedure 6. To generate an on-demand Change Summary

1. Navigate to Start All Programs Netwrix Freeware Netwrix Change Notifier for

Active Directory Advanced Tools and click Change Viewer. The following dialog is

displayed:



14/19




Figure 4: Change Viewer Dialog

2.

Select the audited system from the Module drop-down list and the time range youwant to generate the report on.

3. Click Generate. The Save as window appears allowing you to name your report and

select the location for it. Click Save.

4. The Change Summary is saved locally in the HTML format and displayed in your

default web browser.

Figure 5: Change Summary



15/19




6. R EVERT UNWANTED ACTIVE DIRECTORY CHANGESRestoring deleted objects and reverting unwanted or unauthorized changes to Active

Directory objects can be a difficult and error-prone task, and sometimes it is simply

impossible. In most cases, native and third-party Active Directory backup and recovery tools

require non-authoritative restore and domain controllers’ downtime. Moreover, they do not

always have object-level restore capabilities.

With Netwrix Change Notifier for Active Directory you can quickly restore deleted and

modified objects using the Active Directory Object Restore tool integrated with the product.

This tool enables AD object restore without rebooting a domain controller and touching the

rest of the AD structure.

6.1. Reverting Unwanted Changes

By default, when a user or computer account is deleted from Active Directory, its password is

discarded. When you restore deleted accounts with the Active Directory Object Restore tool,

it sets random passwords which then have to be changed manually. If you want to be able to

restore AD objects with their passwords preserved, you need to modify the Schema container

settings so that account passwords are retained when accounts are deleted.

This section provides detailed step-by-step instructions on how to:

Modify your Schema container settings to retain passwords for deletedaccounts

Revert unwanted changes to your AD objects

Procedure 7. To modify Schema container settings

Note: To perform this procedure, you will need the ADSI Edit utility. InWindows 2003 systems, this utility is a component of Windows Server

Support Tools. If it has not been installed, download Windows ServerSupport Tools from the official website. On Windows 2008 systems andabove, this component is installed together with the AD DS role.

1. Navigate to Start Programs Administrative Tools ADSI Edit. The ADSI Edit

dialog will open.

Figure 6: ADSI Edit dialog

2. Right-click the ADSI Edit node and select the Connect To option. In the Connection

Settings dialog, enable the Select a well-known Naming Context option and select

Schema from the drop-down list:

http://www.netwrix.com/feedbackhttp://www.netwrix.com/feedbackhttp://www.netwrix.com/feedbackhttp://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspxhttp://www.netwrix.com/feedback


16/19




Figure 7: Connection Settings Dialog

3.

Click OK .

4. In the left pane, expand the Schema node. Locate the

attribute called CN=Unicode-Pwd, right-click it and select Properties from the popup

menu:

Figure 8: CN=Unicode-Pwd Properties

5. Locate the attribute called searchFlags, double-click it and set its value to 8:



17/19




Figure 9: Attribute Editor

6. Click OK .

Now you will be able to restore deleted accounts with their passwords preserved.

Procedure 8. To revert changes to AD objects

1. Navigate to Start All Programs Netwrix Freeware Active Directory Object

Restore. The welcome page of the Active Directory Object Restore wizard will be

displayed. Click Next to proceed.

2.

On the Select Rollback Period step, specify the period of time when unwanted

changes that you want to revert occurred. You can either select a period between a

specified date and the present date, or between two specified dates. Note that the

product only keeps data on deleted Active Directory objects for the last 4 days.

Figure 10: Active Directory Object Restore Wizard: Select

Rollback Period



18/19




3. On the Select Rollback Source step, you must select a domain and the Rollback

Source:

Figure 11: Active Directory Object Restore Wizard: Select

Rollback Source

4. Two options are supported:

Restore from state-in-time snapshots: this option allows restoringobjects from configuration snapshots made by the product. This optionis preferable since it allows attribute-level object restore.

Restore from AD tombstones: this option is recommended when nosnapshot is available. This is a last resort measure as the tombstone

holds only the basic object attributes.5.

If you have selected to use a rollback point as a source, you can select the Select a

state-in-time snapshot option if you want to revert to a specific snapshot. Otherwise,

the product will automatically search for the most recent snapshot that will cover the

selected time period. Click Next to proceed.

6.

On the Analyzing Changes step, the product analyzes the changes made during the

specified time period. When reverting to a snapshot, the tool looks at the changes

that occurred between the specified snapshots. When restoring from a tombstone,

the tool looks at all AD objects put in the tombstone during the specified period of

time. When the analysis is complete, click Next to proceed.

7.

On the Select Changes to Roll Back step, the results of the analysis are displayed.Select a change to see its rollback details in the bottom of the window.

8.

To see detailed rollback information on an attribute, select it and click the Details

button. A window will popup showing what changes will be applied if this attribute is

selected for rollback:



19/19


Page 19 of 19C i ht © 2014 N t i C ti All Ri ht R d

Figure 12: Change Details

9. Specify the changes you want to revert by selecting the corresponding check boxes

and click Next to restore the selected objects to their previous state.

10. Wait until the tool has finished restoring the selected objects. On the last step,

review the results and click Finish to exit the wizard.

netwrix change notifier for active directory quick-start guide

Documents