Active Directory is at the heart of all enterprise Windows networks. Since it controls access to your network and handles most kinds of user authentication, it is vital to make sure it is up and running.
It's also important to be aware of changes that are made in Active Directory during day-to-day system administration. This helps to coordinate the activities of your IT admin team and also provides a log that can be useful for auditing purposes.
In this tutorial, we will show you how to monitor for new and modified user accounts, how to detect when accounts have been locked out, detect changes in AD group membership, and more.
The first step for configuring an Active Directory Event Monitor is to select the devices that will be monitored. For Active Directory monitoring you need to select one of your domain controllers.
Selecting a Network Device
All domain controllers share the same view of the domain so typically you will want to select just one domain controller per Active Directory Event Monitor. If you select more than one, you will get duplicate alerts as each domain controller reports the same changes.
To handle the case where the selected domain controller is down for maintenance or other reasons, you can configure a second AD Event Monitor. If you set it to record its results to the event history but not to alert you otherwise, you'll avoid duplicate alerts while still having an audit trail.
The next value you need to specify is the base distinguished name which will be used when searching Active Directory. This value defines the starting point and scope of the search.
In small to medium-sized domains, it's usually feasible to search the entire domain using one Active Directory Event Monitor. Let's say your domain is "company.local" then your base distinguished name would be "DC=company,DC=local".
Base Distinguished Name
In larger organizations, it may be preferable to have multiple Active Directory Event Monitors using different base distinguished names to search specific sections.
The option under "Connectivity" controls the level of alert you'll receive if the network device you added can't be contacted.
Connectivity Section
One of the main features of FrameFlow's Active Directory Event Monitor is the ability to detect when users are added, modified, or removed. This can be very useful for detecting unexpected or unwanted changes to users. It also serves as an option for auditing and compliance requirements, allowing you to go back over time to see what changes were made at which points in time.
Monitoring Users in Active Directory
You can select to get alerts when users are added, modified, and removed. For each type of event, you can choose the alert status level.
Locked out accounts are a common headache for system administrators. If a user attempts to log in too many times with an invalid password, their account will be locked out. This can frequently result in a call to your front line staff which takes up valuable time and resources. FrameFlow can detect locked out accounts so your staff can be quickly aware of them and either unlock them or at least be better prepared for when support calls arrive.
FrameFlow's Active Directory Event Monitor also has options to check for accounts that are disabled, that have expired, or that have not been accessed for a long time.
More Active Directory Monitoring Options
All of these options help you to better manage and maintain your Active Directory.
Most organizations choose to configure comprehensive monitoring across all of Active Directory but sometimes there are special groups for which you need special monitoring.
For example, in a large organization where new employees are being hired on a regular basis, you may want to get Info status notifications when user accounts are added to Active Directory. But for the Domain Administrators group, you might want to assign a higher status level because it is usually rare to add members to this highly-privileged account group.
Monitoring Specific User Groups
To implement the above kinds of monitoring, the event monitor's option to only check a specific group can be used along with custom alert levels for each group.
The monitoring options we described above apply specifically to users and user groups but FrameFlow's Active Directory Event Monitor can monitor other kinds of groups too.
The "Check Group Membership" option lets you get alerts for the addition, modification, or deletion of the members of any arbitrary group.
Active Directory is also responsible for managing computers that are members of the domain. You can monitor AD computers in the same way as users and groups, getting alerts about additions, modifications, and deletions.
Monitoring AD Computer Changes
In this tutorial, we showed you how to use FrameFlow's Active Directory Event Monitor to monitor for changes affecting users, computers, and generic AD groups. We also showed you how to get alerts about locked out accounts, disabled accounts, and accounts that have not been accessed for a long time.
FrameFlow's Active Directory Event Monitor gives you a powerful and flexible means to record changes that have been made in AD and to get alerts about conditions that might require your attention. Check out our Active Directory Discovery Event Monitor to learn how to automatically onboard devices to your monitoring configuration. Refer to our Active Directory Event Monitor reference guide for more documentation on this event monitor.
More IT Monitoring Features