Active Directory Security Audit Tool

Map Your Environment: First scan and map your entire AD environment so you know the details of existing accounts and permissions. From there you can begin triage. Focus on What Matters: Without an Active Directory permissions audit tool, it’s practically impossible to keep track of all the Active Directory changes that can be monitored.

Instead, you should prioritize the areas that could pose the most danger.

  1. Organizations often focus on Privileged AD Access, Privileged User Access, and Large Group Remediation. Review Memberships and Remediate Problems: Now you can begin reviewing group memberships and remediating problematic Active Directory folder permissions and conditions you uncovered.
  2. Review members to ensure that only the appropriate individuals and groups have access to sensitive data. Following the principle of least privilege helps ensure security. Create a Continuous Cycle: The AD auditing process should occur regularly, which is why it’s important you make this process repeatable.
  3. After you have gone through your top priorities, repeat the third step with the next highest priority, and so on. The action that's done. The user who took the action. The success or failure of the event, and the time that the event occurred.
  4. Configure an audit policy setting for a domain controller. When you configure an audit policy setting, you can audit objects, but you can't specify the object you want to audit.
  5. Configure auditing for specific Active Directory objects. After you specify the events to audit for files, folders, printers, and Active Directory objects, Windows Server 2003 tracks and logs these events.
  6. You must grant the Manage Auditing And Security Log user right to the computer where you want to either configure an audit policy setting or review an audit log.
  7. By default, Windows Server 2003 grants these rights to the Administrators group. The files and folders that you want to audit must be on Microsoft Windows NT file system (NTFS) volumes.
  8. Select Start > Programs > Administrative Tools, and then select Active Directory Users and Computers.
  9. On the View menu, select Advanced Features. Right-click Domain Controllers, and then select Properties. Select the Group Policy tab, select Default Domain Controller Policy, and then select Edit.
  10. Select Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.

In the right pane, right-click Audit Directory Services Access, and then select Properties.

Select Define These Policy Settings, and then select one or both of the following check boxes:. Success: Select this check box to audit successful attempts for the event category.

2. Active Directory Health Profiler

7. Administrative Security Groups Checker Tool

Failure: Select this check box to audit failed attempts for the event category. Right-click any other event category that you want to audit, and then select Properties. The changes that you make to your computer's audit policy setting take effect only when the policy setting is propagated or applied to your computer.

Complete either of the following steps to initiate policy propagation:.

Type gpupdate /Target:computer at the command prompt, and then press ENTER. Wait for automatic policy propagation that occurs at regular intervals that you can configure.

4. Account Lockout Examiner

By default, policy propagation occurs every five minutes. Open the Security log to view logged events. If you are either a domain or an enterprise administrator, you can enable security auditing for workstations, member servers, and domain controllers remotely.

  1. Select Start > Programs > Administrative Tools, and then select Active Directory Users and Computers.
  2. Make sure that you select Advanced Features on the View menu.
  3. Right-click the Active Directory object that you want to audit, and then select Properties.

Select the Security tab, and then select Advanced. Select the Auditing tab, and then select Add. Take one of the following actions:. Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then select OK.

In the list of names, double-click either the user or the group whose access you want to audit.

Select either the Successful or the Failed check box for the actions that you want to audit, and then select OK.

5. Semperis DS Protector

Select OK, and then select OK. Microsoft Active Directory is a widely used base technology that provides authentication and authorization services for business applications and networked resources.

The Windows Server feature ships with tools to manage entire aspects of an Active Directory environment, but the default range of tools available out of the box are not capable of identifying impending system failures, security risks, and issues that might cause an Active Directory environment to go down.

For example, Active Directory installation doesn’t provide any tool or utility that can be used to check permissions applied on all critical Active Directory objects and other objects such as security groups and users.

Similarly, no tools or utilities are available to examine how many accounts are getting locked out every day to avoid security risks.

9. Quest Change Auditor for Active Directory

An Active Directory environment traverses through several changes in a day. It is important to know what changes were done and by whom to mitigate the risks.

  • There are many uses cases and every tool that we see in the market today has been designed for some purpose.
  • For example, to examine account lockouts in an Active Directory domain, NetWrix’s Account Lockout Examiner is quite useful.
  • Similarly, to perform a complete health and risk assessment of an Active Directory Forest, Ossisto 365’s Active Directory Health Profiler is a powerful product.
  • While there are many Active Directory security tools in the market today, not all tools carry all the security functions you need.
  • As an example, how do you ensure that Active Directory Administrative Security Groups contain only members from an authorized list of users?
  • You could use the Active Directory Administrative Security Groups Membership Checker tool to ensure that only authorized users are part of the security groups in a given Active Directory domain.
  • Another issue when evaluating an Active Directory Security product is to make sure the tool follows compliance standards such as SOX, PCI-DSS, HIPPA and GDPR?and offers adequate reporting capabilities.

While you might have an enterprise Active Directory security product that could help you identify some of the security risks, remember that not every tool and product in the market provides the same functions.

That’s where our top Active Directory Security tools list can help.

6. Active Directory Last Logon Checker

Our list of top Active Directory security tools range from permissions, lockout and change monitors to broad risk and security assessment tools. It’s the permissions on Active Directory objects that let you access the Active Directory environment.

SolarWinds Permissions Analyzer is an effective tool for checking permissions assigned on Active Directory objects.

You may want to check how a user’s permission is inherited or browse permissions by a group or user, or perhaps analyze user permissions based on group membership and permissions.

The SolarWind Permissions Analyzer is also a very effective tool for analyzing permissions in a multi-domain Active Directory Forest.

It can help you mitigate security risks by quickly identifying which members of your team have access to sensitive data and Active Directory objects.

Top 9 Active Directory Security Tools

And best of all, SolarWinds Permissions Analyzer is absolutely free for use with Active Directory forests.

Ossisto’s Active Directory Health Profiler is a robust execution subsystem that is designed to do a complete risk and security assessment of Active Directory Forests.

AD Health Profiler can find security risks and help avoid disruptions in service.?AD Health Profiler?ships with 74 PowerShell-based Microsoft Active Directory Dynamic Packs to perform health checks of multiple Active Directory Forests.

All of the Microsoft Active Directory Dynamic Packs follow Microsoft recommendations for Active Directory best practices. Though the product is expensive, it might pay for itself by uncovering hidden security issues. Netwrix Auditor for Active Directory provides visibility into what’s happening inside your domain by tracking logons and changes to Active Directory users, groups, organizational units, Group Policy Object (GPO) settings and more.

Daily reports detail every change and logon that’s happened in the last 24 hours, including the before and after values for each modification.

A basic free edition of Netwrix Auditor for Active Directory is available, but the standard edition includes significantly greater functionality.

3. Netwrix Auditor for Active Directory

Read user reviews of Netwrix. Netwrix also offers the free Account Lockout Examiner, which deserves its own spot on the list. It provides alerts on account lockouts and helps you troubleshoot each event and determine the root cause so you can quickly restore vital services.

Accounts can be unlocked from the Netwrix Account Lockout Examiner console or from your mobile device.

8. SekChek Security Auditing

Semperis DS Protector is a change tracking tool for Active Directory. Semperis DSP leverages two separate data sources via Active Directory replication APIs to overcome shortcomings of traditional change tracking.

Semperis DSP database usage eliminates the need for a lengthy restoration process while providing high data integrity.

1. SolarWinds Permissions Analyzer

Semperis DSP can capture all changes to Active Directory even if native security logging is turned off, logs are deleted, agents are disabled, or agents stop working. It can also notify designated personnel when changes are made to sensitive security groups, privileged users, and so on.

You can quickly see who made each change, find all changes made by a particular user, and undo unwanted changes, all from a single console.

Specops Command

GPO, DNS, Configuration, and Schema Changes extend real-time change tracking and rollback (where applicable) to Group Policy and additional components of Active Directory.

Ossisto also makes our list multiple times. When you have a large number of users created in your Active Directory, it becomes important to get a report on user logins to ensure that only authorized users are logging onto your network.

Ossisto 365 offers a freeware tool that can be used to get last logon details for all users in your domain.

AD PHOTO EDIT

Active Directory Last Logon Reporter is capable of pulling reports in CSV format for reporting purposes.

Another one from Ossisto. Administrative Groups Checker tool?is designed to check members of Active Directory Security Groups that you specify and notify you via email if any changes in the membership occur.

This is one of the tools that every Active Directory administrator should have handy to ensure that only authorized members from a list are part of administrative security groups.

AD Info

The tool can collect and verify each member of the Security Group, with the members defined in a Health Set, which, in turn, helps you maintain the Group Members from an authorized list. If any changes occur to the group membership, the tool can notify you via email.

An Active Directory administrator knows the importance of auditing.

To be in compliance with SOX and HIPAA, you need to have an auditing system in place.

AD Query

SekCheck Security Auditing tool can help with auditing Active Directory environments and generating reports. The reports can then be measured against industry standards and best practices and assigned a rating.

If you are looking for a hybrid environment change auditing tool for Active Directory, Quest’s Change Auditor for Active Directory can help.

You can get a single and correlated view of all changes happening in both on-premises Active Directory and Azure Active Directory.

Recovery Manager for Active Directory

Apart from reporting on key configuration changes in the Active Directory environment, Quest Change Auditor can also protect against changes to the critical objects of Active Directory, such as preventing accidentally deleted organizational units and modified group policy settings.

Read user reviews of Quest Change Auditor. Nirmal Sharma is a MCSEx3, MCITP, and was awarded the Microsoft MVP award in Directory Services and Windows Networking.

He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products.

SysAdmin Anywhere

Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he enjoys helping others and sharing some of his knowledge by writing tips and articles on Microsoft technologies.

Previous articleCheck Point vs Palo Alto: Compare Top EDR Solutions. Next articleTokenization vs.

Encryption: Pros and Cons.

BeyondTrust PowerBroker Auditor

Related articles.

This is done through audits and alerting of AD configuration and changes in Real-time so you know exactly what is changing and how it effects your compliance and whether your at risk or not.

Official Site and Download: https://www.beyondtrust.com/products/powerbroker-auditor-for-active-directory/

Managed Service Accounts GUI

This little utility helps you configure Managed Service Accounts using a easy GUI interface and without the need of Powershell or any PS commands.

This utility cuts out the need to run 3 separate commands via Powershell and helps you create/delete new and Old Managed Service accounts with the click of a button.

Official Site and Download: http://www.cjwdev.com/Software/MSAGUI/Info.html

Microsoft Active Directory Topology Diagrammer

This topology mapper/diagram tool reads AD configurations and automatically Creates a Visio file of your AD topology using LDAP and maps out your entire Active Directory and Exchange Server Topology automatically within a easy to read Visio Diagram.

Official Site and Download: https://www.microsoft.com/en-us/download/details.aspx?id=13380

ManageEngine Free Active Directory Tools

ManageEngine offers several Great utilities for managing Active Directory – including the following tools that can be found at the URL below: AD Query Tool, CSV Generator (generate a csv file from any AD Attributes), Last Logon Reporter, Active Directory Replication Manager and Many more! Check out their Full list of tools at the link below.

Official Site and Download: https://www.manageengine.com/products/free-windows-active-directory-tools/free-active-directory-tools-index.html

Group Manager

This tool allows a user that is assigned as a Manager of a group to manage members and settings of that given group including adding and removing other users and exporting group member to a CSV file.

You additional configuration is required, the utility will automatically detect which groups you are a Manager of and allow you to make changes as necessary.

Official Site and Download: http://www.cjwdev.co.uk/Software/GroupMan/Info.html

Softerra LDAP Browser

This LDAP Browser is lightweight tool that supports Read-Only of your LDAP infrastructure and allows you to View, Browse, Search and Export information from LDAP.

Official Site and Download: http://www.ldapadministrator.com/download.htm

IT Environment Health Scanner

This Health Scanner from Microsoft is specifically targeted towards Admins and Engineers who want to get an Overview of their current Active Directory Health by scanning it for Problems and inconsistencies.

This tool is great for scanning your network infrastructure and pinpointing issues that could cause your AD from functioning correctly. You must be a member of the Domain Admins group to run this utility.

Official Site and Download: https://www.microsoft.com/en-us/download/details.aspx?id=10116

NetWrix Restore Deleted AD Users, Groups, Etc

Netwrix Restore tool helps your recover and restore deleted Active Directory objects with 3 Steps – Identify the Day/Time that you want to Restore back to – Select the Recovery/Rollback Source (either AD Tombstone or Netwrix Snapshot) – and Lastly choose the Changes you want to Revert back.

You have the ability to restore AD Deleted objects and if necessary, revert back to previous time periods if you made the wrong changes.

Official Site and Download: https://www.netwrix.com/active_directory_recovery_software.html

ADRestore.NET

AdRestore.NET is a GUI version of the ADRestore command line utility. AdRestore enumerates all Tombstoned objects in your Domain and gives you the option to restore them individually as needed per your selections.

This was all done through the command-line, until recently Guy Teverovsky created a GUI version of the program for those not comfortable or familiar with the command-line version.

Official Site and Download: https://docs.microsoft.com/en-us/sysinternals/downloads/adrestore

GUI Edition: Information: https://dani3lr.wordpress.com/2009/06/22/tombsone-reanimation-using-adrestore-exe-and-adrestore-net/

Direct Download:http://blogs.microsoft.co.il/files/folders/guyt/entry40811.aspx

Active Directory Explorer

AD Explorer is an Advanced Viewer for searching, editing and viewing Active Directory objects and properties quickly and easily without having to drill down into each object individually. You can even create snapshots of AD to view offline if you would like to work off a snapshot rather than AD live.

Official Site and Download: https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer

ADMX Migrator

ADMX Migrator is a Easy to Use GUI that comes in the form of a MMC Snap-in for converting your existing GPO ADM templates to the new ADMX file format.

Official Site and Download: https://www.microsoft.com/en-us/download/details.aspx?id=15058

BeyondTrust Privilege Explorer

Privilege Explorer is a utility that automates the process of Active Directory file permissions by analyzing and reporting on permissions levels. This program brings automation to permission analysis and reporting to one central location and assists with compliance and intrusion detection, as well verifying that all permissions are tight and minimizing excessive permissions for unauthorized users.

Official Site and Download: https://www.beyondtrust.com/products/powerbroker-privilege-explorer-for-active-directory-and-file-systems/

Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner does just what it says in the name – It is a Freeware utility that alerts IT personnel when an account has been locked out of Active Directory and allows you to unlock the account from within the GUI of the tool or your mobile device quickly.

Official Site and Download: https://www.netwrix.com/account_lockout_examiner.html

NetWrix Inactive or Stale Users Finder

This tool also does exactly what it says – automates that process of finding and locking down Stale or Inactive accounts in ADUC and helps you mitigate any risk of those accounts becoming compromised and being used for malicious activities.

Official Site and Download: https://www.netwrix.com/netwrix_inactive_user_tracker.html

ADREPLSTATUS

Active Directory Replication Status utility is a tool that helps your analyze the Replication of Domain Controllers in your network to ensure that replication is actually replicating. This tool helps you pinpoint with domain controller has errors and which ones are not replicating correctly.

Official Site and Download: https://www.microsoft.com/en-us/download/details.aspx?id=30005

AD Permissions Reporter

AD permissions reporter is used for extracting all permissions from within your domain for every object. You can additionally filter down certain objects or permissions you would like to analyze to get an understanding of their permission levels.

Official Site and Download:http://www.cjwdev.com/Software/ADPermissionsReporter/Info.html

Bulk Password Control

As the name of the software implies, this utility allows you to change passwords on Multiple/Bulk accounts at the same time using their Password generator feature. You can also use the same password for every account if needed as well. Additional features of this utility include enabling and disable active directory accounts in bulk, as well as Unlocking them in bulk.

Official Site and Download:http://www.wisesoft.co.uk/software/passwordcontrol/bulk_password_control.aspx

Lepide Active Directory Bulk Image Editor

Bulk Image Editor gives you the flexibility of uploading and managing images for Active Directory “thumbnailPhoto” and “jpegPhoto” attributes on the fly – and FREE!

You can also display images from all accounts, export existing images, upload images in bulk using the SAM or common name of accounts as well.

Official Site and Download:https://www.lepide.com/freetools/ad-bulk-image-editor.html

Lepide Last Login Report

Extracting Last Login information for Active Directory Users is Easier than ever with Lepide's Last Login Report tool – you can easily display information about users and their last Login time in bulk and export if necessary to CSV or HTML format for further processing.

You can also search individual login times and dates by searching any column for specific information.

Official Site and Download:https://www.lepide.com/freetools/last-logon-reporter.html

Lepide Active Directory Query

Easily query Active Directory to get detailed information about users and objects with Active Directory through this easy, GUI based utility. You can further export data to a CSV file and get individual reports as necessary.

Official Site and Download:https://www.lepide.com/freetools/active-directory-query.html

Specops Password Auditor

Specops Password Auditor is a free tool that scans Active Directory to detect password and privileged account security vulnerabilities. These insights can be used to reduce attack surface or maintain compliance.

The tool scans Active Directory to identify accounts that are utilizing leaked passwords against a list of close to billion previously leaked passwords, in addition to gauging password policy strength against brute force attacksand compliance requirements such as NIST and PCI.The tool can also pin-point stale or inactive admin accounts in addition to the following:

  • Accounts with identical passwords
  • Accounts that don't require passwords
  • Accounts that don't have password complexity requirements
  • Accounts with expired passwords
  • Accounts that have password expiration approaching

Password Policy relative strength

The collected information will be used to display multiple interactive reports depicting the aforementioned vulnerabilities. The reports are exportable to csv files and some useful display features include:

  • Sliding timeline to track days since last login for stale admin accounts
  • Sliding timeline to track days until password expiration

Compliance rating

Specops Password Auditor will only read information from Active Directory, it will not make any changes. It will compare password hashes against password hashes in the blacklist and read the Default Domain Password Policy and any Fine-Grained Password Policies if it’s run by a user with administrative privileges in Active Directory.

It will read the Default Domain Password Policy and any Fine-Grained Password Policies if it’s run by a user with administrative privileges in Active Directory.

Official Site and Download:specopssoft.com/product/specops-password-auditor/

AD FastReporter

AD FastReporter by Albusbit is a tools that assists you with Generating reports on your AD infrastructure.

You have the option to choose from several report categories including the following:

  • Users
  • Computers
  • Groups
  • Exchange
  • Contacts
  • Printers
  • Group Policy Objects
  • Organizational Units (OU)

They have pre-built reports that allow you to quickly run a report without much effort and output information that your looking for fairly quickly. Ad FastReporter utilizes a built-in Local database so there is no overhead or stress on your AD infrastructure when running reports and storing them.

Features that Ad FastReporter includes are as follows:

  • Compile and Export AD Reports
  • Email Reports directly from within Program
  • Custom Reports using Filters and Granular Options (Pro Version only)
  • Compatible from Windows XP Sp3 to 2003 Server
  • Over 200 Pre-Built Reports

They also give you the option to export reports to CSV, XLSX, and HTML and send reports via Email as well!

This Program has a FREE Version and a Paid version that allows for added Features and Automation (Windows Task Schedular, etc)

Official Site and Download:https://albusbit.com/ADFastReporter.php

AD Photo Editor

AD Photo Editor from Albusbit.com allows you import/upload custom images for Active Directory User and Contacts as either thumbnailPhoto or jpegPhoto attribute.

These Photos can then be used within the following programs that integrate with AD:

  • Outlook Emails
  • Outlook Contacts
  • Global Address List Photos (GAL)
  • Sharepoint
  • Lync
  • Skype for Business
  • and other other 3rd Party App

There are 2 Version of this software – a FREE Version and a Paid version.

The Free Version allows you to Find Accounts and Upload/Edit Photos within AD and the Pro Version allows you to Bulk Import/Export Photos to and from Active Directory!

You can Find/Import photos into Active using:

  • common name (cn),
  • username (sAMAccountName),
  • ambiguous name resolution (anr),
  • email address (mail),
  • employee ID (employeeID),
  • or add additional custom attributes

On top of all those benefits, you can also adjust and modify images at upload, including Changing Dimensions, Rotate AD Images, Change Quality (compression) of Images and Add Watermarks to AD images as well.

This program really does have a quite a few features that should Cost something, but in all reality is FREE! We definitely like the value in this AD tool!

Official Site and Download: https://albusbit.com/ADPhotoEditor.php

AD Administrator from AlbusBit

AD Administrator tools from AlbusBit was built with the sole purpose for quickly managing AD Users/Computers for a single interface.

This tool has the following features for Managing Active Directory:

  • Manage, Search, View and Edit AD Accounts/Users and Computers
  • 16 Built-In Functions for that can be Run against AD, including:
    • Disable
    • Delete
    • Enable
    • Move to OU
    • Set description
    • Set expiry date
    • Add to group
    • Remove from group
    • Remove from all groups
    • Hide from GAL
    • Set random password
    • Set password never expire
    • Delete home drive
    • Run external script
    • Clear custom LDAP attribute
    • Disable OWA
  • Find Inactive Users/Computer Accts that are Dormant
  • Manage Multiple Active Directory Domains from Single Interface
  • Export Reports to Excel, CSV and HTML

This is great all-in-one tool for managing AD Users and Accounts from a centralized location and gives you the ability to manage multi-domain environments as well!

Official Site and Download: https://albusbit.com/ADAdministrator.php

Sysmalogic AD Reporter Builder

We recently reviewed Symalogic AD Report builder here and wanted to add this software on this post as well, as they have a FREE Version that gives you some great features to use without having to upgrade to the full version.

To see a Full list of their Features, have a look at the link below – We'll highlight the features of their Free Versions here:

  • Full result view (no row limit)
  • No expiration date
  • Multi-domain use
  • All Built-in reports
  • Add or remove columns
  • Non-replicated reports
  • Set any search target
  • Grid text filters/column
  • Export report to CSV

This tool helps you audit Active Directory for Compliance as well as give you insights and reports into your AD infrastructure, Computers/Users and OU's!

Grab a Free Download from the site below to get started!

Official Site and Download: http://www.sysmalogic.com

Comments are closed.