6 Best Active Directory Auditing Tools

by Robert Allen

Looking for the best Active Directory Auditing Tool to track and report AD changes? Then look no further.

In this guide, I’ll show you the best auditing tools for Active Directory and Windows Servers.

Active Directory auditing can help you detect suspicious activity and prevent security breaches. In addition, they are essential to ensure you meet security compliance and audit requirements.

The best Active Directory Auditing Tools

Here are my top picks:

1. ManageEngine ADAudit Plus

[Screenshot: ManageEngine ADAudit Plus]

ManageEngine ADAudit Plus is a web-based Active Directory auditing and reporting tool. It offers comprehensive visibility into all activities within your Windows Server environment, including Azure sign-ins, account lockout analysis, file access, and much more.

ManageEngine is a reputable software company with over 20 years of experience developing user-friendly systems. This product, in particular, has won several awards, including Best Value for Price, Best Feature Set, and Best Relationship from TrustRadius.

ManageEngine ADAudit Plus features include:

  • Active Directory (AD): Overseeing logons, lockouts, and more.
  • Azure AD: Tracking Azure sign-ins and changes to group memberships.
  • File Servers: Monitoring file access and permissions.
  • Windows Server: Analyzing local logons, file integrity, and security.
  • Windows workstation: Monitoring active time, USB activity, and more.

Pricing:

The most basic edition of ManageEngine ADAudit Plus is completely free, while there’s a standard edition available for $525 annually and a professional version that starts at $945.

Website:

https://www.manageengine.com/products/active-directory-audit/

2. Quest Change Auditor

[Screenshot: Quest Change Auditor]

Change Auditor is a comprehensive AD auditing tool from Quest, which sells numerous software solutions for cybersecurity and data management. The Quest Change Auditor program specializes in real-time auditing, providing in-depth data and security threat monitoring to help you quickly identify any suspicious activity within your Active Directory (AD). 

The Quest Change Auditor includes the following features:

  • Hybrid security monitoring: Auditing all security changes across AD and Azure AD.
  • Threat detection: Identifying threats to your system early to prevent cybercriminal attacks.
  • Threat prevention: Blocking unauthorized users from making changes to your groups.
  • Forensic reporting: Tracking every change made to your AD and Azure AD.
  • Normalized 5W audit details: Translating cryptic data logs into normal formatting.
  • Real-time alerts: Instant notifications of critical changes and suspicious patterns.
  • Account lockout: Simplifying troubleshooting for account lockouts.

Pricing:

Pricing information for Quest Change Auditor is not available; you must request it directly from the company.

Website:

https://www.quest.com/change-auditor/

3. Netwrix Auditor

Netwrix Auditor offers complete visibility into your Active Directory (AD) and Group Policy so that you never overlook an unwarranted activity. You’ll instantly know who deleted an account, when a user reset a password, and who abused their privileges within your AD. 

This application is available as an on-premises tool and a virtual appliance. It has an impressive track record, as big names like King’s Hawaiian and Allianz have employed it in their businesses.  

Netwrix Auditor includes the following features:

  • Comprehensive change auditing: Identify every change in your Active Directory and Group Policy with in-depth details about what happened.
  • Logon auditing: Oversee access control for successful and failed logons.
  • Reporting on current configurations: View the current state of users and groups.
  • Active Directory security and compliance: See out-of-the-box reports on security and compliance.
  • Group policy monitoring: Understand changes to your audit policy settings.
  • Delegated user access reviews: Allow certain data owners to approve and deny permissions. 

Pricing:

Netwrix Auditor comes with a 20-day free trial. Then, the price starts at $9.50 per user. 

Website:

https://www.netwrix.com/auditor.html

4. Lepide Auditor

[Screenshot: Lepide Auditor]

See all critical Active Directory changes and security issues at a glance with Lepide, a user-friendly AD auditing tool. This platform makes it easy to understand the “who, what, when, and where” of your AD security so that you can quickly respond to threats and protect your vulnerable data from internal misuse. 

You can launch an in-browser Lepide demo to see how this platform could operate for your business. 

Lepide has the following features:

  • Risk assessment: Detailed insights into your AD security and potential for data breaches.
  • Threat detection: Real-time reporting with machine-learning anomaly spotting to detect threats faster.
  • Active Directory monitoring: Ongoing updates to your AD logins and permissions.
  • Effective permissions analysis: Alerts to permission changes that may lead to data leaks.
  • Security incident investigation: In-depth audit logs to simplify security audits.
  • Compliance monitoring: Pre-defined reports that detail compliance regulations ranging from HIPAA to GDPR.

Pricing:

Lepide starts at $229 per license and comes with a 14-day free trial. 

Website:

https://www.lepide.com/lepideauditor/

5. Specops Password Auditor

[Screenshot: Specops Password Auditor]

Looking for a tool specifically to monitor password-related vulnerabilities within your Active Directory accounts? Try Specops Password Auditor, a read-only program available for free download. 

Once you download the program, you’ll gain access to in-depth reports analyzing your password policies on AD. You can use these reports to make adjustments to your user passwords and keep your intellectual property more secure behind your Active Directory logins. 

Specops Password Auditor has the following features:

  • Password reports: See personalized reports of your password policies to determine whether they encourage users to create secure passwords.
  • Domain password policies: Analyze domain password policies for AD.
  • Fine-grained password policies: Create defined rules for user account password creation.
  • Password vulnerabilities: Identify weak passwords and user accounts that don’t adhere to the minimum password length.
  • Brute-force attack: Test your password policies against a mock attack to determine vulnerabilities.

Pricing:

Specops Password Auditor is completely free to download. 

Website:

https://specopssoft.com/product/specops-password-auditor/

6. Active Directory Pro Toolkit

[Screenshot: AD Pro Toolkit]

The AD Pro Toolkit includes over 200 reports covering Active Directory users, computers, groups, group policy, and security. Active Directory reporting is critical for auditing and compliance requirements. In addition to reporting on Active Directory objects, you can create NTFS permission and group reports, which helps you determine who in Active Directory has access to what.

This tool is very easy to use: you can create a report with a few simple clicks of the mouse.

For example, to see all users that recently changed their password, click on user reports -> Users that changed their password in the last 7 days (30 or 60 days).

[Screenshot: users that changed their password (password last set report)]

If you need a simple reporting tool, this is one of the most affordable solutions out there. It does currently lack some auditing features, such as reporting on who modified objects in Active Directory.

The AD Pro Toolkit includes the following features:

  • Last Logon Auditing: Create reports of when users last authenticated to the network.
  • Password Audit Reports: Bad password attempts and password last changed.
  • Inactive users: Find accounts that have not logged in for a period of time.
  • Group Membership Reports: Get the group membership of all users, and find nested groups.
  • Audit Service Accounts: Scan your network and find where service accounts are being used.
  • Scheduled Reports: Create scheduled tasks and get daily, weekly, or monthly reports.
  • Audit Local Admin Rights: Scan all computers to find who has local admin rights.

Pricing:

The AD Pro toolkit starts at $299.

Download AD Pro Toolkit and see how easy it is to create reports.

How do I Audit Microsoft Active Directory?

Step 1. Enable Audit Policies

The first step to auditing Active Directory is to define which events you want to audit and report on. You will then use the group policy management console to configure the audit policy settings that you require.

It is recommended to configure the audit policy settings in the Default Domain Policy, but you can also create a new GPO if needed.

1. Open the group policy management console.

2. Create a new GPO or modify an existing one.

3. Browse to computer configuration -> policies -> windows settings -> security settings -> Advanced Audit Policy Configuration.

You will see a list of several categories that control the audit policies. You will need to review each policy and determine which policies your organization requires.

[Screenshot: Advanced Audit Policy Configuration categories]

See the resources below to learn more about the audit policy settings.

Step 2. Collect Event Logs

When auditing is enabled, it will generate event logs on your domain controllers and other systems (depending on which policies are enabled). You can view the logs by opening Event Viewer on your domain controller; it will look like the screenshot below.

[Screenshot: Security event log in Event Viewer]

No one has the time to open and review every event log by hand. This is why you will need to install a 3rd party auditing tool, like the ones listed in this article.

A 3rd party auditing tool will collect all of the event logs and create easy to read reports.

[Screenshot: 3rd party audit tool showing recent user logon activity]

The screenshot above is showing recent user logon activity. To do this without a 3rd party auditing tool would be impossible.
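Before buying a tool, it helps to see what Steps 1 and 2 produce on their own. The following PowerShell is an added example (not from the article or any of the products above): it checks the effective audit policy on the domain controller you run it on, then collects the matching Security events from every domain controller into one CSV that you can review or hand to a reporting tool. It assumes the ActiveDirectory RSAT module is installed, that you have rights to read the Security log remotely, and that the export path and the event ID list in the usage lines are placeholders you would adjust.

```powershell
# Added example: verify audit policy (Step 1), then collect Security events from all DCs (Step 2).
# Assumptions: ActiveDirectory RSAT module present, remote Security log read rights,
# an elevated prompt for auditpol, and C:\AuditExports is a placeholder path.

# Audit subcategories the later sections of this article depend on (names as auditpol shows them)
$requiredSubcategories = @(
    'User Account Management',    # user created / deleted / changed, password changes
    'Security Group Management',  # group membership changes
    'Directory Service Changes',  # GPO (directory object) modifications
    'Logon',                      # successful and failed logons
    'Account Lockout',            # lockouts
    'File System'                 # file share access and deletions
)

function Test-AuditPolicy {
    # "auditpol /r" prints CSV, so the effective policy can be parsed instead of screen-scraped
    $policy = auditpol /get /category:* /r | ConvertFrom-Csv
    foreach ($name in $requiredSubcategories) {
        $row = $policy | Where-Object Subcategory -eq $name
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Enabled     = ($setting -ne 'unknown' -and $setting -ne 'No Auditing')
        }
    }
}

function Get-DcSecurityEvents {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = $EventId
                StartTime = $Since
            } -ErrorAction Stop |
                Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
        } catch {
            # Get-WinEvent raises a terminating error when a DC simply has no matching events
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
        }
    }
}

# Usage: list policy gaps first, then export one day of the events the later sections discuss
Test-AuditPolicy | Where-Object { -not $_.Enabled } | Format-Table -AutoSize
Get-DcSecurityEvents -EventId 4720, 4726, 4728, 4732, 4756, 4625, 4740, 5136 |
    Export-Csv -Path 'C:\AuditExports\dc-security.csv' -NoTypeInformation
```

Run the policy check on each domain controller, not just one: the GPO from Step 1 only takes effect once Group Policy has refreshed, and a DC still showing "No Auditing" for a required subcategory will have gaps in any report built from its log.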

Importance of Active Directory Auditing

Audit User Changes in Active Directory

Do you know who deleted a user or recently modified the administrator account?

Keeping track of user changes is a must and should be reviewed on a regular basis. Changes to user accounts could be done by a malicious actor and knowing who and when these changes occurred can be critical for investigation.

[Screenshot: audit report of user changes in Active Directory]

Auditing Group Policy Changes

Group policies control policy settings on your domain-joined systems. One small change to a GPO can cause all kinds of problems if it is configured incorrectly and not tested. But which GPO was modified, and by whom?

GPO changes are stored in the security event logs on the domain controller. Look for a tool that will monitor these logs and create easy to read audit reports on changes to your GPOs.

[Screenshot: audit report of Group Policy changes]

Logon Auditing and Reporting

Do you know why employees are logging in after hours?

It is important to audit both logon failures and successful user logons. A high volume of failed logon attempts could be an attack on your network, so you need to be able to report on and spot these spikes in logons quickly.

In addition, most organizations will request an audit logon report. For example, HR would like to know when a certain employee last logged onto their computer.

[Screenshot: audit report of logon failures and successes]

Audit Group Membership and user access permissions

Who modified the domain administrator group?

Active Directory groups are used to give a group of users access to files, applications, and systems. Someone could add a user to a group that gives them admin permissions to all workstations or full permissions to files and folders. You need the ability to track group changes, who modified the group, the time, and which users were added or removed.

[Screenshot: audit report of group membership changes]
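The user changes, Group Policy changes, and group membership changes described in the three sections above all land in the same place: the Security log on the domain controller. The PowerShell below is an added example (not from the article or any vendor) that turns those events into one who/what/when/target report, which is essentially what the commercial tools' change reports are built on. It assumes you run it on a domain controller (or pass -DomainController), that the "User Account Management", "Security Group Management" and "Directory Service Changes" subcategories from Step 1 are enabled, and that GPO changes are audited as directory object changes (event 5136 on groupPolicyContainer objects).

```powershell
# Added example: one change report for user, GPO and group-membership events.
# Assumptions: run against a DC; the three audit subcategories named above are enabled.

# Event IDs behind each kind of change, with a plain-language description
$changeEvents = @{
    4720 = 'User account created';   4722 = 'User account enabled'
    4725 = 'User account disabled';  4726 = 'User account deleted'
    4738 = 'User account changed';   4740 = 'User account locked out'
    4781 = 'User account renamed'
    4728 = 'Member added to global group';        4729 = 'Member removed from global group'
    4732 = 'Member added to domain local group';  4733 = 'Member removed from domain local group'
    4756 = 'Member added to universal group';     4757 = 'Member removed from universal group'
    5136 = 'GPO modified';  5137 = 'GPO created';  5141 = 'GPO deleted'
}

function ConvertTo-EventData {
    # Flatten the <Data Name="..."> elements of a Security event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d -is [System.Xml.XmlElement]) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

function Get-AdChangeReport {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = [int[]]$changeEvents.Keys; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d       = ConvertTo-EventData $e
        $isGpo   = $e.Id -in 5136, 5137, 5141
        $isGroup = $e.Id -in 4728, 4729, 4732, 4733, 4756, 4757

        # 513x events cover every directory object; keep only Group Policy containers
        if ($isGpo -and $d['ObjectClass'] -ne 'groupPolicyContainer') { continue }

        if ($isGpo) {
            $target = $d['ObjectDN']
        } elseif ($isGroup) {
            # MemberName is the DN added/removed; TargetUserName is the group
            $target = "$($d['MemberName']) -> $($d['TargetUserName'])"
        } else {
            $target = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        }

        # For 5136 the changed attribute and its new value are carried in the event itself
        $details = if ($e.Id -eq 5136) { "$($d['AttributeLDAPDisplayName']) = $($d['AttributeValue'])" } else { '' }

        [pscustomobject]@{
            When    = $e.TimeCreated
            Who     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            What    = $changeEvents[[int]$e.Id]
            Target  = $target
            Details = $details
        }
    }
}

# Usage: last week's changes, newest first; pipe to Export-Csv for a report
Get-AdChangeReport | Sort-Object When -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should know: the "Who" column for a lockout (4740) is the domain controller's computer account rather than a person, and 5136 only fires for attributes covered by the object's SACL, so review the auditing entries on the Group Policy Objects container if GPO edits are not showing up.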

Windows File Share Auditing

Who deleted all the files from the shared folder?

This one always made people mad. They demanded to know who deleted a specific file from the file server. Without auditing turned on and the right auditing tool, this is impossible.

[Screenshot: audit report of Windows file share activity]
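File share auditing needs two things the article's Step 1 alone does not give you: the "File System" audit subcategory on the file server, and a system access control list (SACL) on the folder saying which access to record. The PowerShell below is an added example (not from the article or any product) that adds a delete-auditing entry to a shared folder and then reports who deleted which file from the resulting 4663 events. It assumes an elevated prompt on the file server (changing a SACL needs SeSecurityPrivilege), that object access auditing is enabled there, and that D:\Shares\Finance is a placeholder path.

```powershell
# Added example: enable delete auditing on a folder, then report deletions from the Security log.
# Assumptions: elevated on the file server, "File System" auditing on, D:\Shares\Finance is a placeholder.

function Enable-FolderDeleteAuditing {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    # Record successful Delete / DeleteSubdirectoriesAndFiles by anyone, inherited by all children
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileDeletions {
    param(
        [string]$FileServer = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4663 = an access right was exercised on an open handle; DELETE is bit 0x10000 of AccessMask
    Get-WinEvent -ComputerName $FileServer -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        if (([int64]$d['AccessMask'] -band 0x10000) -and $d['ObjectType'] -eq 'File') {
            [pscustomobject]@{
                When    = $_.TimeCreated
                Who     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                File    = $d['ObjectName']
                Process = $d['ProcessName']   # explorer.exe vs. a script or service is useful context
            }
        }
    }
}

# Usage: turn auditing on once, then report the last day's deletions
Enable-FolderDeleteAuditing -Path 'D:\Shares\Finance'
Get-FileDeletions | Sort-Object When -Descending | Format-Table -AutoSize
```

Audit only the rights you need: auditing ReadData on a busy share generates enormous log volume and pushes the deletion you care about out of the log before anyone looks, which is the same reason the article recommends a tool that collects and retains these events centrally.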

Immediately Detect Password Changes

Can you detect a brute force password attack?

When many accounts try to change their password in a short period of time, this could indicate a brute-force password attack. Hackers can use custom tools and scripts to launch an attack that tries to guess the passwords of hundreds of thousands of accounts. A good auditing tool can quickly detect password changes and send you a notification.
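The spikes described in the logon auditing section and the password-change bursts described here are the same detection problem: count events per time window and alert when a window exceeds a baseline. The PowerShell below is an added example (not from the article or any vendor) of that window-based detector, applied to failed logons (4625), lockouts (4740), and password change or reset attempts (4723/4724). It assumes a domain controller with the "Logon", "Account Lockout" and "User Account Management" subcategories enabled; the window size and thresholds are placeholders to tune against your own normal volume.

```powershell
# Added example: find bursts of Security events in fixed time windows.
# Assumptions: run on or against a DC with the three subcategories above enabled;
# WindowMinutes and Threshold are placeholders, not recommended values.

function Find-EventBursts {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$WindowMinutes = 5,
        [int]$Threshold = 50
    )
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $EventId; StartTime = $Since
    } -ErrorAction SilentlyContinue

    # Bucket each event into a fixed window and keep only the windows over the threshold
    $events |
        Group-Object { [math]::Floor($_.TimeCreated.Ticks / $windowTicks) } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            # Distinct accounts and sources separate a spray (many accounts, few sources)
            # from one user mistyping a password, or one stuck service account
            $targets = @(); $sources = @()
            foreach ($e in $_.Group) {
                $data = ([xml]$e.ToXml()).Event.EventData.Data
                $targets += ($data | Where-Object Name -eq 'TargetUserName').'#text'
                $sources += ($data | Where-Object Name -eq 'IpAddress').'#text'   # absent on 4723/4724
            }
            [pscustomobject]@{
                WindowStart      = [datetime]([long]$_.Name * $windowTicks)
                Count            = $_.Count
                DistinctAccounts = @($targets | Sort-Object -Unique).Count
                DistinctSources  = @($sources | Where-Object { $_ } | Sort-Object -Unique).Count
            }
        }
}

# Usage: failed logons and lockouts, then password change/reset attempts, over the last 24 hours
Find-EventBursts -EventId 4625, 4740 -Threshold 100
Find-EventBursts -EventId 4723, 4724 -WindowMinutes 10 -Threshold 20
```

Establish the thresholds from a week of normal data before alerting on them: Monday-morning logons and a scheduled password-expiry wave both look like bursts, and the DistinctAccounts/DistinctSources columns are what let you tell those apart from an attack.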

Audit Who has Privileged Access (Administrator Rights)

Do you know who has privileged access? Do you know who is a local administrator on their workstation or laptop?

These types of permissions can easily get out of control. Having a tool that can scan computer systems and check group membership in Active Directory is essential.

[Screenshot: audit report of local administrator rights]
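The two checks this section describes, group membership in Active Directory and local administrator rights on each computer, can be scripted as a baseline before you commit to a tool. The PowerShell below is an added example (not from the article or any product): it expands the privileged domain groups recursively so nested memberships are not missed, then queries the local Administrators group on each computer and flags domain principals that are not on an approved list. It assumes the ActiveDirectory RSAT module, WinRM enabled on the target computers, and that the approved list and the CONTOSO domain name are placeholders.

```powershell
# Added example: report privileged AD group members and local administrators on domain computers.
# Assumptions: ActiveDirectory RSAT module, WinRM on targets, CONTOSO and $approvedAdmins are placeholders.

# Baseline of principals expected in local Administrators (placeholder values)
$approvedAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')

function Get-PrivilegedGroupReport {
    param([string[]]$Group = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'))
    foreach ($g in $Group) {
        # -Recursive expands nested groups, so a user added via a nested group still appears
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Type = $_.objectClass }
        }
    }
}

function Get-LocalAdminReport {
    # Default to every enabled computer account; narrow this on a large domain
    param([string[]]$ComputerName = (Get-ADComputer -Filter * | Where-Object Enabled).Name)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name              # e.g. CONTOSO\jsmith or CONTOSO\Domain Admins
                Source   = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD
                Class    = $_.ObjectClass       # User or Group
            }
        }
    } | Select-Object Computer, Member, Source, Class
}

# Usage: who is in the privileged groups, then which domain principals hold local admin
# rights without being on the approved list
Get-PrivilegedGroupReport | Format-Table -AutoSize
Get-LocalAdminReport |
    Where-Object { $_.Source -eq 'ActiveDirectory' -and $_.Member -notin $approvedAdmins } |
    Format-Table -AutoSize
```

Computers that are offline or refuse WinRM are silently skipped by the -ErrorAction setting, so compare the list of computers that reported back against the list you queried; a machine that never answers is itself a finding.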

Summary

In this article, I reviewed the best Active Directory auditing tools on the market today. As you can see, there are many tools to choose from, and each has its own strengths and weaknesses. The best auditing tool will depend on your requirements, so it is best to download and test a variety of options. To learn more about audit policy settings, see my article on Windows audit policy best practices.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.