
NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, EXCHANGE AND GROUP POLICY
QUICK-START GUIDE
Product version: 7.5.873
February 2014

Copyright 2014 Netwrix Corporation. All Rights Reserved.

Netwrix Change Notifier for Active Directory, Exchange and Group Policy Quick-Start Guide

Legal Notice
The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions discussed. Netwrix Corporation
assumes no responsibility or liability for the accuracy of the information presented, which is subject
to change without notice.
Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix
product or service names and slogans are registered trademarks or trademarks of Netwrix
Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and
registered trademarks are property of their respective owners.
Disclaimers
This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to
ensure that this information accurately reflects the information provided by the supplier, please refer
to the materials provided with any non-Netwrix product and contact the supplier for confirmation.
Netwrix Corporation assumes no responsibility or liability for incorrect or incomplete information
provided about non-Netwrix products.



Suggestions or comments about this document? www.Netwrix.com/feedback


Table of Contents
1. INTRODUCTION
   1.1. Overview
   1.2. Licensing
   1.3. How It Works
2. INSTALL NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, GROUP POLICY AND EXCHANGE
   Deployment Options
   Hardware Requirements
   Software Requirements
   Supported Environments
   2.2. Installing Netwrix Change Notifier
3. CONFIGURE RIGHTS AND PERMISSIONS
4. CONFIGURE NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, GROUP POLICY AND EXCHANGE
5. MONITOR YOUR ENVIRONMENT FOR CHANGES
   5.1. Launch the Product Task Manually
   5.2. Modify the Product Task Schedule
   5.3. View a Change Summary
   5.4. Generating an On-Demand Change Summary
6. REVERT UNWANTED ACTIVE DIRECTORY CHANGES
   6.1. Reverting Unwanted Changes


1. INTRODUCTION
1.1. Overview
Netwrix Change Notifier for Active Directory, Group Policy and Exchange tracks all changes to
the monitored Active Directory domain and emails daily Change Summaries listing all changes
that occurred over the last 24 hours, thus providing complete visibility across your IT
infrastructure.

1.2. Licensing
Netwrix Change Notifier for Active Directory, Group Policy and Exchange is a freeware
product with an unlimited license.

1.3. How It Works
The product data collection and reporting workflow is as follows:
1. An administrator sets the parameters for automated data collection, choosing which
   target system to report on:
   o Active Directory
     - User configuration changes
     - Changes to Active Directory groups
     - Active Directory Configuration and Schema changes
     - Domain structure changes
     - Changes to OUs
     - Additions to OUs
     - Additions to domains
     - Domain object property changes
   o Group Policy changes
     - Group Policy Objects changes
     - Group Policy Objects creation
     - Group Policy Objects removal
   o Exchange Servers changes
     - Security policy violations
     - Mailbox creation and removal
     - Exchange objects and permissions changes
     - Unauthorized and unplanned changes
2. A dedicated scheduled task, which is launched daily, collects audit data and emails
   Change Summaries to the specified recipients. You can also use the Change Viewer
   tool to generate and view on-demand summaries.


2. INSTALL NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, GROUP POLICY AND EXCHANGE
Deployment Options
Netwrix Change Notifier for Active Directory, Group Policy and Exchange can be installed on
any computer that belongs to the monitored Active Directory domain, but it is not
recommended to install it on a domain controller.
If you want to install the product on a computer that does not belong to the audited
domain, you must establish a trust relationship between the audited domain and the domain
where the product is installed.

Hardware Requirements
Before installing Netwrix Change Notifier for Active Directory, Group Policy and Exchange,
make sure that your hardware meets the following requirements:
Table 1: Netwrix Change Notifier Hardware Requirements

Hardware Component | Minimum | Recommended
Processor | Intel or AMD 32 bit, 2GHz | Intel Core 2 Duo 2x 64 bit, 3GHz
Memory* | 512 MB RAM | 4 GB RAM
Disk space | 50MB physical disk space for product installation. Additional space is required for the Audit Archive and depends on the number of AD objects and changes per day. | Two physical drives with a total of 1GB free space

* These are rough estimations. The actual required memory size depends on the
average number of changes per day in the monitored environment.

Software Requirements
This section lists the minimum software requirements for Netwrix Change Notifier for Active
Directory. Make sure that this software has been installed before proceeding with the
installation.
Table 2: Netwrix Change Notifier Software Requirements

Component | Requirement
Operating System | Windows 7 and above
Additional software | .NET Framework 3.5; Windows Installer 3.1 or above; Group Policy Management Console*

* Only required to track changes to Group Policy Objects.


Supported Environments
This section provides a list of Windows and Microsoft Exchange Server versions supported by
Netwrix Change Notifier for Active Directory, Group Policy and Exchange.
Table 3: Netwrix Change Notifier Supported Environments

Component | Version
Active Directory environment | Windows Server 2003 (any forest mode: mixed/native/2003); Windows Server 2008/2008 R2; Windows Server 2012
Microsoft Exchange Server | Microsoft Exchange Server 2003; Microsoft Exchange Server 2007; Microsoft Exchange Server 2010; Microsoft Exchange Server 2013

2.2. Installing Netwrix Change Notifier


To install Netwrix Change Notifier for Active Directory, Group Policy and Exchange, download
and run the Netwrix_Change_Notifier_for_Active_Directory.msi file. Follow the instructions of
the installation wizard. When prompted, accept the license agreement and specify the
installation folder.


3. CONFIGURE RIGHTS AND PERMISSIONS


The account under which Netwrix Change Notifier for Active Directory collects data from the
monitored domain must have the following rights and permissions:
o The account must be a member of the Local Administrators group on the
  computer where the product is installed.
o The Log on as a batch job policy must be defined for this account (see
  Procedure 1. To define the Log on as a batch job policy).
o The account must be granted read permissions for the Deleted Objects
  container (see Procedure 2. To grant permissions for the Deleted Object
  container).

Procedure 1. To define the Log on as a batch job policy

1. Open the Group Policy Management console on any domain controller in the
   monitored domain: navigate to Start > Administrative Tools > Group Policy
   Management.

2. In the left pane, navigate to Forest: <domain_name> > Domains >
   <domain_name>, right-click Default Domain Policy and select Edit from the pop-up
   menu.

3. In the Group Policy Management Editor dialog, expand the Computer Configuration
   node on the left and navigate to Policies > Windows Settings > Security Settings >
   Local Policies > User Rights Assignment and locate the Log on as a batch job
   policy:

   Figure 1: Group Policy Management Editor

4. Double-click this policy, select Define these policy settings and click Add User or
   Group. Specify the account that you want to define this policy for.

5. Navigate to Start > Run and type cmd. Enter the gpupdate /force command and press
   Enter to update the group policy.

Procedure 2. To grant permissions for the Deleted Object container

1. Log on to any domain controller in the target domain with a user account that is
   a member of the Domain Admins group.

2. Open a command prompt: navigate to Start, type command prompt and press
   Enter.

3. Type the following command and press Enter:

       dsacls <deleted_object_dn> /takeownership

   where deleted_object_dn is the distinguished name of the deleted directory
   object.
   Example:

       dsacls "CN=Deleted Objects,DC=Corp,DC=local" /takeownership

4. To grant permission to view the objects in the Deleted Objects container to a user or
   a group, type the following command and press Enter:

       dsacls <deleted_object_dn> /G <user_or_group>:<Permissions>

   where deleted_object_dn is the distinguished name of the deleted directory
   object, user_or_group is the user or group to whom the permission applies, and
   Permissions is the permission to grant.
   Example:

       dsacls "CN=Deleted Objects,DC=Corp,DC=local" /G Corp\jsmith:LCRP

5. In this example, the user CORP\jsmith has been granted List Contents and Read
   Property permissions for the Deleted Objects container in the corp.local domain.
   These permissions let this user view the contents of the Deleted Objects container,
   but do not let this user make any changes to objects in this container. These
   permissions are equivalent to the default permissions that are granted to the Domain
   Administrators group.
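
A check of the three prerequisites listed at the start of this chapter, given here as an added example that is not part of the original guide or Netwrix's own code. The account name and container DN are the ones from the example above and should be replaced; the script name, variable names and the assumed layout of the dsacls listing are this example's own. Run it elevated on the computer where the product is installed.

```powershell
# Added example: verify the data collection account's rights and permissions.
param(
    [string]$Account   = 'CORP\jsmith',                         # example account from the guide
    [string]$DeletedDn = 'CN=Deleted Objects,DC=Corp,DC=local'  # example DN from the guide
)

# Resolve the account to a SID so comparisons do not depend on how the name is written.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership in the local Administrators group (well-known SID S-1-5-32-544).
#    Membership obtained through a nested group is not detected by this check.
$isLocalAdmin = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
                  Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

# 2. "Log on as a batch job" (SeBatchLogonRight) in the policy applied to this computer.
#    secedit writes one "Right = holder,holder,..." line per user right.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
Remove-Item $cfg -Force

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')                 # holder is already written as a SID
        }
        else {
            try {                                 # holder is written as a name
                ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            }
            catch { $entry }                      # unresolvable name: keep it as text
        }
    }
}
$hasBatchLogon = $holders -contains $sid          # direct assignment only

# 3. ACEs for the account on the Deleted Objects container, as listed by dsacls.
#    Assumed layout: an ACE starts with "Allow" or "Deny" followed by the trustee,
#    and its individual rights follow on indented lines.
$aceText = @()
$inAce   = $false
foreach ($l in (& dsacls.exe $DeletedDn)) {
    if ($l -match '^(Allow|Deny)\s') {
        $inAce = $l -match ('^(Allow|Deny)\s+' + [regex]::Escape($Account) + '\s')
        if ($inAce) { $aceText += $l.Trim() }
    }
    elseif ($inAce -and $l -match '^\s+\S') { $aceText += $l.Trim() }
    else { $inAce = $false }
}

# Expected result: both flags True, and the ACE list showing only the
# List Contents and Read Property rights granted in Procedure 2.
[pscustomobject]@{
    Account            = $Account
    Sid                = $sid
    LocalAdministrator = $isLocalAdmin
    BatchLogonRight    = $hasBatchLogon
    DeletedObjectsAces = $aceText
}
```

Rights held only through group membership show up as False in the first two checks, so a False result means "not assigned directly" rather than "not effective".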


4. CONFIGURE NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, GROUP POLICY AND EXCHANGE
After you have installed Netwrix Change Notifier for Active Directory, Group Policy and
Exchange, enable and configure Active Directory, Group Policy and Exchange Server audit.

Procedure 3. To configure audit

6. Navigate to Start > All Programs > Netwrix Freeware > Netwrix Change Notifier
   for Active Directory. The product configuration dialog will open:

   Figure 2: Netwrix Change Notifier for Active Directory Configuration Dialog

7. Specify the following settings and parameters:

Note: The table below describes configuration of the basic parameters
required for the product evaluation purposes.

Table 4: Netwrix Change Notifier for Active Directory Settings

Parameter | Instruction
Enable Active Directory Change Reporter | Enable this option to activate Active Directory audit.
Enable Group Policy Change Reporter | Enable this option to activate Group Policy audit. Note: Group Policy audit also requires the activation of the Enable Active Directory Change Reporter option.
Enable Exchange Change Reporter | Enable this option to activate Exchange Servers audit. Note: The Exchange Servers audit also requires the activation of the Enable Active Directory Change Reporter option.

Monitored Domain
Monitored domain: | Enter the name of an Active Directory domain that you want to audit. The name should be in the FQDN format, for example acme.com
Enable Lightweight Agents | This option is not available in Netwrix Change Notifier for Active Directory.

Change Summary
Send Active Directory Change Reporter Change Summary to: | Enter the email address of the Change Summary recipient; you can enter several addresses separated by a semicolon.
Send Group Policy Change Reporter Change Summary to: | Enter the email address of the Change Summary recipient; you can enter several addresses separated by a semicolon.
Send Exchange Change Reporter Change summary to: | Enter the email address of the Change Summary recipient; you can enter several addresses separated by a semicolon.
SMTP server: | Enter your SMTP server name.
Port: | Specify your SMTP server port number.
Sender address: | Enter the address that will appear in the From field in Change Summaries. To check the email address, click Verify. The system will send a test message to the specified address and will inform you if any problems are detected.
Configure advanced delivery options | This option is not available in Netwrix Change Notifier for Active Directory.

Audit Archive
Location | Leave the default setting or specify another path to save the change history data. All audit data collected by the product will be stored in the corresponding subfolders of that folder.
Store audit data for x month | Activate the option and specify the number of months for the audit data to be stored in Audit Archive.

Reports
Configure SSRS-based Reports | This option is not available in Netwrix Change Notifier for Active Directory.

8. Save your configuration by clicking the Apply button. The Scheduled Task
   Credentials dialog will be displayed.

9. Specify the account under which the product scheduled task will collect the changes
   data and email Change Summaries to the specified recipients. Make sure that this
   account has the required rights and permissions (see Chapter 3 Configure Rights and
   Permissions).

10. Enter and confirm the account password and click OK. The NEXT STEPS: CHECKLIST
    dialog will open; follow its instructions to get the first Change Summary right after
    you have configured the product.

Note: To change the settings later, invoke the product configuration dialog
from the Start menu.


5. MONITOR YOUR ENVIRONMENT FOR CHANGES


When the product has been configured, it starts collecting data on Active Directory, Group
Policy and Exchange Server changes from the monitored domain. By default, the data
collection task is launched daily at 3:00 AM. If required, you can launch the product
scheduled task manually or modify its schedule.

5.1. Launch the Product Task Manually


Procedure 4. To launch the product scheduled task manually:

1. Launch Task Scheduler.

2. In the left pane, expand the Task Scheduler Library node. In the right pane, select
   the task called Netwrix Management Console Active Directory Change Reporter
   <your_domain_name> (where <your_domain_name> is the name of the domain you
   specified in the configuration settings).

3. Right-click the task and select Run from the drop-down list. Alternatively, use the
   Run option from the Actions menu.

5.2. Modify the Product Task Schedule


Procedure 5. To modify the product task schedule:

1. Launch Task Scheduler.

2. In the left pane, expand the Task Scheduler Library node. In the right pane, select
   the task called Netwrix Management Console Active Directory Change Reporter
   <your_domain_name> (where <your_domain_name> is the name of the domain you
   specified in the configuration settings).

3. Right-click the task, select Properties > Triggers and click Edit. Alternatively, use
   the Properties option from the Actions menu.

5.3. View a Change Summary


After the first data collection task has finished, an email will be delivered to the specified
address notifying you that the initial analysis has been completed.
After that, you can make test changes to your environment to see how they are reported.
When the task is launched the next time (either automatically or manually), it detects the
changes made since the last data collection, then generates the Change Summary and
delivers it to the specified recipients. A Change Summary contains the following information:
o Change type (Added/Removed/Modified)
o Object type (for example, user, OU)
o Object name (for example, the full user name)
o Details (the modified properties and their before and after values)

Below is an example of the Netwrix Change Notifier for Active Directory Change Summary:

Figure 3: Netwrix Change Notifier Change Summary Example

5.4. Generating an On-Demand Change Summary


You can generate Change Summaries for a specific period of time using the Change Viewer
tool.

Note: The product allows you to generate a summary of changes collected
within the last 4 days only.

Procedure 6. To generate an on-demand Change Summary

1. Navigate to Start > All Programs > Netwrix Freeware > Netwrix Change Notifier for
   Active Directory > Advanced Tools and click Change Viewer. The following dialog is
   displayed:

   Figure 4: Change Viewer Dialog

2. Select the audited system from the Module drop-down list and the time range you
   want to generate the report on.

3. Click Generate. The Save as window appears allowing you to name your report and
   select the location for it. Click Save.

4. The Change Summary is saved locally in the HTML format and displayed in your
   default web browser.

   Figure 5: Change Summary


6. REVERT UNWANTED ACTIVE DIRECTORY CHANGES


Restoring deleted objects and reverting unwanted or unauthorized changes to Active
Directory objects can be a difficult and error-prone task, and sometimes it is simply
impossible. In most cases, native and third-party Active Directory backup and recovery tools
require non-authoritative restore and domain controller downtime. Moreover, they do not
always have object-level restore capabilities.
With Netwrix Change Notifier for Active Directory you can quickly restore deleted and
modified objects using the Active Directory Object Restore tool integrated with the product.
This tool enables AD object restore without rebooting a domain controller and touching the
rest of the AD structure.

6.1. Reverting Unwanted Changes


By default, when a user or computer account is deleted from Active Directory, its password is
discarded. When you restore deleted accounts with the Active Directory Object Restore tool,
it sets random passwords which then have to be changed manually. If you want to be able to
restore AD objects with their passwords preserved, you need to modify the Schema container
settings so that account passwords are retained when accounts are deleted.
This section provides detailed step-by-step instructions on how to:
o Modify your Schema container settings to retain passwords for deleted
  accounts
o Revert unwanted changes to your AD objects

Procedure 7. To modify Schema container settings

Note: To perform this procedure, you will need the ADSI Edit utility. In
Windows 2003 systems, this utility is a component of Windows Server
Support Tools. If it has not been installed, download Windows Server
Support Tools from the official website. On Windows 2008 systems and
above, this component is installed together with the AD DS role.

1. Navigate to Start > Programs > Administrative Tools > ADSI Edit. The ADSI Edit
   dialog will open.

   Figure 6: ADSI Edit dialog

2. Right-click the ADSI Edit node and select the Connect To option. In the Connection
   Settings dialog, enable the Select a well-known Naming Context option and select
   Schema from the drop-down list:

   Figure 7: Connection Settings Dialog

3. Click OK.

4. In the left pane, expand the Schema <Your_Root_Domain_Name> node. Locate the
   attribute called CN=Unicode-Pwd, right-click it and select Properties from the pop-up
   menu:

   Figure 8: CN=Unicode-Pwd Properties

5. Locate the attribute called searchFlags, double-click it and set its value to 8:

   Figure 9: Attribute Editor

6. Click OK.

Now you will be able to restore deleted accounts with their passwords preserved.
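
Steps 4 to 6 written as a script, given as an added example that is not part of the original guide or Netwrix's own code: it reads the current searchFlags value of CN=Unicode-Pwd and sets bit 8 (preserve on deletion) with a bitwise OR instead of overwriting the value, so any flags already present on the attribute are kept. It assumes the ActiveDirectory PowerShell module and Schema Admins rights, and it goes slightly beyond the procedure by addressing the schema master directly and reading the value back.

```powershell
#Requires -Modules ActiveDirectory
# Added example: set the preserve-on-delete bit on the Unicode-Pwd schema attribute.
[CmdletBinding(SupportsShouldProcess)]
param()

$PreserveOnDelete = 0x8   # searchFlags bit: the attribute value is kept on the tombstone

# Schema updates are written on the schema master, so read and write there.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrDN       = "CN=Unicode-Pwd,$schemaNC"   # the attribute object located in step 4

# Read the current value; an unset searchFlags is treated as 0.
$attr    = Get-ADObject -Identity $attrDN -Server $schemaMaster -Properties searchFlags
$current = if ($null -ne $attr.searchFlags) { [int]$attr.searchFlags } else { 0 }
Write-Output ("Current searchFlags: {0} (0x{0:X})" -f $current)

if ($current -band $PreserveOnDelete) {
    Write-Output 'Preserve-on-delete is already set; nothing to change.'
}
else {
    # OR the bit in so that flags already set on the attribute survive the update.
    $new = $current -bor $PreserveOnDelete
    if ($PSCmdlet.ShouldProcess($attrDN, "Set searchFlags to $new")) {
        Set-ADObject -Identity $attrDN -Server $schemaMaster -Replace @{ searchFlags = $new }
    }
}

# Read the value back from the schema master to confirm what is stored now.
$after = [int](Get-ADObject -Identity $attrDN -Server $schemaMaster -Properties searchFlags).searchFlags
Write-Output ("searchFlags after update: {0} (0x{0:X}); preserve-on-delete set: {1}" -f `
    $after, [bool]($after -band $PreserveOnDelete))
```

Running the script with -WhatIf shows the value that would be written without changing the schema.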

Procedure 8. To revert changes to AD objects

1. Navigate to Start > All Programs > Netwrix Freeware > Active Directory Object
   Restore. The welcome page of the Active Directory Object Restore wizard will be
   displayed. Click Next to proceed.

2. On the Select Rollback Period step, specify the period of time when unwanted
   changes that you want to revert occurred. You can either select a period between a
   specified date and the present date, or between two specified dates. Note that the
   product only keeps data on deleted Active Directory objects for the last 4 days.

   Figure 10: Active Directory Object Restore Wizard: Select Rollback Period

3. On the Select Rollback Source step, you must select a domain and the Rollback
   Source:

   Figure 11: Active Directory Object Restore Wizard: Select Rollback Source

4. Two options are supported:
   o Restore from state-in-time snapshots: this option allows restoring
     objects from configuration snapshots made by the product. This option
     is preferable since it allows attribute-level object restore.
   o Restore from AD tombstones: this option is recommended when no
     snapshot is available. This is a last resort measure as the tombstone
     holds only the basic object attributes.

5. If you have selected to use a rollback point as a source, you can select the Select a
   state-in-time snapshot option if you want to revert to a specific snapshot. Otherwise,
   the product will automatically search for the most recent snapshot that will cover the
   selected time period. Click Next to proceed.

6. On the Analyzing Changes step, the product analyzes the changes made during the
   specified time period. When reverting to a snapshot, the tool looks at the changes
   that occurred between the specified snapshots. When restoring from a tombstone,
   the tool looks at all AD objects put in the tombstone during the specified period of
   time. When the analysis is complete, click Next to proceed.

7. On the Select Changes to Roll Back step, the results of the analysis are displayed.
   Select a change to see its rollback details in the bottom of the window.

8. To see detailed rollback information on an attribute, select it and click the Details
   button. A window will pop up showing what changes will be applied if this attribute is
   selected for rollback:

   Figure 12: Change Details

9. Specify the changes you want to revert by selecting the corresponding check boxes
   and click Next to restore the selected objects to their previous state.

10. Wait until the tool has finished restoring the selected objects. On the last step,
    review the results and click Finish to exit the wizard.
