The Enterprise IT “Swiss army knife”
I’ve recently had the chance to work with the newest version of LepideAuditor Suite, which is a comprehensive tool that does more than the name states (auditing). Of course, out of all the targeted products I chose to focus on Active Directory, Group Policy and Exchange 2013.
I am not going to go over the installation part because it’s pretty straightforward and Lepide already covers all the installation steps involved well.
Active Directory Auditing
The LepideAuditor for Active Directory comes with a built-in Active Directory Health Monitor Dashboard view and an integrated Backup and Restore solution. So this is something I really like: having not only audit information but also a view of the overall health and performance history of the AD environment, and also the possibility to quickly restore from backup anything related to Active Directory. That is nice!
The first dashboard that opens up shows an overview of the changes in your environment at a glance.
In order to audit logon/logoff events in your environments there are some preliminary steps to configure. For this you can follow the steps described in this article which covers everything very well:
Once you have logon auditing enabled you can see for example when a User has logged on, from where and the type of logon that was performed. See below an example:
Another useful audit report is the Failed Logon report. Here you can see not only the number of failed logon attempts but also the reason why they failed. For Auditors this is the kind of information they are interested in. Below you can see an example:
You can check the users that were created during a specified period of time. You can see an example below.
One of my favorites when tracking down a “resource access” issue or a “did not receive some email” issue is to see when Group membership was modified. For me this is very useful and I am sure that for some of you as well.
You can even monitor DNS changes and track down what happened to each individual DNS record.
Above you can see the typical STS record created for ADFS. And that is not all;
You can even see tombstoned DNS records! I remember having to remove some lingering objects related to tombstoned DNS records. This tool would have been really useful back then.
Looking into the GPO monitoring capabilities and available reports, I must say I was impressed with the number of built-in Audit Reports. In a large environment with hundreds of Group Policy Objects where multiple Domain Admins (or delegated GPO admins) manage the settings, it can get hard to keep track of who changed what and when. So a good GPO auditing tool is more than welcome in this case.
The Lepide GPO Auditor comes with a built-in backup feature which can be extremely useful for restoring previous working GPOs to their initial state. By default the backup interval for GPOs is every 1 hour. If your environment doesn’t have a large number of GPOs or a lot of ‘hands’ working with them you can set this interval to something like every 8 hours.
In the restore tab you will be able to restore for example a deleted GPO which is pretty cool and fast.
This will restore the previously backed-up GPO with all settings as expected.
Above is a screenshot with all the available built-in audit reports that make auditing GPOs really easy even for someone without a lot of Group Policy management experience.
You can easily set up alerts or scheduled reports whenever an event is recorded.
I like the Set Alert option as it allows you to keep track of important GPO changes, such as changes to the Default Domain Controllers Policy or the Default Domain Policy.
I did a lot of tests with the GPO monitoring part and I have to say that you cannot get any more detailed in terms of Auditing GPOs. I replicated a simple but common issue related to GPOs, when for example someone deletes a GPO link. By doing this, the GPO is not removed but the settings will no longer apply. If you use a complex OU structure and don’t link GPOs to the Domain Root and filter using groups, it can be hard to detect when this has happened.
Sure enough, the change is picked up quite quickly.
Another common one is when the GPO link is disabled (not removed).
Again the change is picked up fast.
I’ve also scheduled a report on GPO link changes that is sent periodically. This works great as you can see below:
I am not sure about you but for me this is really helpful. Along with the integrated backup/restore feature for the GPOs I believe this is an invaluable tool to have.
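To show what a link-level change looks like in the directory itself, here is an added example (not part of the original post and not LepideAuditor code) that diffs two snapshots of the `gPLink` attribute and reports removed and disabled links. The snapshot dictionaries, DNs and GUIDs are constructed sample data; in practice the values would be exported from the domain, OU and site objects.

```python
import re

# gPLink entries look like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;N]
# N is a bit field: bit 0 = link disabled, bit 1 = link enforced.
LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9A-Fa-f-]{36}\}),[^;\]]*;(\d+)\]", re.I)

def parse_gplink(value):
    """Return {GPO GUID (upper case): option flags} for one gPLink string."""
    return {guid.upper(): int(opts) for guid, opts in LINK_RE.findall(value or "")}

def diff_links(before, after):
    """Compare two {container DN: gPLink} snapshots and list link changes."""
    changes = []
    for dn in sorted(set(before) | set(after)):
        old, new = parse_gplink(before.get(dn)), parse_gplink(after.get(dn))
        for guid in sorted(set(old) | set(new)):
            if guid not in new:
                # The GPO still exists, but it no longer applies here.
                changes.append((dn, guid, "link removed"))
            elif guid not in old:
                changes.append((dn, guid, "link added"))
            else:
                changed = old[guid] ^ new[guid]
                if changed & 1:
                    state = "disabled" if new[guid] & 1 else "enabled"
                    changes.append((dn, guid, "link " + state))
                if changed & 2:
                    state = "enforced" if new[guid] & 2 else "unenforced"
                    changes.append((dn, guid, "link " + state))
    return changes

# Constructed sample data (hypothetical domain and GPO GUIDs).
POLICIES = "cn=policies,cn=system,DC=example,DC=test"
GPO_A = "{11111111-1111-1111-1111-111111111111}"
GPO_B = "{22222222-2222-2222-2222-222222222222}"
SALES = "OU=Sales,DC=example,DC=test"
IT = "OU=IT,DC=example,DC=test"

def link(guid, opts):
    return "[LDAP://cn=%s,%s;%d]" % (guid, POLICIES, opts)

BEFORE = {SALES: link(GPO_A, 0) + link(GPO_B, 0), IT: link(GPO_A, 2)}
AFTER = {SALES: link(GPO_A, 1), IT: link(GPO_A, 2)}

if __name__ == "__main__":
    for dn, guid, what in diff_links(BEFORE, AFTER):
        print(dn, guid, what)
```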
Exchange Server is the typical enterprise email solution for many companies and sometimes evaluating the health or monitoring the changes can be a difficult task without specialized software. LepideAuditor for Exchange Server covers all these tasks and more.
When looking at the available built-in audit reports you can instantly appreciate the usefulness of this tool.
Keep in mind that these are only the built-in ones; you can easily create custom reports and alerts that meet your needs.
You can see for example when a send or receive connector was modified.
You can see when mailbox permissions were modified or database changes were performed, as you can see below.
I did a simple test: we take a mailbox and grant Full Access permissions to another user. Below are the default permissions.
And we see the change being picked up by Lepide. That is nice!
You can easily schedule an Alert based on this object change which would allow you to be informed in almost real time of the change.
I am not going to continue with all the options and possibilities that this tool can bring to the table; if I had to do that we would need a series of blog posts to show everything.
The LepideAuditor Suite is an invaluable toolset for any System Admin that wants full visibility into his environment in terms of auditing, server health monitoring, alerting, and backup history with fast restore capabilities. LepideAuditor Suite manages to put all these features under a single pane of glass.
You can download your trial version here:
More information about LepideAuditor Suite here: