Working with Windows and Active Directory is definitely a full time job: monitoring and maintenance are ongoing for adds/moves/changes of users and other objects. For help with managing these tasks on a regular schedule, I’ve been trying out some of the products available. Previously, I posted a spotlight review of ScriptLogic’s Active Administrator for managing Active Directory, and one of the competing products mentioned there was Active Directory Change Reporter by NetWrix. Since it is another option among the tools to help you manage Active Directory smarter rather than harder, I figured it deserved a fair shake as well.
Active Directory Change Reporter comes in two flavors, a commercial version and a freeware version. The tool is identical in functionality with a few exceptions, which I will cover below. The fact that there is a fully functional freeware version of this tool scores big points for me. The commercial version of the tool also starts around $4.50 per user account up to 150 accounts and gets cheaper from there, which makes it fairly affordable.
Supported operating systems:
- Windows XP
- Windows Vista
- Windows 7
Active Directory Change Reporter supports all versions of Active Directory in mixed and native mode.
There are no hardware specific requirements for the application. If your environment runs Active Directory, this tool will be able to help you.
Who’s it for?
Network Administrators working with Microsoft Active Directory will see a great return using this tool. Being able to monitor changes as they happen within the Active Directory infrastructure will help them see exactly what is happening in their environment and enable more proactive correction of issues that may arise.
What problem does it solve?
Like other similar products AD Change Reporter monitors Active Directory and ensures that administrators and those with the permissions to modify it are being looked after by keeping logs on the things that these users do within Active Directory. Troubleshooting a problem inside a complex application like AD is very time consuming and any tool that can help audit items within AD and show the IT staff what is going on is certainly something worthy of a test run.
Once configured, the administrator can run the application to gather information about the AD environment and create output reports detailing the findings of the application. These reports can then be sent out via email to interested or responsible parties, making it very easy to keep a watchful eye on the organization’s Active Directory environment.
To get reports going after collecting information, expand AD Change Reporter in the left hand pane of the console and select the type of report you are looking for:
The fact that AD Change Reporter can be used as freeware and still provide a great deal of information about your environment is a huge feature. Keep in mind that the freeware version is limited as compared to the commercial version in the following ways:
- “Who” and “when” information is not recorded for every change.
- Advanced reporting using SQL reporting services is not available.
- No Custom Reports
- Only the names are provided for Group Policy Settings.
- Archiving is only available for the current day and previous day.
- Limited enterprise scalability
- Change rollback is not available.
- No reporting on Active Directory Password Resets
- Support provided only in the support forums
Another interesting feature of the application is something I will refer to as tagging. Change Reporter will identify, with an asterisk, who changed what and when they changed it. This feature makes it very easy for an administrator to see that Derek made a change to the Users OU and when he did it. Other tools do this too, but this one presents it in plain English and in a very easy to follow format, which I found to be very helpful.
Managing Exchange and Active Directory objects is also possible from within the setup file, which limits the amount of downloading necessary to use the tools.
In many cases there may not be an account configured for auditing in Active Directory (or it may be there but not be known to all of the administrators). In this case Active Directory Change Reporter will allow you to modify the configuration of the software (and permissions within the environment) to function correctly using the Audit Configuration Wizard, making it very easy to get back on track. Simply specify which account to use and ADCR will check to see if the account you chose is allowed to audit Active Directory; if not, another click and the application will correct the problem for you.
Active Directory Change Reporter Configuration
When you install Change Reporter it presents you with the option to use the trial version for 20 days, or to register it right away. For this post I selected the trial version. Then, you need to tell it about your environment by providing the following:
- Managed Domain
- Data store location
- Enable long term archiving *
- Use agents to collect data from domain controllers *
- An email address to use when sending AD reports
- Collect group policy information *
- Collect Exchange information *
- Email addresses for Group Policy and Exchange Reports
- The SMTP server information and a sender address
*Enable/Disable options configured with a checkbox.
Once all of this is configured, click the start button to open the console.
If you are setting up AD Change Reporter on a computer already connected to the domain, the configuration dialog is populated with the information found at startup. When I completed it, the email and AD Domain items were populated based on my user id.
Who did it… and when
Not much. This tool is a great bang for the corporate buck. The more Active Directory accounts there are in your environment the cheaper the paid version becomes. I did however, when setting this up on a 32-bit Windows 7 installation, encounter a problem with the Advanced Reporting Configuration Wizard. The wizard was unable to download and install the SQLExpress files needed to store the information gathered. There is an included link to a PDF showing the Vista/IIS7 workaround for the issue, but it would be a great fix to correct this inside the wizard.
Note: The Group Policy features are a separate license altogether. These licenses can be added to the freeware version of the tool.
- ScriptLogic Active Administrator
- Microsoft Active Directory Management Tools
Bottom line for business
For any organization running an Active Directory environment, a tool to aid in the management of the environment as a whole is a great add for any administrator. Depending on the size of your organization and your familiarity with Active Directory, Change Reporter might be the tool for you. I like this tool a great deal, but for shops with limited IT budgets, the additional cost of Group Policy components and the added features provided in the commercial version might be a bit of a reach. The freeware version of the tool will be a great start in monitoring your environment. Many will be all set with the toolset provided for free, which is great, but depending on your needs, may not provide enough tool out of the box.