Netwrix Auditor 5.0 Review

In an economic climate where IT budgets are down, but demands are up, the subject of auditing is a tricky one. Virtually all IT pros realize that auditing the components of the IT infrastructure is a critical task. The dilemma is how to find the time and resources to conduct an effective audit. Enter the latest version of Netwrix Corp.’s flagship product: Netwrix Auditor 5.0.

According to their website, Netwrix Auditor 5.0 was released earlier this year with the claim of “delivering the most complete offering with the broadest coverage of audited systems and applications available.” If the product lives up to this claim and is straightforward to use, it will go a long way toward helping overworked IT admins pull off comprehensive audits in their organizations. There’s only one way to know for sure and that’s to put the product through its paces! Over the past few weeks I did just that, and now I’m going to share the results with my fellow Petri IT Knowledgebase readers.

Netwrix Auditor 5.0 Walkthrough

I could tell you all the possible things Netwrix Auditor 5.0 can report on, but suffice it to say it would probably take less time to list the seemingly few items it cannot audit. Whether it be VMware infrastructure, EMC SANs, Active Directory, or just basic Windows Events, Netwrix Auditor 5.0 does a great job giving IT pros detailed introspection into their IT environments.

Installation is easy and straightforward. A choice can be made to install just an individual feature or with one click install everything. A few more clicks and that’s all there is to getting the product installed.

The product doesn’t have many prerequisites, but if it does happen to need something that isn’t installed, an alert will pop up. For instance, the .NET Framework 3.5 is required; if it isn’t present, a simple message will remind you that .NET Framework 3.5 should be installed from the Windows Control Panel.

Now that the install is complete, it’s time to take the product out for a drive.

Since Active Directory is possibly one of the most commonly audited products in existence, I’ll begin by testing some of Netwrix Auditor’s AD functionality. This only makes sense since AD is often the gateway of authentication, authorization, and accounting for many of an organization’s systems. From machine accounts to distribution groups, odds are activity on a Microsoft-based network starts and ends with AD.

Create a New Managed Object in Netwrix Auditor

Auditing AD begins by creating a new managed object from within the Netwrix Auditor 5.0 console.

By selecting AD as the system to audit from within Netwrix Auditor, the New Managed Object Wizard will fire up. From there select Domain as the new managed object and then configure the email server settings that will allow sending reports and alerts. I always like when vendors include a method to test email settings during configuration. This can save a boatload of troubleshooting later. Netwrix Auditor has a verify function, and if all is well, a message will display that a test email was successfully sent.

Configure the new managed object by setting the AD domain name to be audited as well as the account for the software to use when working with this managed object. This defaults to the Administrator account, but it can be changed now or later. In any case, if you use a different account, refer to the Netwrix Auditor documentation to know exactly what rights and permissions must be set.

The next step is to decide if reports should be enabled. For reporting, an existing SQL Server instance can be used, or the software will automatically download, install, and configure a new instance of the free Microsoft SQL Server 2012 Express Edition with Advanced Services product. Choosing this option is super simple; just be prepared to wait as the somewhat large file is downloaded from the Internet. Once downloaded and installed, select the audit database location and report server URLs.

One little thing I really like is that throughout the software, handy links give you extra information on how and why to set things up. For instance, on this screen there’s a link taking you to more information on how to configure SQL Server to allow remote connections. Most people won’t need this extra information, but it’s great that Netwrix has placed it there for those that do.

Another nifty feature that can be selected when creating the new AD managed object is the ability to create State-In-Time reports. This feature takes a daily snapshot of the monitored system and then enables both comparing Active Directory in its present state versus a previous state and reviewing the exact condition of AD at a chosen date sometime in the past. Very handy when the need arises.

Netwrix Auditor can run agentless, but the preferred method is to allow the use of a lightweight agent. Using the agent results in significantly less data transfer and thus lower network impact and faster collection time. The agent doesn’t produce a noticeable performance hit on the target systems. As far as I’m concerned, the agent is the way to go.

Finish off the New Managed Object wizard by selecting what alerts to send and of course, where to send them. There are predefined alerts, such as demotion of a domain controller, and the ability to create custom alerts for almost any AD event. Once the wizard is complete and the new managed object is created, the Netwrix Auditor console gives the ability to run an initial data collection.

Netwrix Auditor 5.0: managed object

Once complete, Netwrix Auditor’s reporting functionality can immediately be utilized to garner some great information. Mind you, there won’t be any real audited change information present since the system was just turned on, but there’s still oodles of other valuable information. Take for instance the very valuable “Administrative Groups With Their Members” report. This report quickly shows what accounts are assigned to both the Domain Admins and Enterprise Admins groups along with whether each account is enabled or disabled.

Netwrix Auditor 5.0: managed object report

Of course, Netwrix Auditor’s bread and butter is in its ability to audit changes. The product doesn’t disappoint in this regard. Looking at the reports available for the AD Managed Object created earlier, it’s possible to view changes from the highest level to the lowest. Anything from a chart exposing all AD changes over a given period to a detailed report showing changes to a specific computer account. Auditing AD just became a whole lot quicker and easier!

Netwrix Auditor - All AD changes chart


It’s also possible to subscribe to a report allowing it to automatically be sent to specified recipients on a schedule. A great way to stay in the know without much on-going effort!

Inactive User Tracking Feature

One of my favorite features of Netwrix Auditor 5.0 is the Inactive User Tracking feature. Tracking inactive users is one of those mundane tasks most of us AD admins are supposed to be doing. I say “supposed to” because the unfortunate reality is that many admins are doing a fairly poor job of it. In all fairness, this isn’t really the AD admin’s fault. It’s because the Active Directory attributes commonly used to track when a user account last logged in, namely lastLogon and lastLogonTimestamp, aren’t fully replicated by AD. In a nutshell, this means that in order to “do it right,” those attributes for a user have to be queried from every domain controller in the domain and the most recent values used. Manually, this is a pain and thus an oft-skipped part of the process.
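For comparison, the manual approach described above looks roughly like this in PowerShell. This is an added example, not part of the original review and not Netwrix code; it assumes the ActiveDirectory module (RSAT) is installed, and the 90-day threshold is an assumed value. It only reports and changes nothing in the directory.

```powershell
# Added example: list enabled accounts whose newest lastLogon, taken across
# every domain controller, is older than $InactiveDays (assumed threshold).
Import-Module ActiveDirectory

$InactiveDays = 90
$cutoff  = (Get-Date).AddDays(-$InactiveDays)
$latest  = @{}   # DistinguishedName -> newest value seen so far
$skipped = @()   # DCs that could not be queried

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $users = Get-ADUser -Filter * -Server $dc.HostName `
                     -Properties lastLogon -ErrorAction Stop
    } catch {
        $skipped += $dc.HostName
        continue
    }
    foreach ($u in $users) {
        # A null lastLogon (never logged on at this DC) casts to 0.
        $value = [int64]$u.lastLogon
        $key   = $u.DistinguishedName
        if (-not $latest.ContainsKey($key) -or $value -gt $latest[$key].Raw) {
            $latest[$key] = [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                Raw            = $value
                SourceDC       = $dc.HostName
            }
        }
    }
}

# A skipped DC may hold the newest logon, so treat the report as incomplete.
if ($skipped) {
    Write-Warning "Not queried: $($skipped -join ', '). Results may be stale."
}

$latest.Values |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, SourceDC, @{ Name = 'LastLogon'; Expression = {
        # lastLogon is a Windows FILETIME; 0 means no logon recorded anywhere.
        if ($_.Raw -gt 0) { [DateTime]::FromFileTime($_.Raw) } else { $null }
    } } |
    Where-Object { -not $_.LastLogon -or $_.LastLogon -lt $cutoff } |
    Sort-Object LastLogon |
    Format-Table -AutoSize
```

Accounts with an empty LastLogon have never logged on at any queried DC; review those separately from accounts that have simply gone quiet.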

Netwrix’s Inactive Users Tracker provides a trifecta of benefits when it comes to user management. The software reviews all the user accounts in a specified AD domain, sends a report to any email address specified, and even automatically disables accounts that have been inactive more than a specified number of days. The software can be configured to do far more, such as setting random passwords or deleting accounts, but the one, two, three punch described above will improve user management at many organizations and requires little more than just installing the software and running the basic configuration wizard.


It’s almost a conundrum to expect software to be both full featured and simple to use. Netwrix Auditor 5.0 is precisely both. The number of possible products to audit is staggering – even more so when you look at the level of detail that is available for each audited product. If I wrote about every component, this review would quickly become a full-on white paper! Even so, the software has very quick and simple, wizard-driven interfaces for most functions. This isn’t to say advanced interfaces aren’t available, because they absolutely are. My point is simply that it took less than a half hour for me to install the product, configure necessary components, and start gleaning very useful information. I’ll admit, this exceeded my expectations by far.

If there’s anything that remotely detracts from my glowing impression, it’s the price. Currently pricing starts at $25 per seat with a 150 seat minimum. Some small organizations might consider that pricey. Just remember the old adage, “you get what you pay for.” With Netwrix Auditor 5.0 you definitely get a lot.

[Editor’s note: $25 per seat refers to licensing the full Netwrix All-in-One suite product with all components. Pricing for individual components can vary, starting at $2.50 per user (with a minimum of 150 users) for Netwrix Auditor for Windows Server only.]

Netwrix Auditor 5.0 Report Card

Pros: Simple to set up and use. Audits virtually everything and anything. Excellent documentation.

Cons: Some organizations may consider the pricing a wee bit high. Current pricing starts at $25 per seat, 150-seat minimum.

Bottom line: Without a doubt, I am a fan of Netwrix Auditor 5.0. I give the product a full five out of five stars and recommend anyone with an AD environment give the product a whirl. With trial versions available there’s little risk and I’ll bet from the first report on, you’ll be a fan too.