ManageEngine ADAudit Plus is a UBA-driven auditor that bolsters your Active Directory (AD) security infrastructure. With over 250 built-in reports, it provides you with granular insights into what’s happening within your AD, such as all the changes made to objects and their attributes. This can include changes to users, computers, groups, network shares, and more. ADAudit Plus also helps monitor privileged user activities in the domain, track logons and logoffs on workstations, and provide visibility into AD account lockouts.

In this blog series, we’ll look at the numerous reports that ADAudit Plus provides.

The User Logon Reports category features 16 preconfigured reports that display granular audit details related to user logons, logon failures, users logged in to multiple computers, and more.

In this, our fourth blog of this series, we’ll discuss the next report in the User Logon category: the Domain Controller Logon Activity report. Before we begin, you can receive a quick refresher about the Users First and Last Logon By Computers report in the third blog in the series.

Before we deep dive into the report, let’s first quickly review what a domain controller is and why admins need to audit it in the first place.

Domain controllers are one of the most critical components for any organizations’ AD infrastructure and are the servers responsible for authenticating users and authorizing access to domain resources.

They are the gatekeepers who manage access to all the IT resources of a domain, making it critical for organizations to keep a constant watch on them. IT administrators should continuously monitor the DC logon events so that they can detect any anomalous activity, identify any misuse of privileges, and expedite the forensic analysis in case of a threat situation.

Say hi to James, an IT admin from ABC Corp., whose organization is a victim of a cybercrime and now wants to audit domain controller logon activity on the day of attack.

Problem: How can James track when a user performed the logon activity on a domain controller?

Solution: The Domain Controller Logon Activity report in ADAudit Plus helps James generate a report on the all the users who have performed a logon action on a domain controller.

Figure 1. This screenshot shows the Domain Controller Logon Activity report in ADAudit Plus

The report helps James by providing him with essential details like:

1. Username

2. The client IP address

3. Domain controller name

4. The date and time of the login attempt

5. The event type, i.e., success or failure

6. ‌Reason for the failure, in case the logon attempt failed

As seen in Figure 1, the generated report provides all the necessary information regarding the logon activity on the domain controller.

The report is extremely beneficial for admins like James for conducting a forensic analysis following a cyberattack, and to identify ‌which user’s system was compromised to execute the attack.

Further, James can perform the following actions on the generated report:

1. Select Export As to generate the report in any of the preferred formats (CSV, PDF, HTML, or XLS).

2. Schedule these reports to run at a preferred time for automatic, periodic reporting, and have them sent to his email address.

3. Use the Add/Remove Column feature available in the report to select additional attributes.

4. Generate reports by selecting multiple domains.

The who, when, and where information is critical for IT admins to receive a clear picture of what’s happening in their AD, which can be easily viewed using the extensive reporting module of ADAudit Plus.

Sign up for a personalized demo with our product experts to explore how ManageEngine ADAudit Plus can assist you with monitoring and securing your AD environment.