User-based Consolidated Audit Trail: Input a username and find out what the user did in Active Directory

What will you do if you want to find out what changes a certain help desk technician made in Active Directory over a week’s time? Or, extract a change audit trail for a certain user as a part of a security incident investigation?

PowerShell can help but will certainly require a great deal of effort to offer the kind of visibility and correlation required for an investigation, which is exactly what ADAudit Plus packs into its search utility.

ADAudit Plus provides you a search capability which enables you to instantly trace the footsteps of a specified user in the Active Directory. Simple and straightforward to use, this search takes three inputs –username for which you require an audit trail, domain, and time period – and instantly provides the following consolidated summary:

• Object History: a summary of configuration changes to the account in question. Example, changes to the permissions of the specified account, or the number of times it was locked out, or recent attempts to reset its password.
• Logon History: a summary of all kinds of access, interactive or remote, by the specified account.​
• Actions: a summary of configuration changes that the said account carried out on other Active Directory objects for the selected time period.

Drilled-down Audit Data under the Hood

Every detail presented in the consolidated summary is a link, which further unfurls into an elaborate report. For example, while perusing the results for administrator activity over a week’s time, you can click open the GPO Modified report for a closer look, maybe for comparing old and new values.

All Valuable Info in One Place: The right mix of information for better investigation

From an incident investigation standpoint, this search capability strings together all the vital pieces of forensic information namely

• What had been done with the perpetrator account (caller username)
• What changes the said account (caller username) had made in Active Directory
• Logon history for the account (caller username) to help you identify the computers from where it made those changes and also to identify any other computer access

When pieced and analyzed together, such information provides better context, thereby enabling you to connect the dots easily or even steer the investigation in the right direction. For example, assume that you suspect user A to have tampered with Active Directory. You use the audit trail search to investigate.

• The result reveals that user A accessed Active Directory from computer X, created in Active Directory a new user account and then deleted it.
• Then you use the search to track the deleted account’s actions. Results sum up and can be construed as follows:

That’s the potential of ADAudit Plus’s Consolidated Audit Trail.