Configuration and Schema changes are being duplicated for all monitored domains in a forest and reported as made by System

Active Directory
Reporting
6.5 and older
7.0-8.5
9.0-9.7
9.8
https://kb.netwrix.com/2803

Here is a typical scenario:

Netwrix Auditor is set to monitor several domains in the same forest (for example, one root domain and several child domains). The configuration or schema is changed in one of the child domains, but Netwrix Auditor reports that change in a separate change report for each of the monitored domains. Only one of those reports indicates who made the change; the others show "System" as the originator.

For example, an environment consists of three domains, all monitored by Netwrix Auditor: the forest root domainx.local and two child domains, DomainZ.domainx.local and DomainY.domainx.local. Hub Transport settings were changed in child domain DomainY, but Netwrix Auditor included that change in the reports for all three domains. The report for DomainY shows the user account that made the change, while the other two reports show the change as made by System.

Child domain: DomainY.domainx.local
——————————————————-

Change Type:   Modified
Object Type:   Hub Transport/Receive Connector
When Changed:  12/20/2013 12:37:16 PM
Who Changed:   DomainY\Administrator
Where Changed: DC02.DomainY.domainx.local
Object Name:   \domainx\Administrative Groups\Exchange Administrative Group (FGYSJWDN23DJISW)\Servers\HB01-EX31\Protocols\SMTP Receive Connectors\Internal
Details:       Receive mail from remote servers that have these IP addresses: Added: "192.168.70.0"

Child domain: DomainZ.domainx.local
——————————————————-

Change Type:   Modified
Object Type:   Hub Transport/Receive Connector
When Changed:  unknown
Who Changed:   system
Where Changed: unknown
Object Name:   \domainx\Administrative Groups\Exchange Administrative Group (FGYSJWDN23DJISW)\Servers\HB01-EX31\Protocols\SMTP Receive Connectors\Internal
Details:       Receive mail from remote servers that have these IP addresses: Added: "192.168.70.0"

Root domain: domainx.local
——————————————————-

Change Type:   Modified
Object Type:   Hub Transport/Receive Connector
When Changed:  unknown
Who Changed:   system
Where Changed: unknown
Object Name:   \domainx\Administrative Groups\Exchange Administrative Group (FGYSJWDN23DJISW)\Servers\HB01-EX31\Protocols\SMTP Receive Connectors\Internal
Details:       Receive mail from remote servers that have these IP addresses: Added: "192.168.70.0"

This is expected behavior and is explained by the Active Directory architecture.

The Configuration and Schema partitions are forest-wide: every domain controller in the forest holds a replica of them, so a change written to either partition on one domain controller is replicated to the domain controllers of every other domain. The Security log events that Netwrix Auditor uses to determine WHO CHANGED (Directory Service Changes auditing), however, are generated only on the domain controller that actually processed the write. A domain controller that receives the change through replication logs no such event. That is why the reports for the other domains show "System" for Who Changed, and "unknown" for When Changed and Where Changed: the change is visible in their replica of the partition, but no Security event exists there to attribute it.

Netwrix Auditor collects events only from domain controllers in the domains selected in the product (plus domain controllers in the forest root domain) and ignores domain controllers in domains that are not selected for auditing. Changes and Security events are collected separately and independently for each managed domain. In the example above, every domain showed the configuration change (because of replication), but only DomainY had the corresponding Security events from which Netwrix Auditor could obtain the WHO value.
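To confirm this for a specific change, a practitioner can ask Active Directory itself which domain controller originated the write and then look for the matching Directory Service Changes event (ID 5136) on that DC only. The following PowerShell is an added example and is not part of the Netwrix KB article or the product; it assumes the RSAT ActiveDirectory module, Directory Service Changes auditing enabled on the originating DC, and a receive-connector DN and attribute name (msExchSmtpReceiveRemoteIPRanges) modelled on the report above rather than taken from it.

```powershell
# Added example (not from the Netwrix KB article). Shows why only one DC can
# answer "who changed" for a Configuration-partition object: replication
# metadata names the originating DC, and only that DC logs event 5136.
Import-Module ActiveDirectory

# Assumed DN and attribute, modelled on the Object Name / Details in the report.
$objectDn  = 'CN=Internal,CN=SMTP Receive Connectors,CN=Protocols,CN=HB01-EX31,CN=Servers,' +
             'CN=Exchange Administrative Group (FGYSJWDN23DJISW),CN=Administrative Groups,' +
             'CN=domainx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domainx,DC=local'
$attribute = 'msExchSmtpReceiveRemoteIPRanges'

function Get-OriginatingDC {
    param([string]$Dn, [string]$Attribute, [string]$AnyDc)
    # Replication metadata travels with the object, so any DC holding the
    # Configuration NC can report which DSA originated the last write.
    $meta = Get-ADReplicationAttributeMetadata -Object $Dn -Server $AnyDc -Properties $Attribute
    [pscustomobject]@{
        Attribute     = $meta.AttributeName
        OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity   # NTDS Settings DN of the writer
        ChangedAt     = $meta.LastOriginatingChangeTime
        Version       = $meta.Version
    }
}

function Get-WhoChanged {
    param([string]$Dc, [string]$Dn, [datetime]$Since)
    # Event 5136 ("A directory service object was modified") is written only
    # by the DC that processed the LDAP write, never by DCs that merely
    # received the change through replication, so non-originating DCs
    # return nothing here, which is the "System" case in the reports above.
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d.ObjectDN -eq $Dn) {
                [pscustomobject]@{
                    DC        = $Dc
                    When      = $_.TimeCreated
                    Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Attribute = $d.AttributeLDAPDisplayName
                    Value     = $d.AttributeValue
                    Operation = $d.OperationType   # %%14674 = value added, %%14675 = value deleted
                }
            }
        }
}

# 1. Ask any DC which DSA originated the change (here the DC named in the DomainY report).
$origin = Get-OriginatingDC -Dn $objectDn -Attribute $attribute -AnyDc 'DC02.DomainY.domainx.local'
$origin | Format-List

# 2. Query every DC in the forest; only the originating DC should return rows.
$since = $origin.ChangedAt.AddMinutes(-5)
foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        Get-WhoChanged -Dc $dc.HostName -Dn $objectDn -Since $since
    }
}
```

If step 2 returns a row only for the DC named in step 1, the "System" entries in the other domains' reports are confirmed to be the replication artifact described above rather than an unattributed change. The same check works for Schema-partition objects; substitute the schema object's DN and attribute.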

For more information regarding Active Directory architecture please refer to the following Microsoft kb article: http://technet.microsoft.com/en-us/library/bb727030.aspx
