Can Netwrix Auditor be configured to monitor only specific users in the AD domain and Exchange?
The product has the following ways to exclude Active Directory objects from being audited
The files are located under the Netwrix Auditor installation path, for example C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing\
1. Omitpathlist.txt contains a list of AD paths to be excluded from Change Reports.
- *USERS omits all objects in the Users OU located anywhere in the AD
- *USERS* omits all objects in the OU which name begins with USERS and the OU itself.
- *SacrementoUSERS* would be used if I only wanted to omit users in a very specific OU named USERS where I had multiple with the same name.
2. Allowedpathlist.txt contains a list of AD paths to be included in Change Reports. This file can be used, for example, if you only want to monitor specific OU(s) inside your AD domain, but not entire domain. In this case, put a wildcard (*) in omitpathlist.txt file to exclude all paths, and then specify the OU(s) you want to monitor in the allowedpathlist.txt file.
For example: If you add DomainUSERS to omitpathlist.txt list and add DomainUSERSEmployees into allowedpathlist.txt the contents of the Users OU will not be audited but the contents of the Employees OU and all its child objects will be monitored.
3. Omitallowedpathlist.txt contains a list of AD paths to be excluded from Change Summaries and Reports. This file can be used if you want to exclude certain paths inside those specified in the allowedpathlist.txt file. In this case, put a wildcard (*) in the omitpathlist.txt file to exclude all paths, then specify the OU(s) you want to monitor in the allowedpathlist.txt file, and then specify the paths you want to exclude from within them in the omitallowedpathlist.txt file.
Note: It is not recommended to omit changes made to service accounts from being audited as these accounts typically have elevated privileges and this is a security hole in your auditing. It must be stressed that when you omit objects from being audited it is not changes made BY these objects but rather TO these objects.