For the best web experience, please use IE11+, Chrome, Firefox, or Safari

What is Active Directory monitoring and why is it important?

What is Active Directory monitoring?

Active Directory monitoring is the process of maintaining the health and operations of Active Directory (AD), the core identity and access management system used by most organizations today. It is a key element of a broader Active Directory management strategy.

What are the benefits of Active Directory monitoring?

Reduced risk of costly breaches

The average cost of a data breach now exceeds US$4 million. Robust, continuous Active Directory monitoring can help you reduce the risk of suffering a breach in the first place and reduce the impact of incidents that do occur.

The reason is simple: Active Directory is a key target of attackers because it is the primary authentication and authorization service for over 90 percent of the world’s enterprises. By taking over AD accounts, adversaries gain access to your organization’s vital systems and data, and by abusing AD functionality, they can elevate their privileges and even gain total control of your IT ecosystem. That includes cloud resources, since in most hybrid environments, AD identities are synched to Entra ID (formerly Azure AD).

With effective Active Directory monitoring, you can promptly identify suspicious changes and other activity, so you can immediately take steps to thwart an attack. In particular, AD monitoring looks for indicators of exposure (IOEs), which are clues that a vulnerability exists and could be exploited by attackers. It also looks for indicators of compromise (IOCs), which are signs that a breach has already occurred or is in progress.

Reduced risk of expensive downtime

Data breaches are not the only risk that organizations need to be concerned about.  Non-malicious events like errors by IT admins, power outages and equipment failures can also lead to IT system disruptions or downtime that affect business processes. The cost of such IT system outages — even without a data breach — can exceed $5 million per hour.

Accordingly, organizations need to focus not just on cybersecurity but on cyber resilience: keeping the IT environment up and running as much as possible, and getting it back up and running quickly when a disruption does occur. Active Directory monitoring is essential for cyber resilience because Active Directory is vital for users to do their jobs and for vital processes to run. Simply put, if your Active Directory is down, your business is dead in the water, and costs will quickly begin to mount.

Active Directory delivers a set of services, including Active Directory Domain Services (AD DS), which runs on special servers called domain controllers (DCs). Active Directory services are subject to the same performance issues as any other application, so IT pros need to keep a close eye on Active Directory health and performance through continuous Active Directory monitoring.

Fewer fines and penalties

Regulations like GDPR, HIPAA, PCI DSS, SOX, FISMA and GLBA differ in the types of data they protect, but they all share a core fundamental goal: controlling who can access regulated data and what they can do with it.

In a Microsoft environment, Active Directory is the core identity repository and provider of authentication and authorization services, making it the gatekeeper for access to regulated data. Robust Active Directory monitoring helps you ensure that only the right people are accessing regulated data. As a result, you can achieve, maintain and prove compliance with a wide range of legislative mandates and industry standards, and avoid steep fines and increased oversight.

Stronger customer satisfaction and loyalty

Customers today have choices about where they do business. If your IT systems are not available when they’re needed or your organization experiences a security breach that lands it in the headlines, customers will tend to bolt.

Active Directory monitoring helps you stand out from the competition by enabling you to maintain strong cybersecurity and keep your services up and running. This improved cyber resilience can reduce customer churn and is quite attractive to new clients as well.

What are the benefits of Active Directory monitoring

Why is it important to monitor Active Directory?

Active Directory monitoring is essential for a wide range of critical goals, including the following:

  • Faster threat detection and response — AD monitoring empowers you to promptly detect suspicious activity, such as multiple failed login attempts, unusual access to sensitive resources, and changes to critical objects like powerful security groups and Group Policy objects (GPOs). Quick threat detection is vital to limiting or even preventing damage from attacks and mistakes.
  • Accountability and compliance — AD monitoring provides a detailed audit trail of all changes and other activity, enabling organizations to hold individuals accountable for their actions and simplifying compliance with legal mandates and industry standards.
  • Performance optimization and capacity planning — AD monitoring helps you spot bottlenecks and other performance issues in your AD infrastructure so you can ensure a smooth user experience and efficient network operations. Plus, Active Directory monitoring can help you predict when the infrastructure is reaching its capacity limits and plan effectively to handle increasing workloads.
  • Business productivity — Active Directory monitoring helps you promptly identify login difficulties, resource access problems and other user-related issues so you can resolve them promptly to ensure smooth business operations. Moreover, using an enterprise-quality Active Directory security tool can empower your IT teams to be far more efficient and effective.

What should you monitor in Active Directory?

A comprehensive Active Directory monitoring strategy should address all of the following elements:

Domain controllers

Domain controllers (DCs) are special servers that run the Windows Server operating system and provide Active Directory services. In particular, be sure your Active Directory monitoring plan covers the following:

  • DC configuration — It’s vital to ensure that your DCs are configured properly and stay that way, since a single improper modification can result in everything from authentication slowdowns to catastrophic outages. For example, FSMO roles determine which domain controller handles key Active Directory functions like schema changes.
  • DC replication — Organizations normally have multiple DCs, and each one has a copy of the directory for the AD domain. Any change made to the directory on one DC (such as a user changing their password or a user account being locked out for too many incorrect passwords) is replicated to the other DCs so they all stay up to date. Issues with replication can result in users experiencing problems logging in or accessing the resources they need to do their jobs. Moreover, adversaries can abuse the replication process as part of a cyberattack; one example is a DCSync attack, which can be a key step in a broader Golden Ticket attack.
  • DC availability and resource utilization — It’s also vital to ensure that your DCs remain online and functioning properly. Be sure to establish normal baselines for metrics like CPU, memory, disk space and network bandwidth usage so you can spot suspicious changes. Tracking resources on your Windows servers over time also empowers to you avoid reaching warning thresholds and putting business continuity at risk.
  • DC activity It’s also vital to audit the activity on your DCs as part of AD monitoring. In particular, each DC hosts a copy of the domain directory, the NTDS.dit file. Because this file stores critical data about AD users, groups, computers, password hashes and directory configuration, adversaries often try to exfiltrate it; for instance, this technique can be an indication of an impending Golden Ticket attack.

Identity and privilege

Identity and access management (IAM) is vital to ensuring security, compliance, productivity and cyber resilience. Key areas of concern for any Active Directory monitoring strategy include:

  • Changes to privileged groups — Active Directory includes multiple built-in security groups that give their members significant power in the IT environment, such as Enterprise Admins and Domain Admins. Organizations can also create their own privileged AD groups to control access to sensitive data, applications and other IT assets. It’s critical to closely monitor any changes to the rights or membership of any of these powerful Active Directory security groups.
  • Changes to Azure AD roles — Assigning Azure AD roles to users empowers them to access and manage critical resources. It’s vital to promptly spot any unauthorized change to role membership or privileges, since it could be an adversary attempting to escalate their rights in the environment.
  • Creation of new user accounts — Creation of a new user account is not inherently suspicious, since many organizations are constantly onboarding new employees and contractors. But since an AD account typically grants access to critical resources, it’s vital to watch for unauthorized provisioning activity as part of your AD monitoring strategy.
  • Inactive accounts — Smart adversaries know that IT pros monitor AD account creation. To avoid getting caught, they often use another tactic to gain or expand their access: taking over inactive AD accounts. 


  • Activity of privileged accounts — Administrators and other privileged users can misuse their accounts, either accidentally or deliberately, and those powerful accounts are a prime target for takeover by attackers. Remember to also closely audit the activity of all service accounts that have elevated rights.
  • User account lockouts — Most user account lockouts are not a sign of a threat, but they can disrupt business processes, so it’s important to monitor them. However, a surge in account lockouts can be a sign of a brute-force attack on your network.
  • Authentication activity — Tracking user logon and logoff activity as part of Active Directory monitoring is vital because it helps you understand normal user behavior and spot unusual activity that could be a threat. It’s also important to monitor use of the older and riskier NTLM authentication protocol, and watch for attempts to exploit the Kerberos authentication protocol, which can indicate Golden Ticket and Pass-the-Ticket attacks.
  • Azure AD sign-ins — In a hybrid environment, it’s also crucial to track sign-in and sign-off activity in Azure AD. Ideally, you want to have this activity correlated with on-premises logon and logoff events to provide a coherent picture that can uncover more complex threats.
  • Changes to DNS — DNS is a critical service that translates computer names into their corresponding IP addresses. In particular, when an AD user logs on, DNS queries the DNS server to locate a Windows domain controller to perform the authentication. Because the DNS database is stored in AD, Active Directory monitoring is vital to detecting unauthorized DNS changes that could lead to a security incident or service disruption.

Group Policy

Group Policy is an exceeding powerful feature of Active Directory. It has literally thousands of settings that enable IT pros to control deploy software, enforce password policies, block use of less-secure Active Directory authentication protocols and much, much more.

Any improper modification to a GPO — whether it’s deliberate or accidental — can disrupt critical services and block legitimate user access to resources, hurting business operations. For example, a single change could give adversaries unlimited attempts to guess account passwords, enable unidentified users to connect to a network share that stores regulated data, or permit the use of USB devices that could unleash ransomware. Therefore, every Active Directory monitoring strategy needs to pay careful attention to Group Policy.

How can you monitor users in Active Directory?

Microsoft offers two types of audit policy settings for monitoring Active Directory users and activity. (Note that Microsoft advises not using both of these options together, since doing so can cause “unexpected results” in audit reporting).

The two types of settings are:

  • Basic audit settings— These nine settings are available in Security Settings\Local Policies\Audit Policy. They enable you control auditing of account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking and system events.
  • Advanced policy settings— The 53 settings in Security Settings\Advanced Audit Policy Configuration enable you to define a much more granular policy for auditing Active Directory. For example, you can audit when a group administrator has changed settings on a server that contains financial information. You can access these settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy.

For more comprehensive and effective auditing of user activity, many organizations invest in a third-party AD monitoring solution.

What are the key challenges of Active Directory monitoring?

Microsoft provides several Active Directory monitoring tools, including Microsoft System Center Operations Manager (SCOM), Windows PowerShell, Active Directory Users and Computers (ADUC), and the Active Directory Schema snap-ins for Microsoft Management Console (MMC).

However, the functionality of native tools is limited; it’s awkward at best to keep switching between tools; and tasks are often manual, time-consuming and error-prone. Additional important include the following:

  • Limited visibility into access rights — Native AD monitoring tools and manual processes do not provide a deep understanding of who has access to what, how access was granted, who has elevated permissions, and which objects and systems are vulnerable to security threats. 
  • Lack of critical details — Native logs often fail to record important details about events. For example, while the log will show that a GPO was changed, it will not reveal the critical before and after settings.
  • Lack of context — Event details contain limited context, and there is no comprehensive view of all changes from all the many native log sources. Therefore, it can be hard to understand broader patterns or more complex attack strategies.
  • Lack of clarity about Tier 0 assets — Native tools fail to provide insight into the organization’s Tier 0 assets, such as domain controllers, other powerful servers, and accounts that have direct or indirect administrative control over the AD forest, domains or DCs. This includes not just members of powerful security groups like Domain Admins and Enterprise Admins, but accounts that could gain elevated privileges due to AD security weaknesses like nested group membership in a series of steps known as an attack path.
  • Cryptic and noisy logs — Native logs are notoriously cryptic and voluminous, so wading them requires a lot of time and effort. But even when performed by skilled IT pros, it is extremely prone to errors. It is nearly impossible to spot the truly suspicious events in the vast sea of data.
  • Lack of supporting capabilities — Native AD monitoring also does not offer the following important functionality:
    • There is no proactive alerting on suspicious events.
    • There is no reporting capability to satisfy internal security groups or external compliance requirements.
    • There is no way to prevent unwanted changes to the most sensitive Active Directory objects.

To address these limitations, some organizations implement a security information and event management (SIEM) system. However, many SIEM tools rely on the native system event logs, which do not provide a complete picture of what is happening in Active Directory — especially since attackers actively look for ways to circumvent logging in order to avoid detection.

Accordingly, for more comprehensive, reliable and accurate AD monitoring, organizations often invest in third-party Active Directory security solutions that do not rely solely on Windows event logs and that provide a broad suite of valuable functionality.

Active Directory monitoring best practices

For effective Active Directory monitoring, follow these best practices:

Establish a sound AD structure

AD monitoring is part of a broader Active Directory management strategy, which requires a solid foundation. Take a hard look at your Active Directory domains, organizational units (OUs) and schema, and consider how you can make it more manageable and structured. Develop and follow standardized naming practices, and clean up your Active Directory objects, including stale user accounts and Group Policy sprawl. These steps will dramatically simplify management while improving security and compliance.

In addition, it’s invaluable to be able to prevent changes to your most important AD objects, including powerful administrative security groups and crucial GPOs.

Identify your Tier 0 assets

Focus your Active Directory monitoring by clearly understanding your Tier 0 assets. In particular, map out the attack paths that could enable an attacker who compromises an ordinary user account to gain control of your domain in a handful of steps. Mitigate the choke points that attack paths share to limit risk, and closely monitor activity around all remaining Tier 0 assets.

Monitor AD health

An IT environment is a dynamic place; no matter how perfectly you plan your OUs and schemas, you can’t simply set up your Active Directory and forget it. Users, computers, printers and other Active Directory objects come and go, so you’ll need procedures for provisioning and deprovisioning, which should be automated as much as possible through approval-based workflows. You should also regularly identify inactive user and computer accounts so you can clean them up before they can be misused.

More broadly, you also need to monitor the health of your domain controllers and the replication of data between them in real time. Otherwise, users might very well experience problems logging in or accessing the resources they need to do their jobs.

Configure a robust audit policy

Configuring advanced audit policy enables you to granularly determine what events to collect, which reduces noise. Be sure to establish a reasonable security log size and a flexible retention policy to prevent information loss and overwrites.

Don’t rely on native logging alone

Improve your ability to spot attacks and conduct forensic analysis by collecting not just native logs but other critical audit information that is not logged there. Choose an AD monitoring solution that can consolidate and normalize the data to provide contextual information about activity across the IT ecosystem and give you insight into all stages of an incident, from logon to logoff. Ideally, you want a 360-degree view of all related activities across users and resources.

Pay attention to Group Policy

Group Policy is an incredibly powerful and useful tool. Unfortunately, native tools don’t make it easy to keep Group Policy under control, and adversaries are eager to misuse GPOs to further their attacks. Therefore, it’s wise to invest in an Active Directory security tool that provides effective Group Policy management capabilities.

Be sure you have effective analytics, alerting and reporting

Active Directory monitoring in and of itself isn’t useful — you need to be able to make sense of the immense volume of data collected and respond quickly to potential threats to security, performance or availability. Therefore, you need powerful analytics, advanced alerting, and comprehensive and customizable reporting.

Active Directory monitoring best practices

Powerful change monitoring

Start monitoring your AD today with Change Auditor.