Saturday, November 19, 2011

Tracking AD Group Changes with Varonis

Varonis DatAdvantage tracks changes in Active Directory group membership by comparing the results of the nightly AD walks. To see the changes that have been made to a user, we can use the "1a - User Access Log" report. The key filter to remember is that we want to show data from the "History of Differences," which holds the changes that have been picked up by the nightly jobs. Then we need to select the date range that we want to look at.

Then select the "Operation Type" filter. There are two operation types that we can select depending on what we are trying to track:

  • Membership Removed

  • Membership Added

Add a filter on Object Type to look only at "Groups."

The final piece is that the user affected by the change is identified in the "Change Description" field. Use the "Like" operator and remember to enter the domain name before the start of the user name.

Run the report and you have the answer you were looking for.
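The nightly-walk comparison and the report filters described above can be pictured with a short sketch. This is an added example, not Varonis code or its data format: the snapshot layout, the `CORP\user` naming, the `%` wildcard and all function names are assumptions, and the data is constructed.

```python
import re

# Constructed sample data: two nightly walks, each mapping group -> members.
# The DOMAIN\name form and the record fields below are assumptions.
WALK_NOV17 = {
    "CORP\\Finance-RW": {"CORP\\asmith", "CORP\\bjones"},
    "CORP\\HR-RO": {"CORP\\asmith"},
}
WALK_NOV18 = {
    "CORP\\Finance-RW": {"CORP\\bjones"},
    "CORP\\HR-RO": {"CORP\\asmith", "CORP\\cdoe"},
    "CORP\\Domain Admins": {"CORP\\asmith"},
}

def diff_walks(old, new, walk_date):
    """Return one change record per membership that differs between two walks."""
    changes = []
    for group in sorted(set(old) | set(new)):
        before, after = old.get(group, set()), new.get(group, set())
        for op, members in (("Membership Added", after - before),
                            ("Membership Removed", before - after)):
            for member in sorted(members):
                changes.append({
                    "date": walk_date,
                    "operation_type": op,
                    "object_type": "Groups",
                    # Assumed layout: domain-qualified user first, then group.
                    "change_description": f"{member} : {group}",
                })
    return changes

def like(value, pattern):
    """SQL-style LIKE: % matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def filter_changes(changes, operation_type, user_pattern):
    """Filter on operation type, object type and change description."""
    return [c for c in changes
            if c["operation_type"] == operation_type
            and c["object_type"] == "Groups"
            and like(c["change_description"], user_pattern)]
```

In this sketch a pattern without the domain prefix, such as `asmith%`, matches nothing because the description starts with the domain name. A membership that is added and removed again between two walks leaves no record in a snapshot diff like this one.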

Note: Starting in Version 5.6 of Varonis DatAdvantage we also have the "3e - Historical Group Membership" report, which will display the groups a user belonged to on a specific date. It is a great report for answering those tricky audit questions.