Active Directory Monitoring Scope

You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Active Directory monitoring scope. You can apply restrictions to monitoring scope via the UI. See the Objects topic for additional information.

RECOMMENDED: Configure monitoring scope restrictions on the Active Directory monitoring plan page. See the Active Directory topic for additional information.

Follow the steps to exclude data from the Active Directory monitoring scope:

Step 1 – Navigate to the %Netwrix Auditor installation folder%\Active Directory Auditing folder.

Step 2 – Edit the *.txt files, based on the following guidelines:

  • Each entry must be a separate line.
  • A wildcard (*) is supported. You can use * for cmdlets and their parameters.
  • Lines that start with the # sign are treated as comments and are ignored.

| File | Description | Syntax |
|---|---|---|
| addprops.txt | Contains a list of properties that should be included for newly created AD objects. When a new object is added, Auditor does not show any data in the Details column in the Activity Summary emails. If you want to see the information on certain attributes of a newly created object, specify these attributes in this file. | Object type:property: For example, to show a group description on this group's creation, add the following line: group:description: |
| allowedpathlist.txt | Contains a list of AD paths to be included in Activity Summaries, reports, and search results. | Path. The path must be provided in the same format as it is displayed in the What column. For example, if you only want to monitor specific OU(s) in the AD domain rather than the entire domain, you can put a wildcard (*) in the omitpathlist.txt file to exclude all paths, and then specify the OU(s) you want to monitor in the allowedpathlist.txt file. Adding the wildcard (*) to omitpathlist.txt will not allow Netwrix Auditor to run AD state-in-time data collection. |
| omitallowedpathlist.txt | Contains a list of AD paths to be excluded from Activity Summaries, reports, and search results. This file can be used if you want to exclude certain paths inside those specified in the allowedpathlist.txt file. | Path. The path must be provided in the same format as it is displayed in the What column. For example, you can put a wildcard (*) in the omitpathlist.txt file to exclude all paths, then specify the OU(s) you want to monitor in the allowedpathlist.txt file, and then specify the paths you want to exclude from within them in the omitallowedpathlist.txt file. Adding the wildcard (*) to omitpathlist.txt will not allow Netwrix Auditor to run AD state-in-time data collection. |
| omitexchangeserverlist.txt | Specify the Microsoft Exchange 2010 servers to be excluded from data collection. | FQDN_server_name NOTE: You can use the wildcard (*) when specifying servers for exclusion. |
| omitobjlist.txt | Contains a list of object types to be excluded from Activity Summaries, reports, and search results. | Object type. For example, to omit changes to the printQueue object, add the following line: printQueue. |
| omitpathlist.txt | Contains a list of AD paths to be excluded from Activity Summaries, reports, and search results. | Path. The path must be provided in the same format as it is displayed in the What column. For example, to exclude changes to the Service Desk OU, add the following line: *\Service Desk\*. |
| omitproplist.txt | Contains a list of object types and properties to be excluded from Activity Summaries, reports, and search results. | object_type.property_name If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example, to exclude the adminCount property from reports, add the following line: *.adminCount. |
| omitreporterrors.txt | Contains a list of errors to be excluded from Netwrix Health Log. Thus, these errors will not appear in the Activity Summary emails. | Error message text. For example, if you have advanced audit settings applied to your domain controllers policy, the following error will be returned in the Activity Summary emails: Auditing of Directory Service Access is not enabled for this DC. Adjust the audit policy settings using the Active Directory Audit Configuration Wizard or see the product documentation for more information. Add the text of this error message to this file to stop getting it in the Activity Summary emails. |
| omitsnapshotpathlist.txt | Contains a list of AD paths to be excluded from AD snapshots. | Path. The path must be provided in the same format as it is displayed in the What column. For example, to exclude data on the Disabled Accounts OU from the Snapshot report, add the following line: *\Disabled Accounts*. |
| omitstorelist.txt | Contains a list of object types and properties to be excluded from AD snapshots. | object_type.property_name If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example, to exclude data on the AD adminDescription property, add the following line: *.adminDescription. |
| omituserlist.txt | Contains a list of users you want to exclude from search results, reports and Activity Summaries. | domain\username For example, *\administrator. |
| processaddedprops.txt | Contains a list of properties that should be included for newly created AD objects. When a new object is created, Auditor does not show any data in the Details column in reports. If you want to see the information on certain attributes of a newly created object, specify these attributes in this file. | object type:property: For example, if you want a user's Description property to be displayed in the reports when a user is added, add the following line: User:Description: |
| processdeletedprops.txt | Contains a list of properties that should be included for deleted AD objects. When an object is deleted, Auditor does not show any data in the Details column in reports. If you want to see the information on certain attributes of a deleted object, specify these attributes in this file. | object type:property: For example, if you want a user's Description property to be displayed in the reports when a user is deleted, add the following line: User:Description: |
| propnames.txt | Contains a list of human-readable names for object types and properties to be displayed in Activity Summaries, reports, and search results. | classname.attrname=intelligiblename For example, if you want the adminDescription property to be displayed in the reports as Admin Screen Description, add the following line: *.adminDescription=Admin Screen Description |

Example

To exclude the "corp/Administrator" user from being audited, use the following syntax in the omitusers.txt file:

# Specify users whose activity you want to exclude from Active Directory search results, reports and Activity Summaries.
# Syntax: Domain\Username
# Note: Wildcard * is supported and can replace any number of characters.
# Example:
# Corp\Administrator
Corp\Administrator
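
The following is an added example, not Netwrix code: a small model of how omitpathlist.txt, allowedpathlist.txt and omitallowedpathlist.txt combine, so that a set of exclusions can be checked against sample What column paths before it is deployed and unintended blind spots are caught. The case-insensitive whole-path matching, the function names and the sample paths are assumptions made for the illustration.

```python
import re

def load_entries(text):
    """Active entries of a scope file: one per line, '#' comments and blanks skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def to_regex(entry):
    """Treat '*' as the only wildcard; all other characters are literal."""
    body = ".*".join(re.escape(part) for part in entry.split("*"))
    # Assumption: case-insensitive match against the whole What-column path.
    return re.compile(body + r"\Z", re.IGNORECASE | re.DOTALL)

def matches(path, entries):
    return any(to_regex(e).match(path) for e in entries)

def is_reported(path, omit, allowed, omit_allowed):
    """Modelled precedence: omitallowedpathlist > allowedpathlist > omitpathlist."""
    if matches(path, allowed):
        return not matches(path, omit_allowed)
    return not matches(path, omit)

def lint(omit):
    """Flag the bare '*' entry, which the table says prevents state-in-time collection."""
    return ["omitpathlist.txt: '*' prevents AD state-in-time data collection"
            for e in omit if e == "*"]

# Constructed file contents and paths, for illustration only.
OMIT = load_entries("# exclude everything by default\n*\n")
ALLOWED = load_entries("*\\Finance\\*\n")
OMIT_ALLOWED = load_entries("*\\Finance\\Printers\\*\n")

if __name__ == "__main__":
    for p in (r"\com\corp\Finance\Alice", r"\com\corp\Finance\Printers\HP1",
              r"\com\corp\IT\Bob"):
        print(p, "reported" if is_reported(p, OMIT, ALLOWED, OMIT_ALLOWED) else "hidden")
    print(lint(OMIT))
```

Running the same check over paths that must always stay visible, such as OUs holding privileged accounts, shows whether a broad wildcard has silently removed them from reports.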