Netwrix Auditor, your super hero to the rescue
Junie Johwa | TrustRadius Reviewer
Updated October 18, 2019

Score 9 out of 10

Overall Satisfaction with Netwrix Auditor

It is used by two departments: the User Department, where I belong, and the Security Team, along with our Manager and CIO. It addresses auditing who made a change and what changes privileged accounts make, and it can review a session of a user who logged into a server, perhaps at odd hours, which could be suspicious.
  • Who has done the changes on systems
  • Password lockouts where it will tell you exactly where a person is locking which can be frustrating if it occurs too many times for one user.
  • It can show you things we rarely look at in our environment, e.g. on Active Directory, things like duplicate group policy settings, empty security groups, and computers which have not logged in for a long time, thus helping you with your computer inventory.
  • Being able to get the actual device a user is locking in from Exchange Server because if a user is found to be locking out from an Exchange Server we have to look at Exchange Server IIS logs and parse through them using other tools like Log Parser looking for wrong password report. We need to use one product and that is Netwrix Auditor.
  • The software could also show when a server was restarted or rebooted.
  • Standby people no longer have to struggle to know where the user's account is locking.
  • Group policies were able to be troubleshot better due to being able to see duplicate settings from other group policies which avoided the clashing of group policies.
  • Removing clutter and risks on Active Directory, e.g. empty security groups and privileged accounts that shouldn't have privileges in the first place.
This was using its logs, e.g. IIS logs, and loading them to Log Parser. Netwrix Auditor has all the audit tools you need; there is no fetching logs from somewhere and loading them manually. The reporting is robust and you can see an executive summary of risks in your environment on one screen. The software is modular, which means you can add other systems, e.g. SharePoint, SQL Server, etc., as systems you want to monitor and have a one-stop-shop software for your organization without having disparate systems to audit other software packages.
They are very responsive and they can assist you remotely when you are stuck!!

Do you think Netwrix Auditor delivers good value for the price?

Yes

Are you happy with Netwrix Auditor's feature set?

Yes

Did Netwrix Auditor live up to sales and marketing promises?

Yes

Did implementation of Netwrix Auditor go as expected?

Yes

Would you buy Netwrix Auditor again?

Yes

When there have been changes to server configuration (User Activity logs this too) you are able to tell who has done them and where the changes were made. It is less appropriate in situations where there is an email missing in one's mailbox and they claim mail has been deleted as this is not captured.

Using Netwrix Auditor

10 - Security Team - To do the auditing, e.g. users who haven't logged in for the past 30 days, privileged account group membership changes, tracking what privileged users change and do (auditing Infrastructure Analysts)
Infrastructure Analysts - to do auditing on AD and Exchange Changes. Keep on check who is created and when they are disabled when a user is terminated, checking things like empty security groups to reduce clutter in AD including duplicate Group policies which can help troubleshoot our group policy issues
Help Desk - Use the tool to be sure where a user account locks out, to be on alert of any user they create and disable for termination. They are the user account creators in the organisation
Skills on managing all the modules we have - all minus SQL Server and Oracle Database
People whose main job is IT auditing, which we don't have
Security training in things like intrusion detection
  • Easily see where an account is locking
  • Refer back to changes made if YOU MADE A MISTAKE IN THAT CONFIGURATION TO EASILY ROLL BACK!
  • Reconcile users who have left the organisation to check whether they are not on AD
  • Troubleshoot duplicates on Group Policies which can lead to problems. It works nicely
  • Clear old data and clutter, as far as 5 years ago (e.g old service accounts and old users who have left the organisation!)
  • After account is disabled (when a person is terminated) we use the report to delete them after 60 days and this is helpful in reconciling our user account inventory to make sure that terminated users are removed
  • Our privileged account users are kept on check, this makes sure that there are no unauthorized changes (we have a change management process)
  • We are able to see "problem users" who require account unlocks frequently and most are locked on the Exchange server from their devices by not updating new password, but to tell what device we have to use a 3rd party tool (Log Parser) with Exchange IIS logs
  • Better risk definitions on the product
We have renewed already the licensing of the product minus SQL Server and Oracle Database because the organisation believes the modules are very expensive and have identified a different product for auditing Databases
Other modules are very important, like the User Activity monitor and AD queries that we cannot get from the native AD itself or for which you have to run complicated PowerShell scripts!
Easy to use interface
Pre-defined Reports
Easy way to subscribe to important alerts e.g Privilege account group membership changes

Evaluating Netwrix Auditor and Competitors

  • Product Features
  • Product Usability
  • Product Reputation
Product features - There was so much to offer in terms of predefined queries from AD or Exchange or User Activity. Most Exchange and AD queries were difficult to get because native Microsoft tools required you to have knowledge of PowerShell and complex PowerShell queries. Netwrix Auditor takes care of that from the logs it gets from the Domain Controllers.
You didn't have to have knowledge of PowerShell
Queries were off the shelf
Could record user activity during internal investigations
Check first whether you will sometimes require another product to dig deeper on an investigation. The one in question is, as stated before, when a user gets locked out (our threshold is 10 times of bad password) from a device, e.g. an iPad: the product won't tell you the device BUT will tell you it is from the Exchange Server, and you don't have sufficient information. You only get the final piece of the puzzle by using a third-party tool (Log Parser) and Exchange Server IIS log files to parse through for password errors, and you get the answer including the device name and software version

Netwrix Auditor Implementation

Make sure you trial the software and understand the fundamentals of each module that you are interested in
Make sure you get the buy in from both Management and most importantly your team members (the product users) for a successful implementation
Watch the webinars of the product from the product website
Yes - It was initially used to check where accounts lock
Then other modules were licensed such as Exchange Server and further usage of the AD module, User Activity and this was difficult because there was a lot of trial and error and with the help of Netwrix Support then the software became user friendly to our eyes as we saw it and realised that it was actually easy to use. Therefore there were two phases 1. Setting up AD Maintenance Plan ourselves 2. The rest of the modules with the assistance of Netwrix Support
Change management was a small part of the implementation and was well-handled - Management was supportive looking at the fact that we chose the product from research on the Internet. Management also wanted to have a product that will help us with easy report generation for IT audits as mostly it was a manual process and the IT audit team felt we were taking long to provide information. Netwrix Auditor enabled us to get instant reporting for IT Audits and there is a very fast turn around time for IT Audit report requests
  • Lack of Training or Trialing before buying
  • Finding the product difficult at first as we didn't quite understand the way it really works, e.g. it has to get the event log from the Domain Controller
  • Learning the product through the Netwrix Support
  • Lack of interest from some team members in using it at the beginning

Netwrix Auditor Support

Pros
Quick Resolution
Good followup
Knowledgeable team
Problems get solved
Kept well informed
No escalation required
Immediate help available
Support understands my problem
Support cares about my success
Quick Initial Response
Cons
None
Yes - Because we don't have anyone clearly trained. The training is not done in the country BUT we do watch some training webinars on the Netwrix website. We do try first line; if all else fails we escalate to Netwrix Support.
When the software was first installed and learned from the first support call, and it was the initial response, which didn't take long; it was how to trace where a user account is locking. We were not using the correct pre-defined report!

Using Netwrix Auditor

Pros
Like to use
Relatively simple
Easy to use
Well integrated
Feel confident using
Cons
Inconsistent
Lots to learn
  • Pre-Defined Reports
  • User Activity Monitoring
  • Executive Dashboard
  • Ascertaining the device (e.g. iPad, Samsung, iPhone) which a user account is locking on
  • Executive Dashboard sometimes not accurate, e.g. last time user logged in
  • Database management
The product has user-friendly pre-defined queries which take off the stress and horrors of having to query Active Directory with complex PowerShell scripts!
You can subscribe to certain functions so that when they are done you get an alert, e.g. privileged account actions, and you don't need to have programming skills
The product has a desktop version of the software and you do not have to log in to the server every time you need to use it.
You can see very quickly the posture of your environment on the overview screen and deduce what exactly is wrong and what has to be done