Group Policy Management is required by the EventSentry ADMonitor Service to detect Group Policy changes and needs to be installed on the machine that is running EventSentry ADMonitor. Group Policy Management can be installed by opening an elevated PowerShell prompt and entering the following command: For Windows Servers Family: InstallWind...

KB-ID 392
Category: ADMonitor
Applies to: 4.0 and later

EventSentry ADMonitor utilizes the adminCount attribute that is associated with AD user accounts to determine whether a user has administrative permissions. Windows sets this attribute when a user is added to what is referred to as a protected group see below. Unfortunately Windows does not remove the attribute if a user is subsequently ...

KB-ID 412
Category: ADMonitor
Applies to: 4.0 or newer

EventSentry ADMonitor uses the 39adminCount39 attribute to determine whether a user is an administrator. However since this attribute is not reset by Windows after a user is removed from an administrative protected group this can sometimes lead to inaccurate reports. You can read more about the 39adminCount39 attribute in KB article ...

KB-ID 417
Category: ADMonitor

For additional security you can restrict the EventSentryADMonitor account to only be allowed to be used on the EventSentry server and domain controllers and also block it from performing any sensitive functions RDP console service batch job etc on domain controllers. In Active Directory select the EventSentryADMonitor acco...

KB-ID 444
Category: ADMonitor
Applies to: 4.0 and newer

While ADMonitor itself does not rely on Windows auditing to detect actual changes made in Active Directory it does require access to the event log of a domain controller either remotely or locally in order to determine who made the change. ADMonitor utilizes both the Security and the Directory Services event log. Perform the fo...

KB-ID 503
Category: ADMonitor
Applies to: 5.0 and later