Netwrix Auditor 6.5 review

Netwrix Auditor sets a high standard for change auditing in the enterprise

Netwrix logo

IT Pro Verdict

Excellent auditing software that works perfectly on so many levels. It’s easy to install and use, the modular design keeps costs down and its powerful reporting capabilities won’t be beaten.


  • +

    Easy to deploy; Detailed reporting; Modular design; Central management console


  • -

    Lengthy setup for file server module

There's no shortage of enterprise change auditing products on the market today but Netwrix Auditor is one of the most comprehensive and intuitive we've seen. Naturally, Active Directory (AD) auditing is at the top of its agenda but it can do so much more than this.

A feature we like is Auditor's modular design which allows you to purchase only the bits you need. Costing 8 per user, the AD module includes auditing for Group Policy plus inactive users and password expirations.

Optional modules are available for Exchange, SQL Server, SharePoint plus Windows Servers and Auditor 6.5 can now monitor and report on changes to Windows file shares. Network storage options include NetApp filers plus EMC storage devices while for virtualised environments, Netwrix can audit VMware vCenter, vSphere, ESX and ESXi systems.

Auditor's console is well designed and provides easy access to every module and report

Easy installation

We loaded Auditor on a Windows 7 desktop without any problems. This was a member of the lab's domain managed by a Windows Server 2012 R2 domain controller which included other Server 2012 R2 file servers plus Exchange 2013 and SQL Server 2014 systems.

Along with installing a SQL 2012 Express database for report storage, the wizard configured snapshots for State-in-Time reporting services and native auditing on all target systems. Auditor's lightweight agent can be automatically installed on audited systems where it gathers data and compresses it before sending it to the host.

Real time alerts for critical domain changes can be set up during this phase. We also chose the number of days after which users were considered inactive, applied actions such as forcing password changes or account deletion and sorted out alerting for password expirations.

The Enterprise Overview dashboard shows all the activity on audited systems

A slick console

It's been a couple of years since we last looked at Auditor and we were bowled over by the new console. Every module now snaps in seamlessly to the same console and its left pane provides swift access to them along with all reporting tools.

First time audits are easy to set up with a wizard taking us swiftly through the audit process for our AD domain, Group Policy and Exchange organisation. Some manual labour is required for Group Policy auditing as we had to load the Microsoft Group Policy Management Console (GPMC) on our host system but this is well covered in the manual.

Further managed objects are easily added as you choose from domain, VMware, OU, SharePoint Farm or computer collection and add the systems you want to group together. Our SQL Server 2014 system was declared in under a minute with a simple quick-step wizard that just required the database instance and alert recipients.

The console opens with an Enterprise Overview of graphs and charts which can be filtered to suit. We could also swap to views showing just our Exchange organisation or SQL Servers but a minor complaint is the console doesn't rescale its contents when you change the window size.

The Active Directory module provides extremely detailed reports

Active Directory unveiled

For detailed AD change auditing look no further as Auditor provides a wealth of information. The AD overview pane provides graphs showing all changes for the selected time period along with the most modified domain controllers, the users making all the changes and objects being changed the most.

Netwrix includes hundreds of predefined reports that provide complete insight into AD activity. We could view anything from object changes and the workstation they originated from to modified computer accounts plus organisational, schema and site changes the list is endless.

We could see what was changed, who changed it and precisely when it occurred. Data collections can be set for daily intervals and we used the subscription service to email regular reports to selected Exchange users.

Even better, Auditor uses its snapshots to provide a rollback and recovery service. Accessed from the same console, we could browse snapshots and use them to restore anything from a single user to a complete OU.

The File Server module is capable of providing a lot of valuable information about network share access

File server patience

The File Server module takes a while to configure especially for large numbers of monitored file shares. Creating a new audit object for Group Policy is the easy bit but then we had to configure the advanced security settings for each share we wanted to audit and create managed objects in Auditor for each one.

Our patience was rewarded, though, as Auditor provided detailed information about all share activity. The dashboard overview kept us appraised of all changes being made, the most active servers and users and the number of file reads and changes.

Reporting is extensive as we could view lists of all files that had been added, changed or deleted, see when each event occurred and which users were responsible. The same applied to our Exchange and SQL server systems as we could view all message management activities for the selected period and keep a close eye on changes to databases, schema, objects and tables.


Netwrix Auditor 6.5 is a top-notch IT change auditing solution that's sure to satisfy any external auditor. We found it remarkably easy to use and the modular design means it can easily be customised to suit your requirements and budget.


Excellent auditing software that works perfectly on so many levels. It’s easy to install and use, the modular design keeps costs down and its powerful reporting capabilities won’t be beaten.

Windows 7 or Server 2008 R2 upwards, 2GB RAM, 1TB hard disk space

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.