I have experience with quite a few change monitoring systems on the network. I am distinguishing change monitoring vs change management in that “management” always implies some measure of “control.”
Some quick Pros and Cons of various Systems:
For Active Directory, I have used:
- ManageEngine AD Audit+: This is a web based application that can monitor and alert on changes to Active Directory objects, including Group Policy Objects. It can send regular reports that will list the principle who made the change, the object that was changed, and,both the before and after values. The AD specific application is priced by the number of Domain Controllers in your environment. This can be cheaper for environments with thousands of objects, but fewdomain controllers.
- Lepide AD Auditor: Lepide’s offering is a thick client application that connects to each Domain Controller. It has all the same features as AD Audit + for monitoring Active Directory objects. It is priced based on the number of objects in your environment, so may be cheaper for smaller environments with under 100-ish bbjects.
- Netwrx: Poor User Interface, scalable, and costs as if it were made of gold. But an add-on module includes vSphere monitoring, which we found very useful.