Netwrix or what else?
Posted by thegreatcerebral@reddit | sysadmin
Looking into some auditing tools and such and obviously the biggest name out there appears to be Netwrix. We don't have any 365/online presence like that, all on prem. Doing a search in this sub returns posts 2+ years old and not much love. Is this software dead? Is there something else/better/better way of doing it? My understanding is that I guess you can get there the same way with a SIEM (which we are looking at also) but these tools are supposed to be better/faster?
Looking at the web demos online it is hard to not like what you see.
So are there others? Are they trash? I did see stuff about their contracts but that was 2 years ago, don't know how it is today.
Thanks for any info.
dmuppet@reddit
Netwrix is pretty popular. Does its job. Most EDRs also offer some form like Huntress/CrowdStrike I think.
thegreatcerebral@reddit (OP)
Thank you. I just don't hear much about it and looking at the tools I just didn't know if it was because if you move to 365 maybe you get some of that built in or there are other ways to do this now that are easier etc.
I mean the tools seem crazy good. But yet, I just never hear anything about them either way.
Derek-Netwrix@reddit
Hi u/thegreatcerebral! My name is Derek, and I'm the Netwrix community manager! If you're still curious about Netwrix and willing to DM me some details about your business & objectives, I can provide more tailored information!
humblequest22@reddit
Do you have a solution for small businesses? Paying thousands for our 20 or so users isn't feasible. We just have an on-prem AD and our M365 accounts to manage.
Derek-Netwrix@reddit
Hey there! We have Auditor Essentials edition, which is built for businesses with 25-150 employees. Let me know if you have any questions!
humblequest22@reddit
Thanks, that looks great! I assume that M365 signin/signout is tracked via the Entra ID, is that correct? So the base product would cover our AD and M365, right?
We have about 20 employees, but I know we have some additional accounts in AD that aren't actually people. Can I choose which accounts are covered by the 25 licenses or do I need to either reduce the number of accounts or purchase licenses to cover all of the active accounts?
Derek-Netwrix@reddit
Those are some great questions, I'm going to tag my colleague (u/MPurdin-Netwrix) who's better equipped to handle them :D
MPurdin-Netwrix@reddit
Hello u/humblequest22!
As u/Derek-Netwrix mentioned, I'll be helping you with the questions that you have.
Let me start by addressing the licensing question, and then I’ll explain how you can figure out your license count.
Netwrix Auditor is licensed based on the number of user objects you want to monitor, not the number of physical people in your organization. For example, if you have 20 users and 10 service accounts, you would need 30 licenses in total. Computer accounts do not count toward your license total.
You can exclude specific objects from your license, but keep in mind what that actually does. Excluding an account prevents Netwrix Auditor from tracking changes made to that account — not actions performed by that account. So, using the earlier example, if you excluded those 10 service accounts and someone deleted or modified one of them in Active Directory, there would be no record of that activity.
As for determining how many licenses you’ll need, unfortunately, the free Community Edition doesn’t include reporting capabilities — it only sends daily change summaries and doesn’t store the data needed for license analysis. However, we do have two articles that walk through different methods for determining your license count.
For Active Directory you can visit: Determining the Number of Enabled Active Directory User Accounts | Netwrix Product Documentation
For Entra ID, you can visit: How to count number of licenses required for auditing a Microsoft Office 365 tenant? | Netwrix Product Documentation
Those two resources should give you everything you need to calculate your license requirements. Let me know if you’d like me to clarify any of the steps.
humblequest22@reddit
Thanks for the reply and the simple tools! We have 22 M365 users and 28 AD users. Does that mean that we need 28 licenses because we just need to cover the higher number? Or are we at 50 or some other number?
MPurdin-Netwrix@reddit
You would need just 28. When you get those 28, you would also be covered for your 22 M365 users.
humblequest22@reddit
Thank you so much for your help!
Busy-Mud-3865@reddit
Netwrix is hot garbage.
thegreatcerebral@reddit (OP)
Not trying to be rude, but if you are going to make a statement like that, can you at least tell me why you feel it is hot garbage? I would love to hear your thoughts, and I simply can't go to management and say "No, we can't go with Netwrix."
"Why?"
"It's Hot Garbage."
"What do you mean? Why is it hot garbage?"
"Well... interestingly enough Busy-Mud-3865 said it was."
Please tell me why.
Alessar31337@reddit
All this happens because new managers don’t even know how the company’s products work. They fire entire teams saying they can be easily replaced with AI. As a result, the product stops working because there is no one to test it. People who have been doing this for years and who had the expertise are leaving the company.
JagFel@reddit
We looked at Netwrix and Varonis for SIEM/log aggregation and alerting.
Varonis was more $, but superior.
Responsible-Mouse209@reddit
Do these systems deliver a setup.exe file for admins to install their tool once we buy, or how do they do it exactly?
alteredcarbon__@reddit
Basically the same, we moved on from Varonis due to cost, but it was much preferred over Netwrix.
We found ourselves not using it much now that we have SIEM and log aggregation tools, and have decided not to renew our contract with Netwrix.
Even prior to these new tools, we weren't getting much value out of it, but this may also be dependent on our environment/staffing.
SomeWhereInSC@reddit
What SIEM and log agg tools are you using that took the place of Netwrix?
alteredcarbon__@reddit
We don't have a SIEM, but utilize Arctic Wolf's managed detection and response service, which pulls most of the telemetry data from the different sources (on-prem and cloud) in our environment. We found that we haven't really missed Netwrix.
EntitlementDrift@reddit
I feel like Netwrix has been circling the drain lately. Their most recent release was a mess ... buggy, unstable, and full of broken functionality that used to work fine. It’s what happens when QA is scattered across outsourced teams with little accountability. If you’ve ever had to explain to your boss why scheduled reports failed again or why the UI randomly breaks in Chrome, you know the pain.
Support? Good luck. Half the time you’re the one finding the bug and the fix. If you're 100% on-prem and just need basic audit logs, it technically “works.” But it's bloated, dated, and built like it hasn’t evolved since 2012.
If you're looking for something smarter... especially if you care about access visibility, least privilege, or identity risk.... there are newer platforms that go way beyond group membership dumps. They show what users and service accounts can actually do across AD, file systems, apps, and cloud infrastructure. No more guessing, no more stitching together logs. Just real-time access intelligence with a clean UI and meaningful insights.
These tools aren’t event log parsers like Netwrix... they’re security-first, built for visibility, governance, and how modern orgs actually operate. If you're already exploring SIEMs and auditing tools, skip Netwrix. There are better, faster, and more integrated options out there.
SomeWhereInSC@reddit
lots of info but no app names or recommends.... help a redditor out...
EntitlementDrift@reddit
We checked out Varonis, Lumos, and a couple other newer players. Ended up going with Varonis mainly because we were sick of Netwrix Auditor breaking and the price fit our budget, but after seeing more of what newer players like Lumos and Veza can do, I kind of wish we’d reconsidered the newer real-time visibility approach. SIEMs are fine for event/change logs, but these tools build a live permissions map across AD, file servers, DBs, etc., which imo is way faster for audits, least-privilege cleanup, and catching stale or over-privileged accounts.
SomeWhereInSC@reddit
There we go, thanks for the reply, it is very helpful.