Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ knowledge_article_id: kA00g000000H9SmCAK
This article contains references to the most popular Active Directory, Exchange, and Group Policy changes which may be reported as made by **System** by Netwrix Auditor:

- [Alert Reported Change Made by System](/docs/kb/auditor/reports-alerts-and-notifications/report-generation/alert-reported-change-made-by-system.md).
- [System Changed Object Path after Account Name Change](/docs/kb/auditor/system-changed-object-path-after-account-name-change.md).
- [System Changed Object Path after Account Name Change](/docs/kb/auditor/features-and-operations/glossaries-and-faqs/system-changed-object-path-after-account-name-change.md).
- [System Changed Client Operating System](/docs/kb/auditor/system-changed-client-operating-system.md).
- [System Changed Directory Objects for Foreign Security Principals](/docs/kb/auditor/system-changed-directory-objects-for-foreign-security-principals.md).
- [Workstation Field Reported as Unknown](/docs/kb/auditor/workstation-field-reported-as-unknown.md)
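Review bot: only the "System Changed Object Path after Account Name Change" link in this list is moved under `features-and-operations/glossaries-and-faqs/`; the three entries after it (`system-changed-client-operating-system.md`, `system-changed-directory-objects-for-foreign-security-principals.md`, `workstation-field-reported-as-unknown.md`) still use the flat `/docs/kb/auditor/` path. If those articles were relocated in the same restructuring, update them here too, or confirm with a link check that the flat paths still resolve. The last entry is also missing the trailing period the other entries have.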
Expand All @@ -34,3 +34,5 @@ This article contains references to the most popular Active Directory, Exchange,





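Review bot: this hunk (3 lines before, 5 after) adds only blank lines at the end of the file, and the same end-of-file padding recurs in most files in this change. It is unrelated to the link and image path fixes; drop it, or normalize the files to a single trailing newline in a separate change.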
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ The Netwrix Active Directory Object Restore tool recovers removed Active Directo

The account used for recovery and restore is the same account used for data collection in your Netwrix Auditor Active Directory monitoring plan.

<div>![Active](../../../images/servlet_image_3823966b1661.png)</div>
<div>![Active](../../images/servlet_image_3823966b1661.png)</div>

> **NOTE:** This tool should **NOT** be used to revert the changes caused by raising the forest functional level. For additional information, refer to the following article: Object Restore for Active Directory.

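Review bot: the corrected image line keeps the markdown image inside an inline `<div>` wrapper with the alt text "Active". Several markdown renderers treat a line that begins with `<div>` as raw HTML and leave the `![...](...)` syntax unrendered, so check this page in a preview build. Dropping the wrapper and writing a descriptive alt text would match the other image references in this change.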
Expand All @@ -47,3 +47,4 @@ The account used for recovery and restore is the same account used for data coll
- Object Restore for Active Directory



Original file line number Diff line number Diff line change
Expand Up @@ -58,11 +58,11 @@ Refer to the following steps to exclude OUs and user objects from the monitoring
2. Select the relevant AD monitoring plan and click **Edit**.
3. Select the data source and click **Edit data source**.

![Edit data source](../../../images/ka0Qk000000EIjS_0EMQk00000661ik.png)
![Edit data source](../../images/ka0Qk000000EIjS_0EMQk00000661ik.png)

4. In the left pane, select the **Objects** tab. Select the **Exclude these objects** checkbox, then click **Add** to exclude objects from the monitoring scope. After adding the objects, click **Save & Close**.

![Exclude these objects](../../../images/ka0Qk000000EIjS_0EMQk000005FPXt.png)
![Exclude these objects](../../images/ka0Qk000000EIjS_0EMQk000005FPXt.png)

Refer to the following examples to learn about how the exclusion rules work for **Objects**. The same logic applies to the inclusion rules:

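Review bot: both image references go from `../../../images/` to `../../images/`, which is only correct for this file's current directory depth, and nothing in the change shows that the targets were checked. Confirm that `ka0Qk000000EIjS_0EMQk00000661ik.png` and `ka0Qk000000EIjS_0EMQk000005FPXt.png` resolve from the new location, ideally by failing the docs build on broken image links, since these screenshots carry steps 3 and 4 of the exclusion procedure.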
Expand Down Expand Up @@ -101,3 +101,4 @@ To exclude specific Entra ID users from the license count, populate the `omitUPN
- [Microsoft Entra ID Monitoring Scope](https://docs.netwrix.com/docs/auditor/10_8)



Original file line number Diff line number Diff line change
Expand Up @@ -52,3 +52,4 @@ After that, the **Netwrix Auditor Application Deployment Service** appears on th




Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,4 @@ The licensing data was corrupted.




Original file line number Diff line number Diff line change
Expand Up @@ -63,3 +63,4 @@ If you are currently on a 10.5 version and build other than 10950, perform the p




Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ Enable all symbolic link types.

Once executed, you'll see the settings for symbolic links (enabled or disabled).

![SymlinkEvaluation output](../../../images/servlet_image_3823966b1661.png)
![SymlinkEvaluation output](../../images/servlet_image_3823966b1661.png)

2. To enable a symlink type, run the following command:

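Review bot: `servlet_image_3823966b1661.png`, used here with the alt text "SymlinkEvaluation output", is the same file the Object Restore article in this change references with the alt text "Active". One of the two articles is probably pointing at the wrong screenshot; verify what this file actually contains and give the other article its own image.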
Expand All @@ -65,3 +65,4 @@ Enable all symbolic link types.
Learn more about fsutil syntax in the Microsoft documentation: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior (fsutil behavior ⸱ Microsoft)



Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,11 @@ The **Volume Shadow Copy Service** (hereafter **VSS**) can be enabled via **Netw
1. Navigate to **Managed Objects -> your_File_Servers_Managed_Object_name -> File Servers.**
2. Click **Configure** next to **Advanced Settings** and select the **Enable file versioning and rollback capabilities (based on Volume Shadow Copy).**

![User-added image](../../../images/ka04u000000HcNV_0EM700000007LkF.png)
![User-added image](../../images/ka04u000000HcNV_0EM700000007LkF.png)

## Where Shadow Copy data is stored

The **Shadow Copy** data is stored on the audited file server. **VSS** is a built-in **Windows** service, and when you enable the VSS support, **Netwrix Auditor** just triggers creation of a snapshot. If you have not configured **VSS**, you may want to turn it off (especially if you do not have enough space on that server). To know precisely where the **Shadow Copy** data is stored, refer to the **Shadow Copy** information on the drive volume.



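Review bot: the alt text on the updated image is still the placeholder "User-added image", as it is in several other files in this change. Since the line is being edited anyway, describe what the screenshot shows, for example the Advanced Settings dialog with the file versioning option from step 2.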
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ This attribute is based on the user’s logon ID within the current session. Bei

Session IDs are used to identify changes made by users with unique logon ID's. Session IDs are a combination of both the logon ID itself and the current session associated with this logon ID, to help identifying who made the change. Thus, session ID can be changed due to the fact that Netwrix would count that as a separate activity record too.

![User-added image](../../../images/ka0Qk0000001OrV_0EMQk000002Tph8.png)
![User-added image](../../images/ka0Qk0000001OrV_0EMQk000002Tph8.png)

In addition, Netwrix Auditor generates the following attribute besides Session ID, associated with the object and reserved for internal use:

Expand All @@ -46,3 +46,4 @@ Since the product associates Session IDs with the current session of the user, t
- [How Does Merging Logon Activity Events Work?](/docs/kb/auditor/how-does-merging-logon-activity-events-work.md)



Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ knowledge_article_id: kA00g000000H9YCCA0

During installation of NetWrix Account Lockout Examiner on **Windows 2003**, a "Service 'NetWrix Account Lockout Examiner' (ALService) failed to start" message is received that the service cannot be started due to insufficient permissions. The account in use is a domain admin.

![User-added image](../../../images/ka04u000000HcRH_0EM700000004wmJ.png)
![User-added image](../../images/ka04u000000HcRH_0EM700000004wmJ.png)

## Cause

Expand All @@ -41,3 +41,4 @@ Also:
3. Try entering another local admin or domain admin account during the installation.



Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ You can manually delete the Service and its components. For that:

1. Open the **Services** snap-in and open properties of the problematic service.
2. Copy the full name of the service and the path to executable, for example, to a **Notepad** document.
![User-added image](../../../images/ka0Qk0000001hxN_0EMQk000002u2KX.png)
![User-added image](../../images/ka0Qk0000001hxN_0EMQk000002u2KX.png)
3. Run the command prompt as administrator and run the following command:

```bat
Expand All @@ -49,3 +49,4 @@ You can manually delete the Service and its components. For that:
4. After that, navigate to the file path you copied earlier and delete all the files.



Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,9 @@ Netwrix Account Lockout Examiner can be set to monitor local machine event logs
5. In the next dialog box, select the **Domain Controller** radio button and enter the the name of workstation local events of which you want to monitor
6. Press the **OK** button. Press the **OK** button again.

[![User-added image](../../../images/ka04u000000HcWP_0EM700000004wxl.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAbY&feoid=00N700000032Pj2&refid=0EM700000004wxl)
[![User-added image](../../images/ka04u000000HcWP_0EM700000004wxl.png)](https://netwrix.secure.force.com/kb/servlet/rtaImage?eid=ka40g000000kAbY&feoid=00N700000032Pj2&refid=0EM700000004wxl)

**Note:** Make sure that the account used to run the Account Lockout Examiner service has administrative access to the machine you are adding.



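Review bot: the image path is fixed, but the link wrapped around the image still targets an `rtaImage` URL on `netwrix.secure.force.com`, so a click on the screenshot leaves the docs site for the old knowledge base host. Remove the link wrapper or point it at the local image. Step 5 in the context also reads "enter the the name of workstation local events of which you want to monitor" and needs rewording.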
Original file line number Diff line number Diff line change
Expand Up @@ -64,3 +64,4 @@ For alternative backup and failover options, refer to the steps below.




Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ In case you're planning the on-premise deployment, click **On-premises Deploymen

For the VM deployment, proceed with the **Virtual Appliance** option and select the suitable package. Netwrix Auditor Access Reviews will come preinstalled for the VM of your choice.

![pI1UIaaJkT.png](../../../images/ka04u00000116Ju_0EM4u000008LKrz.png)
![pI1UIaaJkT.png](../../images/ka04u00000116Ju_0EM4u000008LKrz.png)



Original file line number Diff line number Diff line change
Expand Up @@ -57,3 +57,4 @@ In most cases, yes it does. However, for the proper uninstallation of all compre




Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ How to repair a Netwrix Auditor installation in our environment?
2. Proceed to your **My Products** page to download the executable for the corresponding version. Refer to the following link: [Netwrix — My Products](https://www.netwrix.com/my_products.html).
3. Run the downloaded executable. Once the files are extracted, a setup screen will be prompted.

![Install Netwrix Auditor setup screen](../../../images/ka04u00000117fh_0EM4u000008MBTP.png)
![Install Netwrix Auditor setup screen](../../images/ka04u00000117fh_0EM4u000008MBTP.png)

4. Select **Install** under **Install Netwrix Auditor**.
5. Click **Next**, and select **Repair**.
Expand All @@ -50,3 +50,4 @@ How to repair a Netwrix Auditor installation in our environment?
- [How to Find Out My Netwrix Auditor Version](/docs/kb/auditor/how-to-find-out-my-netwrix-auditor-version.md)



Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ Exchange Online relies on PowerShell gathering proxy settings from the network a
netsh winhttp show proxy
```

![netsh winhttp show proxy output](../../../images/ka0Qk0000000ws1_0EM4u000008MMY1.png)
![netsh winhttp show proxy output](../../images/ka0Qk0000000ws1_0EM4u000008MMY1.png)

2. If the system prompts **Direct settings**, configure the network adapter to use the correct proxy settings:

Expand All @@ -51,7 +51,7 @@ Exchange Online relies on PowerShell gathering proxy settings from the network a

Replace the proxy server settings in the line with your actual settings.

![netsh winhttp set proxy example](../../../images/ka0Qk0000000ws1_0EM4u000008MMY6.png)
![netsh winhttp set proxy example](../../images/ka0Qk0000000ws1_0EM4u000008MMY6.png)

### Microsoft Entra ID (formerly Azure AD)

Expand Down Expand Up @@ -84,11 +84,11 @@ After editing:

Before editing image:

![Before editing configuration](../../../images/ka0Qk0000000ws1_0EM4u000008MMXd.png)
![Before editing configuration](../../images/ka0Qk0000000ws1_0EM4u000008MMXd.png)

After editing image:

![After editing configuration](../../../images/ka0Qk0000000ws1_0EM4u000008MMYB.png)
![After editing configuration](../../images/ka0Qk0000000ws1_0EM4u000008MMYB.png)

Replace `***.***.***.***:port` with your actual proxy settings.

Expand All @@ -112,3 +112,4 @@ Replace `proxyaddress="***.***.***.***:port"` with your actual proxy settings.
To use proxy server settings for the Teams audit, set up both Microsoft Entra ID and SharePoint Online settings.



Original file line number Diff line number Diff line change
Expand Up @@ -45,8 +45,9 @@ Make sure you provided the same parameters in a Netwrix Auditor monitoring plan
1. **Tenant name** in Netwrix should equal the `Directory (tenant) ID` in Microsoft Office 365 Admin center.
2. **Modern authentication application ID** should equal `Application (client) ID` in Microsoft Office 365 Admin center.

![00371273 O365 Tenant.PNG](../../../images/ka04u00000117A1_0EM4u000008LuEC.png)
![00371273 O365 Tenant.PNG](../../images/ka04u00000117A1_0EM4u000008LuEC.png)

For additional information on configuring Office 365 tenant, refer to the following article: Microsoft 365. Select the data source you want to audit and review the corresponding section.



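Review bot: the closing context sentence says "refer to the following article: Microsoft 365." but the article name is plain text with no link target. Add the link to that article while this file is being touched.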
Original file line number Diff line number Diff line change
Expand Up @@ -46,15 +46,15 @@ To disable MFA for your data-collecting account in any Microsoft 365 source, use
3. Select the service user to be used in the **Select excluded users and groups** window, and click **Select**.
4. To complete the setup, click **Save** in the bottom left corner.

![Exclude user from MFA policy](../../../images/ka0Qk0000001LLl_0EM4u000008MMJG.png)
![Exclude user from MFA policy](../../images/ka0Qk0000001LLl_0EM4u000008MMJG.png)

- To exclude an app from the MFA policy:
1. Click the highlighted text under the **Target sources** section.
2. Click the **Exclude** tab, and click the highlighted text under **Select excluded cloud apps**.
3. Select the app to be used in the **Select excluded cloud apps** window, and click **Select**.
4. To complete the setup, click **Save** in the bottom left corner.

![Exclude app from MFA policy](../../../images/ka0Qk0000001LLl_0EM4u000008MMJL.png)
![Exclude app from MFA policy](../../images/ka0Qk0000001LLl_0EM4u000008MMJL.png)

Refer to the following articles for additional information on data-collecting account setup for your Microsoft 365 sources:

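Review bot: the steps around the two updated screenshots exclude a user or a cloud app from the MFA policy, and the visible text does not say to limit the exclusion to the dedicated data-collecting account. Consider adding a sentence to that effect next to the "Select excluded users and groups" step, so readers do not exclude a broader group than the service account.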
Expand All @@ -74,3 +74,4 @@ Refer to the following articles for additional information on data-collecting ac
- Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6 https://docs.netwrix.com/docs/auditor/10_8



Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ To determine the actual number of licenses you need to purchase from Netwrix, do
3. Enter your Office 365 account credentials when prompted and click **OK**.
4. When the script completes, you will see the number of mailbox accounts for which you need to purchase licenses:

![User-added image](../../../images/ka04u000000HcMr_0EM0g000000hNsh.png)
![User-added image](../../images/ka04u000000HcMr_0EM0g000000hNsh.png)

## For MFA-enabled account

Expand All @@ -62,3 +62,4 @@ $userMailboxes.count
Original KB Article 2082



Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ This article contains permission manifests for Microsoft 365 and Microsoft Entra
3. Select the app you would like to configure.
4. In the left pane of the new **Overview** window, select the **Manifest** tab. You can either edit the manifest in the web-based manifest editor, or select **Download** to edit the manifest locally to **Upload** it to reapply it to your application.

![Manifest tab in the Overview window](../../../images/servlet_image_31a741be3a3d.png)
![Manifest tab in the Overview window](../../images/servlet_image_31a741be3a3d.png)

5. After opening the manifest file, replace the contents of **requiredResourceAccess** with the data provided below.
6. Once changes are introduced, save the manifest and grant administrator permissions in the **API Permissions** tab.
Expand All @@ -41,15 +41,15 @@ You can use the following screenshots for permissions reference:

- **SharePoint Online**

![SharePoint Online permissions](../../../images/servlet_image_b88c6cd43443.png)
![SharePoint Online permissions](../../images/servlet_image_b88c6cd43443.png)

- **Exchange Online**

![Exchange Online permissions](../../../images/servlet_image_a59a6a87d3a0.png)
![Exchange Online permissions](../../images/servlet_image_a59a6a87d3a0.png)

- **Microsoft Entra ID**

![Microsoft Entra ID permissions](../../../images/servlet_image_bcb70814f4ea.png)
![Microsoft Entra ID permissions](../../images/servlet_image_bcb70814f4ea.png)

### Manifest for SharePoint Online

Expand Down Expand Up @@ -195,3 +195,4 @@ You can use the following screenshots for permissions reference:
- [Microsoft 365 — Permissions for Teams Auditing ⸱ v10.6](https://docs.netwrix.com/docs/auditor/10_8/configuration/microsoft365/teams/permissions)
- [Microsoft Entra Admin Center ⸱ Microsoft 🡥](https://entra.microsoft.com)


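Review bot: the Teams link label in this hunk says "v10.6" while its URL points to `/docs/auditor/10_8/`. Align the label with the version the link actually opens, or drop the version from the label.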
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ Cannot find the application.

- Review the Application ID provided. You can find the Application ID of your app in the **Overview** page once you select the app in the **App registrations** section. Refer to the following Netwrix Auditor article for additional information on the initial Azure app setup: Netwrix Auditor — Permissions for SharePoint Online Auditing − Creating and registering a new app in Microsoft Entra ID ⸱ v10.6. For additional information on creating an app for Teams auditing, refer to the following Netwrix Auditor article: Netwrix Auditor — Permissions for Teams Auditing − Create and Register a New App in Microsoft Entra ID ⸱ v10.6.

![SPOAppID](../../../images/ka0Qk0000001L8r_0EM4u000008MV3l.png)
![SPOAppID](../../images/ka0Qk0000001L8r_0EM4u000008MV3l.png)

- Review the app API permissions granted. You can either specify API permissions manually or use a manifest. Refer to the following Netwrix Auditor article for additional information on granting permissions: Netwrix Auditor — Permissions for SharePoint Online Auditing − Granting required permissions ⸱ v10.6. For additional information on permissions for Teams auditing, refer to the following Netwrix Auditor article: Netwrix Auditor — Permissions for Teams Auditing − Grant Required Permissions ⸱ v10.6.

Expand All @@ -65,3 +65,4 @@ Cannot find the application.
- Netwrix Auditor — Permissions for Teams Auditing − Grant Required Permissions ⸱ v10.6



Original file line number Diff line number Diff line change
Expand Up @@ -31,20 +31,21 @@ To enable the app you will need to add the app to the **App Catalog** then deplo
1. Navigate to the **App Catalog** → **Site Contents** and ensure you are using the classic experience.
2. Click **Add an app** and select `conceptClassifierApp`.

![User-added image](../../../images/ka04u000000HcXd_0EM4u000002D96q.png)
![User-added image](../../images/ka04u000000HcXd_0EM4u000002D96q.png)

3. Click **Trust It** to accept the app permissions and allow the app to be installed into the App Catalog.
![User-added image](../../../images/ka04u000000HcXd_0EM4u000002D975.png)
![User-added image](../../images/ka04u000000HcXd_0EM4u000002D975.png)
4. Once the app has been added to the App Catalog, configure the deployment by hovering over the app then clicking on the ellipsis in the top right corner of the app and clicking **Deployment**.
![User-added image](../../../images/ka04u000000HcXd_0EM4u000002D97U.png)
![User-added image](../../images/ka04u000000HcXd_0EM4u000002D97U.png)
5. Select how to deploy the app to a combination of specific Sire Collections, by pats, and by a template. Click **OK**.

**Note:** The default order of the page is to show the newest app first, so you should see the app as one of the first options (if you do not you can search for “conceptClassifierApp”):

6. The app will then be scheduled for deployment to the chosen Site Collections. This can take a few minutes and on completion, `conceptClassifierApp` will appear in the Site Contents of these Site Collections.

![User-added image](../../../images/ka04u000000HcXd_0EM4u000002D97j.png)
![User-added image](../../images/ka04u000000HcXd_0EM4u000002D97j.png)

7. To complete the setup, navigate to the **Site Collection** → **Site Contents** and select `conceptClassifierApp`. This will complete the installation of the app on the Site Collection and allow you to configure the writing of classifications (if licensed).



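Review bot: step 5 in the context reads "specific Sire Collections, by pats, and by a template"; "Sire" should be "Site" and "pats" looks like a truncated word. The images for steps 3 and 4 are also placed directly against the following list item with no blank line, unlike the other screenshots in this file; separate them consistently so the numbered list renders as intended.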