Reading the Audit Log
Open the audit log
Click Audit in the left navigation. The log shows all operations performed through DirWarden, newest first.
What is logged
Every write operation creates an audit entry. Each entry records:
| Field | Description |
|---|---|
| Timestamp | Date and time (UTC) when the operation was applied |
| Operator | The Windows account that performed the action |
| Role | The operator’s role at the time (Auditor / Operator / Administrator) |
| Operation | What was done (Unlock, Enable, Disable, Reset Password, etc.) |
| Target | The SAMAccountName of the affected AD account |
| Count | Number of accounts affected (for bulk operations) |
| Result | Success or failure, with an error code if failed |
Read-only operations (browsing users, exporting reports, page navigation) are not written to the audit log.
Filtering entries
Use the filter bar above the log:
- Date range — pick a start and end date.
- Operator — filter by the Windows account that performed actions.
- Operation type — limit to specific operations (e.g. show only password resets).
- Target — search by SAMAccountName or display name.
Click Clear filters to reset to the full log view.
Audit log integrity
The audit log uses a cryptographic hash chain: each entry includes the hash of the previous entry. This means any tampering or deletion of a middle entry is detectable.
If the chain integrity check fails, a red warning banner appears at the top of the Audit page. Do not dismiss this warning — it indicates the log file may have been modified outside of DirWarden. Contact your security team.
Log storage location
Audit entries are stored locally in %AppData%\DirWarden\audit\. Each day produces a separate file (audit-YYYY-MM-DD.json). Files are rotated automatically and are never deleted by DirWarden — remove old files manually if disk space is a concern.
Exporting the audit log
To export entries as CSV, use the Export reports feature.