One of the big differences is auditing and reverting change states. LEM relies on the events to tell you something has changed, whereas server change auditing products tend to do regular checks that may be augmented with log data. With that, they can tell you what the value used to be at different times, who changed it, and what changed.
Some of these products do rely on log data, which makes them the same with regard to resolution/fidelity of data as LEM, but LEM just doesn't store the data so you can compare it side by side to see what it was yesterday and what it is today. When it comes to "something changed and here's when", the log data on Windows is pretty good for this.
There are also some things that you don't really see very well in log data, like OU and GPO changes, that these products may have better visibility into (provided they aren't just relying on log data).
Thanks much - that seems to be my takeaway thus far as well. I appreciate the feedback.