Chat now with support
Chat mit Support

Change Auditor 7.3 - Installation Guide

Installation Overview Install Change Auditor Add Users to Change Auditor Security Groups Connecting to the Clients Deploy Change Auditor Agents Upgrade Change Auditor Installation Notes and Best Practices Deployment Options Workstation Agent Deployment Agent Comparison Install an agent to audit ADAM (AD LDS) on workgroup servers Windows Installer Command Line Options

Permissions

Coordinator required permissions

User account performing the coordinator installation:

The user account installing the coordinator needs permission to perform the following tasks on the target server:
Windows permissions to create and modify registry values.
Windows administrative permissions to install software and stop/start services.

The user account performing the installation, must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):
Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object running a coordinator.
Local Administrator permissions on the coordinator server.

By default, the Coordinator service runs as LocalSystem. To run the Change Auditor service as a Domain User or service account other than Local System, the Change Auditor SPN (Service Connection Point) must be removed from the Coordinator computer (local system) account and added to the Domain Account used to run the Coordinator service.

To do so, open a command prompt on a Domain Controller and perform the following:

1
Remove the SPN from the computer object by entering:
setspn -D NPRepository4(INSTALLATION_NAME)/SERVER.DOMAIN.TLD SERVERNAME
2
Add the SPN to the service account by entering:
setspn -A NPRepository4(INSTALLATION_NAME)/SERVER.DOMAIN.TLD USERNAME
INSTALLATION_NAME = Change Auditor Installation (Default name is DEFAULT)
SERVER.DOMAIN.TLD = FQDN of the coordinator server
SERVERNAME = Short name of the coordinator server
USERNAME = SAM account name of the service account
3
Update the Coordinator service to run under the user name context in question.
4
Restart the Coordinator service.

SQL Server database access account specified during installation:

An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
Must be assigned the db_owner role on the Change Auditor database
Must be assigned the SQL Server role of dbcreator
Required permissions for deploying agents

The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation.

If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.

All users responsible for deploying agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

Required permissions to deploy agents using the Windows Installer (MSIEXEC.exe)

The user account used to install the agent by running the Windows Installer directly on the domain controller or member server or workgroup server or workstation needs permissions to perform the following tasks on the server:
Windows permissions to create and modify registry values.
Windows administrative permissions to install software and start or stop services.

Other installation notes

Stopping MMC modules

Certain MMC modules disrupt or hinder the addition or removal of services, therefore, MMC modules can not be running (directly on the server or in a Terminal Services session) when installing or uninstalling Change Auditor. Stop the MMC files before installing or uninstalling Change Auditor.

Event Log Viewers in Windows 2008 (and higher) environments

Before installing or upgrading the coordinators or server agents, Quest recommends to close all Event Log Viewers. If a user has an Event Viewer open and opens a Change Auditor event log to load and display a message, the Windows EventLog locks the event message DLL which can cause the Windows Installer Restart Manager to restart dependent services.

Microsoft .NET framework
Microsoft .NET 4.7.1 framework is required in the Change Auditor coordinator.
Microsoft .NET 4.6.1 framework is required in the Change Auditor clients.
Microsoft .NET 4.7.1 framework is required for agents (server and workstation).

If you try to install these components on a computer with an earlier version, the installation fails and you are notified that a newer version is required. To verify that you are running the appropriate version of Microsoft’s .NET framework, use Add or Remove Programs.

* 
NOTE: Links to the .NET framework are available in Change Auditor’s Autorun.exe redistributables.
Component installation order

Quest recommends installing the Change Auditor components in the following order:
Database (SQL Server) - Make sure the SQL server you are going to use is available and the installation account has SQL Server role as dbcreator. If you want to host the Change Auditor database on a SQL instance other than the default instance of the selected SQL Server, create the new instance before running the installer.
* 
NOTE: The database name must not include embedded spaces, special characters, or supplementary characters are also not allowed. For more details, see Microsoft’s database identifier documentation.
Coordinator - Install the coordinator. When prompted, specify the SQL server you are going to use and the installation account. The Change Auditor database is created remotely on this server during the installation.
Client - Once you have confirmed that the coordinator is functioning correctly, install the client.
* 
TIP: Quest recommends that you install the first coordinator and client, but do not deploy agents until after you have installed all of the additional coordinators required. When deploying agents you can select which installation is to be used for each of the agents.
* 
NOTE: During the coordinator installation, you can add the current user to the ChangeAuditor Administrators security group. If you selected not to add the current user during the installation process or want to add additional user accounts to the Change Auditor security groups, you need to add them prior to launching the Change Auditor client. Quest also recommends that you then add these security groups to the appropriate SQL database role (i.e., ChangeAuditor Administrators - <InstallationName> group to the ChangeAuditor_Administrators role and ChangeAuditor Operators - <InstallationName> group to the ChangeAuditor_Operators role). See Add Users to Change Auditor Security Groups in the Change Auditor Installation Guide.
Agents - Start the client to deploy agents to your domain controllers and member servers. Also, if you have the Change Auditor for Logon Activity Workstation auditing module licensed, deploy agents to the domain workstations to be monitored for logon activity.
Web-based client — Optionally, install the web client on the IIS web server to allow users access to Change Auditor data through a standard or mobile browser. See the Change Auditor Web Client User Guide for information about installing and using the web client.
Deploying Change Auditor agents

For a complete and comprehensive Active Directory change auditing solution, Quest recommends deploying agents to every server in the forest.

For best results in capturing Group Policy changes, Quest recommends installing an agent on the domain’s PDC operations master role holder.

Security groups

During the coordinator installation, three installation-specific security groups are created in the domain where the member server hosting a coordinator resides.

ChangeAuditor Administrators — <InstallationName> Group — provides access to all aspects of Change Auditor and to roll out Change Auditor agents.
ChangeAuditor Operators — <InstallationName> Group — provides access to Change Auditor except for making configuration changes.
ChangeAuditor Web Shared Overview Users — <InstallationName> Group — provides access to the Change Auditor web client shared overviews, while restricting access to only what has been shared. See the Change Auditor Web Client User Guide for more information about sharing overviews.

Where <InstallationName> is a unique name selected during the coordinator installation to isolate your components from any other Change Auditor installation in your Active Directory forest.

Add your user account to either the ChangeAuditor Administrators or ChangeAuditor Operators group before running the client. If multiple coordinators are installed in a mixed mode environment, to connect to each coordinator, add your user account to one of these groups on each of the member servers where a coordinator resides.

In addition, users responsible for deploying agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation.

During the coordinator installation, you are presented with the option to add the current user to the ChangeAuditor Administrators security group. If you selected not to do this during the coordinator installation process or you want to add more user accounts, add your user account (and any other appropriate user accounts) to one of the Change Auditor security groups before running the client.

See Add Users to Change Auditor Security Groups for more detailed information about the security groups that are created when the coordinator is installed.

* 
NOTE: When the first foreign workstation agent is manually installed, a ChangeAuditor Agents - <InstallationName> security group is created. User accounts must be added to this security group to properly authenticate.

Change Auditor for Windows File Servers

Change Auditor for Windows File Server agents may fail to provide origin information if remote users are already connected when the agent is initialized or started. Therefore, it is suggested that you restart the server as soon as possible after an agent installation or upgrade.

Change Auditor for Exchange

Agent deployment

High volume Exchange Servers. Agent processing of large Exchange auditing and protection configurations may slow down initial user login access or cause timeouts if many user logins are occurring at the same time. To avoid this issue, Quest recommends that the following actions be performed during maintenance intervals or other periods of low user mailbox activity:
Change Auditor Exchange agent deployment
Change Auditor Exchange agent upgrade
Change Auditor Exchange Mailbox auditing or protection configuration changes

Before the system returns to a normal load, one user should log in to Outlook Web Access (OWA), Outlook, and Exchange Web Services (EWS, Outlook for Mac) clients. This triggers the Change Auditor agent to process Exchange Mailbox auditing and protection configuration changes when the fewest logins are occurring.

Exchange 2013/2016. Exchange 2013/2016 stores its configuration data in Active Directory, and installing Change Auditor agents on the domain controller captures all these change actions. However, Microsoft changed how they process configuration changes. Therefore, in order for Change Auditor for Exchange to retrieve the correct ‘who’ information for these Active Directory based events it now audits Windows PowerShell. So you can:
Deploy an agent to all Active Directory domain controllers in the forest. However, the ‘who’ value is missing (reported as the Exchange server computer account) from all the Exchange 2013/2016 Active Directory based events.
Depending on the Exchange version you are running, deploy an agent to Exchange servers as described below. This captures the correct ‘who’ value for many of the Exchange 2013/2016 Active Directory based events, but not all Exchange 2013/2016 events are being audited in this scenario.
Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 servers with the Mailbox role.
Recommended: Deploy an agent to all Active Directory domain controllers and to all required Exchange servers. However, duplicate events are generated for Exchange Active Directory events: one from the agent auditing attribute changes on a domain controller (contains no ‘who’ value) and one from the new agent auditing PowerShell on an Exchange server (contains the correct ‘who’ value).

To capture Exchange mailbox access events:
Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 Mailbox role servers.

Deploy agents to all Exchange Servers. When a Change Auditor 5.6 (or higher) agent is deployed on Exchange Server, it automatically enables the scripting extension in Active Directory. This is a forest-wide setting and applies to all Exchange servers in the Exchange organization. This extension requires that the ScriptingAgentConfig.xml file be present in the Exchange Server folder; otherwise, Exchange management tools display error messages each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is highly recommended that an agent be installed on all Exchange servers to ensure that all servers are using the same scripting agent.

* 
NOTE: If the scripting agent was not enabled on your Exchange servers before deploying agents, you should perform backups of your Exchange servers in accordance with your company’s disaster recovery plan once you have successfully deployed agents to all your Exchange servers.

If you need to restore your Exchange servers and they were NOT backed up after you deployed agents that enabled the scripting agent, you will need to disable the CmdletExtensionAgent BEFORE recovering your Exchange 2013/2016 servers.

If Change Auditor cannot be installed on all your Exchange servers, use the following procedure on all Exchange servers where an agent is not yet deployed:

1
Create an empty ScriptingAgentConfig.xml file under the following directory:
%ProgramFiles%\Microsoft\Exchange Server\V14\Bin\CmdletExtensionAgents\
Enter the following text into this ScriptingAgentConfig.xml file:
<?xml version="1.0" encoding="utf-8"?>
<Configuration version="1.0"/>
2
Save and close the file.

Exchange cluster node servers. When deploying or upgrading agents on Exchange cluster node servers, use the following recommended procedure:

1
Deploy or upgrade the agent on the passive Exchange cluster nodes.
2
Perform a scheduled fail-over on the active cluster nodes.
3
Then deploy or upgrade the agent on the newly passive cluster nodes.
If you find the need to deploy or upgrade an agent on an active cluster node, schedule the deployment during low-utilization periods. A visual check of the server utilization to ensure that utilization is below 20% should be sufficient.
Exchange 2003, 2007, and 2010 — Not supported

Exchange 2003, 2007, and 2010 are no longer supported. For supported versions, see the Change Auditor Release Notes.

SMTP authentications and alerts on Exchange

Exchange denies authentication to all well-known accounts, including ‘Administrator’. Use Hub Transport servers to allow SMTP email to go through. This references the setting for My Server Requires Authentication on the SMTP Configuration pane on the Coordinator Configuration page (Administration Tasks tab) in the Change Auditor client. It may also be necessary to configure more Transport settings (authentication and permissions) to allow email relay from the Change Auditor coordinator machine to receive SMTP alerts.

Microsoft Outlook 2000 and 2002 — Not supported

Change Auditor for Exchange does not support Microsoft Outlook 2000 or 2002.

Change Auditor Exchange Server monitoring and Outlook cached mode

For improved performance, Outlook offers an option to ‘cache’ requests to Exchange Server. This option is enabled by default when you configure an email account for Exchange Server. To disable this setting, select the Outlook Tools | Account Settings menu command, open the E-mail tab and click Change, and then clear the Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.

While Change Auditor Exchange monitoring events closely track user input in non-cached Outlook and Outlook Web Access clients, this is not the case with cached-mode Outlook.

User activity in cached-mode Outlook can provide complex results with Change Auditor Exchange monitoring; the timing and order of Exchange requests is not obvious or intuitive.

A few of the effects you will see when monitoring an Outlook cached connection to Exchange Server include:

Cached-mode Outlook frequently defers message copy, move and delete requests until seconds or even minutes later.
When opening cached-mode Outlook, several folders may be ‘opened’ at the same time. Outlook examines all folders with recent changes at startup.
When opening cached-mode Outlook or selecting a different mail folder, several message read events may occur at the same time. Outlook reads all new Inbox messages as they become available (independent of user activity) and then keeps local copies for reading.
When opening messages that have previously been read (or selecting messages with the preview pane enabled) you will not see a ‘message read’ event. Since cached-mode Outlook keeps local copies of the messages they never need to be read from the server again, even after closing and re-starting Outlook. The original read from the server does produce a ‘message read’ event.
When deleting messages (moving them to the Deleted Items folder), instead of ‘message deleted and moved to the Deleted Items folder’ events as in non-cached mode you will receive two events: ‘message created’ in the Deleted Items folder, and ‘message permanently deleted’ in the original folder. This is an accurate report of how cached-mode Outlook implements message deletions to the Deleted Items folder.
When permanently deleting messages (emptying the Deleted Items folder) you will see a ‘message read’ event as cached-mode Outlook obtains information from the message followed somewhat later by a ‘message permanently deleted’ event.
If the user closes cached-mode Outlook before it has a chance to synchronize permanently deleted items with the Exchange Server, it will do so the next time Outlook is started. Other clients viewing the mailbox will be able to access the ‘deleted’ items until cached-mode Outlook synchronizes with the server.

You will still receive all notifications of critical non-owner events from cached-mode Outlook clients, but the timing and sequence may not be obvious. Understanding the effect that cached-mode Outlook has on your Change Auditor Exchange monitoring will give you confidence that the results you are seeing are accurate.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen