User account performing the coordinator installation:
The user account performing the installation, must be a member of the Domain Admins group in the domain where the coordinator is being installed.
Service account running the coordinator service (LocalSystem by default):
To do so, open a command prompt on a Domain Controller and perform the following:
SQL Server database access account specified during installation:
An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
• |
Must be assigned the db_owner role on the Change Auditor database |
• |
Must be assigned the SQL Server role of dbcreator |
The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation.
If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.
Before installing or upgrading the coordinators or server agents, Quest recommends to close all Event Log Viewers. If a user has an Event Viewer open and opens a Change Auditor event log to load and display a message, the Windows EventLog locks the event message DLL which can cause the Windows Installer Restart Manager to restart dependent services.
Quest recommends installing the Change Auditor components in the following order:
• |
NOTE: During the coordinator installation, you can add the current user to the ChangeAuditor Administrators security group. If you selected not to add the current user during the installation process or want to add additional user accounts to the Change Auditor security groups, you need to add them prior to launching the Change Auditor client. Quest also recommends that you then add these security groups to the appropriate SQL database role (i.e., ChangeAuditor Administrators - <InstallationName> group to the ChangeAuditor_Administrators role and ChangeAuditor Operators - <InstallationName> group to the ChangeAuditor_Operators role). See Add Users to Change Auditor Security Groups in the Change Auditor Installation Guide. |
• |
Agents - Start the client to deploy agents to your domain controllers and member servers. Also, if you have the Change Auditor for Logon Activity Workstation auditing module licensed, deploy agents to the domain workstations to be monitored for logon activity. |
• |
Web-based client — Optionally, install the web client on the IIS web server to allow users access to Change Auditor data through a standard or mobile browser. See the Change Auditor Web Client User Guide for information about installing and using the web client. |
• |
ChangeAuditor Administrators — <InstallationName> Group — provides access to all aspects of Change Auditor and to roll out Change Auditor agents. |
• |
ChangeAuditor Operators — <InstallationName> Group — provides access to Change Auditor except for making configuration changes. |
• |
ChangeAuditor Web Shared Overview Users — <InstallationName> Group — provides access to the Change Auditor web client shared overviews, while restricting access to only what has been shared. See the Change Auditor Web Client User Guide for more information about sharing overviews. |
Where <InstallationName> is a unique name selected during the coordinator installation to isolate your components from any other Change Auditor installation in your Active Directory forest.
See Add Users to Change Auditor Security Groups for more detailed information about the security groups that are created when the coordinator is installed.
NOTE: When the first foreign workstation agent is manually installed, a ChangeAuditor Agents - <InstallationName> security group is created. User accounts must be added to this security group to properly authenticate. |
High volume Exchange Servers. Agent processing of large Exchange auditing and protection configurations may slow down initial user login access or cause timeouts if many user logins are occurring at the same time. To avoid this issue, Quest recommends that the following actions be performed during maintenance intervals or other periods of low user mailbox activity:
Exchange 2013/2016. Exchange 2013/2016 stores its configuration data in Active Directory, and installing Change Auditor agents on the domain controller captures all these change actions. However, Microsoft changed how they process configuration changes. Therefore, in order for Change Auditor for Exchange to retrieve the correct ‘who’ information for these Active Directory based events it now audits Windows PowerShell. So you can:
• |
Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 servers with the Mailbox role. |
• |
Recommended: Deploy an agent to all Active Directory domain controllers and to all required Exchange servers. However, duplicate events are generated for Exchange Active Directory events: one from the agent auditing attribute changes on a domain controller (contains no ‘who’ value) and one from the new agent auditing PowerShell on an Exchange server (contains the correct ‘who’ value). |
To capture Exchange mailbox access events:
• |
Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 Mailbox role servers. |
Deploy agents to all Exchange Servers. When a Change Auditor 5.6 (or higher) agent is deployed on Exchange Server, it automatically enables the scripting extension in Active Directory. This is a forest-wide setting and applies to all Exchange servers in the Exchange organization. This extension requires that the ScriptingAgentConfig.xml file be present in the Exchange Server folder; otherwise, Exchange management tools display error messages each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is highly recommended that an agent be installed on all Exchange servers to ensure that all servers are using the same scripting agent.
Exchange cluster node servers. When deploying or upgrading agents on Exchange cluster node servers, use the following recommended procedure:
Exchange denies authentication to all well-known accounts, including ‘Administrator’. Use Hub Transport servers to allow SMTP email to go through. This references the setting for My Server Requires Authentication on the SMTP Configuration pane on the Coordinator Configuration page (Administration Tasks tab) in the Change Auditor client. It may also be necessary to configure more Transport settings (authentication and permissions) to allow email relay from the Change Auditor coordinator machine to receive SMTP alerts.
Change Auditor for Exchange does not support Microsoft Outlook 2000 or 2002.
For improved performance, Outlook offers an option to ‘cache’ requests to Exchange Server. This option is enabled by default when you configure an email account for Exchange Server. To disable this setting, select the Outlook Tools | Account Settings menu command, open the E-mail tab and click Change, and then clear the Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.
© ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center