Chat now with support
Chat mit Support

Change Auditor for Active Directory 7.2 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

Active Roles Integration

Active Roles uses a proxy account (service account) to connect and change Active Directory objects and group policies. Change Auditor can deploy to an Active Roles server which signals it to retrieve and send the name of the user that was logged in to the Active Roles console to Change Auditor. This additional information is then displayed in the Change Auditor client for events initiated using Active Roles.

This section covers the following topics for Active Roles integrations:

Requirements

Refer to the Release Notes for the list of minimum system requirements.

Deploying Change Auditor/Active Roles integration scripts

For Active Roles to retrieve the name of the user that was logged in to the Active Roles console and forward this information to Change Auditor, you must first deploy the integration scripts to an Active Roles server.

https://support.quest.com/change-auditor/kb?k=119136

3
Expand Advanced Options and select one of the following options:
4
If you select the Deploy Scripts Only option, Change Auditor copies and runs the Active Roles integration PowerShell script on the Active Roles server which triggers Active Roles to retrieve the initiator information for all users and pass this information onto Change Auditor.
5
If you select the Deploy Scripts and Excluded Accounts option, the Select Active Directory Objects dialog is displayed. Use either the Browse or Search page to locate and select a user or computer to exclude. Change Auditor then deploys the integration script that signals Active Roles to retrieve the initiator information for all accounts except for those specified for exclusion.
6
Once successfully deployed, Success is displayed in the Deployment Results cell for the server.

Client components added to Change Auditor

After you have deployed the integration script, the initiator information retrieved from Active Roles can be viewed on the Search Results page in Change Auditor. Use the following to display additional information:

A Source field in the Event Details pane displays the name of the application from which the change event was generated (Change Auditor, Active Roles, or GPOADmin). For change events generated by Active Roles or GPOADmin, the name of the user account that initiated the change is displayed in parentheses.

NOTE: If the Source field displays ‘ActiveRoles’ (instead of ‘ActiveRoles Server’) you are not using the latest integration scripts. To take advantage of the additional events and initiator account information captured using the integration scripts, ensure that you are running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher).

A built-in report is available which retrieves events for all Active Directory changes, including events initiated by Active Roles or GPOADmin. The search definition for this report also includes the initiator information (Initiator UserName and EventSource columns) in the search results.

3
Locate the All Active Directory Events Including ActiveRoles/GPOAdmin Initiator search and select the search definition and click Run.

The Change Auditor database includes columns to record Active Roles and GPOADmin information. The columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can add the following information for all searches:

EventSource — for all events, the name of the application from which the event was generated (Change Auditor, Active Roles, or GPOADmin).
Initiator Mail — for all generated by Active Roles or GPOADmin, the email address of the user that initiated the change.
Initiator SID — for events generated by Active Roles or GPOADmin, the SID of the user that initiated the change.
Initiator UserName — for events generated by Active Roles or GPOADmin, the name of the user that initiated the change.
2
Locate the columns (EventSource, Initiator Mail, Initiator SID, or Initiator UserName) in the Unselected Columns table.

When using the Who tab to retrieve change events initiated by a specific user, changes initiated by Active Roles are not automatically included in the search. A check box is available on the Who tab which instructs Change Auditor to retrieve all change events initiated by the specified user, including those made through Active Roles and GPOADmin.

3
Click New to enable the Search Properties tabs.
4
On the Who tab, click Add to add an active user, computer, or group to the ‘who’ list.
6
After selecting one or more directory objects, click Select to save your selection and close the dialog.
7
Back on the Who tab, select the Include Event Source Initiator check box.
In addition, when the Include Event Source Initiator option is selected the Initiator UserName column is added to the Search Results grid for this search. For events initiated by Active Roles, this column contains the user account that was logged in to the Active Roles console.

Change Auditor/Active Roles integration email tags are available which can be added to the event details of alert email notifications. These new email tags are:

See the Change Auditor User Guide for more information about how to configure and enable email notifications and customize email content.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen