Chatee ahora con Soporte
Chat con el soporte

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Quest GPOADmin Integration

Previous Next

Quest GPOADmin Integration

GPOADmin uses a proxy account (service account) to connect and change Active Directory objects and group policies. In past releases, Change Auditor for Active Directory only captured the service account name in the event details for changes initiated through GPOADmin. GPOADmin now integrates with Change Auditor for Active Directory and allows the name of the user who initiated the GPOADmin operation and comments to display in the Change Auditor for Active Directory client.

* 
NOTE: GPOADmin only sends initiator and comment information to Change Auditor for Active Directory for the following operations:
GPO deployment
Working copy check-in
Working copy check-out

This appendix covers the following topics for GPOADmin integrations:
Requirements
GPOADmin and Change Auditor integration process
Client components added to Change Auditor for Active Directory
Troubleshooting tips

Requirements

Previous Next

Requirements

Refer to the Release Notes for the list of minimum system requirements.

GPOADmin and Change Auditor integration process

Previous Next

GPOADmin and Change Auditor integration process

Some GPOADmin events recorded by Change Auditor have the initiator name in the event. The initiator is the name of the account logged in to the GPOADmin client performing actions in GPOADmin. However, the initiator name is not always populated due to how the GPO is processed in Active Directory.

The following is a high-level overview of typical Change Auditor events recorded when modifying a GPO using GPOADmin:

1
A user logged in to GPOADmin to modify a GPO setting.

Change Auditor records the following events:

An event for the creation of a new GPO (the working copy GPO). The “who” in the event shows the GPOADmin service account and the initiator and the name of the user who was logged in to GPOADmin.

A rename event for the new GPO.

A permission change for the new GPO, granting the user logged in to GPOADmin rights to the working copy GPO.

Modification events performed on the working copy GPO. The who of these events show the user logged in to GPOADmin and the initiator blank as the initiator and the who are the same.

2
Once the GPO is checked in, there are number of events recorded with the “who” being the GPOADmin service account and the initiator blank. This is because importing the settings from the working copy to the live copy is performed in Sysvol, outside of GPOADmin. It is the same processes that are performed if the GPO was edited in GPMC. GPOADmin has no knowledge of what is being performed with these Active Directory operations and cannot communicate to Change Auditor who the initiator is as they happened outside of all the GPOADmin processes.
3
Approval is requested in GPOADmin. The approver approves and deploys the GPO.

This generates Change Auditor events where the “who” is the GPOADmin service account and the initiator is the name of the approver.

Events where the initiator is the name of the approver and the action logged was that the version of the GPO attribute was changed, are the events that show when the GPO was deployed and who performed the deployment.

4
GPOADmin provides the initiator name to Change Auditor using Change Auditor APIs.

You will see a considerable amount Change Auditor GPO events generated when performing actions in GPOADmin. This is due to how GPOADmin processes GPOs and how they are deployed to the live environment.

 

* 
NOTE: Enabling GPO protection in Change Auditor will prevent modifications to workflow disabled GPOs in GPOADmin.

Client components added to Change Auditor for Active Directory

Previous Next

Client components added to Change Auditor for Active Directory

You can view initiator information retrieved from GPOADmin on the Search Results page in the Change Auditor for Active Directory client. You can use the following to display this additional information:
A field on the Event Details pane that displays the additional information retrieved from GPOADmin.
A built-in report that retrieves all Active Directory changes, including those initiated by GPOADmin. Running this report also displays the Initiator UserName and EventSource columns in the search results.
Columns on the Layout tab that allow you to add the event source and initiator information to other search definitions.
Option on the Who tab that allows you to create a custom search to search for events initiated by a specific user, including those initiated by GPOADmin.
Email tags to include the additional information in alert email notifications.

Event Details pane

A Source field is available in the Event Details pane that displays the name of the application from which the change event was generated (such as, Change Auditor for Active Directory, Active Roles, or GPOADmin). In addition, for change events generated by GPOADmin or Active Roles, the name of the user account that initiated the change is displayed in parenthesis.

All Active Directory events including Active Roles/GPOADmin initiator built-in report

A built-in report is available that retrieves events for all Active Directory changes, including those initiated by GPOADmin and Active Roles. The search definition for this report also includes the initiator information (Initiator UserName and EventSource columns) in the search results.

To execute the built-in GPOADmin search:
1
Open the Searches page.
2
Expand and select the Shared | Built-in | All Events folder to display the built-in searches available.
3
Locate the All Active Directory Events Including ActiveRoles/GPOADmin Initiator search and use one of the following methods to run the selected search:
Double-click a search definition
Right-click a search definition and select Run
Select the search definition and click Run

A new Search Results page appears populated with the audited events that met the search criteria, including the Initiator UserName and EventSource information.

Layout tab

Columns are added to the database to record the information retrieved from GPOADmin or Active Roles. These columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can add the following information to all searches:
EventSource - for all events, the name of the application from which the event was generated (i.e., Change Auditor for Active Directory, Active Roles, or GPOADmin).
Initiator Mail - for events generated by GPOADmin or Active Roles, the email address of the user that initiated the change.
Initiator SID - for events generated by GPOADmin or Active Roles, the SID of the user that initiated the change.
Initiator UserName - for events generated by GPOADmin or Active Roles, the name of the user that initiated the change.
To add new columns to the search results:
1
Open the Layout tab.
2
Locate the new columns (EventSource, Initiator Mail, Initiator SID, and/or Initiator UserName) in the Unselected Columns table.
3
Select the columns to add and use the right arrow button to move them to the Selected Columns table.

The column will be added to the bottom of the list or beneath the highlighted column in the Selected Columns table.

You can also drag a column to the Selected Columns table.

4
The Selected Columns table also displays the order the columns will be presented. To rearrange the columns, use the up and down arrow buttons located to the right of the Selected Columns table.

You can also drag columns within this table to define the order.

Who tab

When using the Who tab to retrieve change events initiated by a specific user, changes initiated by GPOADmin will not automatically be included in the search. A check is available in the Who tab which instructs Change Auditor for Active Directory to retrieve all change events initiated by the specified user, including those made through GPOADmin.

To include GPOADmin initiated events:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search (e.g., Shared or Private).
3
Click New to enable the Search Properties tabs.
4
On the Who tab, click Add to add an active user, computer or group to the ‘who’ list.
5
On the Select one or more Directory Objects dialog, use either the Browse or Search page to search your environment to locate the user, computer or group to be included.

Once you have located the directory object to be included, select it and click Add.

Repeat this step to include each additional directory object.

6
After selecting one or more directory objects, click Select to save your selection and close the dialog.
7
Back on the Who tab, select the Include Event Source Initiator check box.
* 
NOTE: Including the event source initiator, may have a noticeable effect on the search performance, depending on the size of the database and the number of results returned in the search.

When this search is run, Change Auditor for Active Directory retrieves all events made by the specified user account, including those initiated by GPOADmin.

In addition, when this check box is selected the Initiator UserName column is added to the Search Results grid for this search. For events initiated by GPOADmin, this column contains the user account that was logged into the GPOADmin console.

Email tags

The following email tags are available which can be added to the event details of alert email notifications:
%EVENTSOURCE% - indicates the application where the change event came from: Change Auditor for Active Directory, Active Roles, or GPOADmin.
%INITIATORMAIL% - for events generated by GPOADmin or Active Roles, the email address of the user that initiated the event.
%INITIATORSID% - for events generated by GPOADmin or Active Roles, the SID of the user that initiated the event.
%INITIATORUSERNAME% - for events generated by GPOADmin or Active Roles, the name of the user that initiated the event.

See the Change Auditor User Guide for more information on how to configure and enable email notifications and customize email content.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación