Resolved issues
Known issues
|
Actions caused by the Search-Mailbox command are not audited by Change Auditor. |
|
|
Change Auditor agents are not compatible with Kaspersky Endpoint Security 11. |
|
|
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis –pz “Quest ChangeAuditor 5.5” |
|
|
Upgrade fails if your previous version installation name was longer than 22 characters. |
|
|
SQL Server tempdb. The SQL Server tempdb grows to accommodate Change Auditor queries, scheduled reports, and purge jobs. Quest recommends following Microsoft best practices regarding tempdb management, including allocating the tempdb and transaction logs on a separate drive from user database files. |
|
|
Conflict with McAfee HIPS and Change Auditor agent causing server reboots: McAfee 8.0 HIPS causes the system to become unresponsive with the ServicesHook.dll which caused the server to reboot every time the Change Auditor agent started. Exclude the services.exe and lsass.exe from HIPS protection. |
|
|
AD Protection wizard in the web client: The Web Client does not provide the right-click option from the Forest level to display Peer Domains within the AD Protection wizard. |
|
|
IRPStackSize issues: After an agent is upgraded on a domain controller, Quest recommends to reboot the domain controller before doing another upgrade. This removes an old ITAD driver from memory. As of Change Auditor 6.0, agents cannot be upgraded after two (2) upgrades have occurred without a reboot on domain controllers. This is to prevent the domain controller from becoming inaccessible. To identify this condition, the DC's system log shows EventID 2011: The server's configuration parameter “irpstacksize” is too small for the server to use a local device. Increase the value of this parameter. |
|
|
Running coordinator service with a service account: If you are running the coordinator service under a service account, you must move the ServicePrincipalName role holder in order for Kerberos authentication to function correctly. See the Change Auditor Installation Guide for detailed instructions. |
|
|
WHO by Group Membership: When setting up a search based on WHO is in a particular group, you must consider the time it takes for AD replication to occur and the time the Change Auditor coordinator needs to add that configuration to the coordinator. |
|
|
Coordinator configuration with limited SQL account: If this error is displayed, run the following SQL query: |
|
|
Web Client: Repeatedly switching back and forth between the grid and timeline view keeps increasing the timeline counts by the factor of the original displayed amount. |
|
|
Report Alerts: Report Alerting cannot be enabled through the web client. Workaround: Enable this feature within the Windows client. |
|
Custom Active Directory attribute auditing: If audit configurations where custom Active Directory attribute auditing are used, and a new Change Auditor database is created during installation or upgrade with the same installation name, data storage anomalies may occur. See the Upgrade and compatibility for more information. |
|
|
Central Access Policy in protected GPO: Due to the way Microsoft is storing the configuration settings for a Central Access Policy (Windows Server 2012), it appears that an unauthorized account can add or remove a Central Access Policy that is in a protected Group Policy container. You do not get an ‘Access is denied’ warning message explaining the change was not saved similar to what you get when attempting to access other group policy objects within the protected Group Policy container. However, unauthorized changes to the configuration settings for a Central Access Policy are NOT saved and generates a ‘Failed Group Policy Container Access (Change Auditor Protection)’ event within Change Auditor. |
|
Change Auditor for EMC supports single CIFS servers per data mover: The Change Auditor agent does not audit events from another CIFS server that is under the same data mover and has the same shares as the CIFS server used in the CA for EMC policy. |
|
|
Change Auditor for EMC is not compatible with EMC “CQM”: The Change Auditor for EMC agent does not support running concurrently with EMC Content Quota Management. To ensure that the EMC auditing is successful, disable EMC CQM. |
|
|
Client unable to connect to EMC devices after Putty default settings changed: The Change Auditor client uses SSH APIs to connect to EMC devices. Changing the “Default Settings” saved session in the Putty client prevents the Change Auditor client from connecting to the correct server. |
|
“Appointment created in shared mailbox’ event is not recorded when the appointment is auto-created. |
|
|
Service Accounts generating excessive Exchange Mailbox events: Bulk operations generated by third-party products that use MAPI transports to scan or modify Exchange mailboxes can cause system slowdowns if not excluded from auditing. Exchange internal requests are automatically excluded from monitoring, as are Blackberry Enterprise Server and similar MAPI synchronization services. |
|
|
OWA protection: If protection is enabled while a user already has an active OWA session on the newly protected mailbox, protection does not prevent the user from deleting the items in the active folder. New OWA sessions established after protection is enabled are properly protected. |
|
|
Missing Exchange event detail: Some Exchange Active Directory changes that are detected on domain controllers may be reported with missing information. To capture this detail, add the Domain Controllers group to the Exchange View-Only Administrators group. |
|
|
Exchange scripting extensions: When a Change Auditor agent is deployed on Exchange Server, it automatically enables the scripting extension in Active Directory. This is a forest-wide setting and applies to ALL Exchange servers in the Exchange organization. This extension requires that the ScriptingAgentConfig.xml file be present in the Exchange Server folder; otherwise, Exchange management tools display error messages each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is highly recommended that a Change Auditor agent be installed on ALL Exchange servers to ensure that all servers are using the same scripting agent. See these TechNet posts for more information regarding the Scripting Agent: |
|
|
Delayed events using Entourage and Exchange 2013: There is a known issue with Microsoft Exchange 2013 and Entourage EWS or Outlook 2011 for Mac where content conversion may fail, and connections are dropped by the server without any response to the client. Contact Microsoft for a fix. |
|
|
Exchange mailbox permission changes are reported as the System account: When a user is created prior to creation of the mailbox in Exchange Server, the MMC snap-in for Active Directory Users and Computers handles changes to the user attribute msExchMailboxSecurityDescriptor directly, and “Who” information is available. After the Exchange Server actually creates the mailbox, when the first Outlook or OWA client opens it, MMC Users and Computers delegates msExchMailboxSecurityDescriptor changes to another process from which no “Who” information is available. All mailbox permission changes after this point will be generated by the server’s Local System account. |
|
|
“Message Read by Owner/Non-Owner” events on mailbox moves: When moving user mailboxes from one message store to another in your Exchange environment, Quest recommends temporarily disabling the audit events for “Message Read by Owner/Non-Owner” in the Audit Event configurations to prevent generating large numbers of Message Read events during the move. Change Auditor is unable to differentiate those system events from normal user activity. |
|
|
Auditing of non-primary email addresses is not supported: The use of alternate email addresses throughout audited modules is not supported. |
|
Change Auditor for NetApp drops connection to FPolicy Server: If CIFS signing is enabled for communication between the filer and FPolicy server, the filer drops its connection to the FPolicy server with Data ONTAP 7.3.1. This happens when multiple requests are pending from the filer to the FPolicy server without getting a response for the requests sent. When the responses to the multiple requests arrive, the signing check fails due to a bug in ONTAP. Since the signing check fails, the filer turns off signing and tries to send the subsequent requests to which the server responds with an access denied error. Disable signing on the FPolicy server. See http://support.microsoft.com/kb/887429 for the steps to turn off signing on the FPolicy server. |
|
Manually enter the server or instance name when configuring your templates. |
|
|
SQL Data Level does not support auditing encrypted databases. |
|
|
Duplicate FluidFS File open events may be generated when editing files on audited FluidFS clusters. |
|
|
When you upgrade to version 6.9.5 or later, existing FluidFS auditing templates stop auditing. Workaround: Save the FluidFS auditing template and update the agent configuration. |
|
Integration password cannot begin with a supported special character (@ or $). |
System requirements
Change Auditor coordinator (Server-side component)
|
Quad core Intel Core i7 equivalent or better | |||||
| |||||
|
Installation platforms (x64) supported up to the following versions |
|||||
|
For the best performance, Quest strongly recommends:
In addition, the following software and configuration is required: | |||||