Change Auditor 7.1.1 - Web Client User Guide

ADAM (AD LDS) Auditing page

The ADAM (AD LDS) Auditing page is displayed when ADAM (AD LDS) is selected from the Auditing task list in the navigation pane of the Administration Tasks page. Use the ADAM (AD LDS) Auditing page to create a list of ADAM instances, directory objects or containers, and object classes to be audited.


	NOTE: For more information, including a full description of the page, refer to the Change Auditor for Active Directory User Guide.

To enable ADAM (AD LDS) auditing:

Open the Administration Tasks page.

Click Auditing.

Select ADAM (AD LDS) in the Auditing task list to open the ADAM (AD LDS) Auditing page.

Click Add to launch the ADAM (AD LDS) Auditing wizard.

Table 34. ADAM (AD LDS) Auditing Wizard

Page

Description

Procedure

ADAM (AD LDS) Instance

Select the ADAM (AD LDS) instance from which to choose audited objects and enter the credentials for a user with access to the instance.

Select an ADAM (AD LDS) instance from the list.

Enter the Domain\User Name and Password of a user who can access the selected ADAM (AD LDS) instance.

Click Test to verify the credentials.

Click Next.

NOTE: If you have multiple ADAM (AD LDS) instances with replicating application partitions, there is no need to configure an auditing template for each instance. Change Auditor will automatically send the auditing configuration to each machine that is hosting an instance. You must have an agent installed on each instance host.

Object Selection

Select where to conduct the audit.

See Directory object picker for a detailed description of this wizard page.

Select where to conduct the audit.

From the Browse or Search page, select the ADAM (AD LDS) object or container to be audited.

Click Next.

Object Classes

Select object classes to audit under the selected container.

NOTE: At least one object class must be selected for auditing.

Select one or more object classes in the Unaudited Object Class list (left pane)

Click Add to move it to the Audited Object Class list (right pane).

Click Finish to save your selections and close the wizard.

ADAM (AD LDS) Attribute Auditing page

The ADAM (AD LDS) Attribute Auditing page is displayed when ADAM (AD LDS) | Attributes is selected from the Auditing task list in the navigation pane of the Administration Tasks page. Using the ADAM (AD LDS) Attribute Auditing feature, you can specify the individual schema attributes to be audited for the selected object class(es). In addition to specifying individual attributes for auditing, you can also assign a severity.


	NOTE: For more information, including a full description of the page, refer to the Change Auditor for Active Directory User Guide.

To audit attributes for selected object classes:

Open the Administration Tasks page.

Click Auditing.

Select Attributes under ADAM (AD LDS) in the Auditing task list to open the AD Attribute Auditing page.

Select an object class from the list and click Edit.

The ADAM (AD LDS) Attributes Auditing wizard appears, which contains a list of the attributes available for the selected object class.

In the Unaudited Attribute list (left pane), select one or more attributes and click Add to select them for auditing.

To change the severity level assigned to an attribute, in the right pane, click in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected attribute.

To remove an attribute from auditing, select the attribute from the right pane and click Remove. Selecting this button moves the selected attribute back into the Unaudited Attribute list.

Click Finish to save the selected attributes, close the dialog and return to the ADAM (AD LDS) Attribute Auditing page.

Once you have selected at least one attribute for auditing, the associated Audited Attributes column will display the number of attributes selected for auditing. This value will also be displayed in the Audited Attributes column back on the ADAM (AD LDS) Auditing page.

Applications

The tasks under this heading are used to define auditing for different types of applications within your environment.

See the following administration task descriptions for more information:

•

Exchange Mailbox auditing

•

Office 365 and Azure Active Directory auditing

•

SQL auditing

•

VMware auditing

•

SharePoint auditing

Exchange Mailbox auditing

Exchange Mailbox auditing helps tighten enterprise-wide change and control policies by tracking user and administrator activity such as user account changes, delivery restriction changes, send on behalf updates, and more. With these types of real-time alerts and in-depth analysis and reporting capabilities, your Exchange infrastructure is always protected from exposure to suspicious behavior or unauthorized access and kept in compliance with corporate and government standards.


	NOTE: For more information, including important tips and a full description of the following page, refer to the Quest Change Auditor for Exchange User Guide.

To enable Exchange Mailbox auditing, you must first define whose (users or groups) mailbox activities are to be audited.

Define an Exchange Mailbox Auditing list that contains the directory objects whose mailbox activities you want to audit.

In Change Auditor, some of the Exchange Mailbox events are disabled by default due to the potentially high volume of events that can occur. If you want to capture audit events for any of these disabled events, you will need to enable them.


	IMPORTANT: When the Message read by non-owner event is enabled and a mailbox is moved from one mailbox store to another, Change Auditor generates an event for every email in the mailbox that is being moved. For example, if a user has 1,000 emails in their mailbox, you will receive 1,000 Message read by non-owner events in Change Auditor. To avoid generating these events, do not add the user account for the mailbox to be moved to the list on the Exchange Mailbox Auditing page on the Administration Tasks page.

Exchange Mailbox Auditing page

To enable Exchange mailbox auditing, you must first specify whose mailbox activities are to be audited. To create this mailbox list, use the Exchange Mailbox Auditing page, which is displayed when Exchange Mailbox is selected from the Auditing task list in the navigation pane of the Administration Tasks page.


	NOTE: The directory objects listed on this page only apply to the events contained in the Exchange Mailbox Monitoring and Exchange ActiveSync Monitoring facilities. This list does not apply to any of the other Exchange facilities.

To include an Exchange Mailbox in the auditing process:

Open the Administration Tasks page.

Click Auditing.

Select Exchange Mailbox (under the Applications heading in the Auditing task list) to open the Exchange Mailbox Auditing page.

Click Add to display the Exchange Auditing wizard.

Select one of the options at the top of the page: Enterprise or This Object (default).

If the This Object option is selected, use the Browse and Search pages to locate and select a directory object (i.e., User, Group, Container, DomainDNS, OrganizationalUnit, or BuiltinDomain) and use Add to add the selected directory object to the selection list at the bottom of the page.

Repeat this step to add additional directory objects to the Exchange Mailbox Auditing list.

Click Finish to close this wizard and return to the Exchange Mailbox Auditing page, where your selections will now be listed with a No in the Exclude cell.

By default, only Non-Owner events are selected for auditing.

For individual user mailboxes, you can change this to include ‘By Owner’ events as well. To do this, click in the Events cell and select the Owner, Non-Owner option from the list.


	NOTE: Selecting ‘By Owner’ auditing for many mailboxes can produce very large numbers of events. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. In extreme cases, Outlook connections may be slowed or dropped. Select owner auditing for at most only a small number of critical mailboxes.


	NOTE: ‘By Owner’ events are disabled by default. You will need to enable these events from the Audit Events page on the Administration Tasks page before Change Auditor will capture these events.


	NOTE: Auditing normal mailboxes where access permission is granted to many delegates (more than 10), can produce large numbers of non-owner events. This will adversely affect Change Auditor auditing and in severe cases, the performance of the Exchange Server itself. If these mailboxes need to be audited, add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance. See the Quest Change Auditor for Exchange User Guide for more information.

The default scope of coverage is displayed in the Scope cell. You can change this by clicking in the Scope cell and selecting the appropriate option from the list:

•

Object - to audit an individual object

•

One Level - to audit an object and its direct child objects

•

Subtree - to audit an object and all of its subordinate objects (all levels)

To exclude an Exchange Mailbox in the auditing process:

From the Exchange Mailbox Auditing page you can exclude a previously included mailbox by changing the setting in the Exclude cell.

From the Exchange Mailbox Auditing page you can exclude a previously included mailbox by changing the setting in the Exclude cell. Use one of the following methods:

•

Click in the Exclude cell of the mailbox to be included and select Yes.

•