지금 지원 담당자와 채팅
지원 담당자와 채팅

Change Auditor for Active Directory 7.2 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

Create custom searches

The following scenarios explain how to use the What tab to create custom searches.

 
* 
NOTE: You can use the other search properties tabs to define additional criteria:
Who - allows you to search for events generated by a specific user, computer or group
Where - allows you to search for events captured by a specific agent or within a specific domain or site
When - allows you to search for events that occurred within a specific date/time range
Origin - allows you to search for events that originated from a specific workstation or server
To search for changes to a specific Active Directory container:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Active Directory.
* 
NOTE: You can use Add with Events | Subsystem | Active Directory (instead of Add | Subsystem | Active Directory) to search for an entity that already has an event associated with it in the database.
6
On the Add Active Directory Container dialog, select one of the following options to define the scope of coverage:
All Active Directory Objects - select to include all objects. (Default when the Add tool bar button is used).
This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
* 
NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.
7
By default, All Actions is selected meaning that all the activity associated with the object generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
8
By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used are included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used)
Port - select to identify a specific port used for communication
* 
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
9
When a scope other than All Active Directory Objects is selected, the directory object picker is enabled allowing you to select the objects to include in the search definition.
Use either the Browse or Search page to search your environment to locate and select the Active Directory objects to include. Use the Options page to view or modify the search options to be used to retrieve directory objects.
If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.
You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names and optional values for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.
* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.
The import will fail and an error message will be displayed if any errors are detected with the column names or specified values.
* 
NOTE: Column names and values must be separated with a comma.
* 
NOTE: If an optional column name is not specified, then the default All is used for the value for each object. The default All is also used if the optional column is specified, but the value is empty. Mandatory Name values cannot be empty.
Columns
Description

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

NOTE: The first column must be Name.
NOTE: Wildcard characters are only supported for the Name values.

Examples:

Column: Name

Values:

test.domain.ca/OU1/User1
test.domain.ca/*/Group1
test.domain.ca/OU1/*User*

Actions (Optional)

Possible values include: Add Attribute, Delete Attribute, Modify Attribute, Rename Object, Add Object, Delete Object, Move Object or Other.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions

Values:

test.domain.ca/OU1/User1,Move Object|Modify Attribute
test.domain.ca/OU1/Group*,
Transports (Optional)

Possible values include SSL/TLS, Kerberos or Simple Bind.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions,Transports

Values:

test.domain.ca/OU1/User1,Move Object|Modify Attribute,Kerberos
test.domain.ca/OU1/Group1,,Kerberos |SSL/TLS
Port (Optional)

The number of the required port.

Examples:

Columns: Name,Actions,Transports,Port

Values:

test.domain.ca/OU1/*,Move Object|Modify Attribute,Kerberos,389
test.domain.ca/OU1/Group1,Add Attribue,Kerberos,
NOTE: When importing a file in the web client, the default value (All Ports) will be applied if port values are specified.
 
* 
NOTE: Select the Exclude the Above Selection(s) check box to search for changes to all directory objects except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a directory object every time the search is run.
10
Once you have added all the Active Directory objects to be included in the search, click OK to save your selection and close the dialog.
11
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
When this search is run, Change Auditor searches for changes to the Active Directory objects specified on the What tab.
To construct an Active Directory object search using a wildcard expression:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Active Directory.
6
On the Add Active Directory Container dialog, select the This Object scope.
If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.
7
By default, All Actions and All Transports are included. To change any of these settings, clear the corresponding check box and select the individual options.
8
Use the wildcard expression fields in the middle of the dialog to specify the expression to be used to search for Active Directory objects (Object Name column in Search Results grid).
Select the comparison operator to be used: Like or Not Like.
In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match.
Use the * wildcard character to match any string of zero or more characters. For example: LIKE *admin* will find Active Directory objects that contain ‘admin’ anywhere in their name.
Use Add to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
9
After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
To search for changes to a specific Group Policy container:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Group Policy.
* 
NOTE: You can use Add with Events | Subsystem | Group Policy (instead of Add | Subsystem | Group Policy) to search for an entity that already has an event associated with it in the database.
6
On the Add Group Policy Container dialog, select one of the following options to define the scope of coverage:
All Objects - select to include all objects (Default)
This Object - select to include the selected object only
7
When the This Object scope option is selected, use either the Browse or Search page to search your environment to locate and select the Group Policy objects to include in the search.
If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.
8
Use the Options page to view or modify the search options to be used to retrieve directory objects.
* 
NOTE: On the Add Group Policy Container, the Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Canonical Name field. Simply click the Search button on this page to locate the Group Policy containers in your environment.
You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.
* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.
The import will fail and an error message will be displayed if any errors are detected.
Columns
Description

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

Examples:

Column: Name

Values:

test.domain.ca/System/Policies/{D72618D2-1413-4352-8EC9-FA4A33CBE99C}
test.domain.ca/System/Policies/*
 
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Group Policy Objects except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a Group Policy Object every time the search is run.
9
Once you have added all the Group Policy Objects to be included in the search, click OK to save your selection and close the dialog.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
When this search is run, Change Auditor searches for changes to the Group Policy Objects specified on the What tab.
To construct a Group Policy object search using a wildcard expression:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Group Policy.
6
On the Add Group Policy Container dialog, select the This Object scope.
If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.
7
By default, All Results will be included. To change this setting, clear the All Results check box and select the individual results to be included.
8
Use the wildcard expression fields in the middle of the dialog to specify the expression to be used to search for Group Policy objects (Object and Canonical Name columns in Search Results grid).
Select the comparison operator to be used: Like or Not Like.
In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match.
Use the * wildcard character to match any string of zero or more characters. For example: LIKE Default* will find Group Policy objects whose name begins with the word ‘Default’.
Use the Add button to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
9
After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
To search for changes to a specific object class (classSchema object):
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Object Class.
* 
NOTE: You can use Add with Events | Object Class (instead of Add | Object Class) to search for an entity that already has an event associated with it in the database.
6
On the Add Object Class dialog select an object class and click Add to add it to the list box located across the bottom of the dialog. Repeat this step to add additional object classes.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all object classes except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an object class every time the search is run.
7
Once you have made your selections, click OK to save your selection and close the dialog.
8
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
When this search is run, Change Auditor searches for changes to the object classes specified on the What tab.
To search for changes to a specific ADAM (AD LDS) container:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | ADAM (AD LDS).
* 
NOTE: You can use Add with Events | Subsystem | ADAM (AD LDS) (instead of Add | Subsystem | ADAM (AD LDS)) to search for an entity that already has an event associated with it in the database.
6
On the Select the agent that hosts the ADAM/AD LDS instance dialog, use the Browse or Search page to locate and select the agent that hosts the ADAM (AD LDS) instance to be searched.
* 
NOTE: The Explorer View is displayed by default; however, this display will not include member servers. Therefore, if you have installed ADAM (AD LDS) on a workgroup server, select the Grid View option at the top of the dialog to select from a list of workgroup servers.
If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forest credentials which can be entered on the Credentials Required dialog.
If credentials are required, a Credentials Required dialog is displayed allowing you to enter the credentials to be used to access the selected instance.
7
On the Add ADAM (AD LDS) Container dialog, select one of the following options to define the scope of coverage:
All ADAM (AD LDS) Objects - select to include all objects. (Default when the Add tool bar button is used.)
This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
* 
NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.
8
By default, All Actions is selected meaning that all of the activity associated with the object will generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
9
By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used will be included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
* 
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
Port - select to identify a specific port used for communication
10
When a scope other than All ADAM (AD LDS) Objects is selected, the directory object picker is activated allowing you to select the ADAM (AD LDS) containers to be included in the search definition.
Use either the Browse or Search page to search your environment to locate and select the ADAM (AD LDS) containers to be included.
If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.
Use the Options page to view or modify the search options or ADAM instance to be used to retrieve directory objects.
Once you select a container to be included, click Add to add it to the list at the bottom of the dialog.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all ADAM (AD LDS) containers except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an ADAM (AD LDS) container every time the search is run.
11
Once you have added all the ADAM (AD LDS) containers to be included in the search, click OK to save your selection and close the dialog.
12
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
When this search is run, Change Auditor searches for changes to the ADAM containers specified on the What tab.

Custom Active Directory Object Auditing
Introduction
Active Directory Auditing page
Custom Active Directory object auditing
Active Directory event logging
Active Directory Auditing wizard

Introduction

By default, Change Auditor audits the Enterprise for all Active Directory events. To see a complete list of the Active Directory events that are audited by default, go to the Audit Events table (Administration Task->Auditing->Audit Events), and sort by license.

Using the Active Directory Auditing wizard, you can define additional custom object classes to be audited, as well as specify where you want to conduct the audit (for example, enterprise, or individual object).

 

Active Directory Auditing page

The Active Directory Auditing page is used to define additional Active Directory custom events that you want to audit. The page is displayed when you select Active Directory from the Auditing task list in the navigation pane of the Administration Tasks tab. Custom Active Directory events will contain the word ‘custom’ in their facility name, for example “Custom User Monitoring”. By default user, group and computer object classes are selected on this page.

 
* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
* 
NOTE: If you receive a message stating that the client is unable to acquire exclusive access to object monitoring, there is another user using the Active Directory Auditing page and therefore, all of the tool bar buttons will be deactivated preventing you from making any changes.

The Active Directory Auditing page contains an expandable view of the Active Directory objects selected for auditing. Initially, the list box will contain an entry for auditing all user, computer and group object classes in the entire enterprise.

To add an object to this list, use the Add tool bar button (or to add multiple objects, expand the Add tool bar button and select the Select Multiple Objects option). Once added, the following information will be displayed:

Object
Displays the distinguished name of object.
Status
Indicates whether the auditing for a selected object is enabled or disabled.
Scope
Displays the scope of coverage:
Forest
Object
One Level
SubTree
Object Class
This field is used for filtering data.
If the view is not already expanded, click the expansion box to the left of an object to expand the view to display the object classes and monitored attributed to be audited in the object.
Object Class
Displays the object class being audited (such as computer, user, and group.)
Monitored Attributes
Displays the number of schema attributes selected for auditing by Change Auditor for each object class listed.
 
* 
NOTE: Attribute auditing is specified using the AD Attribute Auditing page.
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택