Change Auditor for Active Directory Queries 7.0.2 - User Guide

Create custom AD Query search

The following scenario explains how to use the What tab to create custom AD query searches.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3. Click New.
5. Open the What tab, expand Add and select Subsystem | AD Query. This opens the Add Active Directory Container dialog.
All Active Directory Objects - select to search all objects.
This Object - select to search the selected objects only.
This Object and Child Objects Only - select to search the selected object and its direct child objects.
This Object and All Child Objects - select to search the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
7. When a scope other than All Active Directory Objects is selected, the directory object picker will be activated allowing you to select the objects to include in the search definition.
Filter - allows you to search for a filter string used in a query. This field uses the Like operator; therefore, you can enter a partial string of characters to have Change Auditor return any queries that use a filter string that contains the characters entered.
Attributes - allows you to search for attributes that are being queried. This field uses the Like operator; therefore, you can enter a partial string of characters to have Change Auditor return any queries that query attributes that contain the characters entered.
Results >= - allows you to search for queries that have returned a specific number of results. Enter (or use the arrow controls to specify) the number of results to be included in the search definition and Change Auditor will display the queries that have returned results equal to or greater than the number entered.
Elapsed (ms) >= - allows you to search for queries that take a certain amount of time to complete. Enter (or use the arrow controls to specify) the number of milliseconds to be included in the search definition and Change Auditor will display the queries that took the specified number of milliseconds or longer to run.
Transports - allows you to specify the type of transport protocols used to secure LDAP operation or LDAP queries. To include a specific transport, clear the All Transports check box.
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos - select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL/TLS nor Kerberos used)
Port - select to identify a specific port used for communication
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
9
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Active Directory containers EXCEPT those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an Active Directory container every time the search is run.
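
The search criteria above, modeled over a handful of constructed AD Query events. This is an added example, not Quest code or a Change Auditor API; the record layout, the names Criteria, matches and search, and the case-insensitive reading of the Like operator are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed AD Query events. Keys mirror the event details fields (Filter,
# Attributes, Results, Elapsed, Port); this layout is an assumption, not a
# Change Auditor export format.
EVENTS = [
    {"id": 1, "filter": "(objectClass=user)", "attributes": "sAMAccountName",
     "results": 42, "elapsed_ms": 310, "transports": {"Kerberos"}, "port": 389},
    {"id": 2, "filter": "(objectClass=*)", "attributes": "*",
     "results": 5120, "elapsed_ms": 2400, "transports": {"Simple Bind"}, "port": 389},
    {"id": 3, "filter": "(objectCategory=computer)", "attributes": "dNSHostName",
     "results": 17, "elapsed_ms": 0, "transports": {"SSL/TLS", "Kerberos"}, "port": 636},
    {"id": 4, "filter": "(sAMAccountName=jdoe)", "attributes": "mail",
     "results": 1, "elapsed_ms": 2, "transports": {"SSL/TLS"}, "port": 636},
]

@dataclass(frozen=True)
class Criteria:
    filter_like: str = ""          # Filter field
    attributes_like: str = ""      # Attributes field
    min_results: int = 0           # Results >=
    min_elapsed_ms: int = 0        # Elapsed (ms) >=
    transports: Optional[FrozenSet[str]] = None  # None = All Transports checked
    port: Optional[int] = None     # Port

def like(needle: str, value: str) -> bool:
    # "Like" as described on the page: a partial string matches when the
    # value contains it. Case-insensitivity is an assumption.
    return needle.lower() in value.lower()

def matches(ev: dict, c: Criteria) -> bool:
    if not like(c.filter_like, ev["filter"]):
        return False
    if not like(c.attributes_like, ev["attributes"]):
        return False
    if ev["results"] < c.min_results or ev["elapsed_ms"] < c.min_elapsed_ms:
        return False
    # Per the NOTE: with All Transports cleared, every selected transport
    # must be present on the query (SSL/TLS + Kerberos means both).
    if c.transports is not None and not c.transports <= ev["transports"]:
        return False
    return c.port is None or ev["port"] == c.port

def search(events, c: Criteria):
    return [ev["id"] for ev in events if matches(ev, c)]
```

Combining Simple Bind with a Results >= threshold isolates large queries made without SSL/TLS or Kerberos, which is usually the first search worth saving to the Shared folder.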
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3. Click the New tool bar button at the top of the Searches page (or right-click a folder and select the New | New Search menu command).
5. Open the What tab, expand Add with Events and select Subsystem | AD Query.
6. On the Add Active Directory Container dialog, select an object from the list and click the Add button to add it to the selection list at the bottom of the page.
7. Click OK to save your selection and close the dialog.

AD Query Event Details

This section provides a description of the ‘What’ details that are provided on the Events Details pane for an AD Query event.

AD Query Performed

Created when an AD query is performed on a container.

Low

What - Shows the container that was queried. For example, on LDAP bind operations, this displays the name (DN) being bound to; on LDAP search operations, this displays the baseObject of the search; and on LDAP compare operations, this displays the entry (DN) of the object being compared.
Subsystem - Displays ‘AD Query’
Action - Displays ‘Other’
Facility - Displays ‘AD Query’
Type - Displays the type of query:
Scope - Displays the scope of coverage:
Results - Displays the number of results returned as a result of the query.
Authentication - Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.
Port - Indicates the port used for authentication.
Occurrences - Displays the number of times the query occurred during the specified interval.
Since - Displays the date and time when the query was first initiated.
Elapsed - Displays how long the query took to run. Zero (0) indicates that it took less than a millisecond to complete.
Kerberos - Indicates whether the LDAP operation or AD query is signed using Kerberos-based encryption.
Filter - Displays the filter string used in the query.
Attributes - Displays the attributes that were queried.
