Change Auditor for Active Directory Queries 7.0.4 - User Guide

Configure AD Query Auditing

Introduction

Because the overhead of recording each Active Directory query read operation is likely to be high, you can optimize the process by summarizing similar operations from the same client, and only record the summary periodically. Quest highly recommends that you perform the following steps to optimize the Active Directory query auditing/reporting process to reduce the number of events being generated:

 

AD Query Auditing page

The AD Query Auditing page displays when you select AD Query from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can specify the Active Directory containers to include and exclude in Active Directory query auditing.

NOTE:  

Inclusion and exclusion rules

Only objects that are included (and not excluded) are monitored. For example:

AD Query Auditing page

The AD Query Auditing page contains an expandable view of Active Directory containers included and excluded from Active Directory query auditing.

Added containers display the following information:

2. Click Auditing.
3. Select AD Query (under the Forest heading in the Auditing task list) to open the AD Query Auditing page.
4. Click Add to open the AD Query Auditing wizard.
RootDSE - select this to include the RootDSE object.
This Object and All Child Objects - select this to specify the containers to include. (Selecting a container will also include any child objects.)
6. If the This Object and All Child Objects option is selected, use the Browse and Search pages to locate and select a directory object. Click Add to add the selected directory object to the inclusion list.
7. Click Finish to close the wizard and return to the AD Query Auditing page, where your selections will now be listed.

2. Click Auditing.
3. Select AD Query (under the Forest heading in the Auditing task list) to open the AD Query Auditing page.
4. Click Add to open the AD Query Auditing wizard.
RootDSE - select this option to exclude the RootDSE object. (Selecting this container will not exclude child objects.)
This Object and All Child Objects - select this option to specify the containers to exclude. (Selecting a container will also exclude any child objects.)
6. If the This Object and All Child Objects option is selected, use the Browse and Search pages to locate and select a directory object. Click Add to add the selected directory object to the exclusion list.
7. Click Finish to close the wizard and return to the AD Query Auditing page, where your selections will now be listed.

The disable feature allows you to temporarily stop including or excluding an individual container from Active Directory query auditing without having to remove it from the AD Query Auditing list.

Place your cursor in the Status cell for the container to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the container will change to ‘Disabled’.
2. To re-enable the exclusion or inclusion of the selected container, use the Enable option in either the Status cell or right-click menu.

2. Click Yes to confirm the deletion.
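
The rule stated above (only objects that are included and not excluded are monitored, child objects follow their container, and disabled entries are ignored) can be checked against a list of sensitive containers when reviewing audit coverage. The following is an added example, not Change Auditor code: the rule-record layout, the sample DNs and the treatment of RootDSE as the empty DN are assumptions made for illustration.

```python
# Added example: models the include/exclude rule described on this page.
# Rule records and DNs are constructed sample data, not product output.

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc or ch != ",":
            cur += ch
            esc = (ch == "\\") and not esc   # "\\" toggles, any other char clears
        else:
            rdns.append(cur.strip().lower())
            cur = ""
    rdns.append(cur.strip().lower())
    return [r for r in rdns if r]

def matches(rule, target):
    """True when the target (list of RDNs) falls within the rule's scope."""
    if rule["scope"] == "rootdse":           # RootDSE: the object itself only
        return target == []
    base = split_dn(rule["dn"])              # container and all child objects
    return 0 < len(base) <= len(target) and target[-len(base):] == base

def is_audited(dn, rules):
    """Included by an enabled entry and not excluded by an enabled entry."""
    target = split_dn(dn)
    active = [r for r in rules if r["status"] == "Enabled"]
    hit = lambda kind: any(matches(r, target) for r in active if r["type"] == kind)
    return hit("include") and not hit("exclude")

def coverage_gaps(dns, rules):
    """Return the DNs that fall outside the audited scope under this model."""
    return [d for d in dns if not is_audited(d, rules)]

RULES = [  # constructed sample entries
    {"type": "include", "scope": "rootdse", "dn": "", "status": "Enabled"},
    {"type": "include", "scope": "subtree", "dn": "DC=corp,DC=example", "status": "Enabled"},
    {"type": "exclude", "scope": "subtree", "dn": "OU=Kiosks,DC=corp,DC=example", "status": "Enabled"},
    {"type": "exclude", "scope": "subtree", "dn": "OU=Service Accounts,DC=corp,DC=example", "status": "Disabled"},
]
SENSITIVE = [  # constructed sample objects
    "CN=Alice,OU=Staff,DC=corp,DC=example",
    "cn=pc1, ou=kiosks, dc=CORP, dc=example",
    "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example",
]

if __name__ == "__main__":
    for dn in coverage_gaps(SENSITIVE, RULES):
        print("not audited:", dn)
```

In this model an exclusion always wins over an inclusion, so an excluded container removes its whole subtree from coverage until the entry is disabled or removed.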

AD Query Auditing wizard

The AD Query Auditing wizard is displayed when you click Add on the AD Query Auditing page. This wizard enables you to locate and select Active Directory containers to include and exclude from Active Directory query auditing.

Only objects that are included and not excluded are monitored. For example:

The following table provides a description of the fields and controls in the AD Query Auditing wizard.

RootDSE

Select this option to include the RootDSE container.

This Object and All Child Objects

Select this option to specify the containers to include. When this option is selected, use the Browse and Search page to locate and select a container.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the required containers. Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the required containers. Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Included Containers List

The containers selected for inclusion for Active Directory query auditing are displayed in the list box located across the bottom of this page. Use the buttons located above this list box to add and remove containers.

Add - Select a container in the Browse or Search page and click Add to add it to the list.
Remove - Select an entry in the list and then click Remove to remove it.

RootDSE

Select this option to exclude the RootDSE container.

This Object and All Child Objects

Select this option to specify the containers to exclude. When this option is selected, use the Browse and Search pages to locate and select a container.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the containers to exclude from Active Directory query auditing.

Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the containers to exclude from Active Directory query auditing.

Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Excluded Containers List

The containers selected for exclusion from Active Directory query auditing are displayed in the list box located across the bottom of this page. Use the buttons located above this list box to add and remove containers.

Add - Select a container in the Browse or Search page and click Add to add it to the list.
Remove - Select an entry in the list and then click Remove to remove it.

AD Query settings

From the Agent Configuration page on the Administration Tasks tab you can define how to optimize the Active Directory query auditing process, summarizing similar operations from the same client.

Use the AD Query tab at the top of the Configuration Setup dialog to define the settings for summarizing similar operations from the same client and recording only the summary in the Active Directory query event:

2. Click Configuration.
3. Select Agent in the Configuration task list to display the Agent Configuration page.
4. Click Configurations.
7. Once you have set these settings, click OK to save your selections, close the dialog and return to the Agent Configuration page.
8. On the Agent Configuration page, select the agents assigned to the selected agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.

 
