• Become a portal pro
• Download
• Print
• My Downloads ()

• Support
• Technical Documentation
• Change Auditor for Active Directory 7.0.4
• Change Auditor for Active Directory 7.0.4 - User Guide

Change Auditor for Active Directory 7.0.4 - User Guide

Table of Contents  

Change Auditor for Active Directory Overview

Introduction Deployment Requirements Client Components and Features

Custom Active Directory Searches and Reports

Introduction Run the All Active Directory Events report Run the All Group Policy Events report Create custom searches

Custom Active Directory Object Auditing

Introduction Active Directory Auditing page Custom Active Directory object auditing Active Directory Auditing wizard Active Directory event logging

Custom Active Directory Attribute Auditing

Introduction Active Directory Attribute Auditing page Custom Active Directory attribute auditing

Member of Group Auditing

Introduction Member of Group Auditing page Member of Group auditing list Member of Group Auditing wizard

ADAM (AD LDS) Auditing

Introduction ADAM (AD LDS) Auditing page Enable ADAM (AD LDS) auditing ADAM (AD LDS) Auditing wizard ADAM (AD LDS) event logging

Active Directory Protection

Introduction Active Directory object protection

Active Directory protection page Active Directory protection templates Active Directory Protection wizard

Group Policy Object protection

Group Policy protection page Group Policy protection templates Group Policy Protection wizard

ADAM (AD LDS) object protection

ADAM (AD LDS) protection page ADAM (AD LDS) protection templates

ADAM Protection Wizard Setting extra security on protected objects

Event Details Pane

• Viewing Topics 9 - 12 of 46

×

Create custom searches

The following scenarios explain how to use the What tab to create custom searches.

 

NOTE: You can use the other search properties tabs to define additional criteria: • Who - allows you to search for events generated by a specific user, computer or group • Where - allows you to search for events captured by a specific agent or within a specific domain or site • When - allows you to search for events that occurred within a specific date/time range • Origin - allows you to search for events that originated from a specific workstation or server

To search for changes to a specific Active Directory container:

1	Open the Searches page.

2	In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all users.

3	Click New to enable the Search Properties tabs across the bottom of the Searches page.

4	On the Info tab, enter a name and description for the search.

5	On the What tab, expand Add and select Subsystem | Active Directory.

NOTE: You can use Add with Events | Subsystem | Active Directory (instead of Add | Subsystem | Active Directory) to search for an entity that already has an event associated with it in the database.

6	On the Add Active Directory Container dialog, select one of the following options to define the scope of coverage:

•	All Active Directory Objects - select to include all objects. (Default when the Add tool bar button is used).

•	This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).

•	This Object and Child Objects Only - select to include the selected objects and its direct child objects.

•	This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).

•	Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.

NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.

7	By default, All Actions is selected meaning that all the activity associated with the object generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:

•	All Actions - select to include when any of the following actions occur (Default)

•	Add Attribute - select to include when an attribute is added

•	Delete Attribute - select to include when an attribute is deleted

•	Modify Attribute - select to include when an attribute is modified

•	Rename Object - select to include when an object is renamed

•	Add Object - select to include when an object is added

•	Delete Object - select to include when an object is deleted

•	Move Object - select to include when an object is moved

•	Other - select to include other types of activity against the selected object

8	By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used are included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:

•	All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)

•	SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology

•	Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption

•	Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used)

•	Port - select to identify a specific port used for communication

NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.

9	When a scope other than All Active Directory Objects is selected, the directory object picker is enabled allowing you to select the objects to include in the search definition.

Use either the Browse or Search page to search your environment to locate and select the Active Directory objects to include. Use the Options page to view or modify the search options to be used to retrieve directory objects.

You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names and optional values for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

NOTE: For optimal performance, do not include more than 1000 objects in your import file.

The import will fail and an error message will be displayed if any errors are detected with the column names or specified values.

NOTE: Column names and values must be separated with a comma.

NOTE: If an optional column name is not specified, then the default All is used for the value for each object. The default All is also used if the optional column is specified, but the value is empty. Mandatory Name values cannot be empty.

Columns	Description
Name (Required)	The name of the directory object to import. Name values must be specified in canonical name format. NOTE: The first column must be Name. NOTE: Wildcard characters are only supported for the Name values. Examples: Column: Name Values: • test.domain.ca/OU1/User1 • test.domain.ca/*/Group1 • test.domain.ca/OU1/*User*
Actions (Optional)	Possible values include: Add Attribute, Delete Attribute, Modify Attribute, Rename Object, Add Object, Delete Object, Move Object or Other. When specifying multiple values they must be separated by the Pipe character '|'. Examples: Columns: Name,Actions Values: • test.domain.ca/OU1/User1,Move Object|Modify Attribute • test.domain.ca/OU1/Group*,
Transports (Optional)	Possible values include SSL/TLS, Kerberos or Simple Bind. When specifying multiple values they must be separated by the Pipe character '|'. Examples: Columns: Name,Actions,Transports Values: • test.domain.ca/OU1/User1,Move Object|Modify Attribute,Kerberos • test.domain.ca/OU1/Group1,,Kerberos |SSL/TLS
Port (Optional)	The number of the required port. Examples: Columns: Name,Actions,Transports,Port Values: • test.domain.ca/OU1/*,Move Object|Modify Attribute,Kerberos,389 • test.domain.ca/OU1/Group1,Add Attribue,Kerberos, NOTE: When importing a file in the web client, the default value (All Ports) will be applied if port values are specified.

 

NOTE: Select the Exclude the Above Selection(s) check box to search for changes to all directory objects except those listed in the ‘what’ list.

NOTE: Select the Runtime Prompt check box on this dialog to prompt for a directory object every time the search is run.

10	Once you have added all the Active Directory objects to be included in the search, click OK to save your selection and close the dialog.

11	Once you have defined the search criteria, you can either save the search definition or run the search.

•	To save the search definition without running it, click Save.

•	To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the Active Directory objects specified on the What tab.

To construct an Active Directory object search using a wildcard expression:

1	Open the Searches page.

2	In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3	Click New to enable the Search Properties tabs across the bottom of the Searches page.

4	On the Info tab, enter a name and description for the search.

5	On the What tab, expand Add and select Subsystem | Active Directory.

6	On the Add Active Directory Container dialog, select the This Object scope.

7	By default, All Actions and All Transports are included. To change any of these settings, clear the corresponding check box and select the individual options.

8	Use the wildcard expression fields in the middle of the dialog to specify the expression to be used to search for Active Directory objects (Object Name column in Search Results grid).

•	Select the comparison operator to be used: Like or Not Like.

•	In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match.

Use the * wildcard character to match any string of zero or more characters. For example: LIKE *admin* will find Active Directory objects that contain ‘admin’ anywhere in their name.

•	Use Add to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.

9	After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.

10	Once you have defined the search criteria, you can either save the search definition or run the search.

•	To save the search definition without running it, click Save.

•	To save and run the search, click Run.

To search for changes to a specific Group Policy container:

1	Open the Searches page.

2	In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3	Click New to enable the Search Properties tabs across the bottom of the Searches page.

4	On the Info tab, enter a name and description for the search.

5	On the What tab, expand Add and select Subsystem | Group Policy.

NOTE: You can use Add with Events | Subsystem | Group Policy (instead of Add | Subsystem | Group Policy) to search for an entity that already has an event associated with it in the database.

6	On the Add Group Policy Container dialog, select one of the following options to define the scope of coverage:

•	All Objects - select to include all objects (Default)

•	This Object - select to include the selected object only

7	When the This Object scope option is selected, use either the Browse or Search page to search your environment to locate and select the Group Policy objects to include in the search. Use the Options page to view or modify the search options to be used to retrieve directory objects.

NOTE: On the Add Group Policy Container, the Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Name field. Simply click the Search button on this page to locate the Group Policy containers in your environment.

You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

NOTE: For optimal performance, do not include more than 1000 objects in your import file.

The import will fail and an error message will be displayed if any errors are detected.

Columns	Description
Name (Required)	The name of the directory object to import. Name values must be specified in canonical name format. Examples: Column: Name Values: • test.domain.ca/System/Policies/{D72618D2-1413-4352-8EC9-FA4A33CBE99C} • test.domain.ca/System/Policies/*

 

NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Group Policy Objects except those listed in the ‘what’ list.

NOTE: Select the Runtime Prompt check box on this dialog to prompt for a Group Policy Object every time the search is run.

8	Once you have added all the Group Policy Objects to be included in the search, click OK to save your selection and close the dialog.

9	Once you have defined the search criteria, you can either save the search definition or run the search.

•	To save the search definition without running it, click Save.

•	To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the Group Policy Objects specified on the What tab.

To construct a Group Policy object search using a wildcard expression:

1	Open the Searches page.

2	In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3	Click New to enable the Search Properties tabs across the bottom of the Searches page.

4	On the Info tab, enter a name and description for the search.

5	On the What tab, expand Add and select Subsystem | Group Policy.

6	On the Add Group Policy Container dialog, select the This Object scope.

7	By default, All Results will be included. To change this setting, clear the All Results check box and select the individual results to be included.

8	Use the wildcard expression fields in the middle of the dialog to specify the expression to be used to search for Group Policy objects (Object Name column in Search Results grid).

•	Select the comparison operator to be used: Like or Not Like.

•	In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match.

Use the * wildcard character to match any string of zero or more characters. For example: LIKE Default* will find Group Policy objects whose name begins with the word ‘Default’.

•	Use the Add button to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.

9	After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.

10	Once you have defined the search criteria, you can either save the search definition or run the search.

•	To save the search definition without running it, click Save.

•	To save and run the search, click Run.

To search for changes to a specific object class (classSchema object):

1	Open the Searches page.

2	In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3	Click New to enable the Search Properties tabs across the bottom of the Searches page.

4	On the Info tab, enter a name and description for the search.

5	On the What tab, expand Add and select Object Class.

NOTE: You can use Add with Events | Object Class (instead of Add | Object Class) to search for an entity that already has an event associated with it in the database.

6	On the Add Object Class dialog select an object class and click Add to add it to the list box located across the bottom of the dialog. Repeat this step to add additional object classes.

NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all object classes except those listed in the ‘what’ list.

NOTE: Select the Runtime Prompt check box on this dialog to prompt for an object class every time the search is run.

7	Once you have made your selections, click OK to save your selection and close the dialog.

8	Once you have defined the search criteria, you can either save the search definition or run the search.

•	To save the search definition without running it, click Save.

•	To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the object classes specified on the What tab.

To search for changes to a specific ADAM (AD LDS) container:

1	Open the Searches page.

2	In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3	Click New to enable the Search Properties tabs across the bottom of the Searches page.

4	On the Info tab, enter a name and description for the search.

5	On the What tab, expand Add and select Subsystem | ADAM (AD LDS).

NOTE: You can use Add with Events | Subsystem | ADAM (AD LDS) (instead of Add | Subsystem | ADAM (AD LDS)) to search for an entity that already has an event associated with it in the database.

6	On the Select the agent that hosts the ADAM/AD LDS instance dialog, use the Browse or Search page to locate and select the agent that hosts the ADAM (AD LDS) instance to be searched.

NOTE: The Explorer View is displayed by default; however, this display will not include member servers. Therefore, if you have installed ADAM (AD LDS) on a workgroup server, select the Grid View option at the top of the dialog to select from a list of workgroup servers.

7	If credentials are required, a Credentials Required dialog is displayed allowing you to enter the credentials to be used to access the selected instance.

8	On the Add ADAM (AD LDS) Container dialog, select one of the following options to define the scope of coverage:

•	All ADAM (AD LDS) Objects - select to include all objects. (Default when the Add tool bar button is used.)

•	This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).

•	This Object and Child Objects Only - select to include the selected objects and its direct child objects.

•	This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).

•	Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.

NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.

9	By default, All Actions is selected meaning that all of the activity associated with the object will generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:

•	All Actions - select to include when any of the following actions occur (Default)

•	Add Attribute - select to include when an attribute is added

•	Delete Attribute - select to include when an attribute is deleted

•	Modify Attribute - select to include when an attribute is modified

•	Rename Object - select to include when an object is renamed

•	Add Object - select to include when an object is added

•	Delete Object - select to include when an object is deleted

•	Move Object - select to include when an object is moved

•	Other - select to include other types of activity against the selected object

10	By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used will be included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:

•	All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)

•	SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology

•	Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption

NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.

•	Port - select to identify a specific port used for communication

11	When a scope other than All ADAM (AD LDS) Objects is selected, the directory object picker is activated allowing you to select the ADAM (AD LDS) containers to be included in the search definition.

Use either the Browse or Search page to search your environment to locate and select the ADAM (AD LDS) containers to be included. Use the Options page to view or modify the search options or ADAM instance to be used to retrieve directory objects.

Once you select a container to be included, click Add to add it to the list at the bottom of the dialog.

NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all ADAM (AD LDS) containers except those listed in the ‘what’ list.

NOTE: Select the Runtime Prompt check box on this dialog to prompt for an ADAM (AD LDS) container every time the search is run.

12	Once you have added all the ADAM (AD LDS) containers to be included in the search, click OK to save your selection and close the dialog.

13	Once you have defined the search criteria, you can either save the search definition or run the search.

•	To save the search definition without running it, click Save.

•	To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the ADAM containers specified on the What tab.

Custom Active Directory Object Auditing

•	Introduction

•	Active Directory Auditing page

•	Custom Active Directory object auditing

•	Active Directory event logging

•	Active Directory Auditing wizard

Introduction

By default, Change Auditor audits the Enterprise for all Active Directory events. To see a complete list of the Active Directory events that are audited by default, go to the Audit Events table (Administration Task->Auditing->Audit Events), and sort by license.

Using the Active Directory Auditing wizard, you can define additional custom object classes to be audited, as well as specify where you want to conduct the audit (for example, enterprise, or individual object).

 

Active Directory Auditing page

The Active Directory Auditing page is used to define additional Active Directory custom events that you want to audit. The page is displayed when you select Active Directory from the Auditing task list in the navigation pane of the Administration Tasks tab. Custom Active Directory events will contain the word ‘custom’ in their facility name, for example “Custom User Monitoring”. By default user, group and computer object classes are selected on this page.

 

NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.

NOTE: If you receive a message stating that the client is unable to acquire exclusive access to object monitoring, there is another user using the Active Directory Auditing page and therefore, all of the tool bar buttons will be deactivated preventing you from making any changes.

The Active Directory Auditing page contains an expandable view of the Active Directory objects selected for auditing. Initially, the list box will contain an entry for auditing all user, computer and group object classes in the entire enterprise.

To add an object to this list, use the Add tool bar button (or to add multiple objects, expand the Add tool bar button and select the Select Multiple Objects option). Once added, the following information will be displayed:

Object

Displays the distinguished name of object.

Status

Indicates whether the auditing for a selected object is enabled or disabled.

Scope

Displays the scope of coverage:

•

Forest

•

Object

•

One Level

•

SubTree

Object Class

This field is used for filtering data.

If the view is not already expanded, click the expansion box to the left of an object to expand the view to display the object classes and monitored attributed to be audited in the object.

Object Class

Displays the object class being audited (such as computer, user, and group.)

Monitored Attributes

Displays the number of schema attributes selected for auditing by Change Auditor for each object class listed.

 

NOTE: Attribute auditing is specified using the AD Attribute Auditing page.

•  Previous
• Viewing Topics 9 - 12 of 46
• Next 

Search this document Search all documents

×

 Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center