Chat now with support
Chat with Support

Change Auditor for Active Directory 7.0.4 - User Guide

Create custom searches

The following scenarios explain how to use the What tab to create custom searches.

Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
5
On the What tab, expand Add and select Subsystem | Active Directory.
NOTE: You can use Add with Events | Subsystem | Active Directory (instead of Add | Subsystem | Active Directory) to search for an entity that already has an event associated with it in the database.
All Active Directory Objects - select to include all objects. (Default when the Add tool bar button is used).
This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
7
By default, All Actions is selected meaning that all the activity associated with the object generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
8
By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used are included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used)
Port - select to identify a specific port used for communication
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
9
When a scope other than All Active Directory Objects is selected, the directory object picker is enabled allowing you to select the objects to include in the search definition.
You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names and optional values for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

Examples:

Column: Name

Values:

Actions (Optional)

Possible values include: Add Attribute, Delete Attribute, Modify Attribute, Rename Object, Add Object, Delete Object, Move Object or Other.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions

Values:

Possible values include SSL/TLS, Kerberos or Simple Bind.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions,Transports

Values:

The number of the required port.

Examples:

Columns: Name,Actions,Transports,Port

Values:

NOTE: Select the Exclude the Above Selection(s) check box to search for changes to all directory objects except those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a directory object every time the search is run.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
5
On the What tab, expand Add and select Subsystem | Active Directory.
7
By default, All Actions and All Transports are included. To change any of these settings, clear the corresponding check box and select the individual options.
Use the * wildcard character to match any string of zero or more characters. For example: LIKE *admin* will find Active Directory objects that contain ‘admin’ anywhere in their name.
Use Add to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
9
After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
5
On the What tab, expand Add and select Subsystem | Group Policy.
NOTE: You can use Add with Events | Subsystem | Group Policy (instead of Add | Subsystem | Group Policy) to search for an entity that already has an event associated with it in the database.
All Objects - select to include all objects (Default)
This Object - select to include the selected object only
7
When the This Object scope option is selected, use either the Browse or Search page to search your environment to locate and select the Group Policy objects to include in the search. Use the Options page to view or modify the search options to be used to retrieve directory objects.
NOTE: On the Add Group Policy Container, the Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Name field. Simply click the Search button on this page to locate the Group Policy containers in your environment.
You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

Examples:

Column: Name

Values:

NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Group Policy Objects except those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a Group Policy Object every time the search is run.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
5
On the What tab, expand Add and select Subsystem | Group Policy.
7
By default, All Results will be included. To change this setting, clear the All Results check box and select the individual results to be included.
Use the Add button to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
9
After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
5
On the What tab, expand Add and select Object Class.
NOTE: You can use Add with Events | Object Class (instead of Add | Object Class) to search for an entity that already has an event associated with it in the database.
6
On the Add Object Class dialog select an object class and click Add to add it to the list box located across the bottom of the dialog. Repeat this step to add additional object classes.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all object classes except those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an object class every time the search is run.
7
Once you have made your selections, click OK to save your selection and close the dialog.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
5
On the What tab, expand Add and select Subsystem | ADAM (AD LDS).
NOTE: You can use Add with Events | Subsystem | ADAM (AD LDS) (instead of Add | Subsystem | ADAM (AD LDS)) to search for an entity that already has an event associated with it in the database.
All ADAM (AD LDS) Objects - select to include all objects. (Default when the Add tool bar button is used.)
This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
9
By default, All Actions is selected meaning that all of the activity associated with the object will generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
10
By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used will be included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
Port - select to identify a specific port used for communication
11
When a scope other than All ADAM (AD LDS) Objects is selected, the directory object picker is activated allowing you to select the ADAM (AD LDS) containers to be included in the search definition.
Once you select a container to be included, click Add to add it to the list at the bottom of the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all ADAM (AD LDS) containers except those listed in the ‘what’ list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an ADAM (AD LDS) container every time the search is run.

Custom Active Directory Object Auditing

Introduction

By default, Change Auditor audits the Enterprise for all Active Directory events. To see a complete list of the Active Directory events that are audited by default, go to the Audit Events table (Administration Task->Auditing->Audit Events), and sort by license.

Using the Active Directory Auditing wizard, you can define additional custom object classes to be audited, as well as specify where you want to conduct the audit (for example, enterprise, or individual object).

 

Active Directory Auditing page

The Active Directory Auditing page is used to define additional Active Directory custom events that you want to audit. The page is displayed when you select Active Directory from the Auditing task list in the navigation pane of the Administration Tasks tab. Custom Active Directory events will contain the word ‘custom’ in their facility name, for example “Custom User Monitoring”. By default user, group and computer object classes are selected on this page.

The Active Directory Auditing page contains an expandable view of the Active Directory objects selected for auditing. Initially, the list box will contain an entry for auditing all user, computer and group object classes in the entire enterprise.

To add an object to this list, use the Add tool bar button (or to add multiple objects, expand the Add tool bar button and select the Select Multiple Objects option). Once added, the following information will be displayed:

Related Documents