Chat now with support
Chat with Support

Change Auditor 7.0.3 - Installation Guide

Installation Overview Install Change Auditor Add Users to Change Auditor Security Groups Connecting to the Clients Deploy Change Auditor Agents Upgrade Change Auditor Installation Notes and Best Practices Multi-Forest Deployments Workstation Agent Deployment Agent Comparison Install an agent to audit ADAM (AD LDS) on workgroup servers Active Roles Integration Quest GPOADmin Integration Windows Installer Command Line Options

Client components added to Change Auditor

You can view initiator information retrieved from GPOADmin on the Search Results page in the Change Auditor client. You can use the following to display this additional information:

A Source field is available in the Event Details pane that displays the name of the application from which the change event was generated (such as, Change Auditor, Active Roles, or GPOADmin). In addition, for change events generated by GPOADmin or Active Roles, the name of the user account that initiated the change is displayed in parenthesis.

A built-in report is available that retrieves events for all Active Directory changes, including those initiated by GPOADmin and Active Roles. The search definition for this report also includes the initiator information (Initiator UserName and EventSource columns) in the search results.

Expand and select the Shared | Built-in | All Events folder to display the built-in searches available.
Locate the All Active Directory Events Including ActiveRoles/GPOADmin Initiator search and use one of the following methods to run the selected search:

Columns are added to the database to record the information retrieved from GPOADmin or Active Roles. These columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can add the following information to all searches:

EventSource - for all events, the name of the application from which the event was generated (i.e., Change Auditor, Active Roles, or GPOADmin).
Initiator Mail - for events generated by GPOADmin or Active Roles, the email address of the user that initiated the change.
Initiator SID - for events generated by GPOADmin or Active Roles, the SID of the user that initiated the change.
Initiator UserName - for events generated by GPOADmin or Active Roles, the name of the user that initiated the change.
Locate the new columns (EventSource, Initiator Mail, Initiator SID, and/or Initiator UserName) in the Unselected Columns table.

When using the Who tab to retrieve change events initiated by a specific user, changes initiated by GPOADmin will not automatically be included in the search. A check is available in the Who tab which instructs Change Auditor to retrieve all change events initiated by the specified user, including those made through GPOADmin.

Click New to enable the Search Properties tabs.
On the Who tab, click Add to add an active user, computer or group to the ‘who’ list.
After selecting one or more directory objects, click Select to save your selection and close the dialog.
Back on the Who tab, select the Include Event Source Initiator check box.
In addition, when this check box is selected the Initiator UserName column is added to the Search Results grid for this search. For events initiated by GPOADmin, this column contains the user account that was logged into the GPOADmin console.

The following email tags are available which can be added to the event details of alert email notifications:

See the Change Auditor User Guide for more information on how to configure and enable email notifications and customize email content.

Troubleshooting tips

If GPO events initiated by GPOADmin do not appear in the Change Auditor client as expected, check the following:

To make sure Change Auditor has the latest GPOADmin configuration, manually refresh the agent configuration (Refresh Configuration on Agent Configuration Page on the Administration Tasks tab).

Windows Installer Command Line Options

This section lists the Windows Installer command line options (MSIEXEC.exe) that are available for deploying an agent or installing a coordinator.

For more information on using the Windows Installer (MSIEXEC.exe) see:

Agent options


Specify the Change Auditor installation name.

APPDIR="<install directory>"

Specify the installation path.


Specify a GPO backup path.



Specify whether to open the agent system tray icon on startup.



Specify whether to automatically restart the agent on failure.


Specify whether to override event log block detection.

When this setting is set to "0" (default), the event log detection is active which detects whether or not the system EventLog service is holding one of Change Auditor’s event log message DLLs open. If one of these DLLs are open, the Windows Installer Restart Manager can cause unpredictable restarts of dependent services.



For foreign agents (non-domain members), specify the foreign credentials to be used to find and connect to a coordinator in the Active Directory forest.


For foreign agents (non-domain members), use this option to specify the fully-qualified domain name ( of the root domain of Active Directory.


For foreign agents (non-domain members), specify whether the logged in user is to be added to the ChangeAuditor Agents security group.

Related Documents