
Change Auditor 7.0.3 - Installation Guide


Other installation notes

Certain MMC modules disrupt or hinder the addition or removal of services; therefore, MMC modules cannot be running (directly on the server or in a Terminal Services session) when installing or uninstalling Change Auditor. Stop any running MMC modules before installing or uninstalling Change Auditor.

Before installing or upgrading the coordinators or server agents, Quest recommends closing all Event Log Viewers. If a user has an Event Viewer open and opens a Change Auditor event log to load and display a message, the Windows EventLog locks the event message DLL, which can cause the Windows Installer Restart Manager to restart dependent services.

Microsoft .NET 4.6.1 framework is required for the Change Auditor coordinator, client, and web client. The agents (server and workstation) require .NET 4.5.2 framework. If you try to install these components on a computer with an earlier version, the installation fails and you are notified that a newer version is required. To verify that you are running the appropriate version of Microsoft’s .NET framework, use Add or Remove Programs.
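The three checks above (no MMC consoles, no Event Viewers, minimum .NET version) can be scripted before an install or upgrade. The following is an added example, not part of the Quest documentation or product; the script and its $Component parameter are hypothetical, and the registry Release thresholds are Microsoft's documented minimum values for .NET 4.5.2 and 4.6.1.

```powershell
# Pre-install check for a Change Auditor component (added example, not Quest code).
# $Component is a hypothetical parameter used only by this script.
param(
    [ValidateSet('Coordinator', 'Client', 'WebClient', 'Agent')]
    [string]$Component = 'Coordinator'
)

# Microsoft's documented minimum "Release" values:
#   379893 = .NET Framework 4.5.2 (agents)
#   394254 = .NET Framework 4.6.1 (coordinator, client, web client)
$minRelease = if ($Component -eq 'Agent') { 379893 } else { 394254 }
$ndpKey     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$problems   = @()

# 1. .NET Framework version, read from the registry instead of Add or Remove Programs
$release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt $minRelease) {
    $problems += ".NET release '$release' is below the required $minRelease for $Component."
}

# 2. MMC consoles in any session. Event Viewer, Services and similar snap-ins
#    are all hosted by mmc.exe, so one process check covers both notes above.
#    Run elevated so that processes in other users' sessions are visible.
foreach ($p in Get-Process -Name mmc -ErrorAction SilentlyContinue) {
    $problems += "MMC console running: PID $($p.Id), session $($p.SessionId), title '$($p.MainWindowTitle)'."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Pre-install checks passed for $Component."
```

A session ID other than your own in the output indicates a console left open in a Terminal Services session, which has to be closed by that user or an administrator before the installer runs.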

Quest recommends installing the Change Auditor components in the following order:

For a complete and comprehensive Active Directory change auditing solution, Quest recommends deploying agents to every server in the forest.

For best results in capturing Group Policy changes, Quest recommends installing an agent on the domain’s PDC operations master role holder.

During the coordinator installation, three installation-specific security groups are created in the domain where the member server hosting a coordinator resides.

ChangeAuditor Administrators — <InstallationName> Group — provides access to all aspects of Change Auditor and the ability to roll out Change Auditor agents.
ChangeAuditor Operators — <InstallationName> Group — provides access to Change Auditor except for making configuration changes.
ChangeAuditor Web Shared Overview Users — <InstallationName> Group — provides access to the Change Auditor web client shared overviews, while restricting access to only what has been shared. See the Change Auditor Web Client User Guide for more information about sharing overviews.

Where <InstallationName> is a unique name selected during the coordinator installation to isolate your components from any other Change Auditor installation in your Active Directory forest.

Add your user account to either the ChangeAuditor Administrators or ChangeAuditor Operators group before running the client. If multiple coordinators are installed in a mixed mode environment, to connect to each coordinator, add your user account to one of these groups on each of the member servers where a coordinator resides.

In addition, users responsible for deploying agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation.

During the coordinator installation, you are presented with the option to add the current user to the ChangeAuditor Administrators security group. If you selected not to do this during the coordinator installation process or you want to add more user accounts, add your user account (and any other appropriate user accounts) to one of the Change Auditor security groups before running the client.

See Add Users to Change Auditor Security Groups for more detailed information about the security groups that are created when the coordinator is installed.

NOTE: When the first foreign workstation agent is manually installed, a ChangeAuditor Agents - <InstallationName> security group is created. User accounts must be added to this security group to properly authenticate.

Change Auditor for Windows File Servers

Change Auditor for Windows File Server agents may fail to provide “Origin” information if remote users are already connected during an agent installation or upgrade. To resolve this issue, restart the server as soon as possible after an agent installation or upgrade.

Change Auditor for Exchange

High volume Exchange Servers. Agent processing of large Exchange auditing and protection configurations may slow down initial user login access or cause timeouts if many user logins are occurring at the same time. To avoid this issue, Quest recommends that the following actions be performed during maintenance intervals or other periods of low user mailbox activity:

Before the system returns to a normal load, one user should log in to Outlook Web Access (OWA), Outlook, and Exchange Web Services (EWS, Outlook for Mac) clients. This triggers the Change Auditor agent to process Exchange Mailbox auditing and protection configuration changes when the fewest logins are occurring.

Exchange 2010/2013/2016. Exchange 2010/2013/2016 stores its configuration data in Active Directory, and installing Change Auditor agents on the domain controller captures all these change actions. However, starting with Exchange 2010, Microsoft rearchitected how they process configuration changes. Therefore, in order for Change Auditor for Exchange to retrieve the correct ‘who’ information for these Active Directory based events, it now audits Windows PowerShell. So you can:

Exchange 2010: Deploy an agent to all Exchange 2010 CAS role servers.
Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 servers with the Mailbox role.
Recommended: Deploy an agent to all Active Directory domain controllers and to all required Exchange servers. However, duplicate events are generated for Exchange Active Directory events: one from the agent auditing attribute changes on a domain controller (contains no ‘who’ value) and one from the new agent auditing PowerShell on an Exchange server (contains the correct ‘who’ value).

To capture Exchange mailbox access events:

Exchange 2010: Deploy an agent to all Exchange 2010 CAS role servers.
Exchange 2013/2016: Deploy an agent to all Exchange 2013/2016 Mailbox role servers.

Deploy agents to all Exchange Servers. When a Change Auditor 5.6 (or higher) agent is deployed on Exchange Server, it automatically enables the scripting extension in Active Directory. This is a forest-wide setting and applies to all Exchange servers in the Exchange organization. This extension requires that the ScriptingAgentConfig.xml file be present in the Exchange Server folder; otherwise, Exchange management tools display error messages each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is highly recommended that an agent be installed on all Exchange servers to ensure that all servers are using the same scripting agent.

If you need to restore your Exchange servers and they were NOT backed up after you deployed agents that enabled the scripting agent, you will need to disable the CmdletExtensionAgent BEFORE recovering your Exchange 2010/2013/2016 servers.
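To see which Exchange servers already have the ScriptingAgentConfig.xml file and whether the Scripting Agent is enabled, the state can be queried from the Exchange Management Shell. This is an added example, not part of the Quest documentation; it assumes PowerShell remoting to each server is permitted and that the file sits in the default Bin\CmdletExtensionAgents folder under the Exchange installation path.

```powershell
# Added example (not Quest code). Run from the Exchange Management Shell.

# The Scripting Agent setting is organization-wide, so one query is enough.
$agent = Get-CmdletExtensionAgent | Where-Object { $_.Name -eq 'Scripting Agent' }
"Scripting Agent enabled: $($agent.Enabled)"

# Check every Exchange server for the configuration file.
$results = foreach ($server in Get-ExchangeServer) {
    try {
        $present = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            # Assumed default location of the file on an Exchange server
            $file = Join-Path $env:ExchangeInstallPath 'Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml'
            Test-Path -LiteralPath $file
        }
    }
    catch {
        $present = $null    # server unreachable or remoting denied; check manually
    }

    [pscustomobject]@{
        Server        = $server.Name
        ConfigPresent = $present
    }
}

# Servers with ConfigPresent = False are the ones that raise Scripting Agent
# errors while the agent is enabled and no Change Auditor agent is deployed.
$results | Sort-Object ConfigPresent, Server | Format-Table -AutoSize
```

Recording this output alongside each Exchange backup also shows whether a given backup predates the Scripting Agent being enabled, which is the case the restore note above covers.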

If Change Auditor cannot be installed on all your Exchange servers, use the following procedure on all Exchange servers where an agent is not yet deployed:

Exchange cluster node servers. When deploying or upgrading agents on Exchange cluster node servers, use the following recommended procedure:

To eliminate auditing of automated tasks, the Change Auditor agent attempts to automatically exclude auditing of mailbox accesses by Blackberry® Enterprise Server (BES) or similar service accounts. These accounts have both ‘Receive All’ and ‘Administer Information Store’ rights on the mailbox database. If these explicit rights are granted to user accounts, those accounts are excluded from mailbox auditing, which may not be desired. If necessary, this automated exclusion can be disabled on a server-by-server basis. Contact Quest Technical Support for additional information.

Beginning with Change Auditor 6.5, Exchange 2003 is no longer supported. If you have an Exchange 2003 environment that you want to continue auditing, do NOT upgrade to Change Auditor 6.5 (or higher).

Exchange versions 2007 and above deny authentication to all well-known accounts, including ‘Administrator’. Use Hub Transport servers to allow SMTP email to go through. This references the setting for My Server Requires Authentication on the SMTP Configuration pane on the Coordinator Configuration page (Administration Tasks tab) in the Change Auditor client. It may also be necessary to configure more Transport settings (authentication and permissions) to allow email relay from the Change Auditor coordinator machine to receive SMTP alerts.

Change Auditor for Exchange does not support Microsoft Outlook 2000 or 2002.

For improved performance, Outlook offers an option to ‘cache’ requests to Exchange Server. This option is enabled by default when you configure an email account for Exchange Server. To disable this setting, select the Outlook Tools | Account Settings menu command, open the E-mail tab and click Change, and then clear the Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.

While Change Auditor Exchange monitoring events closely track user input in non-cached Outlook and Outlook Web Access clients, this is not the case with cached-mode Outlook.

User activity in cached-mode Outlook can provide complex results with Change Auditor Exchange monitoring; the timing and order of Exchange requests is not obvious or intuitive.

A few of the effects you will see when monitoring an Outlook cached connection to Exchange Server include:

You will still receive all notifications of critical non-owner events from cached-mode Outlook clients, but the timing and sequence may not be obvious. Understanding the effect that cached-mode Outlook has on your Change Auditor Exchange monitoring will give you confidence that the results you are seeing are accurate.

Change Auditor for Authentication Services

Change Auditor for Authentication Services requires agents deployed on all Active Directory domain controllers in the forest to capture modifications to the Authentication Services configuration container.
