Chat now with support
Chat with Support

Change Auditor 7.0.4 - Release Notes

Change Auditor client (Client-side component)

The client connects to a coordinator and queries the audited event database for the desired results.

 
Table 14. Client requirements
Requirement
Details

Processor

Dual core Intel Core i5 equivalent or better

Memory

Minimum: 4 GB RAM or better

Recommended: 8 GB RAM or better

Installation platforms (x64) supported up to the following versions
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows 8 and 8.1
Windows 10
NOTE: Microsoft Data Access Components (MDAC) must be enabled. MDAC is part of the operating system and is enabled by default.

Screen resolution
1280 x 800 with at least 256 colors

Client software and configuration
x64 version of Microsoft’s .NET Framework 4.6.1
x64 version of Microsoft XML Parser (MSXML) 6.0
x64 version of Microsoft SQLXML 4.0

Ports

Ports 139 and 445 must be opened on the domain controller.

Client footprint
Estimated hard disk space used: 140 MB
Estimated physical memory RAM) used: 150 to 500 MB

Client RAM usage depends on the number of tabs you have open.

NOTE: Queries that return much data can cause the client to use as much memory as required to store the results in RAM.

Change Auditor agent (Server-side component)

A Change Auditor agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. The agents report the audit events to the coordinator which inserts the event details into the Change Auditor database.

 
 
Table 15. Agent requirements
Requirement
Details

Processor

Dual core Intel Core i5 equivalent or better

Memory

Minimum: 4 GB RAM or better

Recommended: 8 GB RAM or better

Installation platforms (x64) supported up to the following versions
Windows Server 2008 R2 SP1
Windows Server 2008 R2 Core SP1
Windows Server 2012
Windows Server 2012 Core
Windows Server 2012 R2
Windows Server 2012 R2 Core
Windows Server 2016 Server Core
Windows Server 2016
Windows Server 2019 (SharePoint, Defender, and VMWare auditing is not supported)
When auditing EMC Unity using an agent on Windows Server 2019, the lowest supported version is EMC Unity 4.4.1.
Windows Server Core 2019 (Active Directory, File system, Registry, Services, local user and group, and Exchange 2019 auditing only)
Windows Server 1803 Server Core (Active Directory, File system, Registry, Services and local user and group auditing only)
Windows Server 1809 Server Core (Active Directory, File system, Registry, Services and local user and group auditing only)
Windows Server 1903 Server Core (Active Directory, File system, Registry, Services and local user and group auditing only)
NOTE: Change Auditor components can be deployed on Windows environments with Secure Boot enabled.
NOTE: Microsoft Data Access Components (MDAC) must be enabled. MDAC is part of the operating system and is enabled by default.
NOTE: Starting with Change Auditor 6.9, you cannot install an agent on Windows 2008 SP2 operating system. During an agent install, if this operating system is detected, the latest version of the agent that supports the operating system is installed. For example, when you install an agent on a Windows 2012 server, the latest 7.x agent is deployed. When you deploy an agent on a Windows 2008 SP2 server, the latest 6.8 agent is installed.
NOTE: Windows File System auditing is supported in a Windows failover cluster configuration. However, the agent is not aware of the cluster and only audits the active nodes in the cluster where agents are deployed.
NOTE: Change Auditor agent requires File and Printer Sharing on Windows Server 2008 R2. By default, File and Printer sharing are not enabled on Windows Server 2008 R2 installations. To remotely deploy agents to Windows Server 2008 R2, enable the File and Printer sharing (SMB-in) Inbound rule in the Windows firewall (Port 445) on the target host machine. The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.
NOTE: Auditing of some Exchange events requires the latest Exchange service pack. See the Change Auditor for Exchange Event Reference Guide for the minimum service packs required for Exchange events.

Agent software and configuration
x64 version of Microsoft’s .NET Framework 4.5.2
x64 version of Microsoft XML Parser (MSXML) 6.0
x64 version of Microsoft SQLXML 4.0
The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
The Change Auditor agent service depends on the following Windows services to be running:
DNS Client
Remote Procedure Call (RPC)
Windows Event Log
NOTE: Ensure communication over RPC between coordinators and agents.

Agent footprint
Estimated hard disk space used: 120 MB + local database size + log size
Change Auditor agent log retention and content is configurable. That is, you can define how many files to retain and the level of logging.
Estimated physical memory (RAM) used: 60 to 100 MB; Agent RAM usage depends on the auditing modules you have licensed.

Agent installation is NOT compatible with the following applications

Chang Auditor agent cannot be installed on the same server as agents from Quest products that were precursors to Change Auditor including:

InTrust for Active Directory
InTrust for ADAM
InTrust for Exchange
InTrust for File Access
DirectoryLockdown
SecurityManager

These products are no longer available, but if their agents are still installed they should be removed before installing Change Auditor.

Due to the way Change Auditor integrates with Active Directory to capture all change details, there may be incompatibilities with third party agents that integrate with Active Directory in a similar way such as Active Directory auditing tools from other vendors.

Change Auditor may be incompatible out-of-the-box with agents that are designed to detect suspicious software such as anti-virus tools. In these cases, it may be necessary to configure the third party product to exclude the Change Auditor process from its scope.

If Change Auditor is going to be installed alongside products that conform to either of these patterns, Quest recommends that the installation is tested in a non-production environment first to identify any incompatibilities and adjust the product configurations as necessary before deploying to production.

 
Table 16. Agent minimum permissions
Account
Permissions

User account deploying agents

The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation.

If you are targeting domain controllers only, membership in the Enterprise Admins group grants you authority to all domain controllers in the forest.

In addition, all users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation. If you are not a member of this security group for this installation, you get an access denied error.

System account running on agent

Change Auditor agents must run as Local System.

Change Auditor workstation agent (optional component)

You can deploy workstation agents to capture authentication activity and logon session events from monitored workstations when the Change Auditor for Logon Activity Workstation license is applied.

* 
NOTE: The recommended installation for domain workstations is from the Deployment tab of the Change Auditor Windows client. However, for non-domain workstations you must manually install the workstation agent. See the Change Auditor Installation Guide for recommendations and instructions on manually deploying workstation agents.
 
Table 17. Workstation agent requirements
Requirement
Details

Processor

Dual core Intel Core i5 equivalent or better

Memory

Minimum: 2 GB RAM or better

Recommended: 4 GB RAM or better

Installation platforms supported up to the following versions
Windows 8 and 8.1 (Pro and Enterprise)
Windows 10 (Pro and Enterprise)
NOTE: Microsoft Data Access Components (MDAC) must be enabled. MDAC is part of the operating system and is enabled by default.

Agent software and configuration
x86 or x64 version of Microsoft’s .NET Framework 4.5.2 (or higher)
x86 or x64 version of Microsoft XML Parser (MSXML) 6.0
x86 or x64 version of Microsoft SQLXML 4.0
The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
The Change Auditor agent service depends on the following Windows services to be running:
DNS client
Remote Procedure Call (RPC)
Windows event log
NOTE: Ensure communication over RPC between coordinators and agents.
NOTE: For workstation log management (such as Get Logs or View Agent Log), the following must be enabled on the workstation:
Windows Management Instrumentation (WMI) must be enabled in firewall rule set (usually domain) on the workstation.
Network Discovery and File Sharing must be enabled.
Remote Registry service must be set to ‘Start Automatically’. By default, this service is stopped and set to ‘Manual’ for Windows 8/8.1 and Windows 10.

Authentication Activity auditing

To capture Authentication Activity events, you must first enable (that is, set to Success, Failure) the ‘Audit Logon events’ audit policy for all servers or workstations:
Domain - Group Policy
Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policy\Audit Policy\Audit logon events
Workgroup - Local Group Policy
Local Computer Policy\Computer Configuration\Windows Sercurity\Security Settings\Local Policies\Audit Policy\Audit logon events

For more information

See the Change Auditor for Logon Activity User Guide for more information about using Change Auditor for Logon Activity.

Change Auditor web client (optional component)

The Change Auditor web client is an optional component that is installed on the Internet Information Services (IIS) web server to provide users access to Change Auditor through a standard or mobile web browser.

 
Table 18. Web client requirements
Component
Supported versions

Processor

Quad core Intel Core i7 equivalent or better

Change Auditor

Change Auditor (any license)

NOTE: Change Auditor 6.5 (or higher) is required for using the Administration Tasks page to manage Change Auditor.

Installation platforms (x64) supported up to the following versions

Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
NOTE: Web Server (IIS) role must be installed.

Software and configuration
x64 version of Microsoft’s .NET Framework 4.6.1
ASP.NET 4.5.1 or higher
x64 version of Microsoft XML Parser (MSXML) 6.0
x64 version of Microsoft SQLXML 4.0

Browsers supported up to the following versions

 
Chrome 59
Edge 38
Firefox 54
Internet Explorer 11 not running in Compatibility View mode
NOTE: Versions below 11 are not supported.
Safari 9.1.2 for Mac OS (Windows Safari is not supported)

Change Auditor role

To install the web client, you must have at minimum the operator role.

For more information

See the Change Auditor Web Client User Guide for more information about installing, configuring, and using the web client.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating