Chat now with support
Chat with Support

Change Auditor 7.1 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Change Auditor Overview

Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management — and reduce the risks associated with day-to-day modifications.

Available Change Auditor auditing modules

Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions. You can automatically generate intelligent, in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

Quest provides the following products to help you track, audit, report, and receive alerts on vital changes and activity:

 

Table 1.  

Quest Change Auditor for Active Directory

Drives the security and control of Active Directory by tracking vital configuration changes to users, groups, nested groups, GPOs, computers, services, registry, local users and groups and DNS — without the overhead costs of native auditing. You can also lock down critical Active Directory, ADAM (AD LDS), and Group Policy objects, to protect them from unauthorized or accidental modifications or deletions.

Change Auditor for Active Directory also audits activity in Microsoft Azure Active Directory.

Correlating activity across the on-premises and cloud directories, provides a single pane-of-glass view of your hybrid environment and makes it easy to search all events regardless of where they occurred.

Quest Change Auditor for Exchange

Simplifies auditing the activities taking place in your entire Exchange environment. You can audit over 300 Exchange events covering owner and nonowner mailbox changes, server configurations and permissions, and more.

Through the Exchange Mailbox protection feature, you can prevent unwanted access to Exchange mailboxes, making it much more difficult for rogue administrators to access critical mailboxes.

You can also audit Office 365 Exchange Online configuration and permission changes.

Quest Change Auditor for Windows File Servers

Enables administrators to achieve the comprehensive auditing coverage of native tools without the mass of cumbersome data that native event logs generate. You can audit activity related to files and folders, shares, and changes to permissions.

Change Auditor provides an access control model that allows administrators to protect business-critical files and folders on the file server.

Quest Change Auditor for EMC

Eliminates the time and complexity of native auditing by providing EMC Celerra/VNX file and folder changes in real time and translating events into plain English.

Quest Change Auditor for NetApp

Eliminates the time and complexity of native auditing by providing NetApp file and folder changes in real time and translating events into plain English.

Quest Change Auditor for SQL Server

Provides database auditing to secure SQL database assets with extensive, customizable auditing and reporting for all critical SQL changes including broker, database, object, performance, and transaction events, plus errors and warnings.

Helps tighten enterprise-wide change and control policies by tracking user and administrator activity such as database additions and deletions, granting and removing SQL access.

SQL Data Level auditing allows you to audit changes to databases and tables.

Quest Change Auditor for Active Directory Queries

Monitors directory access across all domain controllers in the environment and aggregates that information in a central database identifying LDAP-enabled applications and how they use Active Directory. The LDAP access data can then be used during Active Directory forest migration and restructuring projects.

Quest Change Auditor for SharePoint

Provides centralized auditing, including configuration, event collection and reporting, for Microsoft SharePoint 2010, SharePoint 2013, SharePoint 2016, and SharePoint 2019 servers and farms. It provides built-in queries and reports that focus on auditing the following areas:

You can also audit Office 365 SharePoint Online and OneDrive for Business changes.

Quest Change Auditor for Logon Activity

Change Auditor for Logon Activity has removed the dependency on InTrust and the Change Auditor Data Gateway Service to capture user logon activity. This auditing module consists of two licenses (one for server agents and another for workstation agents) and may be used to collect logon activity events for regulatory compliance and user activity tracking.

Quest Change Auditor for Skype for Business

Allows you to audit configuration and security setting changes in Microsoft Skype for Business Server 2015 and Microsoft Lync Server 2013, providing change notifications for Skype user setup, permissions, and application configuration from the Microsoft Skype for Business Server 2015 / Microsoft Lync Server 2013 Central Management Store (CMS).

Quest Change Auditor for Authentication Services

Authentication Services enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and enterprise applications. Using Change Auditor for Authentication Services, users of Authentication Services can audit on critical changes to:

Quest Change Auditor for Defender

Enhances security by enabling two-factor authentication to network, Web, and applications-based resources. Defender was designed to base all administration and identity management on an organization’s existing investment in Active Directory and eliminates the costs and time involved in setting up and maintaining proprietary databases. Change Auditor for Defender tracks changes to user accounts enabled with Defender tokens in Active Directory.

Because Defender extends the Active Directory schema, once the Change Auditor for Defender auditing is enabled, agents installed on Domain Controllers detect any changes made to the Defender-specific attributes in Active Directory and generate events. No audit template is needed.

Quest Change Auditor for VMware vCenter

Helps to ensure the security, compliance, and control of event activity and the security of VMware vCenter Server. It audits, reports, and provides alerts on all changes to the platform in real time, making VMware monitoring easy. You can analyze events and changes without complexity and fear of unknown security concerns, and be confident that compliance demands satisfy the scrutiny of any auditor.

Change Auditor for VMware vCenter is freeware and included with other Change Auditor modules.

Quest Change Auditor for Fluid File System

Eliminates the time and complexity of native auditing by providing Fluid File System file and folder changes in real time.

 

Agent Deployment

Deployment page

The Deployment page displays all the servers and workstations discovered in your Active Directory environment. From here, you specify the servers and workstations (if the Change Auditor for Logon Activity Workstation license is applied) to host a Change Auditor agent.

The first time you open Change Auditor, the Deployment tab is available for you to deploy agents. After agents are deployed, use the View | Deployment menu to open the page.

NOTE: The Deployment page does not display non-member objects, such as ADAM workgroup servers or non-Active Directory workstations, because agents cannot be deployed to non-member objects using the Deployment tab. See the Change Auditor Installation Guide for information about manually installing agents to workgroup servers or non-Active Directory workstations.

The Deployment page may contain the following for each server and workstation discovered in your Active Directory forest. To display fields other than the defaults, click the Field Chooser located to the far left of the column headings and select the columns to display.

Agent Status

Yes

Displays the current deployment status:

Coordinator

No

Displays the computer name of the coordinator to which the agent is connected.

Creds

Yes

Indicates whether user credentials have been entered for the selected domain. To enter the credentials to use to install agents on a domain, click Credentials.

Deployment Result

Yes

Indicates the status of the last deployment task:

Access Denied - user credentials are not valid; use the Credentials command to enter the proper user credentials for installing an agent on the selected domain
NOTE: You can select Clear Results to clear the entry in this column for the selected server.

DN

No

Displays the distinguished name of a server. (The ‘path’ to the server in the Active Directory schema.)

DNS Name

No

Displays the DNS name of a server.

Domain

Yes

Displays the name of the domain where a server is located.

Exchange Server

No

Indicates whether Exchange is installed on a server.

Foreign

No

Indicates whether an agent is connected to a coordinator in a foreign forest.

Forest

No

Displays the name of the forest where the agent resides.

GC

No

Indicates whether the server is a Global Catalog server.

Installation

No

Displays the installation name assigned to the coordinator to which the agent is connected.

IP Address

No

Displays the IP address of a server.

Name

Yes

Displays the NetBIOS name of a server.

Operating System

No

Displays what version of the operating system is running on a server.

Read-Only DC

No

Displays the Read-Only DCs.

Site

No

Displays the name of the site where a server resides.

Type

No

Displays the type of server:

See the Change Auditor Installation Guide for information about deploying agents to workgroup servers or non-Active Directory workstations.

Version

Yes

Displays the version number of the Change Auditor agent currently installed on a server.

When

No

Displays the date and time for a scheduled deployment task. That is, the date and time entered on the Install or Update dialog (or Uninstall dialog) when the When option is selected.

Workstation

No

Indicates whether the agent is a workstation agent used for capturing user logon activity when the Change Auditor for Logon Activity Workstation auditing module is licensed.

In addition to selecting the fields, you can define what type of computers to display.

The following table describes how to use these controls to filter the content displayed on the Deployment page.

Type

Use the left-most control to specify the type of Active Directory objects to be included in the display:

All - select to display all domain controllers, member servers and workstations in the forest, domain or site
DCs - select to display all domain controllers in the forest, domain or site
Read-Only DCs - select to display the Read-Only domain controllers in the forest
Servers - select to display the servers in the forest, domain or site
Workstations - select to display the workstations in the forest, domain or site
NOTE: See the Change Auditor Installation Guide for information about deploying agents to workgroup servers or non-Active Directory workstations.

Active Directory view

By default, the Deployment page provides a forest view of the servers found. However, you can use the right-most controls to limit your view to an individual domain or site.

Use the middle control to select the Active Directory view (forest, domain, or site) then use the right-most control to select an individual forest, domain, or site for which servers and workstations are to be displayed.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents