
Change Auditor 7.5 - Installation Guide


Licensing Change Auditor products

You can upgrade from the following versions of Change Auditor: 6.x and 7.x.

The following Change Auditor products all require separate licenses which can be applied during the coordinator installation process:

If you are licensing multiple Change Auditor products, you can apply the licenses in any order but must apply all the licenses provided.

If you purchased more Change Auditor products after the initial installation, you can apply new licenses from the coordinator icon in the system tray.

2. From the Licenses tab, click Select License.

Permissions

User account performing the coordinator installation:

The user account installing the coordinator needs permission to perform the following tasks on the target server:

The user account performing the installation must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):

By default, the Coordinator service runs as LocalSystem. To run the Change Auditor service as a Domain User or service account other than Local System, the Change Auditor SPN (Service Connection Point) must be removed from the Coordinator computer (local system) account and added to the Domain Account used to run the Coordinator service.

To do so, open a command prompt on a Domain Controller and perform the following:

SQL Server database access account specified during installation:

An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:

Must be assigned the db_owner role on the Change Auditor database

The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation.

If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.

All users responsible for deploying agents must also be members of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

The user account used to install the agent by running the Windows Installer directly on the domain controller, member server, workgroup server, or workstation needs permissions to perform the following tasks on the server:

Other installation notes

Certain MMC modules disrupt or hinder the addition or removal of services. Therefore, MMC modules cannot be running (directly on the server or in a Terminal Services session) when installing or uninstalling Change Auditor. Stop the MMC files before installing or uninstalling Change Auditor.

Before installing or upgrading the coordinators or server agents, Quest recommends closing all Event Log Viewers. If a user has an Event Viewer open and opens a Change Auditor event log to load and display a message, the Windows EventLog locks the event message DLL, which can cause the Windows Installer Restart Manager to restart dependent services.

If you try to install these components on a computer with an earlier version, the installation fails and you are notified that a newer version is required. To verify that you are running the appropriate version of Microsoft’s .NET framework, use Add or Remove Programs.

Quest recommends installing the Change Auditor components in the following order:

For a complete and comprehensive Active Directory change auditing solution, Quest recommends deploying agents to every server in the forest.

For best results in capturing Group Policy changes, Quest recommends installing an agent on the domain’s PDC operations master role holder.

During the coordinator installation, three installation-specific security groups are created in the domain where the member server hosting a coordinator resides.

ChangeAuditor Administrators — <InstallationName> Group — provides access to all aspects of Change Auditor and to roll out Change Auditor agents.
ChangeAuditor Operators — <InstallationName> Group — provides access to Change Auditor except for making configuration changes.
ChangeAuditor Web Shared Overview Users — <InstallationName> Group — provides access to the Change Auditor web client shared overviews, while restricting access to only what has been shared. See the Change Auditor Web Client User Guide for more information about sharing overviews.

Where <InstallationName> is a unique name selected during the coordinator installation to isolate your components from any other Change Auditor installation in your Active Directory forest.

Add your user account to either the ChangeAuditor Administrators or ChangeAuditor Operators group before running the client. If multiple coordinators are installed in a mixed mode environment, to connect to each coordinator, add your user account to one of these groups on each of the member servers where a coordinator resides.

In addition, users responsible for deploying agents must also be members of the ChangeAuditor Administrators group in the specified Change Auditor installation.

During the coordinator installation, you are presented with the option to add the current user to the ChangeAuditor Administrators security group. If you chose not to do this during the coordinator installation process or you want to add more user accounts, add your user account (and any other appropriate user accounts) to one of the Change Auditor security groups before running the client.

See Add Users to Change Auditor Security Groups for more detailed information about the security groups that are created when the coordinator is installed.
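
The following script is an added example, not part of the Quest guide or its tooling. It reviews who holds each of the three installation-specific groups described above and reports whether a given account can run the client or deploy agents. It assumes the RSAT ActiveDirectory module is available and that the groups are named "<role> - <InstallationName>"; the installation name DEFAULT is a placeholder.

```powershell
# Added example (not Quest code). Requires the RSAT ActiveDirectory module.
# Assumption: groups are named "<role> - <InstallationName>"; the wildcard
# in the filter tolerates a different separator between the two parts.
param(
    [string]$InstallationName = 'DEFAULT',   # placeholder installation name
    [string]$User = $env:USERNAME            # account to check
)
Import-Module ActiveDirectory

$roles = 'ChangeAuditor Administrators',
         'ChangeAuditor Operators',
         'ChangeAuditor Web Shared Overview Users'

# Escape single quotes so the name is safe inside the AD filter string.
$escaped = $InstallationName.Replace("'", "''")

$report = foreach ($role in $roles) {
    $group = Get-ADGroup -Filter "Name -like '$role*$escaped'" |
             Select-Object -First 1
    if (-not $group) {
        [pscustomobject]@{ Role = $role; Group = '(not found)'; Members = @(); HasUser = $false }
        continue
    }
    # -Recursive flattens nested groups, so indirect membership is listed too.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object objectClass -eq 'user' |
                 Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Role    = $role
        Group   = $group.Name
        Members = $members
        HasUser = $members -contains $User
    }
}

# Full membership listing for least-privilege review.
$report | Format-Table Role, Group, HasUser,
    @{ Name = 'Members'; Expression = { $_.Members -join ', ' } } -AutoSize

$isAdmin = ($report | Where-Object Role -eq 'ChangeAuditor Administrators').HasUser
$isOper  = ($report | Where-Object Role -eq 'ChangeAuditor Operators').HasUser

if ($isAdmin)    { "$User can run the client and deploy agents." }
elseif ($isOper) { "$User can run the client but cannot deploy agents." }
else { Write-Warning "$User is in neither group; the client will deny access." }
```

Because ChangeAuditor Administrators membership also grants the right to roll out agents, the Members column for that group is the one to review most closely.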

NOTE: When the first foreign workstation agent is manually installed, a ChangeAuditor Agents - <InstallationName> security group is created. User accounts must be added to this security group to properly authenticate.

Change Auditor for Windows File Servers

Change Auditor for Windows File Server agents may fail to provide origin information if remote users are already connected when the agent is initialized or started. Therefore, it is suggested that you restart the server as soon as possible after an agent installation or upgrade.
