Change Auditor 7.5 - User Guide

Working with Active Directory protection templates

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions.

The following commands are available to manage Active Directory protection:

New-CAADProtectionTemplate

Use this command to create an Active Directory protection template.

Table 77. Available parameters

Parameter

Description

-Credential

Credentials used to access the foreign forest.

-Name

The template name.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-Attributes (Optional)

List of attributes to protect. When AttributeType is not set to “All” this specifies the attributes for the template. Default is none.

-AttributeType (Optional)

This is applied to the list of attributes specified in the Attributes parameter. Possible values include “All”, “Only” and “AllExcept”. Default is All.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies whether the accounts listed in OverrideAccounts are denied access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Locations (Optional)

IP addresses to protect. Default is none.

-LocationProtectionType (Optional)

Applied to the IP addresses specified by the Locations parameter. The potential values include ProtectAllLocations, ProtectSelectLocations, AllowSelectLocations, or ProtectUnknownLocations.

Default is ProtectAllLocations.

-Schedule (Optional)

A list of PSCAScheduledTimeRange objects, created with the New-CAScheduledTimeRange cmdlet. Default is no specified schedule, which means that protection is always enabled.

See New-CAScheduledTimeRange for details.

Example: Create an Active Directory protection template

$protectedObject = New-CAProtectedObject -ObjectDistinguishName "ObjectName" -ProtectedScope ScopeObject -Operations Create

New-CAADProtectionTemplate -Connection $connection -Name TemplateSample1 -ProtectedObjects $protectedObject

Example: Creating an Active Directory Protection template to protect objects in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

New-CAADProtectionTemplate -Connection $connection -Name $templateName -ProtectedObjects $protectedObject -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Schedule $schedule -Credential $forestCredential

New-CAProtectedObject

Use this command to create a protected object to include in a protection template.

Table 78. Available parameters

Parameter

Description

-ObjectDistinguishName

Distinguished name of the object to protect.

-ProtectedScope (Optional)

Scope of coverage for the protected object. Specify the scope using one of the following values:

-Operations

Operations to be denied for the selected object:

Example: Create a new protected object

New-CAProtectedObject -ObjectDistinguishName "ObjectName" -ProtectedScope ScopeObject -Operations Create

Remove-CAProtectedObject

Use this command to remove protected objects from a protection template.

Table 79. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to remove protected objects from.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the template object to remove protected objects from.

-Credential

Credentials used to access the foreign forest.

-ProtectedObject (Optional)

Protected object (distinguished name).

-All (Optional)

Remove all the protected objects.

Example: Remove protected object

Remove-CAProtectedObject -Connection $connection -Template $template -ProtectedObject $protectedObjectDn

Example: Remove protected object from a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

$templates = Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Remove-CAProtectedObject -Connection $connection -Template $templates[2] -ProtectedObject $protectedObjectDn -Credential $forestCredential

New-CAForestCredential

Use this command to input credentials for foreign forests when creating Active Directory protection templates with PowerShell.

Table 80. Available parameters

Parameter

Description

-ForestName

The name of the forest to access.

-Credential

Credentials used to access the foreign forest. The credential object is obtained by using the Get-Credential command.

Example: Creating an Active Directory Protection template to protect objects in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

New-CAADProtectionTemplate -Connection $connection -Name $templateName -ProtectedObjects $protectedObject -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Schedule $schedule -Credential $forestCredential

New-CAScheduledTimeRange

Use this command to schedule when to enforce the protection.

Table 81. Available parameters

Parameter

Description

-Day

Spelled out day of the week to begin the protection. For example, Monday.

-StartTime

The time to start the protection. This parameter requires an integer and validates that the input is between 0 and 24 inclusive; the integer is the hour of the day at which protection starts.

-EndTime

The time to end the protection. This parameter requires an integer and validates that the input is between 0 and 24 inclusive; the integer is the hour of the day at which protection ends.

Example: Create a scheduled time range for a protected template

New-CAScheduledTimeRange -Day Monday -StartTime 7 -EndTime 18

Get-CAADProtectionTemplates

Use this command to see all the Active Directory protection templates that have been created, including those in a foreign forest.

Table 82. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

Example: Get a list of all Active Directory Protection templates

Get-CAADProtectionTemplates -Connection $connection

Example: Get a list of all Active Directory Protection templates in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Remove-CAADProtectionTemplate

Use this command to remove an Active Directory protection template.

Table 83. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the object to remove.

-Force

Removes the template without providing confirmation.

Example: Remove an Active Directory protection template

Remove-CAADProtectionTemplate -Connection $connection -Template $template

Example: Remove an Active Directory Protection template in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Remove-CAADProtectionTemplate -Connection $connection -Template $selectedTemplate -Credential $forestCredential

Set-CAADProtectionTemplate

Use this command to modify Active Directory protection templates.

Table 84. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to update.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the template object to update.

-TemplateName (Optional)

Sets the template name (string).

-Credential (Optional)

Credentials used to access the foreign forest.

-ProtectedObjects (Optional)

List of ProtectedObjects. See New-CAProtectedObject for details.

-Attributes (Optional)

List of attributes to protect. When AttributeType is not set to “All” this specifies the attributes for the template. Default is none specified.

-AttributeType (Optional)

This is applied to the list of attributes specified in the Attributes parameter. Possible values include “All”, “Only” and “AllExcept”. Default is All.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

String array of distinguished names.

-OverrideAccountsDenied (Optional)

Specifies whether the accounts listed in OverrideAccounts are denied access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. (If accounts are specified, then only those specified accounts can manage the template. If no accounts are specified, then all Change Auditor administrators can manage the template.) Default is none specified.

This is a string array of distinguished names.

-Locations (Optional)

IP addresses to protect. Default is none specified.

-LocationProtectionType (Optional)

Applied to the IP addresses specified by the Locations parameter. The potential values include ProtectAllLocations, ProtectSelectLocations, AllowSelectLocations, or ProtectUnknownLocations.

Default is ProtectAllLocations.

-Schedule (Optional)

A list of PSCAScheduledTimeRange objects, created with the New-CAScheduledTimeRange cmdlet. Default is no specified schedule, which means that protection is always enabled.

See New-CAScheduledTimeRange for details.

-Disabled (Optional)

Specifies whether the template is enabled or disabled using the Boolean $true or $false.

Example: Modify a protection template

Set-CAADProtectionTemplate -Connection $connection -Template $template[2] -ProtectedObjects $protectedObject1, $protectedObject2 -AdminAccounts $adminAccountDn -Schedule $schedule -Disabled $False

Example: Modify a template that contains foreign forest objects

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

$templates = Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Set-CAADProtectionTemplate -Connection $connection -Template $templates[2] -Schedule $schedule -Credential $forestCredential
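The following end-to-end sequence is an added example, not from the Change Auditor documentation or product. It combines the cmdlets above: a weekday schedule built with New-CAScheduledTimeRange, a protected object for a Tier-0 OU, a template with an allowed change-management account and a restricted set of template administrators, and a read-back to confirm the template exists. It assumes $connection already holds a Connect-CAClient connection, that Get-CAADProtectionTemplates returns objects with a TemplateName property (as the GPO example on this page uses), and that all distinguished names are constructed placeholders.

```powershell
# Added example (not product code). Assumes $connection from Connect-CAClient.
# All distinguished names below are constructed placeholders for your own directory.

$tier0Ou         = 'OU=Tier0,DC=corp,DC=example'                       # OU to lock down
$changeMgmtDn    = 'CN=svc-changemgmt,OU=Tier0,DC=corp,DC=example'     # the only account allowed to change it
$templateAdminDn = 'CN=CA-Template-Admins,OU=Tier0,DC=corp,DC=example' # who may edit the template itself
$templateName    = 'Tier0-OU-Protection'

# Enforce protection during working hours, Monday to Friday (hours are integers 0-24).
# Each call returns one PSCAScheduledTimeRange; the loop collects them into an array.
$schedule = foreach ($day in 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday') {
    New-CAScheduledTimeRange -Day $day -StartTime 7 -EndTime 18
}

# Deny Create and Delete on the OU. ScopeObject is the scope value shown on this page;
# Operations names the operations to be denied.
$protectedOu = New-CAProtectedObject -ObjectDistinguishName $tier0Ou `
    -ProtectedScope ScopeObject -Operations Create, Delete

# OverrideAccountsDenied is left at its default ($false), so the override account is
# ALLOWED to change the protected object; everyone else is blocked while the schedule applies.
# AdminAccounts restricts template management to the named account instead of all
# Change Auditor administrators.
New-CAADProtectionTemplate -Connection $connection -Name $templateName `
    -ProtectedObjects $protectedOu `
    -OverrideAccounts $changeMgmtDn `
    -AdminAccounts $templateAdminDn `
    -Schedule $schedule

# Read the template back (property name TemplateName is an assumption) and fail loudly
# if it is missing, so a scripted rollout does not silently leave the OU unprotected.
$created = Get-CAADProtectionTemplates -Connection $connection |
    Where-Object { $_.TemplateName -eq $templateName }
if (-not $created) {
    throw "Protection template '$templateName' was not found after creation."
}
$created | Select-Object -ExpandProperty ProtectedObjects
```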

Working with GPO protection templates

Enabling GPO protection allows you to prevent all changes to Group Policy Objects, regardless of the tool that is used to make the change. Protection covers both portions of the Group Policy data: the Group Policy Object (GPO) in Active Directory and the actual configuration data stored in the SYSVOL share on domain controllers.

The following commands are available to manage GPO protection:

New-CAGPOProtectionTemplate

Use this command to create a GPO protection template.

Table 85. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential (Optional)

Credentials used to access the foreign forest.

-TemplateName

The template name.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-DoNotProtectWorkingCopies (Optional)

When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template. The parameter accepts Boolean $true or $false.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies whether the accounts listed in OverrideAccounts are denied access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Disabled (Optional)

Specifies whether the template is enabled or disabled using the Boolean $true or $false.

Example: Create a GPO Protection template

$ProtectedObjects = New-CAProtectedObject -ObjectDistinguishName "distinguishedName" -Operations Modify

New-CAGPOProtectionTemplate -Connection $connection -TemplateName TemplateSample1 -ProtectedObjects $protectedObjects

$EnterpriseProtectedObject = New-CAProtectedObject -ObjectDistinguishName "Enterprise" -Operations Modify

New-CAGPOProtectionTemplate -Connection $connection -TemplateName TemplateSample1 -ProtectedObjects $EnterpriseProtectedObject

Example: Create a GPO Protection template to protect objects in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

New-CAGPOProtectionTemplate -Connection $connection -TemplateName $templateName -ProtectedObjects $protectedObjects -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Credential $forestCredential

Get-CAGPOProtectionTemplates

Use this command to see all the GPO protection templates that have been created.


Table 86. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

Example: Get a list of all GPO Protection templates

Get-CAGPOProtectionTemplates -Connection $connection

Example: Get a list of all GPO Protection templates with objects in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Get-CAGPOProtectionTemplates -Connection $connection -Credential $forestCredential

Example: Get a list of operations and protected objects for GPO Protection template

Get-CAGPOProtectionTemplates -Connection $connection | Where-Object {$_.TemplateName -eq "TemplateName" } | Select-Object -ExpandProperty ProtectedObjects

Set-CAGPOProtectionTemplate

Use this command to modify a GPO protection template.

Table 87. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to be modified.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-Credential (Optional)

Credentials used to access the foreign forest.

-TemplateName (Optional)

The new name for the template.

-DoNotProtectWorkingCopies (Optional)

When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template. The parameter accepts Boolean $true or $false.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies whether the accounts listed in OverrideAccounts are denied access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Disabled (Optional)

Specifies whether the template is enabled or disabled using the Boolean $true or $false.

Example: Modify a GPO Protection template

$ProtectedObjects = New-CAProtectedObject -ObjectDistinguishName "distinguishedName" -Operations Create, Delete, Modify, Link

$EnterpriseProtectedObject = New-CAProtectedObject -ObjectDistinguishName "Enterprise" -Operations Create, Delete, Modify, Link

Set-CAGPOProtectionTemplate -Connection $connection -Template $template -ProtectedObjects ($ProtectedObjects, $EnterpriseProtectedObject) -AdminAccounts $adminAccountDn -Disabled $False

Example: Modify a GPO template that contains foreign forest objects

$ProtectedObjects = New-CAProtectedObject -ObjectDistinguishName "distinguishedName" -Operations Create, Delete, Modify, Link

$EnterpriseProtectedObject = New-CAProtectedObject -ObjectDistinguishName "Enterprise" -Operations Create, Delete, Modify, Link

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Set-CAGPOProtectionTemplate -Connection $connection -Template $template -ProtectedObjects ($ProtectedObjects, $EnterpriseProtectedObject) -DoNotProtectWorkingCopies $true -OverrideAccounts "distinguishedName" -OverrideAccountsDenied $true -AdminAccounts "distinguishedName" -Disabled $False -Credential $forestCredential

Remove-CAGPOProtectionTemplate

Use this command to remove a GPO protection template.

Table 88. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAGPOProtectionTemplates command and filter to select the object to remove.

-Force

Removes the template without providing confirmation.

Example: Remove a GPO protection template

Remove-CAGPOProtectionTemplate -Connection $connection -Template $template
