Change Auditor 7.5 - User Guide

Menu commands

Menu commands

The Change Auditor commands are grouped under a menu on the menu bar. Some of these commands perform an action immediately; others display an additional dialog or open a wizard where you select options or specify additional information.

The following table provides a description of the commands available under each of the Change Auditor menus.

 

Table 1. Menu commands

Menu command	Shortcut key	Description
File Menu
Connect	Ctrl+O	Use to display the Connection screen to select the connection profile to be used to connect to a Change Auditor coordinator. This command is only available when the client is disconnected from a coordinator.
Disconnect	Ctrl+D	Use to disconnect from the current coordinator.
Open Log		Use to view one of the log files. Selecting this command will display the Open Log dialog allowing you to select the log file to be viewed. Once selected, a new tabbed page will be created in the client displaying the entries logged in the selected log.
Open Client Log		Use to view the current client log. A new tabbed page will be created in the client displaying the entries logged to the current client log.
Print	Ctrl+P	Use to send the contents of the displayed page to the designated printer. When you select this command, the Print dialog will be displayed allowing you to specify various print options.
Print to File	Ctrl+Shift+F	Use to save the contents of the displayed page to either an Excel (.xls) or comma delimited (.csv) file. When you select this command, the Save As dialog will be displayed allowing you to specify the location, file name and type of file to be created.
Print to PDF	Ctrl+Shift+D	Use to save the contents of the displayed page to a PDF file. When you select this command, the Save As dialog will be displayed allowing you to specify the location and file name.
Print Preview	Ctrl+Shift+P	Use to preview the contents of the displayed page prior to printing it.
Page Setup	Ctrl+Shift+U	Use to define the page settings for printing. Selecting this command will display the Page Setup dialog allowing you to define the paper, page orientation and margins.
Exit	Ctrl+Q	Use to close the client.
Edit Menu
Cut	Ctrl+X	Use to move the selected item (folder or search definition) to a different location in the explorer view (left pane) on the Searches page. Once cut, this item can then be pasted (or moved) to another location.
Copy	Ctrl+C	Use to copy the selected item (folder or search definition) to another location in the explorer view (left pane) on the Searches page. Once copied, a copy of this item can be pasted to another location.
Paste	Ctrl+V	Use to paste the contents of the clipboard (folder or search definition) to the selected location.
Delete		Use to remove the selected user-defined item (folder or search definition).
Move		Use to move the selected item (folder or search definition) to another location in the explorer view (left pane) on the Searches page. Selecting this command will display the Select the Destination Folder dialog allowing you to select the new location.
Action Menu
Refresh	F5	Use to retrieve and redisplay current data.
Autofit Columns to Contents	Ctrl+F	Use to resize the columns based on the content, which will eliminate the scroll bars.
Reset Display		Use to close multiple client windows and return to a single client window.
Show XML Tab		Use to display the XML tab, which displays the XML representation of a selected search criteria, at the end of the Search Properties tabs. NOTE: This command is only available from the Searches page and a Search Results page.
Show SQL Tab		Use to display the SQL tab, which displays the SQL query built to run a selected search, at the end of the Search Properties tabs. NOTE: This command is only available from the Searches page and a Search Results page.
Auto Connect		Use to enable or disable the auto connect feature. When enabled, the Connection Profile dialog will not be displayed when the client is launched. Instead, the previously specified connection profile will automatically be used to connect to the coordinator.
Disconnect client after 30 minutes of inactivity		Use this to disconnect from the client after 30 minutes of inactivity. If this option is not checked, the connection to the coordinator remains open.
Agent Notifications		Use to hide (or display) the desktop notification that is displayed in the lower right-hand corner of the screen whenever an agent is connected or disconnected from the coordinator, or when the coordinator is stopped or started. NOTE: Agent Notifications is enabled by default.
Agent Auto Refresh		Use to enable or disable the refreshing of the currently displayed grid (on the Deployment, Overview or Agent Statistics page) when an agent either connects or disconnects. NOTE: Agent Auto Refresh is enabled by default.
Hide Unlicensed Components		Use to hide unlicensed components from the Administration Tasks tab and unlicensed events throughout the client. NOTE: This command is only available from the Administration Tasks tab. NOTE: This feature only applies to users who have never had a specific product license (e.g., Change Auditor for Exchange). Users who had a trial license that has expired, will not be able to hide components. This is so that you can continue to search for events that may have occurred during your trial period.
Export		Use to export the Administration settings, such as configurations and settings, and auditing and protection templates, into an XML file. Selecting this command displays an Export dialog allowing you to select the settings/templates to be exported. NOTE: This command is only available from the Administration Tasks tab.
Import		Use to import previously exported Administration settings. Selecting this command displays an Import dialog allowing you to select the settings/templates to be imported. NOTE: This command is only available from the Administration Tasks tab.
View Menu
Deployment	Ctrl+F8	Use to display the Deployment page, from which you can deploy agents.
Overview	Ctrl+F9	Use to display the Overview page, which displays the results of your favorite search as well as an overview of the following information: • Top agent activity • Recent event activity • Count of events by event class, facility, location, severity, result or subsystem • Agent status for the entire enterprise or individual domain • Coordinator status for the entire enterprise or a single domain • Alert history counts
Searches	Ctrl+F10	Use to display the Searches page, from which you can run searches, define new searches and enable alerting.
Statistics | Agent	Ctrl+F11	Use to display the Agent Statistics page which provides a global view of all your agents, providing you with their current status and statistics.
Statistics | Coordinator	Shift+F11	Use to display the Coordinator Statistics page which provides coordinator status, database information and agent connection, event and alert data.
Administration	Ctrl+F12	Use to display the Administration Tasks tab which provides a single location where you can perform various administrative tasks related to configuring Change Auditor, customizing the auditing process and defining protection.
Close All Windows		Use to close all open windows.
List of open windows		The remainder of this menu lists all of the windows that are currently opened in the client. A check mark to the left of a window indicates the window that is currently active.
Help Menu
About		Use to display the Quest Change Auditor dialog which displays the following information: • The About tab displays the current version, patent, trademark and copyright statements. • The License tab provides license compliance information. • The Legal Notices tab displays acknowledgments for third party components that are used in Change Auditor • The Contact tab provides contact information for technical support, product questions and sales.
Contents	F1	Use to display the contents and initial screen of the online help.

Tool bar buttons

Tool bar buttons

The following table lists all of the commands available on the various tool bars in the client. It lists the commands/buttons in alphabetical order and provides a brief description of each command.

NOTE: When a tool bar button contains an arrow to the far right, this indicates that you can expand the button to select an additional command.

 

Table 2. Tool bar buttons

Tool bar button	Description	Change Auditor pages
Add	Depending on the page, use to add an entry to a search criteria list, add an object to an auditing list, define a new template, create a scheduled purge job, etc.	Most Administration Tasks pages
Add Add Role Definition Add Task Definition Add Application Group	Use the Add options as defined below: • Add Role Definition - use to define a new role defining who is authorized to perform the selected tasks and/or operations. • Add Task Definition - use to define a new task defining the operations that can be performed. • Add Application Group - use to define a new Authorization Manager Application Group.	Application User Interface page
Add Subsystem Event Class Object Class Severity Results	Use to add an entity (subsystem, event class, object class, severity or results) to the What search criteria list or purge criteria.	What tab
Add with Events Subsystem Event Class Object Class Severity Results	Use to add an entity that already has an event associated with it in the coordinator database to the What search criteria list or purge criteria.	What tab
Add with Events	Use to add an entity that already has an event associated with it in the coordinator database to the search or purge criteria.	Who tab Where tab Origin tab
Add | Add Wildcard Expression	Use to specify a wildcard expression for the search criteria or purge criteria.	Who tab Where tab
Add | Add Server Types	Use to specify a server type for the search criteria or purge criteria.	Where tab
Add | Exclude	Use to exclude a mailbox from Exchange auditing.	Exchange Mailbox Auditing page
Add | Select Multiple Objects	Use to define custom Active Directory and ADAM auditing - defining the objects, classes and/or attributes to be audited by Change Auditor.	Active Directory Auditing page ADAM (AD LDS) Auditing page
Advanced Options | Advanced Options	Use to display the Advanced Deployment Options dialog where you can view or modify the following settings: • Specify Agent Installation Location • Specify a Custom Share on the Remove Server • Launch ServiceStatusTray of startup • Restart Agent on failure • Specify a Group Policy Backup	Deployment page
Advanced Options | ActiveRoles Integration Deploy Scripts Only Deploy Scripts and Excluded Accounts	Use the Active Roles integration options as described below: • Deploy Scripts Only - use to copy and run the Active Roles integration scripts on the Active Roles server. These scripts instruct Active Roles to capture the initiator information for all users and pass this information onto Change Auditor. • Deploy Scripts and Excluded Accounts - use to specify user and computer accounts that are to be excluded from this integration. Change Auditor then deploys the Active Roles integration scripts that signal Active Roles to retrieve the initiator information for all users except for those specified for exclusion. Refer to the Quest Change Auditor Installation Guide for more information on Active Roles integration.	Deployment page
Alert Properties	Use to display the Alert properties across the bottom of the Alert History page.	Alert History page
Apply Changes	Use to save your coordinator configuration settings.	Coordinator Configuration page
Assign	Use to assign an agent configuration to the selected agents or to assign a template to an agent configuration.	Agent Configuration page Excluded Accounts Auditing page SQL Auditing page File System Auditing page Registry Auditing page Services Auditing page File System Protection page
Comments	Use to enter a comment for the selected event.	Event Details pane
Configurations	Use to display the Configuration Setup dialog to add, edit or delete agent configuration definitions.	Agent Configuration page
Connect To	Use this button to select the domain controller to be used to apply ACLs or to revert back to the client’s default global catalog. NOTE: This button is available only when you have selected to save your Active Directory and Group Policy protection templates to Active Directory using the Protection tab of the Coordinator Configuration tool.	Active Directory Protection page Group Policy Protection page
Copy	Use to copy the displayed event details to the clipboard.	Log pages Event Details pane SQL tab XML tab
Credentials Set Clear Test	Use to set, clear or test the credentials to be used for installing agents on the selected domain.	Deployment page
Default	Use to reset the severity and enabled settings of the selected events back to the factory defaults.	Audit Events page
Default All	Use to reset all agent configurations back to the default configuration.	Agent Configuration page
Delete	Use to remove the selected entry from the list.	Application User Interface page Member of Group Auditing page AD Query Auditing page Exchange Mailbox Auditing page Purge Jobs page Report Layouts page Who tab Where tab Origin tab
Delete | Delete Administration Account	Use to remove the selected administration account from an Active Directory, ADAM (AD LDS), or Group Policy protection template.	Active Directory Protection page ADAM (AD LDS) Protection page Group Policy Protection page
Delete | Delete Agent	Use to remove the selected agent from an EMC or NetApp auditing template.	EMC Auditing page NetApp Auditing page
Delete | Delete Excluded Account	Use to remove the selected account from an Excluded Accounts auditing template.	Excluded Accounts Auditing page
Delete | Delete File Path	Use to remove the selected file path from a File System auditing or protection template, an EMC auditing template or a NetApp auditing template.	File System Auditing page EMC Auditing page NetApp Auditing page
Delete | Delete Object	Use to remove the selected object from custom Active Directory or ADAM auditing; an Active Directory, ADAM (AD LDS) or Group Policy protection template.	Active Directory Auditing & Protection pages ADAM (AD LDS) Auditing & Protection pages Group Policy Protection page
Delete | Delete Object Class	Use to remove the selected object class from the Active Directory or ADAM (AD LDS) auditing list.	Active Directory Auditing page ADAM (AD LDS) Auditing page
Delete | Delete Override Account	Use to remove the selected override account from a protection template.	Protection pages
Delete | Delete Path	Use to remove the selected path from the auditing template.	SharePoint Auditing page
Delete | Delete Registry Key	Use to remove the selected registry key from a Registry auditing template.	Registry Auditing page
Delete | Delete Service	Use to remove the selected service from a Service auditing template.	Service Auditing page
Delete | Delete SQL Instance	Use to remove the selected SQL instance from a SQL auditing template.	SQL Auditing page
Delete | Delete Template	Use to remove the selected auditing or protection template.	Auditing pages Protection pages
Delete Criteria	Use to remove the selected entry from the What search criteria list.	What tab
Design Report	Use to launch the report designer to create a custom report layout for a selected search query.	Report tab
Disable	Use to disable the selected events.	Event Details pane Audit Events page
Disable Alert	Used to disable a private alert.	Private Alerts and Reports page
Disable Report	Used to disable a private report.	Private Alerts and Reports page
Edit	Use to modify the selected item.	Most Administration Tasks pages, including: • Purge Jobs page • Report Layouts page • Application User Interface page • Auditing pages • Protection pages
Edit Event Class	Use to modify the selected entry in the What search criteria list.	What tab
Edit Logon	Use to modify the type of logons included in a logon search.	What tab
Email	Use to launch the configured email client to email the selected event details.	Event Details pane
Enable	Use to enable the selected events.	Audit Events page Event Details pane
Event Details	Use to display the Event Details pane across the bottom of the Overview pane, Search Results page, or Alert History page.	Overview page Search Results page Alert History page
Event Logging	Use to enable or disable event logging.	Agent Configuration page
Explorer View	Use to show the explorer view in the left-hand pane of the Searches page.	Searches page
Find	Use to search for text in the currently displayed trace log. Enter a word or string of characters to be located.	Log pages
Force Refresh	Use to force a topology harvest refresh to discover new servers added to the Active Directory forest and display them on the Deployment page. NOTE: Topology scan takes a long time when the environment contains a large number of workstations.	Deployment page
Grid View	Use to hide the explorer view and display only the Searches list on the Searches page.	Searches page
Hide Properties	Use to hide the Search Properties tabs across the bottom of the Searches page. Use to hide the Resource Properties pane across the bottom of the Agent Statistics page.	Searches page Agent Statistics page
Hide Uninstalled Agents	Use to remove uninstalled agents from the current Agent Statistics view.	Agent Statistics page
Hide Uninstalled Coordinators	Use to remove uninstalled coordinators from the current Coordinator Statistics view.	Coordinator Statistics page
High/Medium/Low	Use to change the severity level assigned to the selected events.	Audit Events page
Install or Upgrade	Use to install or upgrade an agent on the selected servers.	Deployment page
Knowledge Base	Use to display the associated Event Reference Guide.	Audit Events page Event Details pane
Logs Open Log Get All Logs View Agent Log View Coordinator Log	Use the Log options as described below: • Open Log - use to retrieve a Change Auditor trace log file and display it in the client. • Get All Logs - use to retrieve any associated logs and save them to a specified location on the local machine. • View Agent Log - use to display the current Change Auditor agent trace log in the Change Auditor client. • View Coordinator Log - use to display the current coordinator trace log in the client.	Agent Configuration page Agent Statistics page Coordinator Statistics page Deployment page
Match Case	Use to locate log entries that match the case that was entered in the search text.	Log pages
New New Folder New Search	Use the New options as described below: • New Folder - use to create a new folder in the explorer view of the Searches page. • New Search - use to create a new search definition.	Searches page
New Servers	Use to enable or disable the automatic deployment of agents to new servers found in your Active Directory forest.	Deployment page
Next	Use to move to the next log entry that contains the search text.	Log pages
Overviews	Use to display the Overview panes across the bottom of the Overview page.	Overview page
Preview Changes	Use to run the search based on the changes made to the search query and display the results in the current Search Results page.	Search Properties tabs (Search Results page)
Preview Report	Use to display a query results report.	Report tab
Previous	Use to move to the previous log entry that contains the search text.	Log pages
Print Print Print to File Print to PDF Print Preview Page Setup	Use the print options to print or save the contents of the displayed page. • Print - use to send the contents of the active page to a designated printer. • Print to File - use to save the contents of the active page to either an Excel (.xls) or comma delimited (.csv) file. • Print to PDF - use to save the contents of the active page to a PDF file. • Print Preview - use to display the print layout of the active page prior to printing it. • Page Setup - use to define the page settings for printing.	All pages
Protect Object	Use to protect Active Directory objects, ADAM (AD LDS) objects, Group Policy Objects, Exchange mailboxes, File System files and folders against unauthorized modifications.	Event Details pane
Refresh	Use to retrieve and display the latest data available.	Overview page Log pages
Refresh Configuration	Use to retrieve the current agent configuration assignments.	Agent Configuration page
Refresh Status	Use to refresh the deployment status of the selected servers.	Deployment page
Related Search	Use to view additional details about the user who initiated the change, view resource details about the machine where the change occurred, or run related searches based on the who, where, what, when or origin of an event.	Event Details pane
Restart Agent	Use to stop and then restart an agent. This button is only available when an agent is in an ‘active’ state.	Agent Statistics page
Restore Value	Use to restore the current value (To value) to its previous value (From value). NOTE: Applies to 6.x (and higher) events reporting Active Directory attribute changes only. NOTE: The Restore Value feature may not work for all events. Specifically, values cannot be restored for the following events: • User password changed • User password changed by non-owner • User account locked • User account unlocked • User must change password at next logon option changed	Event Details pane
Run	Use to run the selected search and display the events returned in a new Search Results page.	Searches page Search Properties tabs
Save	Use to save a newly created search or modifications made to a search definition.	Search Properties tabs
Save As Save As Save As Default	Use the Save As options as described below: • Save As - use to save the search definition using a different name and/or location. • Save As Default - use to save the search definition as the new default for creating new searches.	Search Properties tabs
Search Properties	Use to display the Search Properties tabs across the bottom of the page.	Search Results page
Select All	Use to select all the entries in the currently displayed trace log, which can then be copied for use in another application.	Log pages
Set Agent Uninstalled	Use to flag the selected agent as ‘uninstalled’. NOTE: This button is only available when the selected agent is in an ‘active’ state.	Agent Statistics page
Set Coordinator Uninstalled	Use to flag the selected coordinator as ‘uninstalled’. NOTE: This button is only available when the selected coordinator is in an ‘active’ state.	Coordinator Statistics page
Shared Mailboxes	Use to view automatically detected shared mailboxes or to define a shared mailbox on the Exchange Mailbox auditing page.	Exchange Mailbox Auditing page
Show Matched Entries Only ()	Use to display only the log entries that match the word/string of characters entered in the search text.	Log pages
Show Properties	Use to display the Search Properties tabs across the bottom of the Searches page. Use to display the Resource Properties pane across the bottom of the Agent Statistics page.	Searches page Agent Statistics page
Show Uninstalled Agents	Use to include uninstalled agents in the current Agent Statistics view.	Agent Statistics page
Show Uninstalled Coordinators	Use to include uninstalled coordinators in the current Coordinator Statistics view.	Coordinator Statistics page
Start Agent	Use to start a stopped agent. This button is only available when an agent is in an ‘inactive’ state.	Agent Statistics page
Stop Agent	Use to stop an agent. This button is only available when an agent is in an ‘active’ state.	Agent Statistics page
Test Mail	Use to generate a test email based on the configuration information entered in the Email Alerts Configuration pane.	Coordinator Configuration page
Test SNMP	Use to generate a test SNMP trap based on the configuration information entered in the Email Alerts Configuration pane.	Coordinator Configuration page
Uninstall	Use to uninstall the agent from the selected servers.	Deployment page

Right-click commands

Right-click commands

The following table lists the commands which are available through right-click functionality. The commands are listed in alphabetical order with a reference to the pages from which they can be accessed.

 

Table 3. Right-click commands

Command	Present on the following pages
Add Application Group	Administration Tasks tab: • Application User Interface Authorization - Role • Application User Interface Authorization - Member
Add Task Definition	Administration Tasks tab: • Application User Interface Authorization - Role • Application User Interface Authorization - Member
Add Role Definition	Administration Tasks tab: • Application User Interface Authorization - Role • Application User Interface Authorization - Member
Alert Enable Transport Email SNMP WMI Disable Transport Email SNMP WMI Disable Alert History Delete History	Searches page - Search definition (right pane) NOTE: The History and Delete History options are only displayed when alerting has been enabled for a search.
All Results	Administration Tasks tab: • Audit Events - event
Assign	Administration Tasks tab: • Agent Configuration
Assign to Configuration	Administration Tasks tab: • Excluded Accounts Auditing - template or account • File System Auditing - template or file path • File System Protection - template or file path • Registry Auditing - template or registry key • Services Auditing - template or service • SQL Auditing - template or instance • SQL Data Level Auditing - template
Audit	Exchange Mailbox Auditing page - excluded mailbox
Clear Result	Deployment page - agent
Collapse All	Searches page - folder (left pane)
Comments	Overview page - event (data grid) Search Results page - event (data grid)
Copy	Administration Tasks tab: • Coordinator Configuration - text boxes • Excluded Accounts Auditing - template • File System Auditing - template • Registry Auditing - template • Report Layouts - template • Services Auditing - template • SQL Auditing - template • SQL Data Level Auditing - template Event Details pane (text boxes) Overview page - event (data grid) Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes) Searches Results page - event (data grid) Searches page: • Folder (left pane) • Search definition (right pane)
Credentials Set Clear Test	Deployment page - agent
Cut	Administration Tasks tab: • Coordinator Configuration (text boxes) Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes) Searches page: • Folder (left pane) • Search definition (right pane)
Delete	Administration Tasks tab: • Active Directory Auditing - object • Active Directory Auditing - object class • Application User Interface Authorization - role • Coordinator Configuration - text boxes • EMC Auditing - template or file path • Exchange Mailbox Auditing - mailbox • Exchange Mailbox Protection - template or mailbox • Excluded Account Auditing - template or account • AD Query Auditing - container • File System Auditing - template or file path • File System Protection - template or file path • NetApp Auditing - template or file path • Purge Jobs - job • Registry Auditing - template or registry key • Report Layouts - template • Services Auditing - template or service • SharePoint Auditing - template or path • SQL Auditing - template or instance • SQL Data Level Auditing - template Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes) Searches page: • Folder (left pane) • Search definition (right pane)
Disable	Administration Tasks tab: • Active Directory Auditing - object • Active Directory Protection - template or object • Audit Events - event • EMC Auditing - template or file path • Exchange Mailbox Auditing - mailbox • Exchange Mailbox Protection - template or mailbox • Excluded Accounts Auditing - template • AD Query Auditing - container • File System Auditing - template or file path • File System Protection - template or file path • Group Policy Protection - template or object • NetApp Auditing - template or file path • Purge Jobs - job • Registry Auditing - template or registry key • Services Auditing - template or service • SharePoint Auditing - template or path • SQL Auditing - template or instance • SQL Data Level Auditing - template Overview page - event (data grid) Search Results page - event (data grid)
Disable Alert	Private Alerts and Reports page
Disable Report	Private Alerts and Reports page
Edit	Administration Tasks tab: • Active Directory Auditing - object or object class • Active Directory Protection - template, object or attribute protection • Application User Interface Authorization - role • EMC Auditing - template or file path • Exchange Mailbox Protection - template or mailbox • Excluded Accounts Auditing - template or account • File System Auditing - template or file path • File System Protection - template or file path • NetApp Auditing - template or file path • Purge Jobs - job • Registry Auditing - template or registry key • Report Layouts - template • Services Auditing - template or service • SharePoint Auditing - template or path • SQL Auditing - template or instance • SQL Data Level Auditing - template
Email	Overview page - event (data grid) Search Results page - event (data grid)
Enable	Administration Tasks Tab: • Active Directory Auditing - object • Active Directory Protection - template or object • Audit Events - event • EMC Auditing - template or file path • Exchange Mailbox Auditing - mailbox • Exchange Mailbox Protection - template or mailbox • Excluded Accounts Auditing - template • AD Query Auditing - container • File System Auditing - template or file path • File System Protection - template or file path • NetApp Auditing - template or file path • Purge Jobs - job • Registry Auditing - template or registry key • Services Auditing - template or service • SharePoint Auditing - template or path • SQL Auditing - template or instance • SQL Data Level Auditing - template Overview page - event (data grid) Search Results page - event (data grid)
Event Details	Overview page - event (data grid) Search Results page - event (data grid)
Exclude	Exchange Mailbox Auditing page - audited mailbox
Expand All	Searches page - folder (left pane)
Export	Searches page: • Folder (left pane) • Search definition (right pane)
Hide Properties	Searches page: • Folder (left pane) • Search definition (right pane) Agent Statistics page - agent
High/Medium/Low	Administration Tasks tab: • Audit Events Auditing
Import Folder	Searches Page - folder (left pane)
Import Search	Searches Page - folder (left pane)
Install or Upgrade	Deployment page - agent
Knowledge Base	Administration Tasks Tab: • Audit Events Auditing Overview page - event (data grid) Search Results page - event (data grid)
Logs Open Log Get All Logs View Agent Log View Coordinator Log	Agent Statistics page - agent Coordinator Statistics page - coordinator Deployment page - agent
Move	Searches page: • Folder (left pane) • Search definition (right pane)
New New Folder New Search	Searches Page: • Folder (left pane) • Search definition (right pane)
Overviews	Overview page - event (data grid)
Paste	Administration Tasks tab: • Coordinator Configuration (text boxes) Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes) Searches page: • Folder (left pane) • Search definition (right pane)
Redo	Administration Tasks tab: • Coordinator Configuration (text boxes) Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes)
Refresh Configuration	Administration Tasks tab: • Agents Configuration
Refresh Status	Deployment page - agent
Rename	Searches page - folder (left pane)
Report Disable Report	Searches page - search definition (right pane)
Restart Agent	Agent Statistics page - agent
Run	Searches page - Search definition (right pane)
Scope Object One Level Subtree	Exchange Mailbox Auditing page - audited mailbox
Search Properties	Search Results page - event (data grid)
Security	Active Directory Protection page - object Group Policy Protection page - object
Select All	Administration Tasks tab: • Coordinator Configuration - text boxes Event Details pane - text boxes Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes)
Set Agent Uninstalled	Agent Statistics page - agent
Set As My Favorite	Searches page - Search definition (right pane)
Set Coordinator Uninstalled	Coordinator Statistics page - coordinator
Show Properties	Searches page • Folder (left pane) • Search Definition (right pane) Agent Statistics page -agent
Start Agent	Agent Statistics page - agent
Stop Agent	Agent Statistics page - agent
Success Only	Administration Tasks tab: • Audit Events - event
Success and Protected Only	Administration Tasks tab: • Audit Events - event
Success and Failed Only	Administration Tasks tab: • Audit Events - event
Undo	Administration Tasks tab: • Coordinator Configuration - text boxes Search Properties tabs: • Report tab (text boxes) • Info tab (text boxes)
Uninstall	Deployment page - agent

 

Change Auditor Email Tags

Change Auditor Email Tags

The Alert Body Configuration dialog allows you to edit the plain text and the HTML representation of alert emails. It consists of the following tabbed pages:

•	Preview - is for previewing a sample of what your customized email will look like.

•	Main Body - to define the overall content and layout of the alert email body.

•	Event Details - to define the details to be included for each event included in the alert email.

•	Signature - to define the signature line to be included.

The text entered in the these tabs is sent when the alert triggers, with the exception of the variable tags (%xxx%). These tags are used to retrieve information from Change Auditor. The following tags are used and should not be modified.

 

Table 1. Tags valid in the Main Body tab

Email Tag:	Description:
%AD_MANAGEDBY%	The email address for the user assigned to manage the user referenced in an Active Directory user event.
%AD_USERMAIL%	The email address for the user referenced in an Active Directory user event.
%ALERT_COORDINATOR_DOMAIN%	The name of the domain where the coordinator that generated the alert resides.
%ALERT_COORDINATOR_NAME%	The name of the coordinator generating the alert.
%ALERT_NAME%	The name of the alert that fired.
%ALERT_TIME_SENT%	The date and time when the alert fired.
%ALERT_TYPE%	The type of alert: Smart Alert or Alert.
%BATCH_ID%	The batch ID for all alerts grouped into a single smart alert email.
%EVENT_COUNT%	The number of events grouped into a single smart alert email.
%SMART_ALERT%	Indicates whether this is a smart alert email.
%SMART_ALERT_GROUPING%	Indicates whether this is a smart alert email and on a single object.
%SMART_ALERT_OCCURRENCE%	For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SMART_ALERT_PERIOD%	For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SMART_ALERT_PERIOD_UNIT%	For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.

 

Table 2. Tags valid in the Event Details tab

Email Tag:	Description:
%AAD_ACTIVITYORIGIN%	For Microsoft Entra events, the origin of the activity.
%AAD_ACTIVITYSTATUSREASON%	For Microsoft Entra events, the status reason.
%AAD_ACTIVITYTYPE%	For Microsoft Entra events, the type of activity.
%AAD_CATEGORY%	For Microsoft Entra events, the associated category.
%AAD_CITY%	For Microsoft Entra events, the associated city.
%AAD_COUNTRY%	For Microsoft Entra events, the associated country.
%AAD_ONPREMISESSUBJECT%	For Microsoft Entra events, the associated Active Directory on premises subject.
%AAD_ONPREMISESTARGET%	For Microsoft Entra events, the associated Active Directory on premises target.
%AAD_ONPREMISESUSERNAME%	For Microsoft Entra events, the associated Active Directory on premises username.
%AAD_STATE%	For Microsoft Entra events, the associated state.
%AAD_SUBJECTDISPLAYNAME%	For Microsoft Entra events, the associated subject display name.
%AAD_SUBJECTSYNCTYPE%	For Microsoft Entra events, the associated subject synchronization type.
%AAD_TARGETDISPLAYNAME%	For Microsoft Entra events, the target display name.
%AAD_TARGETSYNCTYPE%	For Microsoft Entra events, the target synchronization type.
%AAD_TENANTDEFAULTDOMAIN%	For Microsoft Entra events, the tenant default domain.
%AAD_TENANTDISPLAYNAME%	For Microsoft Entra events, the tenant display name.
%ACTIONNAME%	The action associated with the event (e.g., Modify Attribute).
%AD_SAMACCOUNTNAME%	For Active Directory events, the logon name of the user who initiated the change event.
%AD_FAILURE_REASON%	For Active Directory events, the failure reason for failed events.
%AD_STATUS_CODE%	For Active Directory events, the status code for failed events.
%AD_USERPRINCIPALNAME%	For Active Directory events, the user principal name (UPN) of the user who initiated the change event.
%ADAM_CONFIGURATIONSET%	For ADAM (AD LDS) events, the name of the configuration set that holds the ADAM instance where the change occurred.
%ADAM_INSTANCENAME%	For ADAM (AD LDS) events, the name of the ADAM instance where the change occurred.
%ADAM_INSTANCEPORT%	For ADAM (AD LDS) events, the communications port used by the ADAM instance where the change occurred.
%ADAM_PARTITIONNAME%	For ADAM (AD LDS) events, the name of the directory partition where the change event occurred.
%ALERT_COORDINATOR_DOMAIN%	The name of the domain where the coordinator that generated the alert resides.
%ALERT_COORDINATOR_NAME%	The name of the coordinator generating the alert.
%ALERT_NAME%	The name of the alert that fired.
%ALERT_TIME_SENT%	The date and time when the alert fired.
%ALERT_TYPE%	The type of alert: Smart Alert or Alert.
%ATTRIBUTENAME%	For Active Directory and ADAM (AD LDS) events, the name of the schema attribute that was modified (e.g., displayName). For File System events, the name of the file or folder attribute that was modified.
%BATCH_ID%	The batch ID assigned to all alerts grouped into a single smart alert email.
%COMMENT%	Any comments for the event which were entered using the Comments feature on the Event Details pane.
%DOMAINCONTROLLER%	Indicates whether the agented server is a domain controller.
%DOMAINDN%	The distinguished name (DN) of the domain to which the agent that generated the alert belongs.
%DOMAINFQDN%	The fully qualified domain name (FQDN) of the domain to which the Change Auditor agent that generated the alert belongs.
%DOMAINNAME%	The name of the domain to which the agent that generated the alert belongs.
%EVENT_COUNT%	The number of events grouped into a smart alert email.
%EVENTCLASSNAME%	The event name.
%EVENTMESSAGE%	The actual event that triggered the alert.
%EVENTSOURCE%	Indicates the application where the change event came from: Change Auditor, Active Roles, or GPOADmin.
%EXCHANGE%	Indicates whether the agented server is an Exchange server.
%FACILITYNAME%	The name of the event class facility to which the event belongs (e.g., Domain Configuration).
%FORESTNAME%	The name of the forest where the agent that captured the event resides.
%FS_ATTRIBUTENAME%	For File System events, the name of the attribute that was modified.
%FS_FILENAME%	For File System events, the name of the file that was modified.
%FS_FILESERVER%	For File System events, the name of the server where the file or folder that was modified resides.
%FS_FILESYSTEMTYPEID%	For File System events, the type of object (File or Folder) that was modified.
%FS_FOLDERPATH%	For File System events, the full path of the file or folder where the modification occurred.
%FS_LOGONID%	For File System events, the logon ID of the user who made the change.
%FS_PRIMARYSID%	For File System events, the SID of the user who made the change.
%FS_PROCESSNAME%	For File System events, the full path of the application responsible for the change.
%FS_SHARENAME%	For File System events, the name of the local share that was modified.
%FS_TRANSACTIONID%	For File System Transaction Status Changed events, the identification number assigned to a transaction.
%FS_TRANSACTIONSTATUS%	For File System Transaction Status Changed events, the current status of the transaction.
%GLOBALCATALOG%	Indicates whether the agented server is a Global Catalog.
%GPO_POLICYCANONICAL%	For Group Policy events, the canonical name (CN) of the group policy that was modified.
%GPO_POLICYITEM%	For Group Policy events, the group policy item that was modified.
%GPO_POLICYNAME%	For Group Policy events, the name of the group policy that was modified.
%GPO_POLICYSECTION%	For Group Policy events, the section of the group policy that was modified.
%INITIATORMAIL%	For events generated by Active Roles or GPOAdmin, the email address of the user that initiated the change event.
%INITIATORSID%	For events generated by Active Roles or GPOAdmin, the SID of the user that initiated the change event.
%INITIATORUSERNAME%	For events generated by Active Roles or GPOADmin, the name of the user that initiated the change event.
%IPADDRESS%	The IP address of the Change Auditor agent that generated the alert.
%LDAP_ATTRIBUTES%	For AD Query events, the attributes that were queried.
%LDAP_ELAPSED%	For AD Query events, how long the AD query took to run.
%LDAP_FILTER%	For AD Query events, the filter string used in the AD query.
%LDAP_OCCURRENCES%	For AD Query events, the number of times the AD query occurred during the specified interval.
%LDAP_RESULTS%	For AD Query events, the number of results returned as a result of the query.
%LDAP_SCOPE%	For AD Query events, the scope of coverage: This object only or This object and all children.
%LDAP_SINCE%	For AD Query events, the date and time when the AD query was first initiated.
%LDAP_TYPE%	For AD Query events, the type of query: LDAP or GC.
%LOGON_DURATION%	For Logon Session events, how long the user session lasted or how long the user was actually logged onto the computer (depends on the event).
%LOGON_END%	For Logon Session events, the date and time when the user logged out of the computer.
%LOGON_SESSIONEND%	For Logon Session events, the date and time when the current user session ended.
%LOGON_SESSIONSTART%	For Logon Session events, the date and time when the current user session began.
%LOGON_START%	For Logon Session events, the date and time when the user initially logged onto the computer.
%LOGON_TYPE%	For Logon Activity events, the type of logon that occurred: • Domain Authentication • Interactive • Remote Interactive
%OBJECTCANONICAL%	For Active Directory and ADAM (AD LDS) events, the canonical name of the object that was modified. For Group Policy events, the canonical name of the group policy that was modified. For AD Query events, the LDAP object canonical name of the object that was queried.
%OBJECTCLASS%	For Active Directory and Exchange events, the object class that was modified (e.g., groupPolicyContainer). For ADAM (AD LDS) events, the object class that was modified (e.g., container, user, group). For AD Query events, the object class that was queried.
%OBJECTNAME%	For Active Directory and Exchange events, the name of the object that was modified. For ADAM (AD LDS) events, the distinguished name of the object that was modified. For Group Policy events, the name of the group policy that was modified. For AD Query events, the name of the object that was queried.
%ORGANIZATIONALUNIT%	For Active Directory and ADAM (AD LDS) events, the OU associated with the object that was modified. For Group Policy events, the name of the OU that is linked to the group policy that was modified. For AD Query events, the name of the OU associated with the LDAP query.
%OSVERSION%	Indicates the operating system version of the machine where the modification occurred.
%REGISTRYKEY%	For Registry events, the name of the registry key that was modified.
%REGISTRYVALUE%	For Registry events, the registry value that was modified.
%RESULTNAME%	Indicates the result of the operation mentioned in the event: • Success • Protected • Failed • None
%SAM_PRINCIPALNAME%	The logon name of the local account that initiated the change event.
%SAM_PRINCIPALTYPE%	The type of local account that initiated the change event.
%SERVERDN%	The distinguished name (DN) of the agented server that captured the event.
%SERVERFQDN%	The fully qualified domain name (FQDN) of the agented server that captured the event.
%SERVERNAME%	The name of the agented server where the change occurred.
%SERVEROU%	The name of the organizational unit where the agented server resides.
%SERVICE_DISPLAYNAME%	For Service events, the display name of the service that was modified.
%SERVICE_NAME%	For Service events, the name of the service that was modified.
%SEVERITYNAME%	The severity assigned to the change event: High, Medium or Low.
%SHAREPOINT_FARMNAME%	For SharePoint events, the name of the SharePoint farm where the modification occurred.
%SHAREPOINT_ITEMNAME%	For SharePoint events, the name of the SharePoint item (e.g. document, folder, list item) that was modified.
%SHAREPOINT_ITEMURL%	For SharePoint events, the URL of the SharePoint item that was modified.
%SHAREPOINT_LISTNAME%	For SharePoint events, the name of the SharePoint list that was modified.
%SHAREPOINT_LISTPATH%	For SharePoint events, the full path of the SharePoint list where the modification occurred.
%SHAREPOINT_WEBNAME%	For SharePoint events, the name of the web site where the modification occurred.
%SHAREPOINT_WEBURL%	For SharePoint events, the URL of the web site where the modification occurred.
%SIGNSEAL%	For Active Directory and AD Query events, indicates whether the LDAP operation or LDAP query is signed using Kerberos-based encryption.
%SITEDN%	The distinguished name (DN) of the site where the agented server resides.
%SITENAME%	The name of the site where the agented server resides.
%SMART_ALERT%	Indicates whether this is a smart alert email.
%SMART_ALERT_GROUPING%	Indicates whether this is a smart alert email and on a single object.
%SMART_ALERT_OCCURRENCE%	For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SMART_ALERT_PERIOD%	For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SMART_ALERT_PERIOD_UNIT%	For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’.
%SQL_APPLICATIONNAME%	For SQL events, the name of the client application that initiated the change event.
%SQL_CLIENTPROCESSID%	For SQL events, the identification number associated with the client process that initiated the change event.
%SQL_DATABASEID%	For SQL events, the identification number associated with the SQL database used by the process that initiated the change event.
%SQL_DATABASENAME%	For SQL events, the name of the SQL database used by the process that initiated the change event.
%SQL_EVENTCLASS%	For SQL events, the SQL Server operation (event class) that was performed.
%SQL_EVENTSUBCLASS%	For SQL events, the type of event subclass that was performed.
%SQL_HOSTNAME%	For SQL events, the name of the client workstation that initiated the session.
%SQL_INSTANCENAME%	For SQL events, the name of the SQL instance where the change event occurred.
%SQL_ISSYSTEM%	For SQL events, indicates whether a system session initiated the change.
%SQL_LINKEDSERVERNAME%	For SQL events, the name of the linked server.
%SQL_OBJECTID%	For SQL events, the object identifier associated with the SQL object that was changed.
%SQL_OBJECTID2%	For SQL events, the object identifier of related objects or entities, if available.
%SQL_OBJECTNAME%	For SQL events, the name of the SQL Server object that was changed.
%SQL_OBJECTTYPE%	For SQL events, the type of SQL Server object that was changed.
%SQL_OWNERID%	For SQL lock events, the type of object that owns a lock.
%SQL_OWNERNAME%	For SQL events, the database user name of the object owner.
%SQL_PARENTNAME%	For SQL events, the name of the schema in which the object that changed resides.
%SQL_PROVIDERNAME%	For SQL events, the name of the OLEDB provider.
%SQL_ROWCOUNTS%	For SQL events, the number of rows returned by the SQL query.
%SQL_SESSIONLOGINNAME%	For SQL events, the SQL Server login name used by the client to create the session.
%SQL_SPID%	For SQL events, the SQL Server Process ID associated with the process that initiated the change.
%SQL_SUCCESS%	For SQL events, indicates whether the event was successful.
%SQL_TEXTDATA%	For SQL events, the character string used in the SQL query.
%SSLTLS%	For Active Directory or AD Query events, indicates whether the LDAP operation or LDAP query is secured using SSL or TLS technology.
%SUBSYSTEMNAME%	The subsystem, or area of auditing, where the change event occurred (e.g., Active Directory, Service, Group Policy).
%TIMEBATCHED%	The UTC date and time when the batch of events were sent from the agent to coordinator.
%TIMEDETECTED%	The UTC date and time when the agent captured the event.
%TIMEOFDAY%	The UTC time (no date) when the event the agent captured the event.
%TIMERECEIVED%	The UTC date and time when the event was received by Change Auditor.
%TIMEZONE%	The name of the time zone used for the alert’s date/time stamps in the email.
%TIMEZONETIMEDETECTED%	The date and time when the Change Auditor agent captured the event, based on the selected time zone.
%TIMEZONETIMERECEIVED%	The date and time when the event was received by Change Auditor, based on the selected time zone.
%USERADDRESS%	The machine name or IP address of the machine where the change originated.
%USERADDRESSIPV4%	The IPv4 IP address of the machine where the change originated.
%USERADDRESSIPV6%	The IPv6 IP address of the machine where the change originated.
%USERDISPLAY%	The display name of the user who initiated the change.
%USERMAIL%	The email address of the user that initiated the change.
%USERNAME%	The NT4 logon name (domain\name) of the user who initiated the change.
%USERSID%	The security identifier (SID) assigned to the user who initiated the change.
%VALUENEW%	The new value that is now assigned to the object.
%VALUEOLD%	The old value that was assigned to the object.

The event details defined in the Event Details tab are placed in the Main Body pane using the following tag:

%EVENT_DETAILS%

This tag should NOT be removed from the Main Body tab if you want to include the event details in the alert emails.