Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

Change Auditor allows you to monitor Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Services (AD LDS) events. AD LDS provides directory services for directory-enabled applications without a risk compromising your Active Directory database.

* 
NOTE: The File and Printer Sharing feature must be enabled under the Windows Firewall before you can set up ADAM auditing or protection.
* 
NOTE: There are some special installation considerations for auditing ADAM (AD LDS) on workgroup servers. Refer to the Installing Change Auditor to Monitor ADAM (AD LDS) on Workgroup Servers appendix in the Change Auditor Installation Guide for more information.

To audit ADAM (AD LDS), you must first define the ADAM instances, the directory objects or containers, the object classes and optionally the individual attributes through the following pages on the Administration Tasks tab:
Use the ADAM (AD LDS) Auditing page to create a list of ADAM instances, directory objects or containers, and object classes to monitor.
Use the ADAM (AD LDS) Attribute Auditing page to select the individual schema attributes to monitor for the selected object classes.

 

ADAM (AD LDS) Auditing page

Previous Next

ADAM (AD LDS) Auditing page

The ADAM (AD LDS) Auditing page contains a list of ADAM (AD LDS) instances and the associated object classes selected for auditing. This page displays when you select ADAM (AD LDS) from the Auditing task list in the navigation pane of the Administration Tasks tab.

The ADAM (AD LDS) Auditing page contains an expandable view of the ADAM (AD LDS) instances selected for auditing. The view groups the information by agent, which can be expanded to view the object classes and monitored attributes. To add an instance to this list, click Add. Once added, the following information will be displayed:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
Agents

Displays the name of the agent where the ADAM (AD LDS) instance resides. If there are many instances that have replicated partitions, the name of each agent hosting an instance will be displayed.

Object

Displays the distinguished name of the ADAM (AD LDS) instance.

Configuration Set ID

Displays the unique identifier of the configuration set shared between all ADAM (AD LDS) instances that are replicating their application partitions.

Status

Indicates whether the auditing for the ADAM instance is enabled or disabled.

Scope

Displays the scope of coverage:
Enterprise
Object
One Level
Subtree
Object Class

This field is used for filtering data.

If the view is not already expanded, click the expansion box to the left of the Instance Agent name to expand the view to display the following details:

Object Class

Displays the object class selected for auditing (such as container, user, and group).

Monitored Attributes

Displays the number of schema attributes selected for auditing by Change Auditor for each object class listed.

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Quest Change Auditor User Guide.
* 
NOTE: If credentials are needed in order to connect to the selected ADAM (AD LDS) instance, a credentials required dialog will be displayed prompting you to enter the appropriate credentials.

The page consists of the following information/controls:

Attributes list

The list box located across the top of this page lists the object classes that can be selected to define attribute auditing. More specifically, this list box contains the object classes selected on the ADAM (AD LDS) Auditing page.

In addition to the name of the object class, the following information is also displayed:
the assigned severity
number of custom attributes selected for auditing
the names of the different schema classes available for auditing
the name of the agent where the associated ADAM (AD LDS) instances resides. If there are many instances that have replicated partitions, the name of each agent hosting an instance will be displayed.
Displays the unique identifier of the configuration set shared between all ADAM (AD LDS) instances that are replicating their application partitions.

Selecting an entry in this list, will populate the list boxes across the bottom of the dialog with the applicable attributes.

Unmonitored Attribute list

The list box located in the lower left-hand pane displays the attributes that are currently not being audited for the schema class selected in the Attributes list.

Monitored Attribute list

The list box located in the lower right-hand pane contains the attributes that are currently selected for auditing for the schema class selected in the Attributes list.

In addition to the attribute, the assigned severity is also displayed. To change the severity level assigned to an attribute, place your cursor in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected attribute.

Add

Select one or more attributes from the Unmonitored Attribute list and click Add to select them for auditing. The selected attributes will be moved to the Monitored Attribute list box.

* 
NOTE: You can also double-click an attribute to select it for auditing or ‘drag and drop’ it into the Monitored Attribute list.
Remove

Select one or more attributes from the Monitored Attribute list and click Remove to remove them from auditing. The selected attribute will then be moved back to the Unmonitored Attribute list box.

* 
NOTE: You can also double-click an attribute to remove it from auditing or ‘drag and drop’ it back into the Unmonitored Attribute list.

Enable ADAM (AD LDS) auditing

Previous Next

Enable ADAM (AD LDS) auditing

To enable ADAM (AD LDS) auditing:
1
Open the Administration Tasks page.
2
Click Auditing.
3
Select ADAM (AD LDS) in the Auditing task list.
4
Click Add to open the ADAM (AD LDS) Auditing wizard.
5
Select an ADAM (AD LDS) instance from the displayed list. This list includes the ADAM (AD LDS) instances found in your environment. Only instances running on computers with a Change Auditor agent installed display in this list.
6
On the second page of the wizard, use the Browse or Search pages to locate and select a directory object or container to audit.
7
On the Select Object Class page, use one of the following methods to move an object class from the UnAudited Object Class list to the Audited Object Class list:
Select one or more object classes in the UnAudited Object Class list and click Add.
Select one or more object classes in the UnAudited Object Class list and ‘drag and drop’ the selected object classes into the Audited Object Class list.
Double-click an object class in the UnAudited Object Class list.
8
After selecting one or more object classes, click Finish to save your selection and close the wizard.

Change Auditor will then audit for events such as object created, deleted, moved, renamed and modified for the objects selected. However, to audit individual ADAM (AD LDS) attributes for these objects, you must specify the attributes to be audited using the ADAM (AD LDS) Attribute Auditing page.

9
On the Administration Tasks tab, select ADAM (AD LDS) | Attributes in the Auditing task list to open the ADAM (AD LDS) Attribute Auditing page.
10
Select an object class from the list box located across the top of this page. (This list contains the object classes selected on the ADAM (AD LDS) Auditing page.) Selecting an entry in this list will populate the list boxes across the bottom of the page with the applicable attributes.
11
In the Unmonitored Attribute list, located in the lower left-hand pane of this page, select one or more attributes and click Add to select them for auditing. The selected attributes will be moved to the Monitored Attribute list.

You can also double-click an attribute to select it for auditing or ‘drag and drop’ it into the Monitored Attribute list.

12
To change the severity level assigned to an attribute, in the Monitored Attribute list, place your cursor in the Severity cell, click the arrow control and select the severity you want to assign to the selected attribute.
13
To remove an attribute from auditing, select the attribute in the Monitored Attribute list and click Remove. The selected attribute will then be moved back into the Unmonitored Attribute list.

You can also double-click an attribute to remove it from auditing or ‘drag and drop’ it into the Unmonitored Attribute list.

14
Once you have selected at least one attribute for auditing, the associated Monitored Attribute column in the list box displays the number of attributes selected for auditing. This value will also be displayed in the Monitored Attribute column back on the ADAM (AD LDS) Auditing page.

ADAM (AD LDS) Auditing wizard

Previous Next

ADAM (AD LDS) Auditing wizard

The ADAM (AD LDS) Auditing wizard opens when you click Add on the ADAM (AD LDS) Auditing page. This wizard steps you through the process of defining the ADAM (AD LDS) instance, directory objects or containers, and object classes to audit.

The following table provides a description of the available fields and controls:

 

Table 5. ADAM (AD LDS) Auditing wizard

Select an ADAM instance page: The first page of the wizard displays a list of available ADAM (AD LDS) instances found in your environment. This list only includes instances found on computers that are running a Change Auditor agent.

ADAM (AD LDS) Instances

This list includes the following information about each ADAM (AD LDS) instance discovered in your environment:
Agent - displays the name of the agent where each of the ADAM (AD LDS) instances reside.
Instance Name - displays the name of the ADAM (AD LDS) instances displayed.
Instance Port - displays the port number assigned to each of the ADAM (AD LDS) instances displayed.

From this list, select the ADAM (AD LDS) instance to be audited.

NOTE: If you have multiple ADAM (AD LDS) instances with replicating application partitions, there is no need to configure an auditing template for each instance. Change Auditor will automatically send the auditing configuration to each machine that is hosting an instance. You must have an agent installed on each instance host.

Select directory object or container page: On this page select where to conduct the audit (such as enterprise or individual objects) and what to audit (such as directory object or container).

Scope

Select the scope of coverage from the following options (This Object and All Child Objects is selected by default):
Enterprise - to audit the entire enterprise
This Object - to audit an individual object
This Object and Child Objects Only - to audit an object and its direct child objects
This Object and All Child Objects - to audit an object and all of its subordinate objects (all levels)

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the directory objects or containers to audit.

Search page

Use the controls at the top of the Search page to search your environment to locate the directory objects or containers to audit.

Options page

Use the Options page to modify the search options or ADAM instance to use to retrieve directory objects.

Select object class to audit page: On this page, select at least one object class to audit.

UnAudited Object Class list

The list box on the left contains a list of all the unaudited object classes available for auditing. Select one or more unaudited object classes and click Add to move them to the Audited Object Class list box.

At least one object class must be selected to continue.

Audited Object Class list

The list box to the right contains a list of all the object classes selected for auditing. Select one or more audited object classes and click Remove to remove them from auditing.

Add

Select one or more object classes from the UnAudited Object Class list to select them for auditing.

NOTE: You can also double-click an object class to move it into the Audited Object Class list or ‘drag and drop’ it into the Audited Object Class list.

Remove

Select one or more object classes from the Audited Object Class list to remove them from auditing. The selected object classes will then be moved back to the UnAudited Object Class list.

NOTE: You can also double-click an object class to move it back into the UnAudited Object Class list or ‘drag and drop’ it into the UnAudited Object Class list.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating