Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Group Policy protection page

Previous Next

Group Policy protection page

The Group Policy protection page displays when you select Group Policy from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Group Policy Protection wizard to define critical group policy objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Group Policy Protection page contains an expandable view of all previously defined Group Policy Protection templates. To add a Group Policy container to the protection list, use the Add button. Once added, the following information is provided for each template:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.
Template

Displays the name assigned to the template when it was created.

Objects

This cell is used for filtering data.

Status

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Override Accounts

Indicates whether the override accounts listed are excluded from protection or included in protection. This setting corresponds to the option used at the top of the last page of the Group Policy Protection wizard:
Excluded from Protection — indicates that you selected the Allow option to allow only the selected accounts to change the protected objects.
Included in Protection - indicates that you selected the Deny option to allow all accounts to change the protected objects except for those selected.
Override Account Filter

This field is used for filtering data.

Click the expansion box to the left of the template name to expand this view and display the following details for each template:

Policy Name
* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client redisplays the templates that meet the search criteria (that is, comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

Displays the name of the group policy being protected.

Group Policy Object

Displays the group policy object being protected.

Status

Indicates whether protection for the object is enabled or disabled.

Operations

Displays the type of operations to protect:
Create
Modify Attribute
Delete
Link
Override Account

If applicable, this section displays the user and group accounts that are allowed (or not allowed) to change the protected objects.

* 
NOTE: This field is not displayed when there are no override accounts specified in the protection wizard.
Administration Account

If applicable, this section displays the user or group accounts that have been selected on the last page of the wizard to manage this protection template.

* 
NOTE: This field is displayed only when there is at least one account specified on the last page of the protection wizard and your protection templates are being stored in SQL.

Group Policy protection templates

Previous Next

Group Policy protection templates

The Group Policy protection templates are global settings and apply to all agents.

* 
NOTE: If you are planning to use multiple Group Policy Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.
To create a Group Policy Protection template:
1
Open the Administration Tasks tab.
2
Click Protection.
3
Select Group Policy in the Protection task list.
4
Click Add to open the Group Policy Protection wizard and specify the GPOs to protect.
5
Enter a name for the template.
6
Use the Browse or Search pages to locate and select the group policy container to protect.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Click Add to add the selected container to the list. Repeat this step to add additional group policy containers.

* 
NOTE: The Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Name field. Click Search to locate the Group Policy containers in your environment.
7
By default, the create, modify attributes, and delete operations are selected; however, you can change this by using the drop-down arrow in the Operations cell in the list box and selecting or clearing the different operations.

When the Link operation is selected, the GPO is protected from any attempts to link to or unlink from any Active Directory container in the forest. If Enterprise protection is selected, all GPOs in the forest are protected from linking and unlinking attempts.

8
If required, enable the Do not enforce protection for GPOADmin working copy group policies option.
When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template.
* 
NOTE: Name-matching is used to identify GPOADmin temporary working copies based on a name prefix "[GPOADmin Working Copy] - ". The service account for the GPOADmin service should also be excluded from protection as an allowed account when the option to exclude GPOADmin working copies is selected.
9
If you have trusted administrators whose accounts must be permitted to change the protected group policy object, click Next.

Use the Browse or Search pages to locate and select the user or group accounts to exclude from this protection template.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Use Add to add the accounts to the list at the bottom of the page.

 
* 
NOTE: The Allow option is selected by default indicating that the selected users or groups will be allowed to change the protected objects. However, you can select the Deny option at the top of this page and select individual users or groups that are NOT allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.
10
On the last page of the wizard, you can specify users or groups who are authorized to manage this protection template.
* 
NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.
* 
IMPORTANT: By default members of the ChangeAuditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, after you enter a user or group account on this page you are relinquishing your rights to modify the selected protection template to the users and groups specified on the last page of this protection wizard.
* 
NOTE: If the users and groups specified on this page are NOT members of the ChangeAuditor Administrators group, you need to add them to the AD Protection Role in order for them to view the Administration Tasks tab to access Active Directory and Group Policy protection templates. For more information about adding members to the AD Protection role using the Application User Interface Authorization page (in the Configuration task list of the Administration Tasks tab), see the Change Auditor User Guide.
11
Click Finish to save the template, close the wizard and return to the Group Policy Protection page.
* 
IMPORTANT: If the current user who is creating the protection template is not in the authorized accounts list, a warning message is displayed prompting the user to continue or stop with the creation of the protection template. If you are in the authorized accounts list at template creation time, you may find yourself locked out later if someone else in the authorized accounts list decides to edit the template and remove you.
To modify a protection template:
1
On the Group Policy protection page, select the template to modify and click Edit to open the Group Policy Protection wizard where you can modify the current list of objects and the authorized accounts.
2
Click Finish to save your changes and return to the Group Policy protection page.
To disable a protection template:

Disabling a template allows you to temporarily stop protection for the specified objects without having to remove the protection template.

1
On the Group Policy protection page, place your cursor in the Status cell of the template and click the arrow control and select Disabled.

The entry in the Status column for the template changes to ‘Disabled’.

2
To re-enable the protection template, use the Enable option in the Status cell.
To disable an object’s protection within a protection template:
1
On the Group Policy Protection page, place your cursor in the Status cell for the object, click the arrow control, and select Disabled.

The entry in the Status column for the object changes to ‘Disabled’.

2
To re-enable an object’s protection, use the Enable option in the Status cell.
* 
NOTE: If you disable all the objects in a protection template, the template itself becomes disabled. Similarly, when you re-enable an object in the protection template, the template will automatically be re-enabled.
To delete a protection template:
1
On the Group Policy Protection page, select the template and click Delete | Delete Template.
2
Click Yes to confirm.
To delete an object from a protection template:
1
On the Group Policy Protection page, select the object to delete and click Delete | Delete Object.
2
Click Yes to confirm.
To delete an override account from a protection template:
* 
NOTE: When you delete the last object in a protect template, the entire protection template will be deleted.
1
On the Group Policy Protection page, select the account and click Delete | Delete Override Account.
2
Click Yes to confirm.
To delete an administration account from a protection template:
1
On the Group Policy Protection page, select the account and click Delete | Delete Administration Account.
2
Click Yes to confirm.

Group Policy Protection wizard

Previous Next

Group Policy Protection wizard

The Group Policy Protection wizard opens when you click Add or Edit on the Group Policy Protection page. From here, you can define the Group Policy Objects to protect from unauthorized modifications.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

The following table provides a description of the available fields and controls:

* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.

 

Table 8. Group Policy Protection wizard

Create or modify a Group Policy Protection Template page: On the first page of the wizard, enter a name for the template and select the Group Policy objects to be protected.

Template Name

Enter a descriptive name for the template.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the group policy container to be protected.

Once you have selected a container, click Add to add it to the list.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

 

Search page

The Search page initially contains GroupPolicyContainer in the Find field and an * wildcard character in the Name field. Click Search to locate the Group Policy containers in your environment.

You can use the controls at the top of the page to search your environment for a group policy container to protect.

In the Find field, either enter or use the drop-down menu to select the type of object to locate. You can enter multiple classes, separated by either a comma or semicolon. When you type in an entry, either click the Enter key or use Search to display the objects.
In the Name field, specify a search expression to use to locate a particular object. Usually, this field contains an asterisk (*) indicating to search for all objects of the type specified in the Find field.
Select the ANR check box to use Ambiguous Name Resolution (ANR) as the search algorithm, which allows you to enter limited input (partial data) to find multiple objects in your network.

When the ANR check box is checked, use one of the following methods to enter your search expression:
Enter a partial string to return exact matches or a list of possible matches. For example, entering ‘Admin’ will return objects that contain the names ‘Admin’, ‘Admins’, ‘Administrator’, Administrators’.
Enter a string preceded by the equal sign (=Admins) to return only exact matches. For example, entering ‘=Admin’ returns only those objects containing the name ‘Admin’.

By default, ANR searches the following attribute fields in Active Directory:
First Name (GivenName)
Last Name (Surname)
Display Name (displayName)
LegacyExchangeDN
msExchMailNickname
Relative Discontinued Name of the object (RDN)
Office (physicalDeliveryOfficeName)
Email address (proxyAddress)
Security Account Manager account (sAMAccountName)

When the ANR check box is not checked, the search expression entered will be used to search only the Display Name of directory objects to locate a particular object.

To use this search mechanism, enter a string of characters and the wildcard (*) character as described below.
n* returns objects that start with the letter ‘n’
*n returns objects that end in the letter ‘n’
*n* returns objects that contain the letter ‘n’ within their Display Name.

Once you have selected a container, click Add to add it to the list at the bottom of the page.

Options page

Use this page to modify the search options used to retrieve directory objects.

Policy list

The list box across the bottom of the page displays the group policy containers selected for protection. Use the buttons located above this list box to add and remove containers.
Add — Select a container in the Browse or Search page to add it to the Policy list.
Remove — Select an entry in the Policy list to remove it from the template.

Operations

By default, the create, modify attributes, and delete operations are selected. To change this use the drop-down arrow in the Operations cell and select and clear operations.

When the Link operation is selected, the GPO is protected from any attempts to link to or unlink from any Active Directory container in the forest. If Enterprise protection is selected, all GPOs in the forest are protected from linking and unlinking attempts.

Do not enforce protection for GPOADmin working copy group policies

option

When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template.

Name-matching is used to identify GPOADmin temporary working copies based on a name prefix "[GPOADmin Working Copy] - ". The service account for the GPOADmin service should also be excluded from protection as an allowed account when the option to exclude GPOADmin working copies is selected.

(Optional) Select Accounts Allowed (Not Allowed) to Access Protected Objects page: By default all users and groups are prevented from changing the Group Policy containers selected for protection. However, you can use this page to specify individual users or groups that are allowed (not allowed) to change the protected objects.

NOTE: Management actions performed by excluded accounts are audited but not prevented.

Allow

Allow is selected by default indicating that the users and groups selected on this page will be the only accounts allowed to change the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select the Deny option if you want to allow all users and groups to change the protected objects except for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to change the protected objects.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

After you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Override Accounts list

The list box across the bottom of the page displays the user and group accounts allowed (not allowed) to make changes to the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.
Add - Select an account in the Browse or Search page to add it to the Override Accounts list.
Remove - Select an account in the Override Accounts list to remove it.

(Optional) Select Accounts Authorized to Manage This Protection Template page: By default members of the ChangeAuditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, once you enter a user or group account on this page you will be relinquishing your rights to modify the selected protection template to the users/groups specified on this page of the protection wizard.

NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.

Browse page

Displays the hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be authorized to manage this protection template.

Once you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be authorized to manage this protection template.

Once you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Administration Accounts list

The list box across the bottom of the page displays the user and group accounts authorized to manage this protection template.

NOTE: By adding accounts to this authorized accounts list, you are relinquishing your rights to modify this protection template. Only those accounts specified on this page will have access to modify this protection template.

Use the buttons located above this list box to add and remove accounts.
Add - Select an account in the Browse or Search page and add it to the Administration Accounts list.
Remove - Select an account in the Administration Accounts list to remove it.

ADAM (AD LDS) object protection

Previous Next

ADAM (AD LDS) object protection

When configured, you can prevent changes to objects in specified ADAM (AD LDS) instances.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating