Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Event Details Pane

Previous Next

Event Details Pane

This section describes the Event Details pane for Active Directory and Group Policy events and the Restore Value feature that is available for some Active Directory events. It also describes the additional details added to this pane for Group Policy events.

Active Directory event details

The following table provides a description of the ‘What’ details that are provided on the Events Details pane for an Active Directory event.

 

Table 11. Event Details pane: Active Directory events

What field

Description

What

Provides a brief description of the change that occurred.

Subsystem

Displays ‘Active Directory’.

Action

Displays the action that was taken against the Active Directory object, such as Add Attribute, Add Object, Delete Attribute, Delete Object, Modify Attribute, Move Object.

Facility

Displays the event class facility to which the event belongs.

Class

Displays the object class that was modified, such as group, user, computer, nTDSConnection, crossRefContainer.

Attr

If an attribute has been added, deleted, or modified, this field displays the name of the attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that was modified, such as Global (Security), Domain Local (Security).

Object

Displays the name of the object that was modified.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this field will not be captured.

Port

Indicates the port used for authentication.

From | To

Displays the old value that was assigned to the object and the new value that is now assigned.

NOTE: The From | To information does not apply to permission and access control list (ACL) type changes and is replaced with the Changes table. This information is also not available for occurrence type events, such as when an object is created or deleted.

Changes

For permission type changes, the Changes table replaces the To | From information. This table provides details about the changes made, such as operation, type, account, permission, scope, and condition.

Restore Value feature

For simple Active Directory attribute changes (such as Add Attribute, Modify Attribute, Delete Attribute), the Event Details pane features an option to restore changed values. When applicable, Restore Value is displayed at the top of the Event Details pane, allowing you to restore a changed value without needing to leave the client or use additional tools.

* 
NOTE: The Restore Value feature honors the logged on user’s domain rights. If the logged on user does not have sufficient rights to perform the restore, a dialog is displayed allowing the user to enter elevated credentials. If a user does not have sufficient privileges, Change Auditor displays a failure message noting either an access denial or a login failure.
* 
NOTE: The Restore Value feature may not work for all events. Specifically, values cannot be restored for the following events:
User password changed
User password changed by non-owner
User account locked
User account unlocked
User must change password at next logon option changed
To restore a changed value:
1
At the top of the Search Results page, select an event (such as Modify Attribute, Add Attribute, Delete Attribute) to display the related Event Details pane.
2
At the top of the Event Details pane, click Restore Value.
3
One of the following prompts is displayed:
If you do not have domain rights to access the selected server, the Credentials Required dialog is displayed allowing you to enter the credentials to be used to access the server.
A confirmation dialog is displayed explaining that you are about to restore the value of an attribute. Click Yes to perform the restore or No to cancel the restore operation.
A confirmation dialog is displayed explaining that the restore operation is not restoring the most recent value for an attribute. Click Yes to perform the restore or No to cancel the restore operation.
4
When a value is successfully restored, a success confirmation dialog is displayed and a Change Auditor event is generated reflecting the change that was made.
5
Events generated by a restore operation contain the ‘Restored by Change Auditor’ comment. To view a comment for an event, select the event in the grid at the top of the Search Results page and Comments.

Additional notes

The Restore Value feature cannot be used to restore deleted objects.
If the affected object has been deleted from the server, a message is displayed stating that the server cannot process the restore request because the object no longer exists on the server.
If the affected object has been marked for deletion but the change has not been fully replicated throughout the system, a similar message is displayed stating that the server is unable to process the request.

Group Policy event details

The following table provides a description of the ‘What’ details that are provided on the Events Details pane for a Group Policy event.

 

Table 12. Event Details pane: Group Policy events

What field

Description

What

Provides a brief description of the change that occurred.

Subsystem

Displays ‘Group Policy’.

Action

Displays the action that was taken against the Group Policy object or item, such as Add Attribute, Delete Attribute, Modify Attribute.

Facility

Displays the event class facility to which the event belongs:
Group Policy Item
Group Policy Object

Policy

Displays the name of the group policy that was modified.

Section

Displays what section of the group policy was modified.

Item

For events associated with Group Policy items, displays the group policy item that was modified.

From | To

Displays the old value that was assigned to the group policy object and the new value that is now assigned.

 

About us

Previous Next

About us

Quest creates software solutions that make the benefits of new technology real in an increasingly complex IT landscape. From database and systems management, to Active Directory and Microsoft 365 management, and cyber security resilience, Quest helps customers solve their next IT challenge now. Around the globe, more than 130,000 companies and 95% of the Fortune 500 count on Quest to deliver proactive management and monitoring for the next enterprise initiative, find the next solution for complex Microsoft challenges and stay ahead of the next threat. Quest Software. Where next meets now. For more information, visit www.quest.com.

Our brand, our vision. Together.

Our logo reflects our story: innovation, community and support. An important part of this story begins with the letter Q. It is a perfect circle, representing our commitment to technological precision and strength. The space in the Q itself symbolizes our need to add the missing piece — you — to the community, to the new Quest.

Contacting Quest

For sales or other inquiries, visit www.quest.com/contact.

Technical support resources

Technical support is available to Quest customers with a valid maintenance contract and customers who have trial versions. You can access the Quest Support Portal at https://support.quest.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
Submit and manage a Service Request.
View Knowledge Base articles.
Sign up for product notifications.
Download software and technical documentation.
View how-to-videos.
Engage in community discussions.
Chat with support engineers online.
View services to assist you with your product.

Change Auditor for Authentication Services

Previous Next

Change Auditor for Authentication Services

The Change Auditor for Authentication Services book contains information about Authentication Services auditing. It contains the following topics:
Quest Change Auditor for Authentication Services Overview: This section provides an overview Authentication Services auditing and the system requirements.
Getting Started: This section provides information on deployment requirements, enabling events, and running a report.
Authentication Services Searches/Reports: This section explains how to run a built-in Authentication Services reports.

 

Quest Change Auditor for Authentication Services Overview

Previous Next

Quest Change Auditor for Authentication Services Overview
Introduction
Change Auditor for Authentication deployment requirements
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating