
Change Auditor 7.1.1 - Release Notes

Resolved issues

"Failed to load registry driver" error generated in agent log on Windows 2012 domain controllers.

190301

Stopping an agent with two file system auditing templates enabled may cause Change Auditor to close unexpectedly with error 0xC0000008 (invalid handle).

222345

Login user is not displayed when logged in as the domain administrator.

223573

All agent and coordinator status panels display html error in the web client overview page.

226389

Active Directory garbage collection and dynamic object time to live (TTL) expiration for objects in the deleted objects container are audited and causing a "Failed attempt to read attributes" error.

208937

Local share added and local share permissions changed events are not generated when using Server Manager or PowerShell.

205364

URLs required to create a configuration with and send events to On Demand Audit in Canada, UK, Australia regions need to be added to the Change Auditor User Guide.

208779

When a Group Policy subsystem item is added to a search, the canonical name is displayed in the search criteria twice rather than the expected group policy name and canonical name.

162940

Azure Active Directory group events return unexpected results when filtering by Sync Type.

201932

The Add-CASearch and the Set-CASearchProperties commands are not generating internal events.

208171

When the web client is hosted on servers with non US-English regional settings, the event details “When” value displays Invalid date.

208590

The internal event "Public user search folder deleted" is not being generated.

208630

New coordinators added to an installation are not able to decrypt proxy, email, and shared folder passwords.

209296

The "ChangeAuditor Agents" domain local security group is not being created in child domains.

215144

Azure Active Directory and Office 365 template creation fails with the error "Failure setting Azure app permissions" due to "The remote server returned an error: (403) Forbidden".

217209

Get-CASearches command fails and throws an exception when it is unable to resolve a search owner in Active Directory.

10857

Newly added coordinators cannot decrypt the proxy server password and generate the following message in the Coordinator log: “No Public key found matching the Coordinator key. Unable to decrypt data.”

196981

Get-CASearches command does not function when run with the Change Auditor Operator role.

198784

Change Auditor displays only a single Office 365 template even though multiple templates exist.

203056

Invoke-CASearch and Add-CASearch commands do not function when run with the Change Auditor Operator role.

204180

Change Auditor client is non-responsive when enabling Active Directory client certificate authentication.

206762

Move-CASearch and Remove-CASearchFolder commands are not generating the associated internal events.

207568

Note added to documentation to inform users that a manually created database cannot be used for the coordinator. The database must be created by the coordinator installation.

199047

An Active Directory search that contains specific objects and “LIKE” objects returns only results for the specific objects. The “LIKE” objects are not returned.

6879

Change Auditor client becomes unresponsive if a number higher than 32,767 is entered in the Send Alert When field in smart alerts.

15232

"Array dimensions exceeded supported range" error is generated and alerts are not sent when Events per Email field specifies a value higher than 99,999,999.

86249

UserMail and ADAM instance port columns are not displayed when added to the search layout.

180832

Alert variables for Azure Active Directory properties do not display values in alert emails.

199939

The error produced when the coordinator database credentials are incorrect does not provide enough detail.

199048

The “NOT LIKE” criteria for target does not function for Azure Active Directory searches.

199110

Documentation updated to fix a column label. (The Deployment column label for “Foreign Forest” was incorrectly shown as “Foreign”.)

199490

After enabling Event Logging, event description details are displayed incorrectly in Event Viewer.

199565

Active Directory Protection Wizard does not allow MSA or GMSA objects to be added to bypass protection.

200213

The “Kerberos Ticket Lifetime” setting in the agent configuration does not handle invalid values in the same manner as the other controls in the dialog.

200261

Coordinator start up fails and generates a database initialization not successful error.

202354

An Azure Active Directory query with the “NOT LIKE” option in the target column returns all data that matches any target column.

191176

Azure Active Directory auditing fails and generates error "Failed to process configuration: Object reference not set to an instance of an object" in the log file.

198588

Kerberos Ticket Lifetime (MaxKerbTicketAge) setting should be added to the output for the Get-CAConfigurations command.

198677

When an Azure Active Directory auditing template is replaced with another template for a different tenant, sign-in and risk events are not collected until the agent is restarted.

198796

F1 help in What | Add With Events | Result opens to “Can't reach this page”.

156146

Known issues

If File Deleted events are enabled in the Windows File System auditing template but File Created events are not, a Windows File System File Deleted event is recorded when Save As is used to create a new file.

130156

File opened events are recorded for unopened .exe files when browsing a shared folder if the file does not have a custom icon.

125671

You may be unable to view or gather agent logs in the client for older agents after upgrading to Change Auditor 6.9.5 or later.

15954

An error stating that the “Object already exists” may be encountered when attempting to create a SharePoint or SQL DLA template.

Workaround:

Delete the “Quest ChangeAuditor 5.5” key container using the following command at the command prompt. A new “Quest ChangeAuditor 5.5” key container is created automatically:

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pz "Quest ChangeAuditor 5.5"

7801

Unable to restart an agent from the Statistics tab.

Workaround:

Use the Stop and Start options instead.

652516

Some web client features do not function correctly in Internet Explorer if the web client address contains an underscore.

494521

When using smartcard authentication you may receive a ‘Credentials are not valid’ error when re-connecting Change Auditor client after it has been disconnected.

Workaround:

Close and reopen the client and try to connect again.

510330

When in Active Directory Client Certificate Authentication mode, manual connection method fails if the client is in a domain that does not have a trust in place with the domain where the Change Auditor coordinator is installed. 

503383

Launching Change Auditor using a local account displays the Windows Forms Authentication login screen even if Active Directory Client Certificate Authentication is enabled.

Workaround:

Use RunAs.exe to run the client as a user who has access to the appropriate domains and can read the information in the service connection points.

503374

Upgrade fails if your previous version installation name was longer than 22 characters.

422945

Running the Change Auditor agent on Windows Server 2012 causes the system to become unresponsive if the Change Auditor Registry driver (CARegSys.sys) is added to the Driver Verifier.

371273

The Change Auditor client sets the incorrect time when the Active Directory subsystem is added with a prompt.

420042

When the Coordinator server runs a command to insert an event, it looks for the event that matches certain criteria and has a time detected that occurred before the current time on the Change Auditor database server.

If the agent time is ahead of the Coordinator time, alerts are not sent because of issues with the event query.

Workaround:

Update time on the servers.

422986

When a folder is protected via location protection, access is incorrectly granted after the agent is restarted (if that folder was being accessed from a computer in the deny access list). Access will be correctly denied when the user logs off the remote computer.

418022

SQL Server tempdb: The SQL Server tempdb grows to accommodate Change Auditor queries, scheduled reports, and purge jobs. Quest recommends following Microsoft best practices regarding tempdb management, including allocating the tempdb and transaction logs on a separate drive from user database files.

 

Conflict with McAfee HIPS and Change Auditor agent causing server reboots: McAfee 8.0 HIPS, through its ServicesHook.dll, causes the system to become unresponsive, which reboots the server every time the Change Auditor agent starts.

Workaround:

Exclude the services.exe and lsass.exe from HIPS protection.

226903

Change Auditor for VMware not auditing VMware Local User and Group Account events: When connecting directly to the ESXi host from a vSphere client bypassing vCenter, VMware Local User and Group Account events will not be audited by Change Auditor agent.

 

AD Protection wizard in the web client: The Web Client does not provide the right-click option from the Forest level to display Peer Domains within the AD Protection wizard.

342993

IRPStackSize issues: After an agent is upgraded on a domain controller, Quest recommends rebooting the domain controller before performing another upgrade. This removes an old ITAD driver from memory. As of Change Auditor 6.0, agents on domain controllers cannot be upgraded after two (2) upgrades have occurred without a reboot. This prevents the domain controller from becoming inaccessible.

To identify this condition, the DC's system log shows EventID 2011: The server's configuration parameter “irpstacksize” is too small for the server to use a local device. Increase the value of this parameter.
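The following PowerShell check, added here as an example and not part of the release notes or the product, looks for the Event ID 2011 symptom described above on each domain controller so that a reboot can be scheduled before the next agent upgrade. It assumes the RSAT ActiveDirectory module, remote event log access, and a seven-day lookback window (all assumptions).

```powershell
# Added example (not from the release notes): report domain controllers whose System log
# contains Event ID 2011 ("irpstacksize ... too small") within the lookback window.
# Assumes the ActiveDirectory module for the DC list and remote event log access.
function Find-IrpStackSizeEvents {
    param(
        # Default DC list is an assumption; pass -ComputerName to override.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$DaysBack = 7
    )
    $since = (Get-Date).AddDays(-$DaysBack)
    foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'System'
                Id        = 2011
                StartTime = $since
            } -ErrorAction Stop
        } catch {
            # Get-WinEvent errors when nothing matches; treat that as clean, surface other errors.
            if ($_.Exception.Message -match 'No events were found') { $events = @() }
            else { Write-Warning "${dc}: $($_.Exception.Message)"; continue }
        }
        # Keep only the irpstacksize message the release notes describe.
        $hits = @($events | Where-Object { $_.Message -match 'irpstacksize' })
        [pscustomobject]@{
            DomainController        = $dc
            Event2011Count          = $hits.Count
            LastSeen                = ($hits | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            RebootBeforeNextUpgrade = ($hits.Count -gt 0)
        }
    }
}

Find-IrpStackSizeEvents | Format-Table -AutoSize
```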

 

Running coordinator service with a service account: If you are running the coordinator service under a service account, you must move the ServicePrincipalName role holder in order for Kerberos authentication to function correctly.

See the Change Auditor Installation Guide for detailed instructions.

 

WHO by Group Membership: When setting up a search based on WHO is in a particular group, you must consider the time it takes for AD replication to occur and the time the Change Auditor coordinator needs to add that configuration to the coordinator.

 

Central Access Policy in protected GPO: Due to the way Microsoft stores the configuration settings for a Central Access Policy (Windows Server 2012), it appears that an unauthorized account can add or remove a Central Access Policy that is in a protected Group Policy container. You do not get an ‘Access is denied’ warning message explaining that the change was not saved, as you do when attempting to access other group policy objects within the protected Group Policy container. However, unauthorized changes to the configuration settings for a Central Access Policy are NOT saved and generate a ‘Failed Group Policy Container Access (Change Auditor Protection)’ event within Change Auditor.

 

Coordinator configuration with limited SQL account:

The Change Auditor coordinator SQL account must have access to the sys.dm_tran_locks view to resolve host names when using a SQL account with minimal permissions. If two users from two different clients select the same item in the client, one of the users will be displayed with a Change Auditor dialog message along with an “exception” notification stating “Error: 297, Procedure: usp_SQL_Lock_Read, Message: The user does not have permission to perform this action.”.

If this error is displayed, run the following SQL query:

USE Master;
GO
GRANT VIEW SERVER STATE TO {your limited SQL account};
GO
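As an added example (not from the release notes or the product), the following PowerShell applies the grant above to the coordinator's limited login, confirms under impersonation that sys.dm_tran_locks is now readable, and lists every principal holding VIEW SERVER STATE, since it is a server-wide permission worth reviewing. It assumes the SqlServer module (Invoke-Sqlcmd) and that the login already exists; instance and login names are placeholders.

```powershell
# Added example (not from the release notes): grant VIEW SERVER STATE to the coordinator's
# limited SQL login and verify the grant. Assumes the SqlServer module for Invoke-Sqlcmd.
function Grant-CaViewServerState {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Login
    )
    # The login name is spliced into T-SQL, so refuse characters that could break out of the quoting.
    if ($Login -match '[\[\]''\s;]') { throw "Unsafe login name: $Login" }

    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    THROW 50000, 'Login does not exist', 1;
GRANT VIEW SERVER STATE TO [$Login];
"@

    # Impersonate the login and confirm the view the coordinator needs is now readable.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
EXECUTE AS LOGIN = N'$Login';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') AS HasViewServerState,
       (SELECT COUNT(*) FROM sys.dm_tran_locks)            AS LocksVisible;
REVERT;
"@
}

# Least-privilege review: VIEW SERVER STATE is server-wide, so list everyone who holds it.
function Get-ViewServerStateGrantees {
    param([Parameter(Mandatory)][string]$ServerInstance)
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT pr.name AS principal_name, pr.type_desc, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'VIEW SERVER STATE';
"@
}

# Placeholder instance and login names (assumptions).
Grant-CaViewServerState -ServerInstance 'SQLHOST\CAINSTANCE' -Login 'ca_coordinator_login'
Get-ViewServerStateGrantees -ServerInstance 'SQLHOST\CAINSTANCE' | Format-Table -AutoSize
```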

 

Web Client: Repeatedly switching back and forth between the grid and timeline view keeps increasing the timeline counts by the factor of the original displayed amount.

386038

Report Alerts: Report Alerting cannot be enabled through the web client.

Workaround: Enable this feature within the Windows client.

386918

Custom Active Directory attribute auditing: If audit configurations that use custom Active Directory attribute auditing are in place, and a new Change Auditor database is created during installation or upgrade with the same installation name, data storage anomalies may occur. See the Upgrade and compatibility section for more information.

 

Change Auditor for EMC supports single CIFS servers per data mover: The Change Auditor agent does not audit events from another CIFS server that is under the same data mover and has the same shares as the CIFS server used in the CA for EMC policy.

 

Change Auditor for EMC is not compatible with EMC “CQM”: The Change Auditor for EMC agent does not support running concurrently with EMC Content Quota Management. To ensure that the EMC auditing is successful, disable EMC CQM.

 

Client unable to connect to EMC devices after Putty default settings changed: The Change Auditor client uses SSH APIs to connect to EMC devices. Changing the “Default Settings” saved session in the Putty client prevents the Change Auditor client from connecting to the correct server.

Workaround:

Remove any host name or IP address saved in the stored session named “Default Settings” in the Putty client.

159492

Service Accounts generating excessive Exchange Mailbox events: Bulk operations generated by third-party products that use MAPI transports to scan or modify Exchange mailboxes can cause system slowdowns if not excluded from auditing. Exchange internal requests are automatically excluded from monitoring, as are Blackberry Enterprise Server and similar MAPI synchronization services.

Quest recommends adding service accounts of third-party MAPI services to the Account Exclusion list, with the entire Exchange Mailbox facility selected, or with no event classes or facilities selected (indicating all events are excluded for the account).

 

OWA protection: If protection is enabled while a user already has an active OWA session on the newly protected mailbox, protection does not prevent the user from deleting the items in the active folder.

New OWA sessions established after protection is enabled are properly protected.

 

Missing Exchange event detail: Some Exchange Active Directory changes that are detected on domain controllers may be reported with missing information. To capture this detail, add the Domain Controllers group to the Exchange View-Only Administrators group.

 

Exchange scripting extensions: When a Change Auditor agent is deployed on Exchange Server, it automatically enables the scripting extension in Active Directory. This is a forest-wide setting and applies to ALL Exchange servers in the Exchange organization. This extension requires that the ScriptingAgentConfig.xml file be present in the Exchange Server folder; otherwise, Exchange management tools display error messages each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is highly recommended that a Change Auditor agent be installed on ALL Exchange servers to ensure that all servers are using the same scripting agent.

See these TechNet posts for more information regarding the Scripting Agent:

168683

Delayed events using Entourage and Exchange 2013: There is a known issue with Microsoft Exchange 2013 and Entourage EWS or Outlook 2011 for Mac where content conversion may fail, and connections are dropped by the server without any response to the client. Contact Microsoft for a fix.

 

Exchange mailbox permission changes are reported as the System account: When a user is created prior to creation of the mailbox in Exchange Server, the MMC snap-in for Active Directory Users and Computers handles changes to the user attribute msExchMailboxSecurityDescriptor directly, and “Who” information is available. After the Exchange Server actually creates the mailbox, when the first Outlook or OWA client opens it, MMC Users and Computers delegates msExchMailboxSecurityDescriptor changes to another process from which no “Who” information is available. All mailbox permission changes after this point will be generated by the server’s Local System account.

There is currently no workaround.

 

“Message Read by Owner/Non-Owner” events on mailbox moves: When moving user mailboxes from one message store to another in your Exchange environment, Quest recommends temporarily disabling the audit events for “Message Read by Owner/Non-Owner” in the Audit Event configurations to prevent generating large numbers of Message Read events during the move. Change Auditor is unable to differentiate those system events from normal user activity.

 

Auditing of non-primary email addresses is not supported: The use of alternate email addresses throughout audited modules is not supported.

366968

Resource access is blocked when agent configuration is refreshed. Note: When the agent detects that access to the filer is blocked, it disconnects itself from the filer and reconnects. This resolves the issue.

446000

If you host an agent on Windows Server 2012 or Windows Server 2012 R2, the connection between the agent and a NetApp filer (7-mode) may fail due to the “Secure Negotiate” feature added to SMB 3.0 in Windows Server 2012, which requires all SMBv2 servers to correctly sign error responses.

For resolution details see the following: http://support.microsoft.com/en-us/kb/2686098.

442110

For NetApp filers in cluster mode, you are unable to change the security on a file immediately after changing the file itself.

439040

For NetApp filers in cluster mode, you are unable to change security on a file from the same computer as the Change Auditor agent hosting the FPolicy server.

439038

Change Auditor for NetApp drops connection to FPolicy Server: If CIFS signing is enabled for communication between the filer and FPolicy server, the filer drops its connection to the FPolicy server with Data ONTAP 7.3.1. This happens when multiple requests are pending from the filer to the FPolicy server without getting a response for the requests sent. When the responses to the multiple requests arrive, the signing check fails due to a bug in ONTAP. Since the signing check fails, the filer turns off signing and tries to send the subsequent requests to which the server responds with an access denied error.

Workaround:

Disable signing on the FPolicy server. See http://support.microsoft.com/kb/887429 for the steps to turn off signing on the FPolicy server.

 

 

“Audit Add DB User” and “Audit Drop DB User” events are not always captured by SQL Server when “Create User” and “Drop User” are executed on the SQL Server and therefore will not be seen in Change Auditor.

55123

The SQL Data Level Auditing wizard may not display all valid servers when selecting the instance to audit.

Workaround:

Manually enter the server or instance name when configuring your templates.

478983

SQL Data Level does not support auditing encrypted databases.

463669

When the Event Viewer sorts the SQL Data Level logs, some events are not included and the details no longer match the records in the Event Viewer interface.

453519

The SQL Data Level event details for some object types and operations will not display the “textdata” field if the changed data exceeds the limit (16K bytes) that Change Auditor can handle.

450412

The test credentials option available in SQL Data Level auditing templates will not validate Windows Authentication credentials when the Change Auditor client is running on the SQL Server to be audited.

448942

Due to a limitation with the command used to retrieve transaction log records, data changes larger than 8000 bytes result in a truncated transaction log record. An event is still recorded with the application name, event class, who and where information but the resulting audit event may not show from and to values and text data information.

From/to values larger than 4096 characters and text data larger than 8192 characters are truncated by default for performance purposes but this limit can be customized via the registry.

446624

Modifications to SQL data columns of type TEXT, NTEXT, or IMAGE are not supported. Changes to these types may produce no events, or if an event is generated the changed values may not be recorded in the event details in Change Auditor.

449373

 

Duplicate FluidFS File open events may be generated when editing files on audited FluidFS clusters.

591424

When you upgrade to version 6.9.5 or later, existing FluidFS auditing templates stop auditing.

Workaround: Save the FluidFS auditing template and update the agent configuration.

15520

 

Change Auditor is unable to audit Office 365 tenants operated by third-party providers. For example, Office 365 Germany and Office 365 for China use their own data centers. For more information refer to Microsoft documentation.

8267

 

Destination IP and Source IP will show the same value when the FQDN is specified for QRadar host in a QRadar event subscription.

23859

Integration password cannot begin with a supported special character (@ or $).

164259

System requirements

Change Auditor coordinator (Server-side component)

The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts.

Processor

Quad core Intel Core i7 equivalent or better

Memory

Minimum: 8 GB RAM or better

Recommended: 32 GB RAM or better

SQL database supported up to the following versions

Installation platforms (x64) supported up to the following versions

Coordinator software and configuration

For the best performance, Quest strongly recommends:

The Change Auditor database should be configured on a separate, dedicated SQL server instance.

In addition, the following software and configuration is required:

Coordinator footprint

User account performing the coordinator installation

The user account that is installing the coordinator requires the appropriate permissions to perform the following tasks on the target server:

NOTE: The user account performing the installation must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default)

The service account running the coordinator service must have the following permissions:

SQL Server database access account specified during installation

An account must be created to be used by the coordinator server on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:

Must be assigned the db_owner role on the Change Auditor database