• Become a portal pro
• Download
• Print
• My Downloads (0)

• Support
• Technical Documentation
• Change Auditor 7.3
• Change Auditor 7.3 - PowerShell User Guide

Change Auditor 7.3 - PowerShell User Guide

Table of Contents  

PowerShell Commands

Adding the PowerShell module Viewing available commands and help Installing Change Auditor coordinators and web clients Setting the master time zone Finding Change Auditor installations and coordinators Connecting to and disconnecting from Change Auditor installations and coordinators Importing and exporting configuration settings Managing client authentication options Gathering Change Auditor system information Deploying Change Auditor agents Managing auditing templates Working with searches

Copy-CASearch

Managing Active Directory Database auditing Working with Active Directory Database protection templates Managing Windows File System auditing Managing SQL Extended Events Auditing (Preview) Managing Fluid File System auditing Managing Azure Active Directory auditing Managing Office 365 auditing Managing Skype for Business auditing Configuring a Quest On Demand Audit integration Working with Active Directory protection templates Our brand, our vision. Together. Contacting Quest Technical support resources

• Viewing Topics 13 - 16 of 27

×

Working with searches

Searches (both built-in and private) allow you to view valuable information based on activity captured by Change Auditor.

When using the commands, consider the following:

•	You cannot create multiple folders with the same name in the same directory.

•	Microsoft folder naming standards are upheld and restrict folder names to a length between 1 and 4000 characters.

•	You cannot create multiple searches with the same name in the same directory.

•	The commands generate audit events when a folder that contains public searches is deleted.

•	Administrators have full access to all the search commands.

•	Operators access inlcudes the following:

Full access for:

•	Invoke-CASearch

•	Get-CASearches

•	Get-CASearchDefinition

Restricted access to private searches and folders for:

•	Set-CASearchProperties

•	Copy-CASearch

•	Add-CASearch

•	Move-CASearch

•	Remove-CASearch

•	Add-CASearchFolder

•	Remove-CASearchFolder

The following commands are available to manage searches:

•	Invoke-CASearch

•	Get-CASearches

•	Get-CASearchDefinition

•	Set-CASearchProperties

•	Copy-CASearch

•	Add-CASearch

•	Move-CASearch

•	Remove-CASearch

•	Add-CASearchFolder

•	Remove-CASearchFolder

Invoke-CASearch

Use this command to run a search.

Table 32. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Search	The search to run. Use Get-CASearches to find the PSCASearchInfo object required to identify the search.
-StartTime (Optional)	The start time for the events that will be retrieved. By default this is the start time defined in the search.
-EndTime (Optional)	The end time for the events that will be retrieved. By default this is the start time defined in the search.
-Limit (Optional)	The maximum number of records to retrieve and display. By default this is the limit defined in the search.

Example: Running a search and limit the display to 10 events

$connection = Connect-CAClient -InstallationName 'DEFAULT"

$search = Get-CASearches $connection | ? {$_.Name -eq "All Events"}

Invoke-CASearch -Connection $connection -Search $search -limit 10

 

Get-CASearches

Use this command to view information on all available searches and identify a search info object that is required for some other commands.

Table 33. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.

Example: Viewing all available searches within a specific installation

Get-CASearches $connection

Example: Viewing a specific search

Get-CASearches $connection | ? {$_.Name -eq "All AD Queries in the last 30 days"}

Get-CASearchDefinition

Use this command to obtain the search definition from an existing search. The search definition is XML that can be modified and used to create a search.

Table 34. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
- Search	The search info object obtained from the Get-CASearches command.

Example: Getting the definition of a search with the name “All Events” and writing it to a file at the directory “C:\definitions\All Events.xml”

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

[xml]$xmlString = Get-CASearches $connection | ? {$_.Name –eq “All Events”} | Get-CASearchDefinition $connection

$xmlString.Save(“C:\definitions\All Events.xml”)

Set-CASearchProperties

Use this command to update the search name, default folder, set the limit of a public or private search, or the path and subsystem for an imported .csv file of a list of directory objects.

Table 35. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Search	The search info object obtained from the Get-CASearches command.
-Name	Specifies a new name for the search.
-DefaultFolderPath	Specifies a new default folder path for the search.
-Limit	Specifies a new limit for the search.
-PassThru (Optional)	A switch that specifies to return the updated search after the command runs.
-Subsytem	The subsystem to update. The ability to import a .csv file with a list of objects is available for Active Directory, Exchange, and Group Policy.
-Path	Path to the .csv file to import.

Example: Changing the display name of a search, set the default folder path and limit

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ?{$_.Name –eq “All Owner Mailbox Events”}

Set-CASearchProperties $connection -Search $search -Name "NewName"
-DefaultFolderPath "C:\PATH\MYSEARCH" -Limit 1000

Example: Import a .csv file of Active Directory objects

NOTE: For optimal performance, do not include more than 1000 objects in your import file.

$connection=Connect-CAClient -InstallationName 'Default'

$search = Get-CASearches $connection | ? {$_.Name -eq "All My Events"}

Set-CASearchProperties $connection -Search $search -Subsystem "Active Directory" -Path "C:\MyCSVObjectList.csv"

Copy-CASearch

Use this command to copy a search in the installation.

Table 36. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Search	The search info object obtained from the Get-CASearches command.
-IsPublic (Optional)	An optional switch that specifies if the search is public. The default is private.
-UserSid	An optional parameter that is used (when –IsPublic is not used) to specify the SID of the user that owns the directory where the copy of the search is placed.
-Path	A parameter that specifies a path where the copy is to be placed. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.
-Name (Optional)	An optional parameter that specifies a new name for the copy of the search.
-PassThru (Optional)	A switch that specifies to return the updated search after the command runs.

Example: Copying a search named “New Search for Employee” to a user’s private folder Searches\New and giving it a new name “All My Events”

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.Name –eq “New Search for Employee”}

Copy-CASearch –Connection $connection –Search $search –UserSid S-1-5-21-3623811015-3361044348-30300820-1013 –Path Private\Searches\New –Name “All My Events” -PassThru

Add-CASearch

Use this command to create a search in the installation.

Table 37. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-XmlSearchDefinition	An XML string or object that represents a search definition.
-IsPublic	A switch that specifies if the search is public. The default is private.
-UserSid	A parameter that is used (when –IsPublic is not used) to specify the SID of the user who owns the new search.
-Path	A parameter that specifies a path where the new search will be placed. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.
-Name	A parameter that specifies a new name for the search.
-PassThru (Optional)	A switch that specifies to return the new search after the command runs.

Example: Adding a public search to the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$searchDefinition = Get-Content C:\Users\Admin\Documents\MySearchDefinition.xml

Add-CASearch –Connection $connection –XmlSearchDefinition $searchDefinition
–IsPublic –Path Shared\AllSearches\New –Name “All events in the past 23 hours”
-PassThru

Move-CASearch

Use this command to move a search from one folder path to another in the installation.

Table 38. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-IsPublic	A switch that specifies if the search is public. The default is private.
-UserSid	A parameter that is used (when –IsPublic is not used) to specify the SID of the user who owns the new search.
-Path	A parameter that specifies the path where the search will be placed. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.
-Search	The search info object obtained from the Get-CASearches command.
-PassThru (Optional)	A switch that specifies to return the updated search after the command runs.

Example: Moving the search named “All AD Queries in the last 30 days” to the private folder “Shared\Skype\” of the user with the SID “S-1-5-21-3623811015-3361044348-30300820-1013”

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.Name –eq “All AD Queries in the last 30 days”}

Move-CASearch $connection –Search $search –UserSid S-1-5-21-3623811015-3361044348-30300820-1013 –Path “Shared\Skype”

Remove-CASearch

Use this command to remove a public or private search from the installation.

Table 39. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Search	The search info object obtained from the Get-CASearches command.
-Force (Optional)	A parameter that removes the prompt before a search is removed.

Example 1: removing any search with the name “All Exchange Admin Events” from the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.Name –eq “All Exchange Admin Events”}

Remove-CASearch $connection –Search $search

Example 2: Removing the search with the name “All Search Events”, owned by the user with the SID “S-1-5-21-3623811015-3361044348-30300820-1013”, which exists in that user’s folder “Security\Internal\Searches” from the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.OwnerSid –eq “S-1-5-21-3623811015-3361044348-30300820-1013”} | ? {$_.FolderPath –eq “Security\Internal\Searches”} | ? {$_.Name –eq “All Search Events”}

Remove-CASearch $connection –Search $search

Add-CASearchFolder

Use this command to create a search folder in the installation.

Table 40. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-IsPublic	A switch that specifies if the search is public. The default is private.
-UserSid	A parameter that is used (when –IsPublic is not used) to specify the SID of the user who owns the new folder.
-Path	A parameter that specifies the path to create. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.

Example: Adding the public folder Searches\New to the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

Add-CASearchFolder –Connection $connection –IsPublic –Path Shared\Searches\New

Remove-CASearchFolder

Use this command to remove a public or private folder from the installation.

Table 41. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-IsPublic	A switch that specifies the folder being removed is public.
-UserSid	A parameter that is used if –IsPublic is not specified to speci-fy the SID of the user that owns the private folder being removed.
-Path	A parameter that specifies the path to the folder to remove. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.
-Force (Optional)	An optional parameter that removes the prompt before a search is removed.

Example: Removing the public folder in the installation Miscellaneous\OldSearches

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

Remove-CASearchFolder $connection –IsPublic –Path Shared\Miscellaneous\OldSearches

Managing Active Directory Database auditing

Change Auditor allows you to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts.

Extraction of this file could lead to parsing of usernames and passwords resulting in a security breach. The ability to audit changes to this file reduces the risk of the user account information from being accessed and tampered with by unwanted processes or users.

Managing Active Directory database auditing is available through the following PowerShell commands:

•	New-CAADDatabaseTemplate

•	Get-CAADDatabaseTemplate

•	Remove-CAADDatabaseTemplate

•	Set-CAADDatabaseTemplate

New-CAADDatabaseTemplate

Use this command to create an Active Directory Database auditing template.

Table 42. Parameter description

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-TemplateName	The template name.
-Disabled (Optional)	Set to true or false to enable or disable the template.
-ExcludedProcesses (Optional)	The list of processes to exclude from auditing. The default is none.

Example: Create a new Active Directory Database auditing template

New-CAADDatabaseTemplate -Connection $connection -TemplateName $template
-ExcludeProcess $excludeProcess -Disabled false

Get-CAADDatabaseTemplate

Use this command to see all the Active Directory Database auditing templates available within your installation.

Table 43. Parameter description

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Id (Optional)	The template GUID.

Example: Get a list of all Active Directory Database templates

Get-CAADDatabaseTemplates -Connection $connection

Remove-CAADDatabaseTemplate

Use this command to delete an Active Directory Database auditing template.

Table 44. Parameter description

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Template	The CAADDatabaseTemplate object to remove. Obtain the template objects using the Get-CAADDatabaseTemplate command and filter to select the object to remove.
-Force (Optional)	Removes template without prompting for a confirmation. The default is false.

Example: Remove a Active Directory Database auditing template

Remove-CAADDatabaseTemplate -Connection $connection -Template $removeTemplate

Set-CAADDatabaseTemplate

Use this command to modify an Active Directory Database auditing template.

Table 45. Parameter description

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-TemplateName	The template name.
-Template	The PSCAProtectionTemplate object to update. Obtain the template objects using the Get-CAADDatabaseTemplate command and filter to select the object to remove.
-Disabled (Optional)	Set to true or false to enable or disable the template.
-ExcludedProcesses (Optional)	The list of processes to exclude from auditing. The default is none.

Example: Modify an Active Directory Database auditing template

Set-CAADDatabaseTemplate -Connection $connection -template $template -templatename "Name" -ExcludeProcess $excludeProcess -Disabled false

Working with Active Directory Database protection templates

Change Auditor allows you to protect the Active Directory database (NTDS.dit) file for possible unauthorized access attempts.

The following commands are available to manage Active Directory Database protection:

•	New-CAADDProtectionTemplate

•	Set-CAADDProtectionTemplate

•	Get-CAADDProtectionTemplates

•	Remove-CAADDProtectionTemplate

New-CAADDProtectionTemplate

Use this command to create an Active Directory Database protection template.

Table 46. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-TemplateName	The template name.
-Disabled (Optional)	Set to true or false to enable or disable the template.
-ExcludedProcesses (Optional)	The list of processes to exclude from protectoin. The default is none.

Example: Create an Active Directory Database protection template

New-CAADDProtectionTemplate -Connection $connection -TemplateName TemplateSample

Set-CAADDProtectionTemplate

Use this command to modify an Active Directory Database protection template.

Table 47. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Template	The CAADDProtectionTemplate object to edit. Obtain the template objects using the Get-CAADDProtectionTemplates command and filter to select the object to remove.
-TemplateName (Optional)	The template name.
-Disabled (Optional)	Set to true or false to enable or disable the template.
-ExcludedProcesses (Optional)	The list of processes to exclude from protectoin. The default is none.

Example: Create an Active Directory Database protection template

set-caaddprotectiontemplate -connection $connection -template $template -templatename "templatesample"

Get-CAADDProtectionTemplates

Use this command to see all the Active Directory Database protection templates that have been created.

Table 48. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-ID (Optional)	GUID for a specific template.

Example: Get a list of all Active Directory Database Protection templates

Get-CAADDProtectionTemplates -Connection $connection

Remove-CAADDProtectionTemplate

Use this command to remove an Active Directory Database protection template.

Table 49. Available parameters

Parameter	Description
-Connection	A connection obtained by using the Connect-CAClient command.
-Template	The PSCAProtectionTemplate object to remove. Obtain the template objects using the Get-CAADDatabaseTemplate command and filter to select the object to remove.
-Force (Optional)	Removes the template without providing confirmation.

Example: Remove an Active Directory Database protection template

Remove-CAADProtectionTemplate -Connection $connection -Template $template

 

 

 

 

•  Previous
• Viewing Topics 13 - 16 of 27
• Next 

Search this document Search all documents for this product-version Search all documents for this product Search all documents

×

 Welcome to Quest Support

You can find online support help for Quest *product* on an affiliate support site. Click continue to be directed to the correct support content and assistance for *product*.

Related Documents

Change Auditor - 7.3
Built-in Reports Reference Guide
Event Reference Guide
FIPS Compliance User Guide
Installation Guide
Office 365 and Azure Active Directory Event Reference Guide
Office 365 and Azure Active Directory User Guide
PowerShell User Guide
Quick Start Guide
Release Notes
SIEM Integration User Guide

Showing 1 to 10 of 42 rows10

• 10
• 25
• 50

records per page

• «
• 1
• 2
• 3
• 4
• 5
• »

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2025 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center