Chat now with support
Chat with Support

Change Auditor 7.5 - Release Notes

Change Auditor client (Client-side component)

The client connects to a coordinator and queries the audited event database for the desired results.

 
Table 14. Client requirements
Requirement
Details

Processor

Dual core Intel Core i5 equivalent or better

Memory

Minimum: 4 GB RAM or better

Recommended: 8 GB RAM or better

Installation platforms (x64) supported up to the following versions
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows 10
Windows 11
NOTE: Microsoft Data Access Components (MDAC) must be enabled. MDAC is part of the operating system and is enabled by default.

Screen resolution
1280 x 800 with at least 256 colors

Client software and configuration
x64 version of Microsoft’s .NET Framework 4.8
x64 version of Microsoft XML Parser (MSXML) 6.0
x64 version of Microsoft SQLXML 4.0

Ports

Ports 139 and 445 must be opened on the domain controller.

Client footprint
Estimated hard disk space used: 140 MB
Estimated physical memory RAM) used: 150 to 500 MB

Client RAM usage depends on the number of tabs you have open.

NOTE: Queries that return much data can cause the client to use as much memory as required to store the results in RAM.

Change Auditor agent (Server-side component)

A Change Auditor agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. The agents report the audit events to the coordinator which inserts the event details into the Change Auditor database.

 
 
Table 15. Agent requirements
Requirement
Details

Processor

Dual core Intel Core i5 equivalent or better

Memory

Minimum: 8 GB RAM or better

Recommended: 16 GB RAM or better

Installation platforms (x64) supported up to the following versions
Windows Server 2016 Server Core (Active Directory, File system, Registry, Services, Local Account, and Exchange auditing only.)
Windows Server 2016
Windows Server 2019
Windows Server Core 2019 (Active Directory, File system, Registry, Services, Local Account, and Exchange 2019 auditing only.)
Windows Server 2022
Windows Server Core 2022 (Active Directory, File system, Registry, Services, Local Account, and Exchange 2019 auditing only.)
NOTE: Change Auditor components can be deployed on Windows environments with Secure Boot enabled.
NOTE: Microsoft Data Access Components (MDAC) must be enabled. MDAC is part of the operating system and is enabled by default.
NOTE: Windows File System auditing is supported in a Windows failover cluster configuration. However, the agent is not aware of the cluster and only audits the active nodes in the cluster where agents are deployed.
NOTE: Auditing of some Exchange events requires the latest Exchange service pack. See the Change Auditor for Exchange Event Reference Guide for the minimum service packs required for Exchange events.

Agent software and configuration
x64 version of Microsoft’s .NET Framework 4.8
x64 version of Microsoft XML Parser (MSXML) 6.0
x64 version of Microsoft SQLXML 4.0
The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
The Change Auditor agent service depends on the following Windows services to be running:
DNS Client
Remote Procedure Call (RPC)
Windows Event Log
NOTE: Ensure communication over RPC between coordinators and agents.

Agent footprint
Estimated hard disk space used: 220 MB + local database size + log size.
Change Auditor agent log retention and content is configurable. That is, you can define how many files to retain and the level of logging.
Estimated physical memory (RAM) used: 200 to 500 MB; Agent RAM usage depends on the auditing modules you have licensed.

Agent installation is NOT compatible with the following applications

Chang Auditor agent cannot be installed on the same server as agents from Quest products that were precursors to Change Auditor including:

InTrust for Active Directory
InTrust for ADAM
InTrust for Exchange
InTrust for File Access
DirectoryLockdown
SecurityManager

These products are no longer available, but if their agents are still installed they should be removed before installing Change Auditor.

Due to the way Change Auditor integrates with Active Directory to capture all change details, there may be incompatibilities with third party agents that integrate with Active Directory in a similar way such as Active Directory auditing tools from other vendors.

Change Auditor may be incompatible out-of-the-box with agents that are designed to detect suspicious software such as anti-virus tools. In these cases, it may be necessary to configure the third party product to exclude the Change Auditor process from its scope.

If Change Auditor is going to be installed alongside products that conform to either of these patterns, Quest recommends that the installation is tested in a non-production environment first to identify any incompatibilities and adjust the product configurations as necessary before deploying to production.

By default, Microsoft Defender has the “Block credential stealing from the Windows local security authority subsystem” rule enabled. This setting must be disabled on the agent computer for Change Auditor to audit events. This does not affect workstation agents.

 
Table 16. Agent minimum permissions
Account
Permissions

User account deploying agents

The user account used to deploy agent must have:
Administrative authority to install software on every target computer.
Interactive logon rights.

System account running on agent

Change Auditor agents must run as Local System.

Change Auditor workstation agent (optional component)

You can deploy workstation agents to capture authentication activity and logon session events from monitored workstations when the Change Auditor for Logon Activity Workstation license is applied.

* 
NOTE: The recommended installation for domain workstations is from the Deployment tab of the Change Auditor Windows client. However, for non-domain workstations you must manually install the workstation agent. See the Change Auditor Installation Guide for recommendations and instructions on manually deploying workstation agents.
 
Table 17. Workstation agent requirements
Requirement
Details

Processor

Dual core Intel Core i5 equivalent or better

Memory

Minimum: 8 GB RAM or better

Recommended: 16 GB RAM or better

Installation platforms supported up to the following versions
Windows 10 (Pro and Enterprise)
Windows 11 (Pro and Enterprise)
NOTE: Microsoft Data Access Components (MDAC) must be enabled. MDAC is part of the operating system and is enabled by default.

Agent software and configuration
Microsoft’s .NET Framework 4.8
Microsoft XML Parser (MSXML) 6.0
Microsoft SQLXML 4.0
The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
The Change Auditor agent service depends on the following Windows services to be running:
DNS client
Remote Procedure Call (RPC)
Windows event log
NOTE: Ensure communication over RPC between coordinators and agents.
NOTE: For workstation log management (such as Get Logs or View Agent Log), the following must be enabled on the workstation:
Windows Management Instrumentation (WMI) must be enabled in firewall rule set (usually domain) on the workstation.
Network Discovery and File Sharing must be enabled.
Remote Registry service must be set to ‘Start Automatically’. By default, this service is stopped and set to ‘Manual’ for Windows 10.

Authentication Activity auditing

To capture Authentication Activity events, you must first enable (that is, set to Success, Failure) the ‘Audit Logon events’ audit policy for all servers or workstations:
Domain - Group Policy
Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policy\Audit Policy\Audit logon events
Workgroup - Local Group Policy
Local Computer Policy\Computer Configuration\Windows Sercurity\Security Settings\Local Policies\Audit Policy\Audit logon events

For more information

See the Change Auditor for Logon Activity User Guide for more information about using Change Auditor for Logon Activity.

Change Auditor web client (optional component)

The Change Auditor web client is an optional component that is installed on the Internet Information Services (IIS) web server to provide users access to Change Auditor through a standard or mobile web browser.

 
Table 18. Web client requirements
Component
Supported versions

Processor

Quad core Intel Core i7 equivalent or better

Change Auditor

Change Auditor (any license)

Installation platforms (x64) supported up to the following versions

Windows Server 2016
Windows Server 2019
Windows Server 2022
NOTE: Web Server (IIS) role must be installed.

Software and configuration
x64 version of Microsoft’s .NET Framework 4.8
ASP.NET 4.5.1 or higher
x64 version of Microsoft XML Parser (MSXML) 6.0
x64 version of Microsoft SQLXML 4.0

Browsers

 
Chrome
Edge
Firefox
Safari for Mac OS (Windows Safari is not supported)

Change Auditor role

To install the web client, you must have at minimum the operator role.

For more information

See the Change Auditor Web Client User Guide for more information about installing and using the web client.

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating