Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Info tab

Previous Next

Info tab

From the Info tab, you can view or enter the name and description of a search definition. You can also define the maximum number of records to be retrieve and display, or enable a refresh interval that defines how often the client is to retrieve and redisplay updated information.

The Info tab contains the following information and controls:

 

Table 2. Info tab: Field and control descriptions

Field and Control

Description

Search Name

Displays the name of the selected search.

When creating a search, place your cursor in this text box and enter a descriptive name for the search.

Search Description

Displays the description of the selected search.

To add a description to a new search, place your cursor in this text box to enter a brief description of the search.

Search Limit

Specifies the maximum number of records to retrieve and display. By default, the maximum of 50,000 records are returned from the database during a single request. Select this check box and use the arrow controls to change the search limit for the selected search.

NOTE: Clearing this check box removes the search limitation, which may increase both client memory and wait time if expected search results are over 100,000. Therefore, Quest recommends that you leave this check box checked and use the defined search limit.

Refresh Interval

Specifies how often the client is to retrieve and redisplay updated information. Select this check box and use the arrow controls to enable and set the refresh interval for the selected search.

When this option is checked, an extra field, Next Refresh, is added to the heading area of the Search Results grid.

NOTE: This option is not checked by default for new searches, only for the default favorite search (Change Auditor Real-Time) used in the Overview page. The default interval for the default favorite search is five minutes.
To name a new search:
1
Place your cursor in the Search Name text box and enter a descriptive name for the search.
* 
NOTE: If you do not enter a new name for your search, it is named ‘New Search’.
2
Place your cursor in the Search Description text box and enter a brief description of the search.
3
After entering the search name and optional description, proceed to the other Search Properties tabs to enter the search criteria.
To change the maximum number of records to retrieve:

The Search Limit field specifies the maximum number of records to retrieve and display for the selected search. By default, a maximum of 50,000 records are returned from the database during a single request.

1
To restrict the search results to a specific number of records, ensure that the Search Limit check box is checked.
2
Set the value to the maximum number of events to return.
* 
NOTE: Clearing this check box removes the search limitation, which may increase both client memory and wait time if expected search results are over 100,000. Quest recommends that you leave this check box checked and use the defined search limit.
To set a refresh interval:

The Refresh Interval field specifies how often to retrieve and redisplay updated information.

1
Select the Refresh Interval check box to enable this feature and activate the field to the right of this field.
* 
NOTE: This option is not checked by default for new searches, only for the default favorite search (Change Auditor Real-Time) used in the Overview page. The default interval for the default favorite search is five minutes.
2
Enter or use the arrow controls to set the refresh interval (how many minutes between refreshes) for the selected search.

When this option is checked, an extra field, Next Refresh, is added to the heading area of the search results grid whenever this search is run.

Who tab

Previous Next

Who tab

The Who tab allows you to view or define the users, computers, groups, or service accounts to include in (or exclude from) the search definition. You can also select to include or exclude administrators. When multiple ‘who’ criteria is specified, Change Auditor uses the ‘OR’ operator to evaluate change events, returning events for activity performed by any of the users, computers, or groups listed.

* 
NOTE: You can add a group to a search to find all events by the members of that group. Change Auditor must expand and store the membership of the group before all expected events are returned when the search is run. When the search is saved, Change Auditor expands the group if it has not already been expanded. This may take several minutes, depending on your environment. See Group Membership Expansion for the options available regarding group expansion.
* 
NOTE: Activity performed by an account specified in an Excluded Accounts template is not captured by the agents to which this template is assigned. Change Auditor does not return any audit events for these excluded accounts even if you specify them in your ‘who’ search criteria. For more information about excluding accounts, see Account Exclusion.

The Who tab contains the following information and controls:

 

Table 3. Who tab: Field and control descriptions

Field and Control

Description

Runtime Prompt

Select this check box to prompt for the ‘who’ criteria when this search runs. That is, when you select Run, the Select Active Directory Object dialog is displayed allowing you to locate and select the users, computers, groups, or service accounts to search.

NOTE:  
When this check box is checked, the Add toolbar buttons are deactivated.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
 

Exclude the Following Selection(s)

Select this check box to specify the users, computers, or groups to exclude from the search. That is, Change Auditor is to search all users, computers, and groups except those listed.

Include Event Source Initiator

Select this check box if you want to include Active Roles or GPOADmin events in the search. Selecting this check box instructs Change Auditor to retrieve all change events made by the specified user account, including those initiated by Active Roles and GPOADmin.

NOTE: An extra column (Initiator UserName) is added to the Search Results grid that contains the user information of who made the change through Active Roles or GPOADmin.

Who list

Contains the individual users, computers, groups, or service accounts to include in the search (or excluded from the search if the Exclude the Following Selection(s) option is checked).

By default, all users, computers, and groups are included in a new search definition and therefore, this list is empty.

To search for events generated by a specific user, computer, group, or service account:
* 
NOTE: By default, each new search searches for change events generated by all users, computers, gruops, and service accounts; therefore, the list box on the Who tab will be empty.
1
On the Who tab, click Add to add an active user, computer, group, or service account to the ‘who’ list.

On the Select Active Directory Object dialog, use either the Browse or Search page to search your environment to locate and select the user, computer, group, or service account to include.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

2
Click Add to add it to your selection list.

Repeat to include each additional directory object.

3
After selecting one or more directory objects, click Select to save your selection and close the dialog.
* 
NOTE: You can use Add with Events (instead of Add) to select a user, computer, or group that already has an audit event associated with it in the database. The accounts available for selection are based on the ‘when’ clause (When tab) and the search limit (Info tab) specified for the current search.

Use this to search for events that are tied to users who have been removed from Active Directory.

4
Optionally, select Add | Administrator, select Yes or No to include or exclude users with the Administrator right, and click OK.
5
When this search runs, Change Auditor searches for change events generated by only the selections listed on the Who tab.
* 
TIP: If you are running Active Roles or GPOADmin and want to include events generated by Active Roles or GPOADmin in the search, select the Include Event Source Initiator check box. For more information, see the Active Roles Integration or GPOADmin Integration sections in the Change Auditor Installation Guide.
To use a wildcard expression to specify a user or group:
1
On the Who tab, expand Add and select the Add Wildcard Expression option.
2
On the Add Who dialog, enter the wildcard expression to use to search for a user (domain\user name) or group (domain\group name):
Select the comparison operator to use: Like or Not Like.
In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.

For example, LIKE *admin* finds all users with the character string ‘admin’ anywhere in the name.
By default, the wildcard expression is used to search for a user. To search for a group, select the Group option.
 
* 
NOTE: When using the Group option, the Group Membership Expansion option on the Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all groups.
3
After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘who’ list.
4
When this search runs, Change Auditor searches for change events generated by the users (or users that are members of the groups) whose name matches the specified wildcard expression.

What tab

Previous Next

What tab

Use the What tab to define ‘what’ entities to inlcude (or exclude) in the search. More specifically, using this tab you can create a search for events based on:
Subsystem
Event Class
Object Class
Severity
Result

When criteria is specified on the What tab, Change Auditor retrieves only those events that match the criteria listed on the What tab. When multiple ‘what’ criteria is specified on this tab, Change Auditor uses the ‘AND’ operator to evaluate an event and returns only those events that meet all the specified criteria. However, when multiple subsystems (for example, Active Directory, ADAM and Exchange) are specified, Change Auditor uses the ‘OR’ operator to evaluate these entities, returning events that meet any of the specified subsystem criteria. This also applies when multiple event classes are specified. That is, when multiple event classes are specified, Change Auditor uses the ‘OR’ operator and returns any of the specified events.

* 
NOTE: By default, all events are included in a new search definition and therefore the list box on the What tab will be empty.

Once criteria is added, the criteria list box contains an expandable view displaying the following information for all the criteria defined for the search definition:

Entity

Lists the entity (subsystem, event class, object class, severity, or result) selected. Expanding the Entity entry displays the specific criteria and any options or restrictions, defined as part of the search criteria.

Exclude

Indicates whether the criteria is included in (False) or excluded from (True) the search definition.

Action(s)

When applicable, this column displays the actions (all, add attribute, delete attribute, modify attribute, rename object, add object, delete object, or other) included in the search definition.

* 
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, File System, Group Policy, Local Account, or Registry.
Transport(s)

When applicable, this column displays the transports (all, SSL/TLS, Kerberos, Simple Bind) included in the search definition.

* 
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, or AD Query.
Port

When applicable, this column displays the port included in the search definition.

Click the expansion box to the left of the Entity field to expand this view to display the following details:

Object

Displays the object selected for auditing.

Restriction

If applicable, this field displays the additional restrictions specified for the search definition.

* 
NOTE: Only displayed when the entity is an Event Class.
Scope

Indicates the scope specified (All Object, This Object, This Object and Child Objects Only, This Object, All Child Objects, and Members of this group).

Examples of custom searches based on ‘what’ criteria

* 
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, File System, Group Policy, Local Account, or Registry.
* 
NOTE: Only the ‘what’ criteria that does not require a specific license is covered in this section. For more information about ‘what’ criteria that requires a specific license, refer to the appropriate Change Auditor User Guide:
Object Class - Change Auditor for Active Directory User Guide
Subsystem | Active Directory - Change Auditor for Active Directory User Guide
Subsystem | AD Query - Change Auditor for Active Directory Query User Guide
Subsystem | ADAM (AD LDS) - Change Auditor for Active Directory User Guide
Subsystem | Microsoft Entra - Microsoft 365 and Microsoft Entra ID Auditing User Guide
Subsystem | Exchange - Change Auditor for Exchange User Guide
Subsystem | File System - Change Auditor for Windows File Servers User Guide, Change Auditor for EMC User Guide or Change Auditor for NetApp User Guide
Subsystem | Group Policy - Change Auditor for Active Directory User Guide
Subsystem | Logon Activity - Change Auditor for Logon Activity User Guide
Subsystem | Microsoft 365 - Microsoft 365 and Microsoft Entra ID Auditing User Guide
Subsystem | SharePoint - Change Auditor for SharePoint User Guide
Subsystem | SQL - Change Auditor for SQL Server User Guide
To search for events based on an event class or facility:
1
On the What tab, click Add. (Or expand the Add button and select Event Class.)
* 
NOTE: You can use the Add with Events | Event Class command (instead of Add | Event Class) to select an entity that already has an event in the database.
2
On the Add Facilities or Event Classes dialog, select a single event, click Add, and select Add This Event or Add All Events in Facility.
* 
NOTE: When multiple events are selected, Change Auditor uses the ‘OR’ operator to evaluate the change events, returning any of the events specified.
3
Depending on the event class entry selected in the data grid, an extra Restriction pane may display across the middle of this dialog.

For some event classes, use the restriction pane to specify 'from' and/or 'to' value restrictions. To define a restriction, select the appropriate check box and enter the value.

For other event classes (such as DNS Zone, Distribution and Security groups), use the restriction pane to apply filter options for filtering by individual parameter values (for example, auditing of static DNS entries).

To do this, select the Filter by parameter check box and then select from the available parameter values that are enabled (for example, for the DNS Entry Type parameter, you can select Static and/or Automatically expiring).

4
Once you have defined the restrictions, use either Add or Update Restriction:
If the event has not been added to the Selections list box, click Add to add the event to the selection list.
If the event was previously added to the Selections list box, click Update Restriction to update the restrictions for the event.
* 
NOTE: You can also use the Shift and Ctrl keys to add multiple event classes to the selection list. However, the restrictions pane and the Add | Add All Events in Facility command are not available when multiple event classes are selected.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all event classes and facilities except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box to prompt for the facility or event class criteria every time the search runs. When this check box is checked, the data grid and buttons on this dialog are disabled.

You cannot enable alerting for search definitions that use the Runtime Prompt option.
5
Once you have made your selections, click OK.

The search criteria listed on the What tab now defines what will be searched for when this search is run.

To search for changes to local users or groups:
1
On the What tab, expand Add and select Subsystem | Local Account.
* 
NOTE: You can use the Add with Events | Subsystem | Local Account command (instead of Add | Subsystem | Local Account) to select an entity that already has an event in the database.
2
On the Add Local Account dialog, select one of the following options to define the scope of coverage:
All Objects - select this option to include all objects
This Object - select this option to include individual objects
3
If you selected This Object, the data grid, which displays a list of all the users and groups in the local SAM databases on the selected Member Server, and associated buttons are enabled.
4
To add an account, select the account in the data grid and click Add to add it to the selection list at the bottom of the dialog. Repeat to add more accounts.
5
To replace an account in the selection list, select the ‘new’ account in the data grid, select the ‘old’ account in the selection list and click Update. The entry in the selection list is replaced with the ‘new’ account.
6
To select a local account on a different computer, click Browse to the right of the Account field. On the Select Active Directory Object dialog, use the Browse or Search pages to locate and select another computer.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

7
Click Select to save your selection and close the dialog.

On the Add Local Account dialog, the local user and group accounts available on the specified computer are displayed in the data grid.

* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events generated by all local accounts except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box to prompt for a local account every time the search runs. When this check box is checked, the data grid and buttons on this dialog are disabled.

You cannot enable alerting for search definitions that use the Runtime Prompt option.
8
Once you have selected the local accounts to include in the search, click OK.

When this search is run, Change Auditor searches for events generated by the local accounts listed on the What tab.

To search for changes to registry keys:
* 
NOTE: Registry auditing is only available when you have applied custom Registry Auditing templates that define the registry changes to be audited. See Registry Auditing for more information about capturing registry events.
1
On the What tab, expand Add and select Subsystem | Registry.
* 
NOTE: You can use Add with Events | Subsystem | Registry (instead of Add | Subsystem | Registry) to select an entity that already has an event in the database.
2
On the Add Registry Key dialog, select one of the following options to define which system registry keys to include in your search definition:
All Registry Keys include all registry keys
This Object include only the selected objects
This Object and Child Objects Only include the selected objects and its direct child objects
This Object and All Child Objects include the selected objects and all subordinate objects (in all levels)
3
By default, All Actions is selected meaning that all the registry actions listed are included in the search definition. However, you can clear the All Actions option and select individual actions for auditing.

Select one or more of the following options:
All Actions include all the actions. When this option is selected, all the other options are disabled. (Default)
Add Value include when a new value is added to the selected registry key.
Delete Value include when a registry key value is removed.
Modify Value include when a registry key value is modified.
Add Key include when a new registry key is added.
Delete Key include when a registry key is removed.
4
When a scope option other than All Registry Keys is selected, the registry key hierarchy is enabled allowing you to locate and select an individual registry key.

Expand the hierarchy to locate and select a registry key. Then click Add to add it to the selection list box at the bottom of the dialog. Repeat to add more registry keys.

* 
NOTE: If you selected Add With Events, the registry key hierarchy pane is replaced with a data grid listing the registry keys that have an event associated with it in the database.
5
To replace a registry key in the selection list, select the ‘new’ registry key in the hierarchy, select the ‘old’ key in the selection list and click Update. The entry in the selection list is replaced with the ‘new’ registry key.
6
To select a registry key on a different computer, click Browse to the right of the Path field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

7
Click Select to save your selection and close the dialog.

On the Add Registry Key dialog, the system registry keys associated with the specified computer will then be displayed in the hierarchy view.

* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events in all registry keys except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box to prompt for a registry key every time the search runs. When this check box is checked, the data grid and buttons on this dialog are disabled.

You cannot enable alerting for search definitions that use the Runtime Prompt option.
8
Once you have selected the registry keys to include in the search, click OK.

When this search runs, Change Auditor searches for the selected events (actions) in the registry keys listed on the What tab.

To search for changes to services:
* 
NOTE: Service auditing is only available when you have applied custom Service Auditing templates that define the services to audit. See Service Auditing for more information about capturing service events.
1
On the What tab, expand Add and select Subsystem | Service.
* 
NOTE: You can use Add with Events | Subsystem | Service (instead of Add | Subsystem | Service) to select an entity that already has an event in the database.
2
On the Add Service dialog, select one or more services from the list at the top of the dialog and click Add to move them to the selection list box at the bottom of the page.

You can also click Add All to include all the listed services in the search definition.

3
To select services on a different computer, click Browse to the right of the You are viewing services on field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another computer.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

4
Click Select to save your selection and close the dialog.

On the Add Services dialog, the services found on the specified computer will then be displayed.

* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events to all services except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box to prompt for a service every time the search runs. When this check box is checked, the data grid and buttons on this dialog are disabled.

You cannot enable alerting for search definitions that use the Runtime Prompt option.
5
Once you have selected the services to include in the search, click OK.

When this search is run, Change Auditor searches for change events to the services listed on the What tab.

TTo search for events based on severity:
1
On the What tab, expand Add and select Severity.
* 
NOTE: You can use Add with Events | Severity (instead of Add | Severity) to select a severity that already has an event associated with it in the database.
2
On the Add Severities dialog, select one or more severity levels and click Add to add them to the selection list box at the bottom of the dialog.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all events except those assigned a severity level that is listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a severity every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.

 

3
Once you have defined the severity levels to include in the search, click OK.

When this search is run, Change Auditor searches for events with the severity levels included on the What tab.

To search for events based on result:
1
On the What tab, expand Add and select Result.
* 
NOTE: You can use Add with Events | Result (instead of Add | Result) to select an entity that already has an event associated with it in the database.
2
On the Add Results dialog, select one or more results (none, success, protected or failed) and use Add to add them to the selected list box at the bottom of the dialog.
* 
NOTE: Select the Exclude The Above Selection(s) check box if you want to search for all events except those with the selected result.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a result every time the search is run. When this check box is checked, the data grid and buttons on this dialog are disabled.

 

3
Once you have defined the results to include in the search, click OK.

When this search is run, Change Auditor searches for events with the results included on the What tab.

Where tab

Previous Next

Where tab

The Where tab allows you to specify which agents to include (or exclude) in the search definition. You can select individual agents, all agents in a specific domain, or a given site. When multiple ‘where’ criteria is added to this tab, Change Auditor uses the ‘OR’ operator to evaluate change events, returning events captured by any of the specified agents, domains, or sites.

The Where tab contains the following information and controls:

 

Table 4. Where tab: Field and control descriptions

Field and Control

Description

Runtime Prompt

Select this check box to prompt for the ‘where’ criteria whenever the search is run. That is, when Run is selected, the Select Active Directory Objects dialog is displayed allowing you to locate and select the agents, domains, or sites to include in the search definition.

NOTE: When this check box is checked, Add is deactivated.
NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option.

Exclude the Following Selection(s)

Select this check box to specify the agents, domains, or sites to exclude from the search. That is, Change Auditor is to return events generated from all agents except those listed in the Where list.

Where list

By default, all agents are included in a new search and therefore this list box is initially empty.

Once criteria is selected, this list box contains the agents, domains, sites, and server type (if specified) to include in the search (or exclude from the search if the Exclude the Following Selection(s) option is checked).

To search for events captured by a specific agent, domain or site:
* 
NOTE: By default, all agents are included in a new search, therefore the list box on the Where tab is empty.
1
Open the Where tab and click Add.
2
Use the Browse or Search pages to locate and select an individual agent, a domain, or a site.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

* 
NOTE: You can also select the Grid View option to select an agent from a list rather than using the Explorer View to locate it within your environment.
 
3
Click Add to add your selection to the selection list box at the bottom of the page.
* 
NOTE: You can use Add With Events (instead of Add) to select an agent, domain, or site which already has an event associated with it in the database.
4
Once you have selected the agents, domains and sites to include in the search, click OK.

The agents, domains and sites listed on the Where tab now defines where the search will be conducted when this search is run.

To use a wildcard expression to specify a domain, site or agent:
1
On the Where tab, expand Add and select Add Wildcard Expression.
2
Enter the wildcard expression to use to search for an agent (NetBIOS name), domain, or site:
Select the comparison operator to use: Like or Not Like.
In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.

For example, LIKE *local finds all agents with a NetBIOS name that ends in ‘local’.
By default, the wildcard expression is used to search for an agent. To search for a domain or site, select the Domain or Site option.
3
After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘where’ list.
4
When this search runs, Change Auditor searches for change events generated on the domains, sites, or agents whose name matches the specified wildcard expression.
To filter based on server type:
1
On the Where tab, expand Add and select Add Server Types.
2
Select to include Domain Controllers, Member Servers, Workstation Servers, Exchange Servers as required.
3
Click OK to close the dialog and add the server type to the ‘Where’ list.

When this search runs, Change Auditor searches for events generated on the specified domains, sites, or agents for the specified server type.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating