Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Deploying Change Auditor for Active Directory/Active Roles integration scripts

Previous Next

Deploying Change Auditor for Active Directory/Active Roles integration scripts

For Active Roles to retrieve the name of the user that was logged in to the Active Roles console and forward this information to Change Auditor for Active Directory, you must first deploy the integration scripts to an Active Roles server.

* 
NOTE: If the Active Roles scripting module has been deployed in a previous Change Auditor version, see the following knowledge base article which details the process to move to the updated version of these scripting modules that are available in Change Auditor 6.x and 7.x:

https://support.quest.com/change-auditor/kb?k=119136

* 
NOTE: The Quest certificate used to sign the deployed scripts is added to the current user trusted publishers certificate stored on the Active Roles server.
To deploy Change Auditor for Active Directory/Active Roles integration scripts:
1
Open the Deployment page.
2
Select a server where Active Roles is installed.
3
Expand Advanced Options and select one of the following options:
ActiveRoles Integration | Deploy Scripts Only
ActiveRoles Integration | Deploy Scripts and Excluded Account
4
If you select the Deploy Scripts Only option, Change Auditor for Active Directory copies and runs the Active Roles integration PowerShell script on the Active Roles server which triggers Active Roles to retrieve the initiator information for all users and pass this information onto Change Auditor for Active Directory.
5
If you select the Deploy Scripts and Excluded Accounts option, the Select Active Directory Objects dialog is displayed. Use either the Browse or Search page to locate and select a user or computer to exclude. Change Auditor for Active Directory then deploys the integration script that signals Active Roles to retrieve the initiator information for all accounts except for those specified for exclusion.
6
Once successfully deployed, Success is displayed in the Deployment Results cell for the server.
* 
NOTE: If errors are encountered during the deployment process, corresponding error messages are displayed in the Deployment Results cell. Fix the errors reported and then redeploy the scripts.

Client components added to Change Auditor for Active Directory

Previous Next

Client components added to Change Auditor for Active Directory

After you have deployed the integration script, the initiator information retrieved from Active Roles can be viewed on the Search Results page in Change Auditor for Active Directory. Use the following to display additional information:
A field on the Event Details pane that displays the additional information retrieved from Active Roles.
A built-in report that retrieves all Active Directory changes, including changes initiated by Active Roles. Running this report also displays the Initiator UserName and EventSource columns in the search results.
Columns on the Layout tab that allow you to add the event source and initiator information to other search definitions.
Option on the Who tab that allows you to create a custom search to search for events initiated by a specific user, including events initiated by Active Roles.
Email tags to include the additional information in alert email notifications.

Event Details pane

A Source field in the Event Details pane displays the name of the application from which the change event was generated (Change Auditor for Active Directory, Active Roles, or GPOADmin). For change events generated by Active Roles or GPOADmin, the name of the user account that initiated the change is displayed in parentheses.

* 
NOTE: If the Source field displays ‘ActiveRoles’ (instead of ‘ActiveRoles Server’) you are not using the latest integration scripts. To take advantage of the additional events and initiator account information captured using the integration scripts, ensure that you are running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher).

All Active Directory events including Active Roles/GPOADmin initiator built-in report

A built-in report is available which retrieves events for all Active Directory changes, including events initiated by Active Roles or GPOADmin. The search definition for this report also includes the initiator information (Initiator UserName and EventSource columns) in the search results.

To run the built-in Active Roles search:
1
Open the Searches page.
2
To display the available built-in searches, expand and select the Shared | Built-in | All Events folder.
3
Locate the All Active Directory Events Including ActiveRoles/GPOAdmin Initiator search and select the search definition and click Run.

A new Search Results page is displayed populated with the audited events that met the search criteria, including the Initiator UserName and EventSource information.

Layout tab

The Change Auditor for Active Directory database includes columns to record Active Roles and GPOADmin information. The columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can add the following information for all searches:
EventSource — for all events, the name of the application from which the event was generated (Change Auditor for Active Directory, Active Roles, or GPOADmin).
Initiator Mail — for all generated by Active Roles or GPOADmin, the email address of the user that initiated the change.
Initiator SID — for events generated by Active Roles or GPOADmin, the SID of the user that initiated the change.
Initiator UserName — for events generated by Active Roles or GPOADmin, the name of the user that initiated the change.
To add a column to the search results:
1
Open the Layout tab.
2
Locate the columns (EventSource, Initiator Mail, Initiator SID, or Initiator UserName) in the Unselected Columns table.
3
Select the columns to add and use the right arrow button to move them to the Selected Columns table.

The column is added to the bottom of the list or beneath the highlighted column in the Selected Columns table.

You can also ‘drag’ a column to the Selected Columns table.

4
The Selected Columns table also displays the order the columns are presented. To rearrange columns, use the up and down arrow buttons located to the right of the Selected Columns table.

You can also ‘drag’ columns within this table to define the order.

Who tab

When using the Who tab to retrieve change events initiated by a specific user, changes initiated by Active Roles are not automatically included in the search. A check box is available on the Who tab which instructs Change Auditor for Active Directory to retrieve all change events initiated by the specified user, including those made through Active Roles and GPOADmin.

To include Active Roles initiated events:
1
Open the Searches page
2
In the explorer view (left pane), expand and select the folder where you want to save your search (for example, Shared or Private).
3
Click New to enable the Search Properties tabs.
4
On the Who tab, click Add to add an active user, computer, or group to the ‘who’ list.
5
On the Select one or more Directory Objects dialog, use either the Browse or Search page to locate the user, computer, or group to include.

Once you have located the directory object, select it and click Add to add it to your selection list.

Repeat this step to include each additional directory object.

6
After selecting one or more directory objects, click Select to save your selection and close the dialog.
7
Back on the Who tab, select the Include Event Source Initiator check box.
* 
NOTE: Including the event source initiator, may have a noticeable effect on the search performance, depending on the size of the database and the number of results returned in the search.

When this search runs, Change Auditor for Active Directory retrieves all events made by the specified user account, including events initiated by Active Roles.

In addition, when the Include Event Source Initiator option is selected the Initiator UserName column is added to the Search Results grid for this search. For events initiated by Active Roles, this column contains the user account that was logged in to the Active Roles console.

Email tags

Change Auditor for Active Directory/Active Roles integration email tags are available which can be added to the event details of alert email notifications. These new email tags are:
%EVENTSOURCE% - indicates the application where the change event came from: Change Auditor for Active Directory, Active Roles, or GPOADmin.
%INITIATORMAIL% - for events generated by Active Roles or GPOADmin, the email address of the user that initiated the event.
%INITIATORSID% - for events generated by Active Roles or GPOADmin, the SID of the user that initiated the event.
%INITIATORUSERNAME% - for events generated by Active Roles or GPOADmin, the name of the user that initiated the event.

See the Change Auditor User Guide for more information about how to configure and enable email notifications and customize email content.

Removing deployed Change Auditor for Active Directory/Active Roles integration scripts

Previous Next

Removing deployed Change Auditor for Active Directory/Active Roles integration scripts

You can use the Active Roles console to manually remove previously deployed integration scripts.

To remove integration scripts:
1
Open Configuration | Policies | Administration.
2
Right-click Change Auditor Integration Policy, select Policy Scope.
3
Remove Active Directory in the object list.
4
Delete Change Auditor Integration Policy.
5
Right-click Change Auditor Integration Deprovision Policy, select Policy Scope.
6
Remove Active Directory in the object list.
7
Delete Change Auditor Integration Deprovision Policy.

If you are using...

 

Active Roles 6.9

Active Roles 7.0

Active Roles 7.1
Navigate to Configuration | Script Modules and delete Quest Change Auditor Integration Script.

Troubleshooting Tips

Previous Next

Troubleshooting Tips

Not receiving events from Active Roles

To diagnose problems with receiving events from Active Roles, check the ‘Active Roles Admin Service’ event log on the Active Roles server.

Initiator information missing in events

Some events do not provide the initiator account information. This could be caused by the following:

Manually created objects

Computer objects that are manually created do not capture the initiator account information of the user that initiated the change.
Protected and unprotected objects

If an object is protected and unprotected through the Active Roles console, the initiator account will be missing from Change Auditor for Active Directory.

The Protect/Unprotect operation in Active Roles is not a direct Active Directory attribute operation. When you protect/unprotect an object, you actually add an Access Template link to the security descriptor in Active Directory. Because of this, the initiator account information is not captured for events related to protect/unprotect events.
In some scenarios, the following events do not capture the initiator account information when made through the Active Roles console:
User password changed
User password changed by non-owner
User must change password at next logon option changed
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating