Chat now with support
Chat with Support

IT Security Search 11.4.1 - Release Notes

Resolved issues

The following is a list of issues addressed in IT Security Search 11.4.1 Update 3.

Table 5: Resolved issues in IT Security Search 11.4.1 Update 3

Resolved Issue Issue ID

If you use a function in your search query but omit the closing parenthesis, you get an unclear "Unrecognized expression" error message.


On the Details page for any file, clicking the "Who has direct or indirect access permissions on this folder" action link in the left pane may cause an error.


A saved search doesn't work if its query contains an ampersand (&).


When you click a file or folder item to view its details, the details page takes a long time to open.


When you save a query that contains a pair of parentheses, they are dropped from the resulting saved search. This can break the query.


Table 6: Resolved issues in IT Security Search 11.4.1 Update 2

Resolved Issue Issue ID

When you run searches on data provided by Enterprise Reporter, you get the following error message:

Ambiguous column name 'WhenCreated'.

This is caused by changes in the Enterprise Reporter database schema in version 3.2.1.


IT Security Search uses an unreliable account impersonation method for connection to SQL Server. As a result, the connection uses the computer account of the IT Security Search server, and this fails with an error like the following:

System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'domain_name\itss_server_name$'.


If the network link used by any of the enabled IT Security Search connectors is slow, then it takes a long time to show the details pages for items and may make the application unresponsive indefinitely. This happens even where no data from that connector is actually used.


If you add tabs to the result grid and later try to remove them by clicking their cross icons, in some situations the tabs stay there.


The following issues were resolved in previous releases of IT Security Search.

Table 7: Resolved issues in IT Security Search 11.4.1 Update 1

Resolved Issue Issue ID

If an IT Security Search operator's scope is limited by a query that contains the name of a specific field (for example, Source="Active Roles"), then that operator may not be able to view details pages when clicking the links in search results.


If the data store for the Warehouse component is in a network share that is not hosted on the IT Security Search server, then Active Roles events can be absent from search results.


Indexing of effective group membership data from Enterprise Reporter is slow and causes the "tempdb" database to exceed its size limit.


Indexing fails during calculation of group membership data from Enterprise Reporter if there is circular membership among the groups (meaning that groups are their own members through membership in other groups).


In InTrust connector settings, if you select a repository but then click Cancel, the repository is still there the next time you reopen the settings.


The breadcrumbs area contains garbage.


Table 8: Resolved issues in IT Security Search 11.4.1

Resolved Issue Issue ID

In some cases the Warehouse connector can produce huge error messages.



In some cases, if you pin an object type as a tab and the object type name is not all-lowercase, then you get duplicate tabs for it: one has your original spelling and the other is all-lowercase.


Sometimes if you copy a value from the search grid, garbage can be appended to the copied string.


For computer local users, "null" is shown on the Member Of tab.


For some types of object (particularly, objects that reference other objects through attributes), when you click the VIew Details link, you get the details for the wrong object.


If you expand or collapse the contents of a facet while a search is in progress, you may get an incomplete list of results.


The Warehouse store index may become corrupted if the Warehouse service is stopped while the index is being built.


If you use negative expressions in Warehouse searches, you may get incorrect search results for Enterprise Reporter data.


The web UI doesn't get dates from the IT Security Search server in a consistent format. It isn't always clear which number is the month and which is the day.


The details view for an Active Directory account shows the Last Logon field with a timestamp taken from Active Directory. However, it's possible that there are more recent logons by the account. Information about the last logons should be available in the events view instead of the details view.


When you try to click a facet to filter results, it can suddenly move away from the cursor.


If you use the Warehouse connector for working with Enterprise Reporter data in an environment with a large number of Active Directory objects, then data for container objects with a lot of members may fail to be saved in the Warehouse store.


If multiple events of the same kind (meaning, with the same values in fields such as What, Who, Whom and Where) occur less than a second apart, then the View Details link for all of these events may point to the newest of them.


Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 9: General known issues

Known Issue

Issue ID

Internet Explorer becomes unresponsive when IT Security Search shows a modal dialog box on top of the browser windows. You can work around this by minimizing all windows and clicking the close button in the modal window; Internet Explorer resumes working.


After an IT Security Search upgrade, the layout of the controls in the web interface can appear broken (missing blocks of data, misplaced elements and so on). You can correct this by refreshing the page, preferably with a cache cleanup (Ctrl+F5).

During the IT Security Search Warehouse installation step of IT Security Search setup, an unused service connection point is created in Active Directory. This operation is skipped if the user account used for installation doesn't have the required privileges. Whether or not the service connection point is created, this has no effect on the installation or operation of IT Security Search.


If you are upgrading IT Security Search from version 11.3 or later and you use data sending from Enterprise Reporter 3.0, you may need to go to Enterprise Reporter Configuration Manager and resend all data to IT Security Search. Otherwise, no pre-upgrade Enterprise Reporter data will be available to IT Security Search.

Search results from InTrust repositories and IT Security Search Warehouse may be incomplete. Eligible objects will be skipped if their names contain any of the following characters:

. @ "

This issue affects the following:

  • Searches for InTrust-provided events
  • Searches for data stored in IT Security Search Warehouse (Enterprise Reporter data and Active Roles events)
  • Results from the Test query link in operator scope options (on the IT Security Search Settings page, on the Security tab)


The IT Security Search Warehouse component may become inaccessible if you reinstall IT Security Search into the same organization where IT Security Search was previously deployed.

Root-cause: Newly installed server will receive new identification and data collected by a server with another ID will not be available for it.


  1. In InTrust Deployment Manager select Storage tab
  2. On each Repository that have exclamation sign on the right panel on Security section, click Edit link
  3. Specify valid InTrust server in Managed by this server combobox. Click Apply.

After the reconfiguration is finished, the following services should be started on IT Security Search server:

  • Quest IT Security Search Warehouse API
  • Quest IT Security Search Active Roles Data Attendant

It is recommended to either deploy a separate InTrust organization for IT Security Search every time you install the server or always perform the reconfiguration. InTrust system protects data collected by a specific server and prevents unauthorized access even for queries from the same computer.


System requirements

Before installing IT Security Search 11.4.1 Update 3, ensure that your system meets the following minimum hardware and software requirements.


The following versions of data-providing systems are supported in this version of IT Security Search:

  • InTrust 11.4.1, 11.4, 11.3.2, 11.3.1, 11.3
  • Change Auditor 7.1, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0, 6.9.5, 6.9.4, 6.9.3, 6.9.2, 6.9.1, 6.9
  • Enterprise Reporter 3.2.1, 3.2, 3.1, 3.0
  • Recovery Manager for Active Directory 10.1, 10.0.1, 10.0, 9.0.1, 9.0, 8.8.1
  • Active Roles 7.4.1, 7.4, 7.3.2, 7.3.1, 7.2.1, 7.2, 7.1

Software Requirements

  • Operating system:
    • Microsoft Windows Server 2019
    • Microsoft Windows Server 2016
    • Microsoft Windows Server 2012 R2
    • Microsoft Windows Server 2012
    • Microsoft Windows Server 2008 R2
  • Additional software:
    • Microsoft .NET Framework 4.7.2 or later
    • Microsoft Windows PowerShell 3.0 or later
    • Microsoft SQL Server 2012 or later (all editions)
      This is a requirement of the IT Security Search Warehouse component, which needs it for internal configuration management.
  • Additional requirements for the Recovery Manager for Active Directory connector:
  • Additional requirements for the Active Roles connector:
    • Active Roles Management Tools
    • The PowerShell script execution policy must be set to RemoteSigned.

Browser Compatibility

The IT Security Search Web interface works correctly with the following browsers:

  • Microsoft Edge
  • Microsoft Internet Explorer 11
  • Google Chrome 72.0 or later
  • Mozilla Firefox 65.0 or later

The minimum supported monitor resolution is 1024x768.

Hardware Requirements

  • CPU: 6 cores minimum; 16 cores recommended
  • RAM: 8GB minimum; 16GB or more recommended
  • Disk: 200GB (SSD recommended); disk space requirements are very dependent on the volume of Enterprise Reporter and Active Roles data being processed, because the index size varies proportionally; the indexes for Change Auditor, Recovery Manager for AD and InTrust data do not consume any disk space on the IT Security Search computer, because they are located in the data stores used by these systems
  • If you deploy on a virtual machine, make sure the CPU and memory requirements above are met, and do not overload the virtual machine host

To find out the disk requirements for IT Security Search installation, consider the sections below. They describe how much disk space is used for indexing data provided by specific connectors.

Disk Space for Legacy Enterprise Reporter Data

These numbers are for a sample environment with 10000 of each type of Enterprise Reporter object. Scale the values according to your own circumstances.

Object type Size of an index entry Number of objects Size of the index
Computers 1KB 10000 10MB
Files 0.2KB 10000 2MB
Groups 2.5KB 10000 25MB
Shares 1KB 10000 10MB
Users 2KB 10000 20MB
Total   50000 67MB

Disk Space for Enterprise Reporter Data in Warehouse

These are the average index entry sizes for each type of Enterprise Reporter object. Use them in calculating the required disk space for your particular on-premises or hybrid environment.

Note that there are generally multiple index entries per object, depending on how often objects are changed.

Object type

Average size

of an index entry,

in kilobytes

AD Permissions


AD Contacts














Azure Applications


Azure Contacts


Azure Devices


Azure Groups


Azure Network Security Groups


Azure Resource Groups


Azure Resource Subscriptions


Azure Resources


Azure Roles


Azure Service Principals


Azure Tenants


Azure Users


Azure Virtual Machines


Disk Space for Active Roles Event Data

An index entry for a single Active Roles event in IT Security Search Warehouse takes 0.5KB on average. Estimate the event rate in your environment to calculate the required disk space.

Disk Space for InTrust and Change Auditor Data

To display InTrust and Change Auditor events, IT Security Search uses the built-in indexes in InTrust and Change Auditor data stores, so no additional disk space is required.


Where to Install

It is recommended that you install IT Security Search in the same domain as the servers of your data-providing systems: InTrust, Enterprise Reporter, Change Auditor, Recovery Manager for Active Directory and Active Roles. Do not install IT Security Search on any of those systems' servers.

Product licensing

This product does not require licensing.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating