立即与支持人员聊天
与支持团队交流

Change Auditor 7.3 - PowerShell User Guide

Working with searches

Searches (both built-in and private) allow you to view valuable information based on activity captured by Change Auditor.

When using the commands, consider the following:
You cannot create multiple folders with the same name in the same directory.
Microsoft folder naming standards are upheld and restrict folder names to a length between 1 and 4000 characters.
You cannot create multiple searches with the same name in the same directory.
The commands generate audit events when a folder that contains public searches is deleted.
Administrators have full access to all the search commands.
Operators access inlcudes the following:
Full access for:
Invoke-CASearch
Get-CASearches
Get-CASearchDefinition
Restricted access to private searches and folders for:
Set-CASearchProperties
Copy-CASearch
Add-CASearch
Move-CASearch
Remove-CASearch
Add-CASearchFolder
Remove-CASearchFolder

The following commands are available to manage searches:
Invoke-CASearch
Get-CASearches
Get-CASearchDefinition
Set-CASearchProperties
Copy-CASearch
Add-CASearch
Move-CASearch
Remove-CASearch
Add-CASearchFolder
Remove-CASearchFolder
Invoke-CASearch

Use this command to run a search.

Table 32. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search to run. Use Get-CASearches to find the PSCASearchInfo object required to identify the search.

-StartTime (Optional)

The start time for the events that will be retrieved. By default this is the start time defined in the search.

-EndTime (Optional)

The end time for the events that will be retrieved. By default this is the start time defined in the search.

-Limit (Optional)

The maximum number of records to retrieve and display. By default this is the limit defined in the search.

Example: Running a search and limit the display to 10 events

$connection = Connect-CAClient -InstallationName 'DEFAULT"

$search = Get-CASearches $connection | ? {$_.Name -eq "All Events"}

Invoke-CASearch -Connection $connection -Search $search -limit 10

 

Get-CASearches

Use this command to view information on all available searches and identify a search info object that is required for some other commands.

Table 33. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Viewing all available searches within a specific installation

Get-CASearches $connection

Example: Viewing a specific search

Get-CASearches $connection | ? {$_.Name -eq "All AD Queries in the last 30 days"}

Get-CASearchDefinition

Use this command to obtain the search definition from an existing search. The search definition is XML that can be modified and used to create a search.

Table 34. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

- Search

The search info object obtained from the Get-CASearches command.

Example: Getting the definition of a search with the name “All Events” and writing it to a file at the directory “C:\definitions\All Events.xml”

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

[xml]$xmlString = Get-CASearches $connection | ? {$_.Name –eq “All Events”} | Get-CASearchDefinition $connection

$xmlString.Save(“C:\definitions\All Events.xml”)

Set-CASearchProperties

Use this command to update the search name, default folder, set the limit of a public or private search, or the path and subsystem for an imported .csv file of a list of directory objects.

Table 35. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-Name

Specifies a new name for the search.

-DefaultFolderPath

Specifies a new default folder path for the search.

-Limit

Specifies a new limit for the search.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

-Subsytem

The subsystem to update. The ability to import a .csv file with a list of objects is available for Active Directory, Exchange, and Group Policy.

-Path

Path to the .csv file to import.

Example: Changing the display name of a search, set the default folder path and limit

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ?{$_.Name –eq “All Owner Mailbox Events”}

Set-CASearchProperties $connection -Search $search -Name "NewName"
-DefaultFolderPath "C:\PATH\MYSEARCH" -Limit 1000

Example: Import a .csv file of Active Directory objects
* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.

$connection=Connect-CAClient -InstallationName 'Default'

$search = Get-CASearches $connection | ? {$_.Name -eq "All My Events"}

Set-CASearchProperties $connection -Search $search -Subsystem "Active Directory" -Path "C:\MyCSVObjectList.csv"

Copy-CASearch

Use this command to copy a search in the installation.

Table 36. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-IsPublic (Optional)

An optional switch that specifies if the search is public. The default is private.

-UserSid

An optional parameter that is used (when –IsPublic is not used) to specify the SID of the user that owns the directory where the copy of the search is placed.

-Path

A parameter that specifies a path where the copy is to be placed. The default is the root folder of the user/public folder specified with
–UserSid /-IsPublic.

-Name (Optional)

An optional parameter that specifies a new name for the copy of the search.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

Example: Copying a search named “New Search for Employee” to a user’s private folder Searches\New and giving it a new name “All My Events”

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.Name –eq “New Search for Employee”}

Copy-CASearch –Connection $connection –Search $search –UserSid S-1-5-21-3623811015-3361044348-30300820-1013 –Path Private\Searches\New –Name “All My Events” -PassThru

Add-CASearch

Use this command to create a search in the installation.

Table 37. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-XmlSearchDefinition

An XML string or object that represents a search definition.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when –IsPublic is not used) to specify the SID of the user who owns the new search.

-Path

A parameter that specifies a path where the new search will be placed. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.

-Name

A parameter that specifies a new name for the search.

-PassThru (Optional)

A switch that specifies to return the new search after the command runs.

Example: Adding a public search to the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$searchDefinition = Get-Content C:\Users\Admin\Documents\MySearchDefinition.xml

Add-CASearch –Connection $connection –XmlSearchDefinition $searchDefinition
–IsPublic –Path Shared\AllSearches\New –Name “All events in the past 23 hours”
-PassThru

Move-CASearch

Use this command to move a search from one folder path to another in the installation.

Table 38. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when –IsPublic is not used) to specify the SID of the user who owns the new search.

-Path

A parameter that specifies the path where the search will be placed. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.

-Search

The search info object obtained from the Get-CASearches command.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

Example: Moving the search named “All AD Queries in the last 30 days” to the private folder “Shared\Skype\” of the user with the SID “S-1-5-21-3623811015-3361044348-30300820-1013”

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.Name –eq “All AD Queries in the last 30 days”}

Move-CASearch $connection –Search $search –UserSid S-1-5-21-3623811015-3361044348-30300820-1013 –Path “Shared\Skype”

Remove-CASearch

Use this command to remove a public or private search from the installation.

Table 39. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-Force (Optional)

A parameter that removes the prompt before a search is removed.

Example 1: removing any search with the name “All Exchange Admin Events” from the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.Name –eq “All Exchange Admin Events”}

Remove-CASearch $connection –Search $search

Example 2: Removing the search with the name “All Search Events”, owned by the user with the SID “S-1-5-21-3623811015-3361044348-30300820-1013”, which exists in that user’s folder “Security\Internal\Searches” from the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

$search = Get-CASearches $connection | ? {$_.OwnerSid –eq “S-1-5-21-3623811015-3361044348-30300820-1013”} | ? {$_.FolderPath –eq “Security\Internal\Searches”} | ? {$_.Name –eq “All Search Events”}

Remove-CASearch $connection –Search $search

Add-CASearchFolder

Use this command to create a search folder in the installation.

Table 40. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when –IsPublic is not used) to specify the SID of the user who owns the new folder.

-Path

A parameter that specifies the path to create. The default is the root folder of the user/public folder specified with –UserSid /-IsPublic.

Example: Adding the public folder Searches\New to the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

Add-CASearchFolder –Connection $connection –IsPublic –Path Shared\Searches\New

Remove-CASearchFolder

Use this command to remove a public or private folder from the installation.

Table 41. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies the folder being removed is public.

-UserSid

A parameter that is used if –IsPublic is not specified to speci-fy the SID of the user that owns the private folder being removed.

-Path

A parameter that specifies the path to the folder to remove. The default is the root folder of the user/public folder specified with
–UserSid /-IsPublic.

-Force (Optional)

An optional parameter that removes the prompt before a search is removed.

Example: Removing the public folder in the installation Miscellaneous\OldSearches

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

Remove-CASearchFolder $connection –IsPublic –Path Shared\Miscellaneous\OldSearches

Managing Active Directory Database auditing

Change Auditor allows you to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts.

Extraction of this file could lead to parsing of usernames and passwords resulting in a security breach. The ability to audit changes to this file reduces the risk of the user account information from being accessed and tampered with by unwanted processes or users.

Managing Active Directory database auditing is available through the following PowerShell commands:
New-CAADDatabaseTemplate
Get-CAADDatabaseTemplate
Remove-CAADDatabaseTemplate
Set-CAADDatabaseTemplate
New-CAADDatabaseTemplate

Use this command to create an Active Directory Database auditing template.

Table 42. Parameter description
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from auditing. The default is none.

Example: Create a new Active Directory Database auditing template

New-CAADDatabaseTemplate -Connection $connection -TemplateName $template
-ExcludeProcess $excludeProcess -Disabled false

Get-CAADDatabaseTemplate

Use this command to see all the Active Directory Database auditing templates available within your installation.

Table 43. Parameter description
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Id (Optional)

The template GUID.

Example: Get a list of all Active Directory Database templates

Get-CAADDatabaseTemplates -Connection $connection

Remove-CAADDatabaseTemplate

Use this command to delete an Active Directory Database auditing template.

Table 44. Parameter description
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAADDatabaseTemplate object to remove. Obtain the template objects using the Get-CAADDatabaseTemplate command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Example: Remove a Active Directory Database auditing template

Remove-CAADDatabaseTemplate -Connection $connection -Template $removeTemplate

Set-CAADDatabaseTemplate

Use this command to modify an Active Directory Database auditing template.

Table 45. Parameter description
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-Template

The PSCAProtectionTemplate object to update.

Obtain the template objects using the Get-CAADDatabaseTemplate command and filter to select the object to remove.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from auditing. The default is none.

Example: Modify an Active Directory Database auditing template

Set-CAADDatabaseTemplate -Connection $connection -template $template -templatename "Name" -ExcludeProcess $excludeProcess -Disabled false

Working with Active Directory Database protection templates

Change Auditor allows you to protect the Active Directory database (NTDS.dit) file for possible unauthorized access attempts.

The following commands are available to manage Active Directory Database protection:
New-CAADDProtectionTemplate
Set-CAADDProtectionTemplate
Get-CAADDProtectionTemplates
Remove-CAADDProtectionTemplate
New-CAADDProtectionTemplate

Use this command to create an Active Directory Database protection template.

Table 46. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from protectoin. The default is none.

Example: Create an Active Directory Database protection template

New-CAADDProtectionTemplate -Connection $connection -TemplateName TemplateSample

Set-CAADDProtectionTemplate

Use this command to modify an Active Directory Database protection template.

Table 47. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAADDProtectionTemplate object to edit. Obtain the template objects using the Get-CAADDProtectionTemplates command and filter to select the object to remove.

-TemplateName (Optional)

The template name.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from protectoin. The default is none.

Example: Create an Active Directory Database protection template

set-caaddprotectiontemplate -connection $connection -template $template -templatename "templatesample"

Get-CAADDProtectionTemplates

Use this command to see all the Active Directory Database protection templates that have been created.

Table 48. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-ID (Optional)

GUID for a specific template.

Example: Get a list of all Active Directory Database Protection templates

Get-CAADDProtectionTemplates -Connection $connection

Remove-CAADDProtectionTemplate

Use this command to remove an Active Directory Database protection template.

Table 49. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAADDatabaseTemplate command and filter to select the object to remove.

-Force (Optional)

Removes the template without providing confirmation.

Example: Remove an Active Directory Database protection template

Remove-CAADProtectionTemplate -Connection $connection -Template $template

 

 

 

 

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级