Overcome AD Audit Log Limitations
Learn how ChangeAuditor for Active Directory helps you achieve full regulatory compliance by overcoming limits to Active Directory’s native audit log.
Read now »

ChangeAuditor for Active Directory

Track critical changes with Active Directory auditing tools

ChangeAuditor for Active Directory is a powerful windows auditing tool that proactively tracks, reports and alerts on vital configuration changes – in real time and without the overhead of native auditing.

This Active Directory reporting tool enhances security by telling you instantly who made what change when, where and from which workstation – eliminating the risks associated with day-to-day modifications. Plus, you can compare the original and current values for fast troubleshooting and remediation. 

For compliance, ChangeAuditor for AD generates intelligent, in-depth forensics for auditors and management.
You’ll have confidence knowing that your organization can pass its next internal security or regulatory compliance audit.

Features

  • At-a-Glance Display: Tracks user and administrator activity with detailed information including who, what, when, where and from which workstation for change events, plus original and current values for all changes.
  • Real Time and “Smart” Alerts: Sends an alert immediately when critical items are changed or when patterns of changes occur. 
  • Account Lockout: Captures the originating IP address/workstation name for account lockout events to simplify troubleshooting.
  • Object Protection: Provides protection against changes to the most critical AD objects, such as accidentally deleted OU and modified GPO settings.
  • Tracks Changes to Nested Group Memberships: Monitors groups that exist within groups without setting an explicit rule, streamlining the monitoring of group changes.
  • Does Not Require Native Auditing: Captures change information without the need for native audit logs, resulting in significant savings of storage resources.
  • Configurable Auditing: Keeps the audit database from database from overloading by disabling events and excluding high traffic or "safe" accounts from being audited.
  • Reporting: Generates predetermined or custom reports quickly using built-in reports and a comprehensive compliance reporting library.
  • Role-Based Access: Configures access so auditors can run searches and reports without making any configuration changes to the application, and without requiring the assistance and time of the administrator.

Sys Reqs

Before installing ChangeAuditor, ensure your system meets the following minimum hardware and software requirements:

ChangeAuditor Client (Client-side Component)

The ChangeAuditor Client connects to a ChangeAuditor Coordinator and queries the audited event database for the desired results.
Client HardwareMinimum: P4 2.0 GHz or better; 1 GB RAM or better
Recommended: P4 3.0 GHz or better; 2 GB RAM or better

A machine running on any x86 or x64 editions of the following minimum platforms:
    • Windows Server 2003
    • Windows Server 2003 R2
    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows XP SP2
    • Windows Vista
    • Windows 7
  • Screen resolution of at least 1024 x 768 with at least 256 colors
Client Software and Configuration
  • x86 or x64 versions of Microsoft's .NET Framework v3.5 SP1 or higher
    NOTE: To verify that you are running the appropriate version of Microsoft's .NET Framework use Add/Remove Programs (Start | Control Panel | Add or Remove Programs).
  • Microsoft Data Access Components (MDAC) 2.8 SP1
  • X86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • X86 or x64 versions of Microsoft SQLXML 4.0
  • Internet Explorer 6.0 (or higher)
Client Footprint
  • Estimated hard disk space usage of 70 MB
  • Estimated RAM physical memory of 100 - 200 MB
    NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM.

 

ChangeAuditor Coordinator (Server-side component)

The ChangeAuditor Coordinator is responsible for fulfilling client and agent requests and generating alerts.
Coordinator Hardware Minimum: P4 2.0 GHz or better; 1 GB RAM or better
Recommended: P4 3.0 GHz or better; 2 GB RAM or better
Member server running on any x86 or x64 editions of the following minimum platforms:
      • Windows Server 2003
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 R2
Coordinator Software and Configuration Coordinator Software and Configuration:
  • For the best performance Quest recommends:
    • The ChangeAuditor Coordinator be installed on a dedicated member server.
    • The ChangeAuditor database be configured on a separate, dedicated SQL server instance.
  • Supported SQL Server versions:
    • Microsoft SQL Server 2005 SP2 or higher service pack
    • Microsoft SQL Server 2008
    • Microsoft SQL Server 2008 R2
  • The Coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the  forest root domain.
  • x86 or x64 versions of Microsoft's .NET Framework v3.5 SP1 (or higher)
  • X86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
  • X86 or x64 versions of Microsoft SQLXML 4.0
  • Microsoft Data Access Components (MDAC) 2.8. SP1
Coordinator Footprint
  • Estimated hard disk space used: 40 MB
  • Estimated RAM physical memory of 100 MB
  • Additional 80 MB disk space used by Agent MSI's
  • Estimated database size will vary depending on the number of agents deployed and audited events captured.
Minimum PermissionsUser account performing the coordinator installation:
The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:
    • Windows permissions to create and modify registry values.
    • Windows administrative permissions to install software and stop/start services.
* It is recommended that the user account performing the installation, be a member of the Domain Admins group in the domain where the coordinator is being installed.
Service account running the coordinator service (LocalSystem by default):
    • Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a ChangeAuditor Coordinator.
    • Local Administrator permissions on the coordinator server.
SQL Server database access account specified during installation:
An account must be created to be used by the Coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
  • Must be assigned the db_owner role on the ChangeAuditor database
  • Must be assigned the SQL Server role of dbcreator
  • Must be assigned the following database roles in the msdb database:
    • db_datareader
    • db_datawriter
    • SQLAgentUserRole

 

Quest ChangeAuditor Agent (Server-side component)

A ChangeAuditor Agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. These agents will then report these audit events to the SQL database or ChangeAuditor Coordinator.
Agent Hardware
  • Minimum: PIII 1.0 GHz or better; 512 MB RAM or better
    Recommended: P4 2.0 GHz or better; 2 GB RAM or better
  • Server running on any x86 or x64 editions of the following minimum platforms:
      • Windows Server 2003 SP1
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 Core
      • Windows Server 2008 R2
      • Windows Server 2008 R2 Core
  • ChangeAuditor Agent requires File and Printer Sharing on Windows Server 2008. By default, File and Printer sharing is not enabled on Windows Server 2008 installations. In order to remotely deploy agents to Windows Server 2008 (Full UI and Server Core), enable the File and Printer sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.
  • The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.
  • Auditing of some Exchange events require the latest Exchange service pack to be installed. Please refer to the ChangeAuditor for Exchange Events Reference Guide for the minimum service packs required for Exchange events.
  • The ChangeAuditor Agent uses the COM+ and Distributed Transaction Coordinator (DTC) services locally on the host server for detecting Exchange Server message created, moved, copied and deleted events. If the COM+ or DTC services are disabled or inoperative, these events will not be detected but the Agent will otherwise run normally. Network access to DTC is not required. When enabling the COM+ service, a ChangeAuditor Agent restart is required, because COM+ service registration occurs at agent startup time.
Agent Software and Configuration
  • Microsoft .NET Framework 3.5 SP1 – ONLY where the agent is installed on Exchange servers with the CAS (OWA) role
  • Microsoft Data Access Components (MDAC) 2.8.
  • Requires an active Global Catalog
    ChangeAuditor Agents must be able to reach a global catalog (GC) server to resolve SIDs and mailbox names. If a GC is not available, the agent will temporarily use a DC to perform GC functions. The agent will attempt to connect to a GC every nine hours or on restart. The following events will not be captured while the GC is unavailable:
    • Exchange Mailbox events
    • Linked GPO changed events
    • QAS configuration events
Minimum Permissions
  • ChangeAuditor Agent must run as localsystem.
Exchange Monitoring Minimum Service Pack Requirements
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007 x64 Service Pack 1
  • Microsoft Exchange Server 2010 RTM and Service Pack 1
Agent Footprint Estimated hard disk space used: 500 MB or greater
Estimated RAM used:
  • Core Agent: 25 MB
  • CAAD: 25 MB
  • CAADAM: 3 MB
  • CAEX: 20 MB
  • CAWFS: 20 MB
  • CASQL: 15 MB
  • CALDAP: 15 MB
  • CAEMC: 10MB
  • CANETAPP: 10MB

Language Supported:
  • US English

Docs

Support Docs, Notes and Guides

Release Notes and User Guides back to top