https://www.quest.com/community/change-auditor/en-USTelligent Community 13https://www.quest.com/community/change-auditor/f/forum/37306/how-can-i-search-for-changes-in-extensionattributesMon, 20 Apr 2026 15:38:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:45c96220-c9f2-4f56-a288-9a464d5aedb1djmostWe are using v7.5 Build 31003. We are trying to understand who updated an extensionAttributes? How do I modify my Quick Search to look specifically for extensionAttrubtes?https://www.quest.com/community/change-auditor/f/forum/37262/emc-events-on-syslogMon, 30 Mar 2026 14:28:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:4565d514-a558-4947-a96e-e29d6dbd8c9blffernandezHi, Can you include EMC events on syslog subscriptions? I don't see them in the options to select.https://www.quest.com/community/change-auditor/f/forum/36525/reporting-with-powershell/86125Tue, 30 Dec 2025 07:54:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:cb839128-1614-42a0-a52b-df1034f8835by r i xe lfie c oThank you for the information.https://www.quest.com/community/change-auditor/f/forum/36525/reporting-with-powershell/86106Tue, 23 Dec 2025 19:20:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:fb2ef062-2e50-4aa3-811d-6339af675c38djmostI have looked at this section of the documentation. Unfortunately, it appears to build on an existing search with some filtering. We have tried unsuccessfully to build generic searches with specific filtering.https://www.quest.com/community/change-auditor/i/ideas/ca-for-sql-audit-for-read-only-queriesTue, 16 Sep 2025 08:24:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:ee40ef20-4cbf-4960-9513-29d40c98ad02rakesh chulliparambilSince the Apex SQL is EOL, the customers are expecting CA to audit the read only queries performed on the SQL databases. At present CA does not audit anything read only performed against the SQL DBs The use case is for eg In Banking industry the PCI data is stored in SQL tables and any one who is trying to read this data should be audited though they do not perform any changes.https://www.quest.com/community/change-auditor/i/ideas/protecting-the-ca-agent-servicesTue, 16 Sep 2025 07:53:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:66f2e360-827d-4633-8818-e5cd7c0d39cfrakesh chulliparambilThe CA Agents are running on Local system context in the domain controllers. This is a security RISK as this service can be exploited as the Local System on a DC is equivalent to Domain Administrator Privileges. Also the service can be stopped without any additional password. If the service is stopped the protection templates also stop working. We should ideally enable more security for this agent service to either remove it from local system context or enable a password to stop or disable the service like the Antivirus OEMS do.https://www.quest.com/community/change-auditor/f/forum/36678/upgrade-to-7-6Thu, 31 Jul 2025 16:09:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:bf86f06b-7652-4077-8d51-b7a61418f021lffernandezHas anyone upgraded to 7.6? Any known issue? We are getting ready to upgrade and wanted to make sure. Thanks in advance.https://www.quest.com/community/change-auditor/f/forum/36525/reporting-with-powershell/85085Thu, 10 Jul 2025 15:22:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:581bc7ff-59e3-4eb8-9b44-660c134301a0JohnnyQuestHave you looked at this part of the documentation? Take a look and feel free to post any follow-up questions.https://www.quest.com/community/change-auditor/f/forum/36526/using-power-biThu, 10 Jul 2025 13:19:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:5ef9aa0a-3a1f-4b4f-ac5a-488448e860eedjmostWe use quick searches to review specific events. Often, we would like to see the same type of quick search for multiple objects. Can we connect the underlying database to leverage Power BI to present the data?Change Auditor for Active DirectoryPower BIhttps://www.quest.com/community/change-auditor/f/forum/36525/reporting-with-powershellThu, 10 Jul 2025 13:16:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:50b78714-0d66-42ac-90fd-9ad2434697d0djmostWe use quick searches to review specific events. Often, we would like to see the same type of quick search for multiple objects. Has anyone been able to leverage Powershell to query instead of performing a Quick Search?Change Auditor for Active DirectoryPowershellhttps://www.quest.com/community/change-auditor/f/forum/36394/custom-search-filter-for-users/84684Fri, 30 May 2025 21:03:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:65fdf7a8-c14e-4a9f-bf24-93144e3e2b1bjim.cochranDoh! That's an excellent idea. I don't currently have them in that group, but would be really easy to do and enforce with ARS. Thank you!!!https://www.quest.com/community/change-auditor/f/forum/36394/custom-search-filter-for-users/84682Fri, 30 May 2025 17:25:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:5de0c398-9d23-4dc9-8fc5-906a1b92cedeJohnnyQuestAnother idea popped into my head - do you have an AD group that contains all people identified as employees via EA11? If you do then you could use the fact that the user being disabled is a member of that group to scope them into the search results.https://www.quest.com/community/change-auditor/f/forum/36394/custom-search-filter-for-users/84681Fri, 30 May 2025 17:23:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:9f5e73f4-12ba-4f71-b2fe-311101cd87afJohnnyQuestMy pleasure. The challenge is that within the Change Auditor UI, there is no way to build a filter on that attribute because it's not being stored for every user and thus not available in the Who/What/Where tabs nor on the "Layout" tab for the Search. Now, what you could do is modify the actual SQL code for the Search (exposed on the SQL tab) and shoehorn in some code in there that would fetch the attribute from AD on the fly and check for your value. This would slow down the execution of the search. You would have to test to see whether it's worth the performance hit.https://www.quest.com/community/change-auditor/f/forum/36394/custom-search-filter-for-users/84680Fri, 30 May 2025 15:37:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:b876d172-f5b4-4c86-822c-c7fb99083f5bjim.cochranThank you, I appreciate you taking the time to respond. I can manage the query in Powershell, but I was looking to create a smart alert from CA that would notify me anytime a user with that attribute set to that value was disabled.https://www.quest.com/community/change-auditor/f/forum/36394/custom-search-filter-for-users/84679Fri, 30 May 2025 14:37:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:8d237730-1d16-4cb0-b984-48268177d3eeJohnnyQuestJust to be clear on what you need: You want a search for all transactions where a user account was disabled and the extensionattribute11 of that user equals the string "employee". The challenge is that Change Auditor doesn't store the contents of extensionattribute11 for any user except for the case where a transaction involves the attribute being modified. So you would probably have to compile your "report" in two steps: 1) Generate a Search for all account disable transactions 2) Take the list of usernames that you get from that and check each one's extensionattribute11 (EA11) in Active Directory. I would approach this task with a Powershell script that would combine extracting the Change Auditor data and then performing the EA11 lookup. Information on performing searches with Powershell may be found here For querying AD, you would just use the native Active Directory cmdlets. So probably Get-ADUser. If you come up with some code and it doesn't quite get you what you need, feel free to post it here and someone like me will give you a hand.https://www.quest.com/community/change-auditor/f/forum/36394/custom-search-filter-for-usersThu, 29 May 2025 20:22:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:a2bd8680-1ab0-458b-8a8f-302ba5a11061jim.cochranI want to search for all disabled users where "extensionAttribute11" = "employee" Is this possible?https://www.quest.com/community/change-auditor/f/forum/32384/failed-group-policy-container-access-change-auditor-protection/84552Tue, 20 May 2025 14:45:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:0bceb224-1119-4cbd-a066-fa9b9e90e06cjoe.whiteEncountered the similar issue. Here is a synopsis of what was done, seen, and steps take to resolve USERA: Authorized Domain Admin, whom was configured in CA-Protection as an Override Account (by AD group membership) Logged into Domain Controller (DC1) GPMC was opened on DC1, but connected to DC-2 (assume the Domain Admn had configured GPMC to connect DC2 sometime in the past) The Default Domain Policy was modified by USERA Change Auditor shows Events of Group Policy change was successful by USERA Started getting repeated alerts that Protected GP was triggering "“Access to Group Policy Default Domain Policy was denied” for User (DC2) Had USERA change the GPMC connection to DC1, and not DC2 Protected Events continued repeating every 3-6 minutes Added DC-2 to as an “Override account” in CA-Protection, Protected Events continued repeating every 3-6 minutes Restarted DC-2 The Protected Events Stopped Note, the Group Policy itself was consistent with the change made throughout all Domain Controllers in the Enterprise (DFS-R of the SYSVOL) The GP on DC-2 (Sysvol) was confirmed to have the changes, even while the Protection events were occurring Unsure why Domain Controllers are not by Default consider Override Accounts for all AD objects And unsure what DC-2 was trying to do exactly The going theory is that GPMC somehow kept the GP Container open in a State Protection could not access. How\Why , unknownhttps://www.quest.com/community/change-auditor/f/forum/36237/cleanup-activity-from-change-auditor-for-active-directory-for-decommissioned-dc-sTue, 22 Apr 2025 06:26:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:4f299c35-1207-49b6-b726-ec4c3135343cprabhbhangu1998Hi Experts, What cleanup activities can be performed on decommissioned DCs as well in CAAD portal in perspective of Change Auditor for Active Directory?Change Auditor for Active Directoryhttps://www.quest.com/community/change-auditor/f/forum/36120/licensingThu, 27 Mar 2025 13:24:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:b266c9a5-c93b-4268-8699-12e2d61d3356renato cardiaDo users who are listed as guests in Azure, for instance, to access the VPN or share data via SharePoint, also need to be licensed? Or is the licensing requirement applicable only to employees? Thank youhttps://www.quest.com/community/change-auditor/f/forum/36076/schedule-report---list-group-membershipFri, 21 Mar 2025 14:06:00 GMT5f2f4fa7-ebc7-4803-900c-42d427844a5e:144f6e31-738d-477a-8afc-13bc4acae8d3tomas montielI would like to create a weekly report that lists the current members of a specific group. Although I have set up alerts for changes within the group, I also want to receive a weekly report detailing the current members. Can I make this report in Change Auditor?