Change Auditor alert for larger number of AD groups

Hello,

We have recently brought in Quest Change Auditor (6.9.4 Build 9177) to help us with Active Directory.

Our first directive is to use the tool to monitor up to 1,200 AD groups for membership changes.  When membership changes are detected, send an alert to a shared mailbox, etc.

We have this set up now with approximately 600 groups, and it seems to be working as intended.

We expect to have to update the AD group list on a monthly basis to add/remove groups as needed.

To make the updates, we plan to export the xml, edit it to include the newest group information, and import the updated search back into CA.

Having said all that, here are my questions:

1. Is it feasible to alert on ~1,200 AD groups with a single search?

2. Is there a better way to design the search?

3. Is there a better way to update the search?  Note: with the number of groups we're working with, we want to avoid using the UI for the updates.

4. What special characters do we need to watch out for in the xml updates?  I'm only aware of these 5: &lt; (<), &amp; (&), &gt; (>), &quot; ("), and &apos; (')

5. With regards to the SMTP alerts, is it possible to use the variables in the email body in the subject line?  For example, I tried to reference %TIMEZONETIMEDETECTED% in the subject, but it did not work.

If you made it this far, thanks for reading, and for any feedback you have!

George

  • Hi George,

    Are you trying to alert on any/all group membership changes, or just on a set of 1200 groups out of an even larger total number of groups?

    Will try to answer your questions below...

    1. Is it feasible to alert on ~1,200 AD groups with a single search?

    Sure, it is possible. The SQL itself will contain many matching conditions, but generally speaking it's ok.

    2. Is there a better way to design the search?

    If these groups are all stored in a specific OU or follow some naming convention, the search could be built much more easily to focus only on groups in a specific AD container or on groups with a certain naming convention using wild-cards. If neither of these is applicable, you will need to populate the list as you have done currently, since there is no other meaningful way to define the SQL.

    3. Is there a better way to update the search? Note: with the number of groups we're working with, we want to avoid using the UI for the updates.

    Currently there is not, unfortunately. We are looking at future enhancements in this area, for example allowing the import of object names from a text file.

    4. What special characters do we need to watch out for in the xml updates? I'm only aware of these 5: &lt; (<), &amp; (&), &gt; (>), &quot; ("), and &apos; (')

    While we do not generally advertise or support updating the XML in this manner, there should not be any special characters to watch out for in the search XML/definition, at least for a search with the purpose described here.

    5. With regards to the SMTP alerts, is it possible to use the variables in the email body in the subject line? For example, I tried to reference %TIMEZONETIMEDETECTED% in the subject, but it did not work.

    Only a very specific set of variables is allowed in the Subject line, as not every event included in the alert (an alert can contain many events) may share the same resolved variable. The allowed list of variables appears under the "..." | Insert Variables menu next to the "Alert Subject" field in the alert settings.
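For the monthly export/edit/import cycle described in the original post (and the special-character concern in question 4), the safest way to edit the exported XML is with an XML library rather than string replacement, so that `&`, `<`, `>` and quotes in group names are escaped for you. The script below is an added illustration, not Quest's code or the real Change Auditor export schema: the `<Search><Groups><Group name=".."/>` layout is a hypothetical placeholder that you would replace with the tag names found in your own export, and the sample export is constructed for this example.

```python
"""Sync the group list inside an exported Change Auditor search XML.

ASSUMPTION: the <Search><Groups><Group name=".."/> layout used here is a
hypothetical stand-in, not the real export schema. Inspect your own
exported XML and adapt the tag/attribute names before use.
"""
import xml.etree.ElementTree as ET

# Constructed sample export standing in for the real exported file.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-8"?>
<Search name="Group membership changes">
  <Groups>
    <Group name="Domain Admins"/>
    <Group name="Legacy &amp; Retired"/>
  </Groups>
</Search>"""


def sync_groups(xml_text, desired):
    """Return XML whose <Group> entries exactly match the `desired` names.

    Groups absent from `desired` are removed and new ones appended. Because
    ElementTree serialises attribute values itself, names containing
    & < > " are escaped correctly with no hand-written entity handling.
    """
    root = ET.fromstring(xml_text)
    container = root.find("Groups")
    if container is None:
        raise ValueError("no <Groups> element in export")
    existing = {g.get("name"): g for g in container.findall("Group")}
    wanted = set(desired)
    for name, elem in existing.items():
        if name not in wanted:
            container.remove(elem)          # group dropped this month
    for name in desired:
        if name not in existing:
            ET.SubElement(container, "Group", name=name)  # newly added
    return ET.tostring(root, encoding="unicode")


def group_names(xml_text):
    """Parse the group names back out, proving the round trip is lossless."""
    root = ET.fromstring(xml_text)
    return [g.get("name") for g in root.iter("Group")]


if __name__ == "__main__":
    # A new monthly list: one kept, one removed, two added (one with
    # every awkward character from question 4 in its name).
    new_list = ["Domain Admins", 'R&D "Core" <Team>', "Finance"]
    updated = sync_groups(SAMPLE_EXPORT, new_list)
    print(updated)
    assert group_names(updated) == new_list
```

Keep the original export untouched and diff it against the regenerated file before importing, so an unexpected structural change is caught before it reaches the alert.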