My name is Brian Hymer. I'm a solutions architect with Dell. I focus on our compliance solutions, of which ChangeAuditor is one. I wanted to show you how to do a little more specific search than normal, something that may spark some creativity for those of you that are trying to get a little bit more out of ChangeAuditor.
So let's take a look at some searches here. I think you all know that there are several types of searches that you can do. I, for example, have this group Membership Changes Search that I built over here. Here is also a bunch of pre-built searches.
I had a customer come to me recently and said, listen, we want to know when somebody removes the Domain Admins group from the Local Administrators group on a member server. Now, you might not even know that you can do that, that you can run ChangeAuditor on a member server. But you can.
And it can do things like watch local group memberships and SAM account changes, as well as a few other things on member servers. Let me show you how you do this particular search. I'll just click the New button here and make a new search. And we'll give it a good name.
Something like that, that looks pretty good. We'll save that. The name appears up here. And then we'll just go to our What criteria. And What is always what happened.
So, in this case, we're dealing with local groups. So I'll hit my Add button here. And since I don't want to go scrolling through this, I can simply type Local Group. And that'll weed down all the events that we have that are available.
Here's the one that I want. And you notice, as soon as I highlighted that, I get this Where criteria, this restriction criteria. The previous value on a remove would be the group name or the account name that was removed. So here, I'll put Domain Admins.
OK, and I've got this little box checked. I'll go ahead and add this. And you can see here, it tells me that it's going to do that parameter with a restriction of the From value containing Domain Admins. That's exactly what I want, so I'll click OK. And we'll go ahead and run this and see how it looks.
Hey, it created my search. And you notice I got three results back. So let's just take a look at the detail here. I'll double-click on the first event.
And here, this is the Domain Admins group, which is what I want. But it's being removed from a different local account group, the Remote Desktop Users. And that's not what I want.
My next event here, that's Backup Operators. That's not correct. This last one is what I want. How do I get specific in this event so that I only show when it gets removed from the Local Administrators group? Let me show you that.
I'll come back here to my Search properties. And in my What criteria, I'm going to add another entity. I've got my event class entity where I've got the event that I wanted with a restriction.
Now, I'm going to use this little drop-down next to the Add button. I'm going to go into Subsystem. Here we go. And we're going to look for a local account.
OK, this isn't an Active Directory account. This is the local account that we're looking for. And we'll be very specific, so we'll pick this object. And we'll pick the Administrators group. You can see that line right there.
So I'll add that as criteria. And you'll see down below here, what I end up with is two different entities in my What criteria: one for Domain Admins being removed from a local group and another for that local group being the Administrators. So I'll save that. And I'll run it.
You can see now I get back exactly the result that I expected. The other two results are not there. And that's how you do it. For more information about ChangeAuditor for Active Directory, and to download a free trial version of the product, visit www.quest.com/changeauditorforactivedirectory. Thanks for watching.