Dell Change Auditor 6.5. Installation Guide


© 2014 Dell Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Dell Inc.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:
Dell Inc.
Attn: LEGAL Dept
5 Polaris Way
Aliso Viejo, CA
Refer to our web site (software.dell.com) for regional and international office information.

Patents
This product is protected by U.S. Patents # 7,979,494; 8,185,598; 8,266,231; and 8,650,578. Additional Patents Pending.

Trademarks
Dell, the Dell logo, GPOADmin, SonicWALL and InTrust are trademarks of Dell Inc. Microsoft, Active Directory, ActiveSync, Excel, Internet Explorer, Lync, Office 365, OneDrive, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell and Windows Server are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries. EMC, Celerra, Isilon, VNX, and VNXe are registered trademarks of EMC Corporation. VMware, ESX, ESXi, and vCenter are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. Safari and iCloud are registered trademarks of Apple Inc. Amazon Cloud Drive is a trademark of Amazon.com, Inc. or its affiliates. Blackberry and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Used under license from Research In Motion Limited. Itanium is a trademark of the Intel Corporation in the U.S. and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Change Auditor
Updated - July 2014
Software Version - 6.5

Contents

Installation Overview
  Introduction
  Before you begin
  System requirements
    Change Auditor coordinator (Server-side component)
    Change Auditor client (Client-side component)
    Change Auditor agent (Server-side component)
    Change Auditor workstation agent (Optional)
    Change Auditor web client (Optional)
  System statistics and facilities
    Network traffic
    Interval settings
  System overview
  Installation overview
Install Change Auditor
  Introduction
  Install the first Change Auditor coordinator
    Installation procedure
  Install the Change Auditor client
    Installation procedure
  Install multiple coordinators
    Installation procedure
Add Users to Change Auditor Security Groups
  Introduction
  Add accounts to security groups
  Add accounts to ChangeAuditor database role
Deploy Change Auditor Agents
  Introduction
  Start the Change Auditor client
  Deploy agents
Upgrade Change Auditor
  Introduction
  Before you begin
  Upgrade Change Auditor
    Step 1: Upgrade all Change Auditor coordinators (and database schema)
    Step 2: Upgrade all Change Auditor clients
    Step 3: Upgrade the Change Auditor agents
  Post upgrade considerations
Installation Notes and Best Practices
  Licensing Change Auditor products
  Permissions
  Other installation notes
  Change Auditor for Exchange
  Change Auditor for Authentication Services
  Change Auditor for SharePoint
  Backup notes
  Agent behavior notes
  Client notes
  ADAM (AD LDS) auditing
  Change Auditor for SQL Server - SQL auditing
Multi-Forest Deployments
  Requirements
  Installation
  Configuration
  Audit and protection configuration flow
  Event flow
  Reports and queries from the client
Workstation Agent Deployment
  Recommendations/Deployment requirements
  Manual Workstation Agent Deployment
Install Change Auditor Agent to Audit ADAM (AD LDS) on Workgroup Servers
  Agent installation
Dell One Identity Active Roles Server Integration
  Requirements
  Deploying Change Auditor/ARS integration scripts
  Client components added to Change Auditor
  Removing deployed Change Auditor/ARS integration scripts
  Troubleshooting Tips
Dell GPOADmin Integration
  Requirements
  Client components added to Change Auditor
  Troubleshooting tips
Windows Installer Command Line Options
  Change Auditor agent options
  Change Auditor coordinator options
Data Migration
  Before you begin
  Data Migration tool
    Source Database page
    Destination Database page
    Options page
    Migration Progress page
About Dell
  Contacting Dell
  Technical Support Resources
Index

1 Installation Overview

This document has been prepared to assist you in becoming familiar with Dell Change Auditor. The Installation Guide contains the information required to install and configure Change Auditor as well as upgrade from a previous Change Auditor release. It is intended for network administrators, consultants, analysts, and any other IT professionals installing the product.

This first chapter of the guide provides the following information to get you started:
- Introduction
- Before you begin
- System requirements
- System statistics and facilities
- System overview
- Installation overview

Introduction

Dell Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management -- and reduce the risks associated with day-to-day modifications.

- Audit all critical changes across your enterprise including Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, VMware vCenter, SharePoint, and Microsoft Lync.
- Collect user logon and logoff activity for regulatory compliance and user activity tracking.
- Automate ongoing compliance with tracking and reporting for best practices and regulatory compliance mandates for SOX, PCI-DSS, HIPAA, FISMA, GLBA and more.
- Speed troubleshooting through real-time insight into changes with a comprehensive audit library including built-in audit alerts, reports and powerful searches.
- Proactively protect (lock down) critical Active Directory objects, Exchange Mailboxes and Windows files and folders from harmful changes that could open security holes or cause resources to become unavailable.
- Modular approach allows separate product deployment and management for key environments including Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Query, SharePoint, Logon Activity, and Lync.
- Integrate with other Dell products to track, audit, report and alert on critical changes made using Dell One Identity Authentication Services, Dell One Identity Defender, and Dell SonicWALL.

This document defines the system requirements as well as procedures for installing and upgrading Change Auditor.

Before you begin

It is recommended that you perform the following steps before you begin the installation procedure:

- If you do not already have Change Auditor, you can download it from the Dell web site. Before you can download the product, you must register with Dell. If you are a registered Dell user, log on using your address and password. Once you have registered or logged in, locate the product and version that you want to download from the product list. On the download window, click the link and save the file to an appropriate directory (e.g., c:\temp).
  NOTE: If you have purchased multiple Change Auditor products (e.g., Dell Change Auditor for Active Directory, Dell Change Auditor for Exchange, Dell Change Auditor for Windows File Servers, etc.), you only need to download one instance of the Change Auditor product. The code is the same for all and the license keys are the mechanism used to determine what features are enabled/disabled in the product.
- Review the System Requirements
- Review the complete installation process
- Review Appendix A: Installation Notes and Best Practices in the Dell Change Auditor
- Read the Release Notes for updated information
- Ensure you have the appropriate license files to enable Change Auditor auditing module(s). A separate license file is required to enable the functionality of each of the Change Auditor auditing modules:
  - Dell Change Auditor for Active Directory
  - Dell Change Auditor for Exchange
  - Dell Change Auditor for Windows File Servers
  - Dell Change Auditor for SQL Server
  - Dell Change Auditor for Active Directory Queries
  - Dell Change Auditor for Authentication Services
  - Dell Change Auditor for Defender
  - Dell Change Auditor for EMC
  - Dell Change Auditor for NetApp
  - Dell Change Auditor for SharePoint
  - Dell Change Auditor for Logon Activity User (captures logon activity on monitored server agents)
  - Dell Change Auditor for Logon Activity Workstation (captures logon activity on monitored workstation agents)
  - Dell Change Auditor for SonicWALL
  - Dell Change Auditor for Lync
  NOTE: Change Auditor will prompt you for a valid license during the coordinator installation. If an invalid or expired license is entered, the coordinator installation will not continue. If you are upgrading from Change Auditor 5.8, 5.9 or 6.0 you will NOT require a new license(s).

System requirements

Change Auditor is made up of the following components, all of which have specific system requirements:
- Change Auditor coordinator(s)
- Change Auditor client
- Change Auditor agents
- Change Auditor workstation agents
- Microsoft SQL Server database
- Change Auditor web client

Change Auditor coordinator (Server-side component)

The Change Auditor coordinator is responsible for fulfilling client and agent requests.

Coordinator hardware:
- Minimum: Quad core 2.0 GHz or better; 8 GB RAM or better
- Recommended: Quad core 3.0 GHz or better; 32 GB RAM or better
- Member server running on the following minimum platforms:
  - Windows Server 2003 SP2
  - Windows Server 2003 R2
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012 (Essentials, Standard and Datacenter)
  - Windows Server 2012 R2 (Essentials, Standard and Datacenter)
- Microsoft's Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
NOTE: Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.
NOTE: Microsoft's Windows Server 2012 Foundation edition is NOT supported.

Coordinator software and configuration:
- Install the Change Auditor coordinator on a dedicated member server.
- The Change Auditor database should be configured on a separate, dedicated SQL Server instance.
  IMPORTANT: Do NOT pre-allocate a fixed size for the Change Auditor database.
- Supported SQL Server versions:
  - Microsoft SQL Server 2008 SP1, SP2 or SP3
  - Microsoft SQL Server 2008 R2, SP1 or SP2
  - Microsoft SQL Server 2012 or SP1
  NOTE: Change Auditor does not support SQL high availability technology other than clusters.
- The coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
- x86 or x64 versions of Microsoft's .NET Framework 4.0 (or higher)
- x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
- x86 or x64 versions of Microsoft SQLXML 4.0

Coordinator footprint:
- Estimated hard disk space used: 200 MB
- Estimated physical memory (RAM) used for an agent-less coordinator: 100 MB
  NOTE: Coordinator RAM usage is highly dependent on the environment, number of agent connections, and event volume.
- Estimated database size will vary depending on the number of agents deployed and audited events captured.

IMPORTANT: Minimum permissions

User account performing the coordinator installation:
The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:
- Windows permissions to create and modify registry values.
- Windows administrative permissions to install software and stop/start services.
* The user account performing the installation must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):
- Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a Change Auditor coordinator.
- Local Administrator permissions on the coordinator server.
- If you are running the coordinator under a service account (instead of LocalSystem), define a Manual connection profile where you can specify the IP address of the server hosting the Change Auditor coordinator. You can specify and select connection profiles whenever you launch the Change Auditor client. See the Dell Change Auditor User Guide or online help for more information on defining and selecting a connection profile.

SQL Server database access account specified during installation:
An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
- Must be assigned the db_owner role on the Change Auditor database
- Must be assigned the SQL Server role of dbcreator

Change Auditor client (Client-side component)

The Change Auditor client connects to a Change Auditor coordinator and queries the audit event database for the desired results.

Client hardware:
- Minimum: Dual core 2.0 GHz or better; 4 GB RAM or better
- Recommended: Quad core 3.0 GHz or better; 8 GB RAM or better
- A machine running on the following minimum platforms:
  - Windows Server 2003
  - Windows Server 2003 R2
  - Windows Server 2008
  - Windows Server 2008 R2
  - Windows Server 2012 (Essentials, Standard and Datacenter)
  - Windows Server 2012 R2 (Essentials, Standard and Datacenter)
  - Windows 7 (Pro, Enterprise and Ultimate)
  - Windows 8 and 8.1 (Pro and Enterprise)
- Microsoft's Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
NOTE: Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.
NOTE: Microsoft's Windows Server 2012 Foundation edition is NOT supported.
- Screen resolution of at least 1024 x 768 with at least 256 colors

Client software and configuration:
- x86 or x64 versions of Microsoft's .NET Framework 4.0 (or higher)
- x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
- x86 or x64 versions of Microsoft SQLXML 4.0

Client footprint:
- Estimated hard disk space used: 140 MB
- Estimated physical memory (RAM) used: MB
  NOTE: Client RAM usage is dependent on the number of tabs you have open.
  NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM.

Change Auditor agent (Server-side component)

A Change Auditor agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. The agents will then report these audit events to a Change Auditor coordinator which will insert the event details into the Change Auditor database.

Agent hardware:
- Minimum: Dual core 2.0 GHz or better; 4 GB RAM or better
- Recommended: Quad core 3.0 GHz or better; 8 GB RAM or better
- Server running on the following minimum platforms:
  - Windows Server 2003 SP1
  - Windows Server 2003 R2
  - Windows Server 2008
    NOTE: Windows Server 2008 Core is no longer supported because it does not support the required .NET 4.0 framework for Change Auditor 6.5 agents.
  - Windows Server 2008 R2
  - Windows Server 2008 R2 Core SP1
  - Windows Server 2012 (Essentials, Standard and Datacenter)
  - Windows Server 2012 Core (Essentials, Standard and Datacenter)
  - Windows Server 2012 R2 (Essentials, Standard and Datacenter)
  - Windows Server 2012 R2 Core (Essentials, Standard and Datacenter)
- Microsoft's Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)
NOTE: Microsoft's Windows Small Business Server 2003, 2008 and 2011 are NOT supported.
NOTE: Microsoft's Windows Server 2012 Foundation edition is NOT supported.
NOTE: Change Auditor agent requires File and Printer Sharing on Windows Server By default, File and Printer sharing is not enabled on Windows Server 2008 installations. In order to remotely deploy agents to Windows Server 2008, enable the File and Printer sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine. The File and Printer Sharing for Microsoft Networks service on the network adapter must also be enabled for remote deployment.
NOTE: Auditing of some Exchange events requires the latest Exchange service pack to be installed. Please refer to the Dell Change Auditor for Exchange Event Reference Guide for the minimum service packs required for Exchange events.

Agent software and configuration:
- x86 or x64 versions of Microsoft's .NET Framework 4.0 (or higher)
- x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
- The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
- The Change Auditor agent service depends on the following Windows services to be running:
  - DNS client
  - Remote Procedure Call (RPC)
  - Windows event log
NOTE: Ensure communication over RPC between coordinators and agents.

Agent footprint:
- Estimated hard disk space used: 120 MB + local database size + agent logs
  NOTE: Change Auditor agent log retention and content is configurable. That is, you can define how many files to retain and the level of logging.
- Estimated physical memory (RAM) used: MB
  NOTE: Agent RAM usage is dependent on the auditing modules you have licensed.

Agent installation is NOT compatible with the following applications:
- Pre-5.6 versions of Change Auditor
- SecurityManager
- Dell InTrust plug-ins: ITAD, ITADAM, ITFA and ITEX
- ScriptLogic Active Administrator
- DirectoryLockdown
- EMC Xtender

IMPORTANT: Minimum permissions
Permissions required for deploying agents: The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation. If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest. In addition, all users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

IMPORTANT: Minimum permissions
Change Auditor agents must run as LocalSystem.

Exchange Servers auditing requirements

Change Auditor license requirement:
- Change Auditor for Exchange

Minimum service pack requirements:
- Windows Server 2003 and 2003 R2:
  - Microsoft Exchange Server 2007 x64 SP1
- Windows Server 2008 and 2008 R2:
  - Microsoft Exchange Server 2007 x64 SP1
  - Microsoft Exchange Server 2010 RTM
- Windows Server 2008 R2 SP1:
  - Microsoft Exchange Server 2007 x64 SP1
  - Microsoft Exchange Server 2010 RTM
  - Microsoft Exchange Server 2013 CU1
- Windows Server 2012:
  - Microsoft Exchange Server 2010 SP3
  - Microsoft Exchange Server 2013 RTM
- Windows Server 2012 R2:
  - Microsoft Exchange Server 2013 SP1

SQL Server auditing requirements

Change Auditor license requirement:
- Change Auditor for SQL Server

Supported SQL server versions:
- Microsoft SQL Server 2005
- Microsoft SQL Server 2008 SP1, SP2 or SP3
- Microsoft SQL Server 2008 R2, SP1 or SP2
- Microsoft SQL Server 2012 or SP1

Authentication Services auditing requirements

Change Auditor license requirement:
- Change Auditor for Authentication Services

Authentication Services versions:
- Dell One Identity Authentication Services 4.0 (or higher)

Defender auditing requirements

Change Auditor license requirement:
- Change Auditor for Defender

Defender versions:
- Dell One Identity Defender 5.7 (or higher)

EMC auditing requirements

Change Auditor license requirement:
- Change Auditor for EMC

EMC requirements:
- EMC Celerra Event Enabler (CEE) Framework or 6.x
- EMC VNX Event Enabler (VEE) Framework (through 5.1)
- EMC Isilon :
  - CEE (or higher)
  - Change Auditor for EMC 6.5 (or higher)
  - Requires manual configuration to audit Isilon file servers
NOTE: VNXe is NOT supported. VNXe does not support CEPA at this time and therefore Change Auditor for EMC will NOT run successfully in VNXe environments.

See the Dell Change Auditor for EMC User Guide for information on installing, configuring and using Change Auditor for EMC.

NetApp auditing requirements

Change Auditor license requirement:
- Change Auditor for NetApp

NetApp requirements:
- NetApp Filer with Data ONTAP 7.2 (or higher)
NOTE: Clustering FPolicy was added in NetApp 8.2, but has not yet been implemented in Change Auditor.

See the Dell Change Auditor for NetApp User Guide for more information on installing, configuring and using Change Auditor for NetApp.

SharePoint auditing requirements

Change Auditor license requirement:
- Change Auditor for SharePoint

SharePoint auditing requirements:
- SharePoint Server 2010 or 2013
- SharePoint Foundation 2010 or 2013

See the Dell Change Auditor for SharePoint User Guide for detailed information on installing, configuring and using Change Auditor for SharePoint.

VMware auditing requirements

Change Auditor license requirement:
- Change Auditor (any license)

VMware auditing requirements:
- ESX/ESXi 5.0 or 5.1
- vCenter 5.0 or 5.1

Exchange Online/Office 365 auditing requirements

Change Auditor license requirement:
- Change Auditor for Exchange 6.5 (or higher)

Office 365 platforms supported and required permissions:
- Office 365 Small Business
  Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Administrator role for Office 365 Small Business. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).
- Office 365 Small Business Premium
  Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Administrator role for Office 365 Small Business Premium. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).
- Office 365 Midsize Business
  Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Global Administrator role for Office 365 Midsize Business. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).
- Office 365 Enterprise
  Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Global Administrator role for Office 365 Enterprise. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).

See the Dell Change Auditor for Exchange User Guide for more information on Exchange Online auditing.

SonicWALL auditing requirements

Change Auditor license requirement:
- Change Auditor for SonicWALL

SonicWALL requirements:
- SonicWALL firewall device running SonicOS firmware version (or higher)

Firewall requirements:
- At least one SonicWALL firewall that supports AppFlow with the IPFIX with extensions external flow reporting format.
- The SonicWALL firewall must support the SonicOS DPI-SSL feature for cloud or SSL-based web site activity auditing.
- The firewall must be configured to send AppFlow data to the Change Auditor agent.

See the Dell Change Auditor for SonicWALL User Guide for more information on configuring and using Change Auditor for SonicWALL.

Logon Activity auditing requirements

Change Auditor license requirement:
- Change Auditor for Logon Activity User for auditing server agents
  NOTE: See Change Auditor agent (Server-side component) for server agent system requirements.
- Change Auditor for Logon Activity Workstation for auditing workstation agents
  NOTE: See Change Auditor workstation agent (Optional) for workstation agent system requirements.

Change Auditor workstation agent (Optional)

Change Auditor workstation agents can be deployed to capture authentication activity and logon session events from monitored workstations when the Dell Change Auditor for Logon Activity Workstation license is applied.

NOTE: The recommended installation for domain workstations is from the Deployment tab of the Change Auditor Windows client. However, for non-domain workstations you must manually install the Change Auditor workstation agent. See Workstation Agent Deployment for recommendations and instructions on manually deploying workstation agents.

Workstation agent hardware:
- Minimum: 1 GHz CPU; 1 GB RAM (x86)/2 GB RAM (x64)
- Recommended: Dual core 2.0 GHz or better; 4 GB RAM or better
- A machine running on the following minimum platforms:
  - Windows 7 (Pro, Enterprise and Ultimate)
  - Windows 8 and 8.1 (Pro and Enterprise)
- Microsoft's Windows Data Access Components (MDAC) must be enabled. (MDAC is part of the operating system and enabled by default.)

Workstation agent software and configuration:
- x86 or x64 versions of Microsoft's .NET Framework 4.0 (or higher)
- x86 or x64 versions of Microsoft XML Parser (MSXML) 6.0
- The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.
- The Change Auditor workstation agent service depends on the following Windows services to be running:
  - DNS client
  - Remote Procedure Call (RPC)
  - Windows event log
NOTE: Ensure communications over RPC between coordinators and agents.

IMPORTANT: For workstation log management (such as Get Logs or View Agent Log), the following must be enabled on the workstation:
- Windows Management Instrumentation (WMI) must be enabled in the firewall rule set (usually domain) on the workstation
- Network Discovery and File Sharing must be enabled
- Remote Registry Service must be set to Start Automatically. By default, this service is stopped and set to Manual for Windows 7 and Windows 8/8.1.

In order to capture Authentication Activity events, you must first enable (that is, set to Success,Failure) the Audit Logon events audit policy for all servers and workstations.
- Domain - Group Policy: Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
- Workgroup - Local Group Policy: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events

See the Dell Change Auditor for Logon Activity User Guide for more information on using Change Auditor for Logon Activity.

Change Auditor web client (Optional)

The Change Auditor web client is an optional component that is installed on the Internet Information Services (IIS) web server to provide users access to Change Auditor data through a standard or mobile web browser.

Application server running on the following minimum platforms:
- Windows Server 2008 (with IIS 7 or above)
- Windows Server 2012 (with IIS 8 or above)

Minimum standard browser versions supported:
- Chrome 17 (or higher)
- Firefox 10 (or higher)
- Internet Explorer 9 (or higher) NOT running in Compatibility View mode
- Safari 5.x for Mac OS (Windows Safari is not supported)

See the Dell Change Auditor Web Client User Guide for more information on installing, configuring and using the web client.

System statistics and facilities

Network traffic

- 1-3 KB of TCP traffic is generated per audit event sent from a Change Auditor agent to a Change Auditor coordinator.
- 1-3 KB of TCP traffic is generated per record upon a successfully executed search query.
- 1 KB of TCP traffic is generated every five minutes to update the Change Auditor agent statistics, which are displayed on the Agent Statistics page.
NOTE: There are other network communications, primarily the agent downloading licensing or configuration data from the coordinator. This configuration can be quite large, depending on the auditing modules licensed and how they are configured.

Interval settings

Table 1. Interval settings

Connection Interval: Every five minutes a Change Auditor agent tries to establish a connection/communication channel with a Change Auditor coordinator.
  NOTE: Connection attempts can also be triggered when an agent loses its connection to the coordinator, where the agent will try to re-establish a connection.

Forwarding Interval: Every five seconds an agent forwards all of the audited events stored in the local queue (agent's database) to a Change Auditor coordinator. These are the audited events that have not been previously sent to the coordinator. This interval is configurable using the Configuration Setup dialog.

Polling Interval: Every 900 seconds (15 minutes) the agent checks to determine if there have been any modifications to the agent's configuration. This interval is configurable using the Configuration Setup dialog.

Retry Interval: If the agent does not receive an immediate success acknowledgment from the coordinator for the audited events it just transmitted, the agent will resend all unacknowledged events after five minutes (300 seconds) from the previous attempt. This interval is configurable using the Configuration Setup dialog.

To display the Configuration Setup page use the View Administration menu command to open the Administration Tasks tab and select Configuration Agent from the navigation pane. On the Agent Configuration page click the Configurations button to display the Configuration Setup dialog, open the System Settings tab to view/modify the Forwarding Interval, Polling Interval or Retry Interval settings.

System overview

The Change Auditor agents are deployed to all servers (domain controllers and member servers) tracking configuration changes in real-time. When a change is made on a server running a Change Auditor agent, the change information (audit event) is captured by the agent, batched and forwarded to a Change Auditor coordinator, which then inserts the event details into the Change Auditor database.

NOTE: If the Change Auditor for Logon Activity Workstations auditing module is licensed, you will also deploy agents to the workstations to be monitored.
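The Forwarding Interval and Retry Interval in Table 1, together with the per-event traffic figures under Network traffic, determine how much agent-to-coordinator traffic to plan for and how far audit events (and the alerts that depend on them) can lag after a coordinator outage. The following Python model is an added example, not part of the Dell guide or the product's code. It assumes a constant event rate, events stamped at the forwarding tick that first sends them, and an independent retry timer per unacknowledged batch; the function and class names are hypothetical.

```python
"""Sizing model for agent-to-coordinator event flow (added example)."""
from dataclasses import dataclass

# Figures quoted in the guide.
EVENT_KB_RANGE = (1, 3)      # TCP traffic per forwarded audit event, in KB
STATS_KB = 1                 # one agent statistics update, in KB
STATS_INTERVAL_S = 300       # statistics update every five minutes
FORWARDING_INTERVAL_S = 5    # Forwarding Interval default
RETRY_INTERVAL_S = 300       # Retry Interval default


def daily_traffic_kb(agents, events_per_agent_per_day):
    """Return (low, high) KB per day for event forwarding plus statistics."""
    stats_kb = agents * (86400 // STATS_INTERVAL_S) * STATS_KB
    events = agents * events_per_agent_per_day
    low, high = EVENT_KB_RANGE
    return events * low + stats_kb, events * high + stats_kb


@dataclass
class FlowResult:
    peak_unacked: int    # largest number of events waiting for an ack
    worst_delay_s: int   # longest time from creation to acknowledged delivery
    sends: int           # event transmissions, resends included
    undelivered: int     # events still unacknowledged when the run ends


def simulate_agent(duration_s, events_per_tick, outage_start, outage_end):
    """Simulate one agent against a coordinator that gives no acknowledgment
    for attempts made in the window [outage_start, outage_end).

    Assumption (not stated in the guide): each unacknowledged batch keeps
    its own retry timer, set RETRY_INTERVAL_S after its previous attempt.
    """
    pending = []  # [retry_due, created_at, count] per unacknowledged batch
    peak = worst = sends = 0
    for t in range(0, duration_s, FORWARDING_INTERVAL_S):
        coordinator_up = not (outage_start <= t < outage_end)
        # Batches whose retry timer has expired, plus this tick's new events.
        attempts = [b for b in pending if b[0] <= t]
        pending = [b for b in pending if b[0] > t]
        attempts.append([t, t, events_per_tick])
        for _, created_at, count in attempts:
            sends += count
            if coordinator_up:
                worst = max(worst, t - created_at)
            else:
                pending.append([t + RETRY_INTERVAL_S, created_at, count])
        peak = max(peak, sum(b[2] for b in pending))
    return FlowResult(peak, worst, sends, sum(b[2] for b in pending))


if __name__ == "__main__":
    # Constructed scenario: 100 agents, 5000 events per agent per day.
    print("KB/day (low, high):", daily_traffic_kb(100, 5000))
    # Constructed scenarios: 2 events per tick, one short and one long outage.
    print("60 s outage: ", simulate_agent(600, 2, 60, 120))
    print("360 s outage:", simulate_agent(900, 2, 60, 420))
```

In this model an outage shorter than the Retry Interval still delays the affected events by the full 300 seconds, and an outage only slightly longer than it doubles the worst-case lag, which is worth knowing when alert timeliness matters.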
For each configuration change detected, Change Auditor creates an audit event entry in the Change Auditor database with the following information: the type of configuration change event the time and date of the configuration change event the identity of the machine the change was made on the identity of the managed object the change pertains to the old and the new value of the change (if applicable) the IP address of the workstation/client machine from which the change originated The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts. Multiple coordinators can be installed in a single forest and an agent can be connected to multiple coordinators simultaneously. All connected coordinators can participate in receiving events from the agent, allowing a high volume of events to be distributed for processing. NOTE: Server agents will submit events to all available coordinators and load balancing will occur automatically. However, workstation agents randomly connect to a single coordinator. This design enables scaling out options for large workstation agent deployments within a single site. The Change Auditor client is the user interface that provides immediate access to key configuration change information. From the Change Auditor client you can perform tasks such as: install, upgrade or uninstall Change Auditor agents define search criteria to return specific events and view the search results enable/disable alerts and view the events that triggered these alerts enable and schedule reporting for individual search queries view agent and coordinator statistics define custom Active Directory and ADAM (AD LDS) object and attribute auditing 18

- define the hosts to be audited for VMware auditing
- define the farm and paths to be audited for SharePoint auditing
- define file system auditing for Windows File Servers, EMC and NetApp devices
- specify the SQL instances to be audited for SQL Server auditing
- specify the mailboxes to be audited for Exchange Mailbox auditing
- specify the mailboxes or administration cmdlets to be audited for Exchange Online/Office 365 auditing
- specify the containers to be excluded from Active Directory query auditing
- specify the web sites or cloud storage sites to be audited for SonicWALL auditing
- configure object protection for Active Directory, Exchange, File Systems and Group Policies
- define and assign agent configurations
- configure SMTP for alerting and reporting
- create and schedule purge jobs for maintaining the database
- define who is authorized to use the Change Auditor client (Windows and web) features

NOTE: For more information about how Change Auditor integrates with EMC, NetApp, SharePoint, Exchange Online/Office 365, or SonicWALL to capture events, see the corresponding user guide:
- Dell Change Auditor for EMC User Guide
- Dell Change Auditor for NetApp User Guide
- Dell Change Auditor for SharePoint User Guide
- Dell Change Auditor for Exchange User Guide
- Dell Change Auditor for SonicWALL User Guide

Installation overview

Prior to installing Change Auditor, choose the SQL database you are going to use. If you wish to install the Change Auditor database to a SQL instance other than the default instance of the selected SQL Server, create the new instance before running the installer.

Using the Change Auditor product DVD or running the autorun.exe file will launch the Dell Change Auditor autorun, allowing you to install the different Change Auditor components, access the product documentation, and install other related Dell products and knowledge packs.

Use the Open buttons on the Install page to install the Change Auditor coordinator and client. Clicking an Open button launches the appropriate wizard to step you through that component's installation process. Refer to Install Change Auditor for more information on installing these components.

During the coordinator installation, you will be presented with the option to add the current user to the ChangeAuditor Administrators security group. If you elect NOT to do this during the coordinator installation process, you will need to add your user account (and any other appropriate user accounts) to one of the Change Auditor security groups. It is also recommended that you add the ChangeAuditor Administrators and ChangeAuditor Operators groups to the appropriate SQL database role. Refer to Add Users to Change Auditor Security Groups for more information regarding these security groups.

Launch the Change Auditor client to deploy Change Auditor agents to the desired servers. Also, if you have the Change Auditor for Logon Activity Workstation auditing module licensed, deploy Change Auditor agents to the domain workstations to be monitored for logon activity. Refer to Deploy Change Auditor Agents for more details.

IMPORTANT: You must be a member of the ChangeAuditor Administrators group and have local permissions to deploy agents.

You can also optionally install the Change Auditor web-based client, which allows users to access (search and report on) the data collected by Change Auditor, create custom search queries and perform administration tasks to manage Change Auditor. Refer to the Dell Change Auditor Web Client User Guide for more information on installing and launching the web-based client.

2 Install Change Auditor

- Introduction
- Install the first Change Auditor coordinator
- Install the Change Auditor client
- Install multiple coordinators

Introduction

Dell recommends installing the Change Auditor components in the following order:

- Database (SQL Server) - Choose the SQL database you are going to use. If you wish to install the Change Auditor database to a SQL instance other than the default instance of the selected SQL Server, create the new instance before running the installer.

- Coordinator - Once you have confirmed that the database instance you are going to use is installed and functioning correctly, install the Change Auditor coordinator.

- Client - Once you have confirmed that the coordinator is functioning correctly, install the Change Auditor client.

  TIP: It is recommended that you install the first Change Auditor coordinator and client, but do NOT deploy agents until after you have installed all of the additional coordinators required. When deploying agents you can select which installation is to be used for each of the agents.

  NOTE: During the coordinator installation, you are presented the option of adding the current user to the ChangeAuditor Administrators security group. If you elected NOT to add the current user during the installation process or want to add additional user accounts to the Change Auditor security groups, you need to add them prior to launching the Change Auditor client. It is also recommended that you then add these security groups to the appropriate SQL database role (i.e., ChangeAuditor Administrators - <InstallationName> group to the ChangeAuditor_Administrators role and ChangeAuditor Operators - <InstallationName> group to the ChangeAuditor_Operators role). Refer to Add Users to Change Auditor Security Groups in the Dell Change Auditor for more information about these security groups.

- Agents - Launch the Change Auditor client to deploy agents to your domain controllers and member servers. Also, if you have the Change Auditor for Logon Activity Workstation auditing module licensed, deploy Change Auditor agents to the domain workstations to be monitored for logon activity.

- Web-based Client - Optionally, install the web-based portal on the IIS web server.

This chapter provides instructions for installing Change Auditor coordinators and the Change Auditor client. Refer to Deploy Change Auditor Agents for instructions on launching the client and deploying agents. Refer to the Dell Change Auditor Web Client User Guide for instructions on installing and launching the web-based client.

Install the first Change Auditor coordinator

The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts. Multiple coordinators can be installed in a single forest to provide fault tolerance of the Change Auditor service tier.

The coordinator installation will create the following components:

- the coordinator

- a coordinator system tray icon, which allows you to enable/disable the coordinator, display the status of the coordinator installed on the current machine, change the database instance or service accounts used to access the database, or specify static ports to be used for communicating with the coordinator.

  NOTE: Refer to the Dell Change Auditor User Guide for more information about the Change Auditor coordinator system tray icon.

- three installation specific Active Directory security groups to enable access to the Change Auditor client and shared overviews distributed using the Change Auditor web client:
  - ChangeAuditor Administrators - <InstallationName>
  - ChangeAuditor Operators - <InstallationName>
  - ChangeAuditor Web Shared Overview Users - <InstallationName>

  Where <InstallationName> is a unique name selected during the coordinator installation to isolate your components from any other Change Auditor installation in your Active Directory forest.

  NOTE: Refer to the Dell Change Auditor Web Client User Guide for more information on the ChangeAuditor Web Shared Overview Users security group.

- two SQL database roles (ChangeAuditor_Administrators and ChangeAuditor_Operators). These roles will be added to the Change Auditor database to facilitate database connections from an untrusted forest with the least amount of privileges. The two roles will allow Admins to control access to the Change Auditor database via SQL security.

Installation procedure

IMPORTANT: Minimum permissions

User account performing the coordinator installation:
The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:
- Windows permissions to create and modify registry values.
- Windows administrative permissions to install software and stop/start services. *

* The user account performing the installation must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):
- Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a Change Auditor coordinator.
- Local Administrator permissions on the coordinator server.
- If you are running the coordinator under a service account (instead of LocalSystem), define a Manual connection profile where you can specify the IP address of the server hosting the Change Auditor coordinator. You can specify and select connection profiles whenever you launch the Change Auditor client. See the Dell Change Auditor User Guide or online help for more information on defining and selecting a connection profile.

SQL Server database access account specified during installation:
An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:
- Must be assigned the db_owner role on the Change Auditor database
- Must be assigned the SQL Server role of dbcreator

To install the first Change Auditor coordinator:

NOTE: You should have received separate license files from Dell to enable the Change Auditor products you purchased:
- Change Auditor for Active Directory
- Change Auditor for Exchange
- Change Auditor for Windows File Servers
- Change Auditor for SQL
- Change Auditor for Active Directory Queries
- Change Auditor for EMC
- Change Auditor for NetApp
- Change Auditor for Defender
- Change Auditor for Authentication Services
- Change Auditor for SharePoint
- Change Auditor for Logon Activity User (captures logon activity on monitored server agents)
- Change Auditor for Logon Activity Workstation (captures logon activity on monitored workstation agents)
- Change Auditor for SonicWALL
- Change Auditor for Lync

Ensure that you have the appropriate license files before you begin an installation. Copy the .asc license files to the local hard drive where you are installing Change Auditor.

1 Verify that the user account you will be using to execute the coordinator installation is at least a Domain Admin in the domain to which the coordinator server belongs.

2 Use an existing account or create a new user account in Active Directory that will be used by Change Auditor to access the SQL Server.

3 Create a SQL Login for this AD user account and assign the following permissions to this login:
- Server role: dbcreator

4 From the desired member server, insert the Change Auditor DVD or if you downloaded the product from the Dell web site, run the autorun.exe file to launch the Dell Change Auditor autorun.

5 On the Install page of the autorun, click the Open button for the Install Change Auditor Coordinator option to launch the Change Auditor Coordinator Setup wizard.

NOTE: Both x86 and x64 are supported in the Change Auditor product. Therefore, you will need to install the proper version of the coordinator software.

6 Enter the information requested in the Coordinator Setup wizard. Review the following table for additional information. This table only covers unfamiliar information. It does not include all the wizard screens or field descriptions.

Table 2. Coordinator Setup wizard - installing first coordinator

Product Licensing screen

  Licenses: Click the Licenses button to locate and apply a new license file or update an existing license. On the License Status dialog, click the Browse License button to locate the Change Auditor license(s) to be applied.

Installation Name screen

After licensing the product, the setup wizard will prompt you to enter a unique installation name to identify the database to which the coordinator is to be connected.
NOTE: If you plan on installing multiple coordinators, please refer to Install multiple coordinators for additional details regarding the ChangeAuditor installation name.

  ChangeAuditor Installation Name: Enter a ChangeAuditor installation name that uniquely identifies the current installation within your Active Directory environment. An installation name is required; has a limit of 80 characters; can only contain alphanumeric characters and underscores; and will be converted to all caps.
  NOTE: It is recommended that you use the default (DEFAULT) installation name.
  NOTE: If you entered an installation name that already exists, you will be prompted to confirm that you want to join this component to an existing installation. If this was your intent, click Yes to proceed. However, if this was not what you intended to do, click No to re-enter a unique installation name.

SQL Server Information screen

  SQL Server and Instance: Enter the server name or IP address (member server running the SQL instance) and the SQL instance name to be used for the Change Auditor coordinator database (i.e., <FQDN of the SQL server>\<instance name>). Or click the browse button to the right of the text field to browse your Active Directory network to locate the instance to be used.
  NOTE: If you will be using Windows security to access your SQL Server, ensure that the domain user is granted access to the SQL Server.

Table 2. Coordinator Setup wizard - installing first coordinator (continued)

  Name of database catalog: Enter the name to be assigned to the Change Auditor database.
  NOTE: If an existing Change Auditor database is present, you should provide a unique name for the Change Auditor database. If a database with the name entered is found, a warning message will be displayed explaining the need to provide a unique name for your new Change Auditor database. On this warning dialog, click the Cancel button to specify a different database name. Clicking OK will proceed to the Ready to Install the Program screen.

  Authentication/Credentials: Use the authentication section of this screen to specify whether Windows authentication or SQL authentication is to be used when communicating with the SQL database instance. (The authentication method is set up when SQL is installed.)
  NOTE: If the Windows Authentication option is used to access the designated SQL instance, a verification screen will be displayed. From this screen, verify that the server name, SQL instance name and credentials are correct before proceeding. Incorrect entries will cause the Change Auditor coordinator service to fail on startup.

ChangeAuditor Administrators screen

  Add the current user to the ChangeAuditor Administrators - <InstallationName> security group: This check box is selected by default and will add the current user to the ChangeAuditor Administrators - <InstallationName> group. Any user that will be running a Change Auditor client must be added to either this security group or the ChangeAuditor Operators security group. In addition, users responsible for deploying Change Auditor agents must be a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation. Refer to Add Users to Change Auditor Security Groups for more information about these security groups and how to add additional user accounts.

Specify Port Information screen

By default Change Auditor dynamically assigns communication ports to be used to communicate with each installed coordinator. However, using the port settings on this screen you can specify static SCP listening ports to be used instead.
NOTE: A zero (0) indicates that a dynamic port is being used. These port assignments can also be set using the Coordinator Configuration Tool which is accessed by right-clicking the Change Auditor coordinator system tray icon.

  Client Port: Enter the static port number to be used by the Change Auditor client to communicate with the coordinator.
  TIP: If you are planning on installing the Change Auditor web client, enter a static client port.

  Public SDK Port: Enter the static port number to be used by external applications to access the coordinator.

  Agent Port (Legacy): Enter the static port number to be used by legacy (5.x) Change Auditor agents to communicate with the coordinator.

  Agent Port: Enter the static port number to be used by the Change Auditor 6.x agents to communicate with the coordinator.

7 Once you have entered all the requested information, click Install to start the installation process.

8 Once the coordinator is successfully installed, you can now use the Dell Change Auditor autorun to install the Change Auditor client.

NOTE: If you have any other Dell solutions installed on this same server, you will be prompted to reboot the server at this time.

Install the Change Auditor client

The Change Auditor client connects directly to the Change Auditor coordinator or to an archive database and is the user interface that provides immediate access to key configuration change information.

Installation procedure

To install the client:

1 On the desired workstation, laptop or member server, insert the Change Auditor DVD or run the autorun.exe file to launch the Dell Change Auditor autorun.

2 On the Install page of the autorun, click the Open button for the Install Change Auditor Client option to launch the Change Auditor Client Setup wizard.

NOTE: Both x86 and x64 are supported in the Change Auditor product. Therefore, you will need to install the proper version of the client software.

3 Enter the requested information on the Client Setup wizard.

NOTE: If Microsoft's .NET 4.0 is not installed on the machine, an additional screen will be displayed explaining that this application was not found and the install cannot continue. Click the Close button to stop the Change Auditor client install. Download and install the required .NET version. After .NET is successfully installed, restart the Change Auditor client installation.

4 Once the coordinator and client are successfully installed, click the Close button in the upper right-hand corner to close the autorun program. If you are installing multiple coordinators, install your additional coordinators at this time.

Install multiple coordinators

Change Auditor allows you to install multiple coordinators in a single forest. When installing multiple coordinators in your Active Directory forest, the ChangeAuditor installation name entered during the coordinator installation will determine if these coordinators will connect to the same SQL database or connect to different database installations. That is:
- If you use an existing installation name for each coordinator, these coordinators will all connect to the same SQL database installation.
- If you enter a unique installation name for each coordinator, these coordinators will connect to different SQL database installations.

A unique installation name allows you to isolate your installation of Change Auditor from any other installations of Change Auditor in your Active Directory forest. When all Change Auditor installations are upgraded in the forest, the installation name:
- allows all of your coordinators to use your central SQL database, while ensuring no other installation's coordinators use your SQL database.
- ensures that only agents in your installation connect to your coordinator. See Deploy Change Auditor Agents.
- ensures only users in your installation's security groups can use the Change Auditor client to manipulate your configuration and view your data.

Installation procedure

TIP: It is recommended that you install the first Change Auditor coordinator and client, but do NOT deploy agents until after you have installed all of the additional coordinators required. When deploying agents you can select which installation is to be used for each of the agents.

To install additional coordinators:

1 Run the autorun program (autorun.exe) on the individual member servers that are to host a coordinator.

2 On the Install page of the autorun, click the Open button for the Install Change Auditor Coordinator option. Enter the information requested in the Coordinator Setup wizard. Review the following table for additional information. This table only covers information regarding multiple coordinator installations. It does not include all the wizard screens or field descriptions.

Table 3. Coordinator Setup wizard - installing multiple coordinators

Product Licensing screen

  Licenses: Use the same license files that were used for the first coordinator.
  NOTE: If you have installed/licensed multiple Change Auditor auditing modules, apply the appropriate license for each of the installed auditing modules.

Installation Name screen

  ChangeAuditor Installation Name: Enter a unique installation name to use a different database. Enter an existing installation name or use the browse button to connect to an existing Change Auditor installation.
  NOTE: By selecting an existing ChangeAuditor installation, you are joining this component to the specified installation (i.e., multiple coordinators will be connected to the same database and agents can connect to any of the coordinators in this installation).
  NOTE: If you entered an installation name that already exists, you will be prompted to confirm that you want to join this component to an existing installation. If this was your intent, click Yes to proceed. However, if this was not what you intended to do, click No to re-enter a unique installation name.

Specify Port Information screen

By default Change Auditor dynamically assigns communication ports to be used to communicate with each installed coordinator. However, using the port settings on this screen you can specify static SCP listening ports to be used instead.
NOTE: A zero (0) indicates that a dynamic port is being used. These port assignments can also be set using the Coordinator Configuration Tool which is accessed by right-clicking the Change Auditor coordinator system tray icon.

  Client Port: Enter the static port number to be used by the Change Auditor client to communicate with the coordinator.

  Public SDK Port: Enter the static port number to be used by external applications to access the coordinator.

  Agent Port (Legacy): Enter the static port number to be used by legacy (5.x) Change Auditor agents to communicate with the coordinator.

  Agent Port: Enter the static port number to be used by the Change Auditor 6.x agents to communicate with the coordinator.

3 Add Users to Change Auditor Security Groups

- Introduction
- Add accounts to ChangeAuditor database role
- Add accounts to security groups

Introduction

During the Change Auditor coordinator installation, the following security groups are created to allow access for performing various functions within Change Auditor:
- ChangeAuditor Administrators - <InstallationName> Group - provides access to all aspects of Change Auditor and to roll out Change Auditor agents.
- ChangeAuditor Operators - <InstallationName> Group - provides access to Change Auditor with the exception of making configuration changes.
- ChangeAuditor Web Shared Overview Users - <InstallationName> Group - provides access to the Change Auditor web client shared overviews, while restricting access to only what has been shared. See the Dell Change Auditor Web Client User Guide for more information about sharing overviews.

The installation name assigned during the coordinator installation is appended to these security groups. For example, when using the default installation name, these groups will be named:
- ChangeAuditor Administrators - DEFAULT
- ChangeAuditor Operators - DEFAULT
- ChangeAuditor Web Shared Overview Users - DEFAULT

More specifically, two Domain Local Security Groups will be created in the same domain as the Change Auditor coordinator. The Group Scope can be changed to Universal as long as the Group Names remain ChangeAuditor Administrators - <InstallationName> and ChangeAuditor Operators - <InstallationName>.

NOTE: If the domain's Functional Level is in Windows 2000 Mixed mode, then Local Security groups will be created on each Change Auditor coordinator member server.

Membership in the ChangeAuditor Administrators and ChangeAuditor Operators groups enables the Change Auditor client to connect and authenticate to a Change Auditor coordinator; therefore, any user that will be running a Change Auditor client must be added to one of these groups. In addition, all users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

NOTE: If multiple coordinators are installed in a mixed mode environment, in order to connect to each coordinator, you must add your user account to one of these groups on each of the member servers where the coordinators reside.

All users running a Change Auditor client must also have the proper SQL credentials for accessing a Change Auditor archive database. One way of accomplishing this would be to add the ChangeAuditor Administrators and ChangeAuditor Operators groups into the appropriate SQL database roles which were also created during the coordinator installation: ChangeAuditor_Administrators and ChangeAuditor_Operators.

Add accounts to security groups

During the coordinator installation process, you were presented with the option to add the current user to the ChangeAuditor Administrators security group in the specified Change Auditor installation. If you elected NOT to add the current user during the installation process or wish to add additional user accounts, please use the following procedure.

To add user accounts to security groups:

Use the Active Directory Users and Computers MMC snap-in to add the appropriate user account(s) to one of the Change Auditor groups:

1 Launch the Active Directory Users and Computers snap-in.
2 Connect to the domain where the coordinator was installed.
3 Right-click and select Properties on the group called ChangeAuditor Administrators - <InstallationName> or ChangeAuditor Operators - <InstallationName>.
4 Select the Members tab.
5 Click the Add button and browse to the appropriate user object.
6 Click OK to close the Active Directory Users and Computers snap-in.
7 To apply this change, log out and back in.

Adding the appropriate user(s) to one of these groups will allow (group membership permissions) the Change Auditor client to successfully connect to the Change Auditor coordinator.

To add user account(s) to security groups (Domain in Windows 2000 mixed mode):

Use the Microsoft Computer Management native tool to add the appropriate user account(s) to one of the Change Auditor groups:

1 From the member server where the Change Auditor coordinator is installed, right-click on 'My Computer' and select Manage.
2 From the Computer Management dialog, expand 'Local Users and Groups' and select Groups.
3 Right-click and select Properties on the group called ChangeAuditor Administrators - <InstallationName> or ChangeAuditor Operators - <InstallationName>.
4 Click the Add button and browse to the appropriate user object.
5 Click OK to close the Computer Management tool.
6 To apply this change, log out and back in.

Adding the appropriate user(s) to one of these groups will allow (group membership permissions) the Change Auditor client to successfully connect to the Change Auditor coordinator.

Add accounts to ChangeAuditor database role

NOTE: This process only applies to archive databases and will need to be modified each year to apply to the new archive for that year.

To add accounts to the ChangeAuditor database role:

Use the Microsoft SQL Management Studio to add the appropriate user or group account(s) to one of the ChangeAuditor database roles:

1 Launch the Microsoft SQL Server Management Studio and connect to the SQL database server.
2 Navigate to the <SQL Server(Instance)> | Security | Logins directory. Expand the Logins node.

3 Right-click on the Logins node and select New Login to open the Login dialog.
4 On the Select User or Group dialog, click the Object Types button and make sure that the Groups check box is selected. Click the Location button to search either the Entire Directory or local SQL server (depending on where the group was created, which is determined by the domain functional level). Click the Check Names button to locate and select the user or group account (e.g., ChangeAuditor Administrators) to be added.
5 In the Select a Page pane (left pane), select User Mapping.
6 In the Users mapped to this login pane (top pane), select the Change Auditor database.
7 In the bottom pane, Database role membership for: ChangeAuditor, select the ChangeAuditor_Administrators role.
8 Click OK.

Your SQL Login account for Change Auditor database access is now mapped to the appropriate role. Repeat the above steps to also create a SQL Login for the ChangeAuditor Operators group and assign this login to the ChangeAuditor_Operators role for the Change Auditor database.
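The login and role mapping described in the steps above can also be scripted and then verified in T-SQL. This is an added example, not taken from the Dell guide; the domain name EXAMPLE, the DEFAULT installation name and the database name ChangeAuditor are assumptions to replace with your own values.

```sql
-- Added example (not from the Dell guide).
-- Assumptions: domain EXAMPLE, installation name DEFAULT, database ChangeAuditor.
USE [master];
GO

-- Create a Windows-group login for each Change Auditor security group
-- if it does not already exist (GUI steps 3-4).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\ChangeAuditor Administrators - DEFAULT')
    CREATE LOGIN [EXAMPLE\ChangeAuditor Administrators - DEFAULT] FROM WINDOWS;

IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\ChangeAuditor Operators - DEFAULT')
    CREATE LOGIN [EXAMPLE\ChangeAuditor Operators - DEFAULT] FROM WINDOWS;
GO

USE [ChangeAuditor];
GO

-- Map each login to a user in the Change Auditor database (GUI steps 5-6).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\ChangeAuditor Administrators - DEFAULT')
    CREATE USER [EXAMPLE\ChangeAuditor Administrators - DEFAULT]
        FOR LOGIN [EXAMPLE\ChangeAuditor Administrators - DEFAULT];

IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\ChangeAuditor Operators - DEFAULT')
    CREATE USER [EXAMPLE\ChangeAuditor Operators - DEFAULT]
        FOR LOGIN [EXAMPLE\ChangeAuditor Operators - DEFAULT];

-- Add each user to its matching role (GUI step 7). sp_addrolemember is used
-- because it is available on SQL Server 2008; on SQL Server 2012 and later
-- ALTER ROLE ... ADD MEMBER is the equivalent statement.
EXEC sp_addrolemember
     @rolename   = N'ChangeAuditor_Administrators',
     @membername = N'EXAMPLE\ChangeAuditor Administrators - DEFAULT';

EXEC sp_addrolemember
     @rolename   = N'ChangeAuditor_Operators',
     @membername = N'EXAMPLE\ChangeAuditor Operators - DEFAULT';
GO

-- Verification: list who holds the two Change Auditor roles and db_owner,
-- so unexpected members (individual users, stale accounts) stand out.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'ChangeAuditor_Administrators',
                 N'ChangeAuditor_Operators',
                 N'db_owner')
ORDER BY r.name, m.name;
```

Because the procedure applies to archive databases, rerun the script against each year's archive with the USE statement changed to that database.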

4 Deploy Change Auditor Agents

- Introduction
- Start the Change Auditor client
- Deploy agents

Introduction

Once the Change Auditor coordinator(s) and Change Auditor client are successfully installed, you are ready to deploy Change Auditor agents to the desired servers and/or workstations.

NOTE: If you have not added the appropriate user account(s) to either the ChangeAuditor Administrators or ChangeAuditor Operators group, you will be denied access to the Change Auditor coordinator when you launch the client. Refer to Add Users to Change Auditor Security Groups for more information on these security groups and SQL database roles.

It is recommended that a Change Auditor server agent be deployed to all servers (domain controllers and member servers) to track configuration changes in real-time. However, for workstations, deploy a workstation agent to only the workstations that need to be monitored for logon activity. See Agent behavior notes for information on how the different types of agents connect to the Change Auditor coordinators in your environment and the limits set for agent connections.

When a change is made on a server running a Change Auditor agent, the change information (audited event) is captured by the agent and is forwarded to the specified Change Auditor database.

NOTE: The agent database supports up to 3 GB. Once the database size reaches this limit, no new events will be audited and the Agent service has reached a critical load event will be generated. The most likely scenario for when this would happen is when an agent is disconnected from a coordinator for an extended period of time.

NOTE: Refer to the Installation Notes and Best Practices appendix for additional notes regarding deploying agents for Change Auditor for Exchange and Change Auditor for Authentication Services.

NOTE: To install Change Auditor agents to monitor ADAM (AD LDS) instances on workgroup servers, run the appropriate agent installer package (Dell Change Auditor Agent 6 (x64).msi or Dell Change Auditor Agent 6 (x86).msi). See the Install Change Auditor Agent to Audit ADAM (AD LDS) on Workgroup Servers appendix for more information.

NOTE: When you are using Dell One Identity Active Roles Server, there is an additional integration step that can be taken in order to capture the actual user who initiated the change through One Identity Active Roles Server. See the Dell One Identity Active Roles Server Integration appendix for more information.

The Deployment page in the Change Auditor client displays all the servers and workstations discovered in your Active Directory environment. From this page you will specify the servers (and workstations if Change Auditor for Logon Activity Workstation auditing module is licensed) to host a Change Auditor agent. For a description of the Deployment page, see the online help or Dell Change Auditor User Guide.

NOTE: The Deployment page will not display non-member objects, such as ADAM workgroup servers or non-domain workstations, because agents cannot be deployed to non-member objects using the Deployment tab. See Install Change Auditor Agent to Audit ADAM (AD LDS) on Workgroup Servers for more information on manually installing agents to workgroup servers. See Workstation Agent Deployment for more information on manually installing agents to non-domain workstations.

The following procedures step you through the process of launching the Change Auditor client and deploying Change Auditor agents. See the Dell Change Auditor User Guide for procedures on using the advanced options and setting up auto deployment of new servers.

Start the Change Auditor client

The following conditions must be met for a client to properly connect:

- Communications are successful, meaning the coordinator service is running and has a valid SCP listening port (no firewall implications). If this condition fails, the Change Auditor client will display an error dialog stating the appropriate issue.
- The current authenticated user running the Change Auditor client has the proper credentials for accessing the Change Auditor coordinator service. If this condition fails, the client will display the Coordinator Credentials Required dialog allowing you to enter the proper logon credentials to access the Change Auditor coordinator.
- The current authenticated user is a member of either the ChangeAuditor Administrators or ChangeAuditor Operators AD group. If this condition fails, the Change Auditor logon screen will display an error and credential text boxes for entering the appropriate credentials.
- When using a direct database connection, the current authenticated user running the Change Auditor client has the proper SQL credentials for accessing the SQL database. If this condition fails, the client will display the Database Credentials Required dialog allowing you to enter the proper logon credentials to access the SQL database.

To launch the Change Auditor client:

1. Select Start | All Programs | Dell | Change Auditor | Change Auditor Client.

When you launch the Change Auditor client, the Connection screen appears allowing you to connect to the default connection profile or define/specify a different connection profile.

A connection profile defines the connection method to be used to connect to a Change Auditor coordinator in trusted or untrusted forests, or to the database directly without connecting with the Change Auditor coordinator. See Manage Connection Profiles in the Dell Change Auditor User Guide for more information on defining connection profiles.

2. Initially, select the Connect button to use the default connection profile. After you have defined alternate connection profiles, select the appropriate profile from the drop-down list and click Connect.
3. If you do not have the proper credentials required for access, the appropriate credentials dialogs will be displayed allowing you to enter the required credentials.

NOTE: When the client is initially launched, you will be asked if you'd like to participate in the Change Auditor customer experience improvement program, which automatically transmits feedback on how you use Change Auditor to the product team. The generalized metrics collected include:

- Anonymous information about your hardware configuration
- Anonymous information about how you use Change Auditor to help identify and prioritize improvements
- Internal and external IP addresses

IMPORTANT: We will NOT collect any personal information about you.

To participate, click the link in the message or the Change Auditor Customer Experience Improvement Program icon which was added to the system tray. On the Software Improvement Program dialog, select the Yes, I am willing to participate in the Software Improvement Program option and click OK.

You can opt out of the program at any time. To do this, launch the Change Auditor client and select the Help | About menu command to launch the Dell Change Auditor dialog. On the About page, clear the Participate in the Change Auditor customer experience improvement program check box and click Done.

4. The first time the client is launched, you will be presented with the Deployment page to deploy Change Auditor agents. This page may initially be empty until the current forest's server topology has been initially harvested. This page will be automatically refreshed once this task has completed.
5. Once agents are deployed and you launch the Change Auditor client, you will be presented with the Overview page, which provides a real-time stream of events based on a favorite search definition as well as other valuable summary information about the application.

Deploy agents

IMPORTANT: Minimum permissions

Permissions required for deploying agents: The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation. If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.

In addition, all users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

To deploy Change Auditor agents:

1. Verify that the user account you will be using to deploy agents is at least a Domain Admin in every domain that contains servers/workstations where agents are to be deployed.
2. Verify that the user account is also a member of the ChangeAuditor Administrators group in the specified Change Auditor installation.
3. Launch the Change Auditor client. The Deployment page will automatically be displayed if agents have not yet been deployed. Otherwise, use View | Deployment to open the Deployment page. The Deployment page will be populated with the servers (domain controllers and member servers) and workstations discovered in your Active Directory environment.

NOTE: The Deployment page may initially be empty until the current forest's server topology has been initially harvested. This page will be automatically refreshed once this task has completed.

4. From this list, select an entry and use the Credentials | Set tool bar button or right-click command to enter the proper user credentials for installing agents on the selected domain. On the Domain Credentials dialog, select the domain from the list and click the Set button. On the Logon Credentials dialog enter the credentials of a user with administrator rights on the selected domain.
5. After entering the proper credentials, select the entry back on the Deployment page and select Credentials | Test from the tool bar or right-click menu. If you get a Valid Creds status in the Deployment Result column, you can start deploying agents to that domain. If you get a Logon Failure status in the Deployment Result column, use the Credentials | Set command to re-enter the proper credentials for installing agents.
6. By default, the Change Auditor agent folders (Agent, Systray) will be installed to %ProgramFiles%\Dell\ChangeAuditor\. You can, however, change the location of the installation folder by clicking the Advanced Options tool bar button.
7. Select one or more servers/workstations on the Deployment page and click the Install or Upgrade tool bar button or right-click command.
8. On the Install or Upgrade dialog select one of the following options to schedule the deployment task:

- Now (default)
- When

If you select the When option, enter the date and time when you want the deployment task to be initiated. Click OK to initiate or schedule the deployment task. Back on the Deployment page, the Agent Status column will display Pending and the When column will display the date and time specified.

NOTE: To cancel a pending deployment task, select the server/workstation and then click the Install or Upgrade button or right-click command. On the Install or Upgrade dialog, click the Clear Pending button.

9. As agents are successfully connected to the Change Auditor coordinator, the corresponding Deployment Result cell will display Success, the Agent Status cell will display Active and a desktop notification will be displayed in the lower right-hand corner of your screen.

NOTE: To deactivate these desktop notifications, select the Action | Agent Notifications menu command.

Upgrade Change Auditor

- Introduction
- Before you begin
- Upgrade Change Auditor
- Post upgrade considerations

Introduction

You can upgrade to Change Auditor 6.5 from the following versions of Change Auditor: 5.8, 5.9 or 6.0. If you are upgrading from one of these versions, you will NOT require new Change Auditor 6.5 licenses.

Before you begin

Please read the following information that should be taken into consideration before you begin the upgrade process.

Upgrade best practice

Ensure you have a good backup of SQL databases and Change Auditor configuration prior to beginning any upgrade/data migration.

In-place upgrade vs. offline data migration

The Change Auditor 6.x database schema has been redesigned to support high volume event streams and enhanced auditing capabilities. In order to utilize the new 6.x database schema, you can perform an in-place upgrade similar to previous upgrades or perform an offline data migration to use events from legacy 5.x databases in a 6.x database. The in-place upgrade should be used to upgrade your current operational 5.x database, whereas the offline data migration utility is intended for migrating legacy or archived data into an upgraded or new 6.x database.

IMPORTANT: Creating a new Change Auditor database in an existing installation requires careful planning to ensure that the agents and configurations can be properly migrated to the new database.

See the Dell Change Auditor Data Migration Guide for more information about these two processes.

Services using Change Auditor SDK

Stop any services that use the Change Auditor SDK, such as Dell One Identity Active Roles Server or Dell GPOADmin, before starting the upgrade process.

Close ALL Event Log Viewers in Windows 2008 (and higher) environments

Before upgrading the Change Auditor coordinators or server agents, ensure that all Event Log Viewers are closed. If any user has an Event Viewer open and had at any point opened a Change Auditor event log to load and display a message, the Windows EventLog will lock the event message DLL which can cause the Windows Installer Restart Manager to restart dependent services.

NOTE: If the coordinator or agent installer detects that the Windows EventLog service has one or more Change Auditor event message files open and locked, a warning message is displayed allowing you to override this warning and continue with the install. However, this is not recommended since it may cause undesired service restarts.

If detected when deploying agents through the Deployment page, the following error appears in the Deployment Result column:

The Windows EventLog service has a Change Auditor event message file locked, which could cause undesired service restarts. Close all Event Log viewers and try again or run the installer manually to override.

You cannot deploy agents that detect this problem without fixing the problem (closing all Event Log Viewers) or running the agent installer manually (or scripted) to override this warning.

Protection configurations

It is highly recommended that you do NOT modify any protection configurations (Active Directory or Exchange) in Change Auditor during the upgrade process.

Upgrading enterprises with large Change Auditor databases

If your existing Change Auditor database is of significant size, consider upgrading during off peak hours, as database configuration can cause your SQL Server to perform slowly during the upgrade/reconfiguration process.

Change Auditor coordinator upgrades

Shut down all legacy (5.x) coordinators before you start the upgrade process. The Change Auditor 6.x coordinator installation program upgrades the database, preventing legacy coordinators from working; therefore, you must upgrade all coordinators in order for them to work in your upgraded environment. After the first upgraded coordinator updates the database schema it will begin moving existing data to the new database.
You do not have to wait for the first coordinator to finish moving data to the new database before upgrading the other coordinators. Only one coordinator upgrade process moves the data from your 5.x database to the 6.x database; meanwhile, all other coordinators will accept agent connections and forward new events to the 6.x database.

Server collation differences

Starting with Change Auditor 6.0, whenever a coordinator is started/restarted and a database collation difference is detected, the coordinator will stop and will log a "collation does not match" error. This error indicates that something has changed in the collation of your SQL database since you last ran the coordinator. To fix this problem, it is recommended that you fix the collation difference in your SQL Server database. Once the fix has been made, restart your coordinator to start the in-place upgrade.

However, if the database MUST be imported into SQL Server with a different collation, you can do one of the following:

- Create a new 6.x database and use the Data Migration tool to migrate your 5.x data into this new database. See Data Migration tool for more information.
- Use the AllowCollationSwitch registry key to allow the detection of a collation switch to proceed whenever a coordinator is started/restarted. However, using this in environments with large databases will significantly increase the load on SQL servers. See the Dell Change Auditor Technical Insight Guide for more information on setting this registry key.

Change Auditor client upgrades

You must run the Change Auditor 6.5 client installers to upgrade ALL existing clients, including web clients.

Change Auditor agent upgrades

The Change Auditor 6.5 agent requires .NET 4.0, which is supported in Server Core beginning with Windows Server 2008 R2. If you are running a pre-R2 version of Windows Server 2008, you will need to continue running a legacy (5.x) or 6.0 agent. However, you will not get user logon activity events from the server running the legacy or 6.0 agent.

Previous versions of Change Auditor agents (5.8, 5.9 or 6.0) can connect and work with the new Change Auditor 6.5 coordinator and client. Therefore, you can upgrade your agents on an as needed basis.

SQL direct connect has been deprecated in Change Auditor 6.x. Agents that were previously configured to use SQL direct connections will automatically begin forwarding events to a Change Auditor coordinator.

Change Auditor for Exchange - Exchange 2003

Auditing of Exchange 2003 is no longer supported beginning with Change Auditor 6.5. If you want to continue monitoring Exchange 2003 servers, do NOT upgrade to Change Auditor 6.5 (or higher).

Upgrading Change Auditor agents on high volume Exchange servers

It is critical that Change Auditor for Exchange agent upgrades be scheduled for maintenance intervals or other periods of low user mailbox activity for any configuration of Exchange Server. Change Auditor for Exchange agent upgrades should NOT be attempted on an active Exchange Server cluster node in any case.

Attempting to upgrade the agent on a very busy Exchange Server may result in:

- Exchange 2007 mailbox role: failed agent upgrade, required MSExchangeIS server restart, or unscheduled Exchange cluster node failover
- Exchange 2010 client access role: failed agent upgrade, unwanted RpcClientAccess service restart, or unscheduled Exchange cluster node failover
- Exchange 2013 mailbox role: failed agent upgrade, unwanted RpcClientAccess service restart, or unscheduled Exchange cluster node failover
- Exchange 2007, 2010 or 2013 client access role: unwanted IIS Exchange application pool restarts

To eliminate the possibility of unscheduled Exchange Server downtime, please perform agent upgrades to Exchange Servers during periods of low or no mailbox activity.

When upgrading agents on busy Exchange Servers, it is also recommended that you manually stop the agent before upgrading to avoid a possible timeout on the stop command. Verify that the Change Auditor agent service is stopped on the Exchange Server before proceeding with the agent upgrade.

Upgrading pre-5.8 versions of Change Auditor

If you are running a pre-5.8 version of Change Auditor, you will need to follow a prescribed upgrade path BEFORE you can upgrade to Change Auditor 6.5. This upgrade path is dependent upon the Change Auditor version you are running. If you are running Change Auditor 4.8 or 4.9, in addition to following the prescribed upgrade path, you WILL require new Change Auditor licenses for all licensed Change Auditor products, which will need to be applied during the coordinator installation process.

Upgrading InTrust plug-ins

You cannot upgrade from any InTrust plug-ins directly to Change Auditor 6.x. If you are running InTrust plug-ins that need to be upgraded to Change Auditor, you must first upgrade the InTrust plug-ins to Change Auditor 5.7; once that upgrade is completed, you can then upgrade Change Auditor to version 6.x. For more information on upgrading InTrust Plug-ins, see the Dell Change Auditor released with version 5.7.

SSRS Reports

Change Auditor 6.5 uses a new reporting engine that allows you to design, schedule and deliver Change Auditor query-based reports without any third-party (SSRS) technology. Therefore, any previously defined SSRS reports will no longer be available in Change Auditor 6.5 (or higher).

Scheduled Purge Jobs

Change Auditor 6.5 reintroduced a scheduled purge job feature; however, even if you upgrade from a Change Auditor 5.x version, any previously defined purge jobs will no longer be available in Change Auditor 6.5 (or higher).

Event class insertion warnings in logs

When upgrading from a version prior to , you may see event class insertion warnings in the agent and coordinator logs. These warnings can be ignored because they are simply indicating that the new event classes introduced in later Change Auditor versions are not available in the earlier version. These warning messages only appear in the log the first time the legacy agent connects to the upgraded coordinator.

Upgrade Change Auditor

To ensure a successful upgrade of Change Auditor, please upgrade the Change Auditor components in the following order:

- Step 1: Upgrade all Change Auditor coordinators (and database schema)
- Step 2: Upgrade all Change Auditor clients
- Step 3: Upgrade the Change Auditor agents

Step 1: Upgrade all Change Auditor coordinators (and database schema)

NOTE: This installation must be performed locally on the member server.

To upgrade all coordinators (and database schema):

1. From the desired member server, run the autorun.exe file.
2. On the Install page of the Dell Change Auditor autorun, click the Open button for the Install Change Auditor Coordinator option to invoke the Coordinator Setup wizard.
3. A message will be displayed asking you to confirm that you want to upgrade the Change Auditor coordinator. Click OK to confirm the upgrade.
4. The fields on the Change Auditor Coordinator Setup wizard screens will contain the previously entered data. Simply click through them.

NOTE: If you are upgrading from Change Auditor 5.8, 5.9 or 6.0, you will NOT require new licenses, and can click through the Product Licensing screen. If you purchased an additional Change Auditor product (i.e., Change Auditor for SharePoint) you will need to apply this new license as well. New product licenses can be applied at this time or at a later time using the Change Auditor License Manager (Start | All Programs | Dell | Change Auditor | License Manager).

Refer to Install the first Change Auditor coordinator for more detailed information about the Change Auditor Coordinator Setup wizard.

5. Wait until the coordinator goes from an Initializing status to a Running status. To determine the coordinator's status, right-click the Change Auditor coordinator system tray icon and select the Coordinator Status command.
6. Continue to upgrade the remaining coordinators one at a time.

NOTE: Select the installation name and the database name originally assigned to each of your coordinators.

Step 2: Upgrade all Change Auditor clients

To upgrade a Change Auditor client:

1. From the desired workstation, laptop or member server, run the autorun.exe file.
2. On the Install page of the Dell Change Auditor autorun, click the Open button for the Install Change Auditor Client option to launch the Client Setup wizard.
3. A message will be displayed asking you to confirm that you want to upgrade the Change Auditor client. Click OK to confirm the upgrade.
4. The fields on the Change Auditor Client Setup wizard screens will contain the previously entered data. Simply click through them.

Refer to Install the Change Auditor client for more detailed information about the Change Auditor Client Setup wizard.

To upgrade a Change Auditor web client:

1. On the IIS server, run the autorun.exe file.
2. On the Install page of the Dell Change Auditor autorun, click the Open button for the Install Change Auditor Web Client option to launch the Change Auditor Web Client Setup wizard.
3. A message will be displayed asking you to confirm that you want to upgrade the Change Auditor web client. Click OK to confirm the upgrade.
4. The Change Auditor Web Client Setup wizard will step you through the web client installation, where you will need to provide the following information:

- Web site name of the Change Auditor web client and default port for the web site.
- Change Auditor coordinator to which data is to be made available through the web client.

Refer to the Dell Change Auditor Web Client User Guide for more detailed information about the Change Auditor Web Client Setup wizard.

Step 3: Upgrade the Change Auditor agents

NOTE: Previous versions of Change Auditor agents (5.8, 5.9 or 6.0) can connect and work with the new Change Auditor 6.5 coordinator and client. Therefore, you can upgrade your agents on an as needed basis.

To upgrade Change Auditor agents:

1. Launch the Change Auditor client and open the Deployment page (View | Deployment menu command).
2. Select the agents to be upgraded and click the Install or Upgrade tool bar button or right-click command.

NOTE: If you get an Access Denied status in the Deployment Results column, use the Credentials | Set command to enter the proper credentials for installing agents.

3. On the Install or Upgrade dialog select one of the following options to schedule the deployment task:

- Now (default)
- When

If you select the When option, enter the date and time when you want the deployment task to be initiated. Click OK to initiate or schedule the deployment task.

Post upgrade considerations

Static port assignments

If you upgraded from a 5.x installation where static ports were defined, these static ports will be retained as part of the upgrade process. However, the Agent Port setting (on the Ports page of the Coordinator Configuration tool), which is now used by your 6.x agents, will be set to use a dynamic port. (Note that the 5.x agents now use the Agent Port (Legacy) setting on this page.) Check with your system administrator to determine whether this new connection should also be using a static port.

Querying the Change Auditor database directly is NOT supported

Beginning with Change Auditor 6.0, the database structure has changed and any SQL statements and scripts previously created to manipulate the 5.x (or earlier) database will NOT work and could have a negative impact on any production Change Auditor client or through the Change Auditor SDK.

NOTE: In order to better understand how Change Auditor creates its queries, we recommend using the (normally hidden) SQL tab in the Change Auditor client. Built-in searches and any custom searches created using the client will display their SQL query in the SQL tab. Custom queries can ONLY read events. You cannot build custom queries to add or delete data; you must use the supported Change Auditor SDK.

CAUTION: Running a manual SQL script against the Change Auditor database may corrupt the event index tables or statistic counts now being used. If this happens, you will need to call Technical Support to get the Consistency Checker tool to rebuild the indexes and statistics on the database.

Change Auditor client behavior

Only the clients connected to the first upgraded coordinator (the coordinator moving data to the new database) will see the migration progress. Client searches will return more and more results as legacy events are moved to the new database.

Change Auditor for Windows File Servers

File System Auditing templates which include exclusions using a single asterisk (*) or (*\) in front of file/folder names to exclude folders and files recursively will not function after upgrading from a 5.x version to a 6.x version of Change Auditor. The new syntax uses:

- a single asterisk (*) to specify a non-recursive match (find match in folder only; does not match any slash characters (\))
- a double-asterisk (**) to specify a recursive match (find match in folder and all subfolders in the audit path; matches slash characters (\) and directory names in paths)

After the upgrade, edit any existing File System Auditing templates that include exclusions and apply the new rules for non-recursive and recursive matches. Refer to the File/Folder Inclusion and Exclusion Examples Appendix in the Dell Change Auditor for Windows File Servers User Guide or online help for valid exclusion examples.

Change Auditor for SharePoint

Beginning with Change Auditor 5.9, Change Auditor for SharePoint includes the GUID of the SharePoint farm server in the template name. Therefore, when upgrading from a previous Change Auditor version, you must open and edit any existing SharePoint Auditing templates to capture this additional information. Be sure that all of the SharePoint Auditing templates contain a GUID in their Farm name (Farm field on the SharePoint Auditing page) BEFORE you attempt to add any new SharePoint Auditing templates. See the Dell Change Auditor for SharePoint User Guide for more information on upgrading Change Auditor for SharePoint.

Data Gateway Service

The Data Gateway Service is no longer used beginning in Change Auditor 6.5 for capturing user logon activity events. If you had an earlier version of this service running, you can remove it.
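The File System Auditing exclusion rules given above under Change Auditor for Windows File Servers can be tried against sample paths to see which exclusions stop applying after the upgrade. The following is an added example, not Dell code or the product's own matcher: it models only the two wildcard rules quoted on this page. It assumes that patterns are compared case-insensitively against paths relative to the audited folder and that a 5.x single asterisk also matched backslashes; all patterns and paths are constructed.

```python
import re

# Constructed sample data (not taken from any real template or file server).
# Paths are written relative to the audited folder, which is an assumption.
SAMPLE_PATHS = [
    "report.tmp",
    "build\\cache.tmp",
    "build\\obj\\deep.tmp",
    "notes.docx",
    "projects\\Temp\\b.log",
    "projects\\2014\\Temp\\c.log",
]
TEMPLATE = ["*.tmp", "**.tmp", "*\\Temp\\*", "notes.docx"]


def to_regex(pattern, legacy=False):
    """Translate an exclusion pattern into a compiled regular expression.

    legacy=False models the 6.x rules quoted on the page:
      *   matches inside one folder only (never a backslash)
      **  matches across folders (backslashes included)
    legacy=True models the 5.x behaviour the page describes, where a single
    asterisk excluded recursively (assumed here: it also matched backslashes).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # recursive in both models
            i += 2
        elif pattern[i] == "*":
            parts.append(".*" if legacy else r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))  # literal, backslash included
            i += 1
    # Case-insensitive comparison is an assumption (Windows file names).
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern, rel_path, legacy=False):
    """True when the whole relative path is covered by the pattern."""
    return to_regex(pattern, legacy).fullmatch(rel_path) is not None


def lost_exclusions(pattern, rel_paths):
    """Paths excluded under the legacy reading but no longer under 6.x."""
    return [
        p for p in rel_paths
        if matches(pattern, p, legacy=True) and not matches(pattern, p)
    ]


def review_template(patterns, rel_paths):
    """Map each pattern whose effect changes to the paths it stops excluding."""
    report = {}
    for pattern in patterns:
        lost = lost_exclusions(pattern, rel_paths)
        if lost:
            report[pattern] = lost
    return report


if __name__ == "__main__":
    for pattern, lost in review_template(TEMPLATE, SAMPLE_PATHS).items():
        print(f"{pattern!r} no longer excludes:")
        for path in lost:
            print(f"    {path}")
```

Patterns that appear in the report are the ones to edit by hand after the upgrade; take the valid replacement forms from the File/Folder Inclusion and Exclusion Examples appendix the guide refers to, since this model does not define them.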

One Identity Active Roles Server Integration

If the ActiveRoles scripting module has been deployed in a previous Change Auditor version, please refer to the following knowledge base article which details the process to move to the updated version of these scripting modules that are available in Change Auditor 6.x:

A. Installation Notes and Best Practices

This appendix contains notes and best practices that should be taken into consideration when installing Change Auditor. These notes/best practices are listed under the following topics:

- Licensing Change Auditor products
- Permissions
- Other installation notes
- Change Auditor for Exchange
- Change Auditor for Authentication Services
- Change Auditor for SharePoint
- Backup notes
- Agent behavior notes
- Client notes
- ADAM (AD LDS) auditing
- Change Auditor for SQL Server - SQL auditing

Licensing Change Auditor products

Upgrading Change Auditor

If you are upgrading from Change Auditor 5.8, 5.9 or 6.0 you will NOT require new Change Auditor 6.5 licenses.

If you are running a pre-5.8 version of Change Auditor, you will need to follow a prescribed upgrade path BEFORE you can upgrade to Change Auditor 6.x. This upgrade path is dependent upon the Change Auditor version you are running. If you are running Change Auditor 4.8 or 4.9, in addition to following the prescribed upgrade path, you WILL require new Change Auditor licenses for all licensed Change Auditor products, which will need to be applied during the coordinator installation process. Please contact Dell Technical Support.

Applying licenses for multiple Change Auditor products

If this is a new installation (not an upgrade), you will require new Change Auditor 6.x licenses. The following Change Auditor products all require separate licenses which can be applied during the coordinator installation process:

- Change Auditor for Active Directory
- Change Auditor for Exchange
- Change Auditor for Windows File Servers
- Change Auditor for SQL Server
- Change Auditor for Active Directory Queries
- Change Auditor for EMC
- Change Auditor for NetApp
- Change Auditor for Authentication Services
- Change Auditor for Defender
- Change Auditor for SharePoint
- Change Auditor for Logon Activity User (captures logon activity on monitored server agents)
- Change Auditor for Logon Activity Workstation (captures logon activity on monitored workstation agents)
- Change Auditor for SonicWALL
- Change Auditor for Lync

If you are licensing multiple Change Auditor products, you can apply the licenses in any order but must apply all the licenses provided.

Applying licenses after initial installation

If you purchased additional Change Auditor product(s) after the initial installation, you can use the Change Auditor License Manager to apply these new Change Auditor product licenses.

1. From the member server where the coordinator is installed, use the following path: Start | All Programs | Dell | Change Auditor | License Manager.
2. From the About Change Auditor dialog, click the Update License button to locate and apply the new product licenses.
3. After applying new product licenses, restart the Change Auditor agents to capture the new events.

Permissions

Required permissions for Change Auditor coordinator

User account performing the coordinator installation:

The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server:

- Windows permissions to create and modify registry values.
- Windows administrative permissions to install software and stop/start services.

* The user account performing the installation must be a member of the Domain Admins group in the domain where the coordinator is being installed.

Service account running the coordinator service (LocalSystem by default):

- Active Directory permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running a Change Auditor coordinator.
- Local Administrator permissions on the coordinator server.
If you are running the coordinator under a service account (instead of LocalSystem), define a Manual connection profile where you can specify the IP address of the server hosting the Change Auditor coordinator. You can specify and select connection profiles whenever you launch the Change Auditor client. See the Dell Change Auditor User Guide or online help for more information on defining and selecting a connection profile.

SQL Server database access account specified during installation:

An account must be created to be used by the coordinator service on an ongoing basis for access to the SQL Server database. This account must have a SQL Login and be assigned the following SQL permissions:

- Must be assigned the db_owner role on the Change Auditor database
- Must be assigned the SQL Server role of dbcreator

Required permissions for deploying Change Auditor agents

The Agent Deployment wizard runs under the security context of the currently logged on user account. Therefore, you must have administrative authority to install software on every target machine. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation. If you are targeting domain controllers only, membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.

In addition, all users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation. If you are not a member of this security group for this installation, you will get an access denied error.

Required permissions to deploy agents using the Windows Installer (MSIEXEC.exe)

The user account that will be performing the agent installation by running the Windows Installer directly on the domain controller/member server/workgroup server or workstation needs the appropriate permissions to perform the following tasks on the server:

- Windows permissions to create and modify registry values.
- Windows administrative permissions to install software and start/stop services.

Required SQL permissions needed for coordinator and SQL Change Auditor database communications

The Change Auditor coordinator's supplied SQL login credentials (SQL or Windows) need the Database Owner (DBO) permission to the database in the SQL instance.

Other installation notes

Stopping MMC modules

Certain MMC modules disrupt or hinder the addition or removal of services; therefore, MMC modules can NOT be running (directly on the server or in a Terminal Services session) when installing or uninstalling Change Auditor.
These MMC files must first be stopped before proceeding with the Change Auditor install/uninstall. Close ALL Event Log Viewers in Windows 2008 (and higher) environments Before installing or upgrading the Change Auditor coordinators or server agents, ensure that all Event Log Viewers are closed. If any user has an Event Viewer open and had at any point opened a Change Auditor event log to load and display a message, the Windows EventLog will lock the event message DLL which can cause the Windows Installer Restart Manager to restart dependent services. 46

NOTE: If the coordinator or agent installer detects that the Windows EventLog service has one or more Change Auditor event message files open and locked, a warning message is displayed allowing you to override this warning and continue with the install. However, this is not recommended since it may cause undesired service restarts.

If detected when deploying agents through the Deployment page, the following error appears in the Deployment Result column:

    The Windows EventLog service has a Change Auditor event message file locked, which could cause undesired service restarts. Close all Event Log viewers and try again or run the installer manually to override.

You cannot deploy agents that detect this problem without fixing the problem (closing all Event Log Viewers) or running the agent installer manually (or scripted) to override this warning.

Microsoft's .NET framework

Microsoft's .NET 4.0 (or higher) framework is required in the Change Auditor coordinator, client and agents. If an attempt is made to install these components on a machine with an earlier version, the installation will fail and you will be notified that a newer version is required. To verify that you are running the appropriate version of Microsoft's .NET framework, use Add or Remove Programs.

NOTE: A link to the .NET 4.0 framework is available in Change Auditor's Autorun.exe Redistributables.

Component installation order

Dell recommends installing the Change Auditor components in the following order:

Database (SQL Server) - Choose the SQL database you are going to use. If you wish to install the Change Auditor database to a SQL instance other than the default instance of the selected SQL Server, create the new instance before running the installer.

Coordinator - Once you have confirmed that the database instance you are going to use is installed and functioning correctly, install the Change Auditor coordinator.

Client - Once you have confirmed that the coordinator is functioning correctly, install the Change Auditor client.

TIP: It is recommended that you install the first Change Auditor coordinator and client, but do NOT deploy agents until after you have installed all of the additional coordinators required. When deploying agents you can select which installation is to be used for each of the agents.

NOTE: During the coordinator installation, you are presented the option of adding the current user to the ChangeAuditor Administrators security group. If you elected NOT to add the current user during the installation process or want to add additional user accounts to the Change Auditor security groups, you need to add them prior to launching the Change Auditor client. It is also recommended that you then add these security groups to the appropriate SQL database role (i.e., ChangeAuditor Administrators - <InstallationName> group to the ChangeAuditor_Administrators role and ChangeAuditor Operators - <InstallationName> group to the ChangeAuditor_Operators role). Refer to Add Users to Change Auditor Security Groups in the Dell Change Auditor for more information about these security groups.

Agents - Launch the Change Auditor client to deploy agents to your domain controllers and member servers. Also, if you have the Change Auditor for Logon Activity Workstation auditing module licensed, deploy Change Auditor agents to the domain workstations to be monitored for logon activity.

Web-based client - Optionally, install the web-based client on the IIS web server to allow users access to Change Auditor data through a standard or mobile browser. Refer to the Dell Change Auditor Web Client User Guide for more information about installing and using the web client.
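
Two of the installation notes above (no MMC consoles open in any session, .NET 4.0 or higher present) can be checked from a script before the installer is run. The following PowerShell is an added example, not part of the Dell guide; the function names are hypothetical, and it assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added example: pre-installation check for a Change Auditor coordinator,
# client or agent host. Function names are illustrative, not Dell's.

function Get-DotNet4Install {
    # .NET 4.0 and later register under NDP\v4 ('Full' = full framework,
    # 'Client' = the 4.0 Client Profile). Both are reported; the guide only
    # states that 4.0 or higher is required.
    $base = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4'
    foreach ($edition in 'Full', 'Client') {
        $key = Get-ItemProperty -Path "$base\$edition" -ErrorAction SilentlyContinue
        if ($key -and $key.Install -eq 1) {
            [pscustomobject]@{ Edition = $edition; Version = $key.Version }
        }
    }
}

function Get-OpenMmcConsole {
    # Event Viewer and other snap-ins run inside mmc.exe. Win32_Process covers
    # every session on the server, including Terminal Services sessions.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'mmc.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                SessionId   = $_.SessionId
                Owner       = if ($owner.ReturnValue -eq 0) {
                                  '{0}\{1}' -f $owner.Domain, $owner.User
                              } else { '<unknown>' }
                CommandLine = $_.CommandLine   # shows the loaded .msc file
            }
        }
}

function Test-ChangeAuditorPreInstall {
    $dotnet = @(Get-DotNet4Install)
    $mmc    = @(Get-OpenMmcConsole)

    if ($dotnet.Count -eq 0) {
        Write-Warning '.NET Framework 4.0 or higher not found; the installation will fail.'
    }
    foreach ($p in $mmc) {
        Write-Warning ('mmc.exe PID {0} (session {1}, {2}) is open: {3}' -f `
            $p.ProcessId, $p.SessionId, $p.Owner, $p.CommandLine)
    }

    # One summary object per host, suitable for collecting across servers.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DotNet4      = $dotnet
        OpenMmc      = $mmc
        ReadyToRun   = ($dotnet.Count -gt 0 -and $mmc.Count -eq 0)
    }
}

Test-ChangeAuditorPreInstall
```

The check reports open consoles and their owners rather than closing them, so the owning user can be asked to close Event Viewer before the install proceeds.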

Deploying Change Auditor agents

For a complete and comprehensive Active Directory change auditing solution, we recommend deploying Change Auditor agents to every server in the forest. For best results in capturing Group Policy changes, we recommend installing a Change Auditor agent on the domain's PDC operations master role holder.

Security groups

During the coordinator installation, three installation specific security groups are created in the domain where the member server hosting a Change Auditor coordinator resides.

ChangeAuditor Administrators - <InstallationName> Group - provides access to all aspects of Change Auditor and to roll out Change Auditor agents.

ChangeAuditor Operators - <InstallationName> Group - provides access to Change Auditor with the exception of making configuration changes.

ChangeAuditor Web Shared Overview Users - <InstallationName> Group - provides access to the Change Auditor web client shared overviews, while restricting access to only what has been shared. See the Dell Change Auditor Web Client User Guide for more information about sharing overviews.

Where <InstallationName> is a unique name selected during the coordinator installation to isolate your components from any other Change Auditor installation in your Active Directory forest.

You must add your user account to either the ChangeAuditor Administrators or ChangeAuditor Operators group prior to launching the Change Auditor client. If multiple coordinators are installed in a mixed mode environment, in order to connect to each coordinator, you must add your user account to one of these groups on each of the member servers where a coordinator resides. In addition, users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified Change Auditor installation.

During the coordinator installation, you will be presented with the option to add the current user to the ChangeAuditor Administrators security group. If you elected NOT to do this during the coordinator installation process or you want to add additional user accounts, you will need to add your user account (and any other appropriate user accounts) to one of the Change Auditor security groups prior to launching the Change Auditor client. See Add Users to Change Auditor Security Groups for more detailed information about the security groups that are created when the coordinator is installed.

NOTE: In addition, when the first foreign workstation agent is manually installed, a ChangeAuditor Agents - <InstallationName> security group is created. User accounts must be added to this security group in order to properly authenticate.

Change Auditor for Exchange

Agent deployment

High volume Exchange Servers. Agent processing of large Exchange auditing and protection configurations may slow down initial user logon access or cause timeouts if a large number of end user logons are occurring at the same time. To avoid this issue, it is recommended that the following actions be performed during maintenance intervals or other periods of low user mailbox activity:

- Change Auditor Exchange agent deployment
- Change Auditor Exchange agent upgrade
- Change Auditor Exchange Mailbox auditing or protection configuration changes

Before the system returns to a normal load, one user should logon to Outlook Web Access (OWA), Outlook, and Exchange Web Services (EWS, Outlook for Mac) clients. This will trigger the Change Auditor agent to process Exchange Mailbox auditing and protection configuration changes when the fewest logons are occurring.

Exchange 2007. Change Auditor for Exchange requires Change Auditor agents to be deployed on all Active Directory domain controllers in the forest in order to capture changes to the Exchange settings that are stored in Active Directory. Also, if you want to capture Exchange mailbox access events, a Change Auditor agent must be deployed to the Exchange 2007 Mailbox role server AND the Client Access (OWA/CAS) role server.

Exchange 2010/2013. Similar to Exchange 2007, Exchange 2010/2013 stores its configuration data in Active Directory, and installing Change Auditor agents on the domain controller will capture all of these change actions. However, starting with Exchange 2010, Microsoft re-architected how they process configuration changes. Therefore, in order for Change Auditor for Exchange to retrieve the correct who information for these Active Directory based events it now audits Windows PowerShell. So you can:

- Deploy a Change Auditor agent to all Active Directory domain controllers in the forest. However, the who value will be missing (reported as the Exchange server computer account) from all of the Exchange 2010/2013 Active Directory based events.
- Depending on the Exchange version you are running, deploy a Change Auditor agent to Exchange servers as described below. This will capture the correct who value for many of the Exchange 2010/2013 Active Directory based events, but not all Exchange 2010/2013 events are being audited in this scenario.
    Exchange 2010: Deploy a Change Auditor agent to all Exchange 2010 CAS role servers.
    Exchange 2013: Deploy a Change Auditor agent to all Exchange 2013 servers with the Mailbox role.
- Recommended: Deploy a Change Auditor agent to all Active Directory domain controllers AND to all required Exchange 2010/2013 servers. However, duplicate events will be generated for Exchange 2010/2013 Active Directory events: one from the agent auditing attribute changes on a domain controller (contains no who value) and one from the new agent auditing PowerShell on an Exchange server (contains the correct who value).

To capture Exchange mailbox access events:

- Exchange 2010: Deploy a Change Auditor agent to all Exchange 2010 CAS role servers.
- Exchange 2013: Deploy a Change Auditor agent to all Exchange 2013 Mailbox role servers.

Exchange 2010/2013 - Deploy agents to all Exchange Servers. When a Change Auditor 5.6 (or higher) agent is deployed on Exchange Server 2010/2013, it automatically enables the scripting extension in Active Directory. This is a domain-wide setting and applies to ALL Exchange 2010/2013 servers. This extension requires that the ScriptingAgentConfig.xml file be present in the Exchange Server folder; otherwise, Exchange management tools will display error messages each time the Scripting Agent cmdlet runs. The Change Auditor 5.6 (or higher) agent automatically creates the required ScriptingAgentConfig.xml file in the Exchange Server folder if one is not already present. Therefore, it is highly recommended that a Change Auditor agent be installed on ALL Exchange servers to ensure all servers are using the same scripting agent.

NOTE: If the scripting agent was NOT enabled on your Exchange 2010/2013 servers prior to deploying Change Auditor agents, you should perform backups of your Exchange servers in accordance with your company's disaster recovery plan once you have successfully deployed Change Auditor agents to all of your Exchange 2010/2013 servers. If you need to restore your Exchange servers and they were NOT backed up after you deployed Change Auditor agents that enabled the scripting agent, you will need to disable the CmdletExtensionAgent BEFORE recovering your Exchange 2010/2013 servers.

If Change Auditor cannot be installed on all of your Exchange 2010/2013 servers, use the following procedure on all Exchange 2010/2013 servers where a Change Auditor agent is not yet deployed:

1 Create an empty ScriptingAgentConfig.xml file under the following directory:

    %ProgramFiles%\Microsoft\Exchange Server\V14\Bin\CmdletExtensionAgents\

  Enter the following text into this ScriptingAgentConfig.xml file:

    <?xml version="1.0" encoding="utf-8"?>
    <Configuration version="1.0"/>

2 Save and close the file.

Exchange cluster node servers. When deploying/upgrading Change Auditor agents on Exchange cluster node servers, use the following recommended procedure:

1 Deploy/upgrade the Change Auditor agent on the passive Exchange cluster nodes.
2 Perform a scheduled fail-over on the active cluster nodes.
3 Then deploy/upgrade the Change Auditor agent on the newly-passive cluster nodes.

If you find the need to deploy/upgrade a Change Auditor agent on an active cluster node, schedule the deployment during low-utilization periods. A visual check of the server utilization to ensure utilization is below 20% should be sufficient.

BlackBerry Enterprise Server (BES) service

To eliminate auditing of automated tasks, the Change Auditor agent attempts to automatically exclude auditing of mailbox accesses by BlackBerry Enterprise Server (BES) or similar service accounts. These accounts have both Receive All and Administer Information Store rights on the mailbox database. If these explicit rights are granted to user accounts, those accounts will also be excluded from mailbox auditing, which may not be desired. If necessary, this automated exclusion can be disabled on a server-by-server basis. Contact Dell Technical Support for additional information.

Exchange 2003: Not supported

Beginning with Change Auditor 6.5, Exchange 2003 is no longer supported. If you have an Exchange 2003 environment that you want to continue auditing, do NOT upgrade to Change Auditor 6.5 (or higher).

Exchange 2007: 32-bit - Not supported

Change Auditor for Exchange does not support Exchange 2007 32-bit.

SMTP authentications and alerts on Exchange 2007 (and above)

Exchange versions 2007 and above deny authentication to all well-known accounts, including Administrator. You must use a new user account that is not a built-in account to authenticate to the Receive Connector(s) on Hub Transport servers in order to allow SMTP mail to go through. This references the setting for My Server Requires Authentication on the SMTP Configuration pane on the Coordinator Configuration page (Administration Tasks tab) in the Change Auditor client. It may also be necessary to configure additional Transport settings (authentication and permissions) to allow mail relay from the Change Auditor coordinator machine in order to receive SMTP alerts.

Microsoft Outlook 2000 and Not supported

Change Auditor for Exchange does not support Microsoft Outlook 2000 or
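
The ScriptingAgentConfig.xml procedure given earlier for Exchange 2010/2013 servers without a Change Auditor agent can be scripted so that an existing scripting agent configuration is never overwritten. The following PowerShell is an added example, not part of the Dell guide; the function name and status strings are hypothetical, and the default path is the one the guide gives.

```powershell
# Added example: create the empty ScriptingAgentConfig.xml only when it is
# absent. The function name and return values are illustrative.

function Install-EmptyScriptingAgentConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default is the directory named in the guide (V14 = Exchange 2010).
        # Exchange 2013 installs under V15 by default; pass that path there.
        [string]$AgentDir = (Join-Path $env:ProgramFiles `
            'Microsoft\Exchange Server\V14\Bin\CmdletExtensionAgents')
    )

    $file = Join-Path $AgentDir 'ScriptingAgentConfig.xml'

    if (-not (Test-Path -LiteralPath $AgentDir -PathType Container)) {
        Write-Warning "Directory not found: $AgentDir"
        return 'DirectoryMissing'
    }

    if (Test-Path -LiteralPath $file -PathType Leaf) {
        # A file already exists (created by an agent or by an administrator).
        # Leave it alone, but confirm it parses and has the expected root,
        # because a zero-byte or malformed file still produces cmdlet errors.
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file)
            if ($doc.DocumentElement.LocalName -eq 'Configuration') {
                return 'AlreadyPresent'
            }
            Write-Warning "$file has root element <$($doc.DocumentElement.Name)>."
            return 'PresentUnexpectedRoot'
        }
        catch {
            Write-Warning "$file exists but is not well-formed XML: $($_.Exception.Message)"
            return 'PresentInvalid'
        }
    }

    # Exactly the two lines the guide specifies.
    $xml = @'
<?xml version="1.0" encoding="utf-8"?>
<Configuration version="1.0"/>
'@

    if ($PSCmdlet.ShouldProcess($file, 'Create empty scripting agent configuration')) {
        # Write UTF-8 without a byte order mark to match the declared encoding.
        $utf8 = New-Object System.Text.UTF8Encoding($false)
        [System.IO.File]::WriteAllText($file, $xml, $utf8)
        return 'Created'
    }
    return 'Skipped'
}

Install-EmptyScriptingAgentConfig -WhatIf
```

Remove `-WhatIf` to write the file; the returned status string can be collected per server to confirm that every Exchange 2010/2013 server has a configuration file in place.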

Change Auditor Exchange Server monitoring and Outlook cached mode

For improved performance, Outlook offers an option to cache requests to Exchange Server. This option is enabled by default when you configure an account for Exchange Server. To disable this setting, select the Outlook Tools Account Settings menu command, open the tab and click the Change button, and then clear the Use Cached Exchange Mode check box on the Microsoft Exchange Settings dialog.

While Change Auditor Exchange monitoring events closely track user input in non-cached Outlook and Outlook Web Access clients, this is not the case with cached-mode Outlook. User activity in cached-mode Outlook can provide complex results with Change Auditor Exchange monitoring; the timing and order of Exchange requests is not obvious or intuitive. This note describes a few of the effects you will see when monitoring an Outlook cached connection to Exchange Server:

- Cached-mode Outlook frequently defers message copy, move and delete requests until seconds or even minutes later.
- When opening cached-mode Outlook, several folders may be opened at the same time. Outlook examines all folders with recent changes at startup.
- When opening cached-mode Outlook or selecting a different mail folder, several message read events may occur at the same time. Outlook reads all new Inbox messages as they become available (independent of user activity) and then keeps local copies for reading.
- When opening messages that have previously been read (or selecting messages with the preview pane enabled) you will not see a message read event. Since cached-mode Outlook keeps local copies of the messages they never need to be read from the server again, even after closing and re-starting Outlook. The original read from the server does produce a message read event.
- When deleting messages (moving them to the Deleted Items folder), instead of message deleted and moved to the Deleted Items folder events as in non-cached mode you will receive two events: message created in the Deleted Items folder, and message permanently deleted in the original folder. This is an accurate report of how cached-mode Outlook implements message deletions to the Deleted Items folder.
- When permanently deleting messages (emptying the Deleted Items folder) you will see a message read event as cached-mode Outlook obtains information from the message followed somewhat later by a message permanently deleted event.
- If the user closes cached-mode Outlook before it has a chance to synchronize permanently deleted items with the Exchange Server, it will do so the next time Outlook is started. Other clients viewing the mailbox will be able to access the deleted items until cached-mode Outlook synchronizes with the server.

Note that you will still receive all notifications of critical non-owner events from cached-mode Outlook clients, but the timing and sequence may not be obvious. Understanding the effect that cached-mode Outlook has on your Change Auditor Exchange monitoring will give you confidence that the results you are seeing are accurate.

Change Auditor for Authentication Services

Agent deployment

Change Auditor for Authentication Services requires Change Auditor agents to be deployed on all Active Directory domain controllers in the forest in order to capture modifications to the Authentication Services configuration container.

Change Auditor for SharePoint

The SharePoint requirements as defined by Microsoft must be met. Change Auditor for SharePoint does NOT need any additional requirements. Refer to the Dell Change Auditor for SharePoint User Guide for more detailed information about installing, configuring and using Change Auditor for SharePoint.

Agent Deployment

A Change Auditor agent must be deployed on ONE of the SharePoint Central Administration servers in the SharePoint farm to be monitored.

Required rights and permissions

The Change Auditor agent selected to connect to and collect events from the SharePoint farm must have the following permissions:

- At a minimum, the account must have full access to all SharePoint sites. It must also have read permissions on all SharePoint SQL databases.
- Recommended: Use the SharePoint farm administrator account that was supplied when SharePoint was installed.
- For proper auditing of the sites within the MySite Site Collection or Web Application, the account Change Auditor uses to access the SharePoint database must be added as a Site Collection Administrator (primary or secondary) or to the User Web Policy for the MySite host. Depending on how your MySite host is initially set up, use the Central Administration Web Site to verify, and if necessary add, this account.

SharePoint settings

In order for Change Auditor to capture some of the SharePoint audited events, the following SharePoint settings must be enabled:

- Native Auditing must be enabled for all SharePoint web applications (including each user site under MySite) to be audited by Change Auditor.
  NOTE: Log trimming is off by default. Enable log trimming to meet your policies, but note that if the Change Auditor agent is offline or is otherwise unable to retrieve event information from the SharePoint database for a period longer than the trim period, events could be lost.
- Versioning must be enabled for each individual Library and List Item pertaining to the Site(s) to be audited by Change Auditor, if you want Change Auditor to capture versioning activities.

See the appendix in the Dell Change Auditor for SharePoint User Guide or Dell Change Auditor for SharePoint Event Reference Guide for a list of the events that require these additional settings.

Backup notes

Backup and protect the coordinator database

The Change Auditor coordinator utilizes Microsoft SQL Server as the main database for collecting and reporting audit information. This data needs to be protected and backed up on a regular basis, acceptable to your data retention policies. There are several third-party tools available, including Microsoft's SQL Tools, which provide backup and restore functions.

Exclude the local agent directory and files from your backup

The Change Auditor agent uses a SQLCE database file (ChangeAuditorAgent.sdf) on the local drive of each agented DC/member server. This database is primarily used to capture the state values for Active Directory objects, File System values and Windows Registry changes. The agent files do NOT need to be part of the backup job since the data contained in the database files can be recreated upon agent installation. We recommend that you exclude the agent files (%ProgramFiles%\Dell\ChangeAuditor\Agent\DBScripts) from your backup solution.

Agent behavior notes

Agent connection behavior

When an agent comes online, it queries the Active Directory Global Catalog (GC) for a list of all coordinator SCPs within its same installation. After receiving the list of published coordinators, it prioritizes them by Active Directory site to locate the nearest coordinator. The connection behavior after these initial steps depends on the type of agent:

- Legacy Change Auditor (5.x) agents: If there are multiple coordinators available in the local subnet, it will look at the current load on the coordinator (also posted in the SCP). It will then try to connect to the coordinator that has the fewest agents connected. If it can't connect to its nearest, least loaded coordinator (if that coordinator doesn't respond) it will go to the next available coordinator.
  NOTE: Legacy (5.x) agents can only be connected to a single coordinator.
- Change Auditor 6.x server agents: Starting with Change Auditor 6.0, server agents submit events to all available coordinators and load balancing occurs automatically. That is, each agent simultaneously connects to all available coordinators. All connected coordinators can then participate in receiving events from the server agent, allowing a high volume of events to be distributed for processing.
- Change Auditor workstation agents: The workstation agents introduced in Change Auditor 6.5 randomly connect to a single coordinator. This design enables scaling out options for large workstation agent deployments within a single site.

NOTE: A maximum of 10,000 agents (server and/or workstation) can connect to a single coordinator. If this connection limit is problematic for your environment, contact Dell Technical Support to discuss possible configuration options.

NOTE: Change Auditor 6.x agents will prefer available coordinators within the same site, but if none are found, all available coordinators within the same installation will be considered. If one or more (depending on agent type) non-site coordinators are connected, and one or more coordinators are later discovered within the agent site, the agents will connect to site-located coordinator(s) and drop non-site coordinator connection(s). If this behavior is problematic for your environment, contact Dell Technical Support to discuss possible configuration options.

Incompatibility with Symantec Backup Exec CPS agent

Junction point creation may hang on a server where both a Symantec Backup Exec CPS agent and a Change Auditor agent are running. To resolve the problem, upgrade the CPS agent to 12.5 or later.

Client notes

Disabled audit events

Some events are disabled by default to improve the initial deployment process and reduce the amount of audited event information that Change Auditor is initially collecting. These audited events can easily be enabled on the Audited Events page of the Administration Tasks tab. Refer to the online help or appropriate Change Auditor Event Reference Guide for a list of the events that are disabled by default.

Enabling encrypted SQL Server connections

By default, connections to a SQL Server are not encrypted; however to encrypt all data transmitted between an application computer and a computer running a SQL Server instance, you can use the Secure Sockets Layer (SSL). For more details on configuring client network protocols, please refer to the following Microsoft article:

ADAM (AD LDS) auditing

Monitoring ADAM (AD LDS) instances on workgroup servers

Run the appropriate Dell Change Auditor Agent 6.msi file on the workgroup server to install a Change Auditor agent to monitor ADAM (AD LDS) instances on non-domain servers. Refer to Install Change Auditor Agent to Audit ADAM (AD LDS) on Workgroup Servers for more information.

Change Auditor for SQL Server - SQL auditing

Auditing events on SQL Server 2008 SP1 Update 5 (or higher)

Due to a hotfix Microsoft released for SQL Server 2008 SP1 Update 5 (or higher), Change Auditor agents will no longer capture SQL-related events unless the following action is taken on the SQL Server:

- SQL Server 2008: Using SQL Server Configuration Manager, add the string ";-T1906" to the end of the SQL Server Startup Parameters on the Advanced tab in the SQL Server Properties dialog.
- SQL Server 2012: Using SQL Server Configuration Manager, add a new startup parameter called -T1906 on the Startup Parameters tab in the SQL Server Properties dialog.

This requires a SQL Server service restart. See the following article for more information:

SQL Server auditing for Itanium platform - Not supported

Auditing of SQL Servers running on Itanium platforms is NOT supported.
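
Whether the -T1906 startup parameter described above is configured can be read back from the registry, where SQL Server Configuration Manager stores each startup parameter as a SQLArgN value. The following PowerShell is an added example, not part of the Dell guide; the function name and status strings are hypothetical. It runs on the audited SQL Server and covers instances registered in the native registry view only.

```powershell
# Added example: report, per local SQL Server instance, whether the -T1906
# startup parameter is configured. Names and status strings are illustrative.

function Get-TraceFlag1906Status {
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

    # 'Instance Names\SQL' maps instance name -> instance ID
    # (for example MSSQLSERVER -> MSSQL10.MSSQLSERVER).
    $instances = Get-Item -Path "$root\Instance Names\SQL" -ErrorAction SilentlyContinue
    if (-not $instances) {
        Write-Warning 'No SQL Server database engine instance is registered on this computer.'
        return
    }

    foreach ($name in $instances.GetValueNames()) {
        $id       = $instances.GetValue($name)
        $paramKey = Get-Item -Path "$root\$id\MSSQLServer\Parameters" `
                        -ErrorAction SilentlyContinue

        # Startup parameters are stored as SQLArg0, SQLArg1, ... in order.
        $startup = @()
        if ($paramKey) {
            $startup = @($paramKey.GetValueNames() |
                Where-Object { $_ -like 'SQLArg*' } |
                Sort-Object { [int]($_ -replace '\D', '') } |
                ForEach-Object { ([string]$paramKey.GetValue($_)).Trim() })
        }

        # -ccontains is case-sensitive. Microsoft documents that trace flags
        # must be passed with an uppercase -T; a lowercase -t is accepted by
        # SQL Server but also sets other internal trace flags.
        if ($startup -ccontains '-T1906') {
            $status = 'Present'
        }
        elseif ($startup -contains '-T1906') {
            $status = 'PresentLowercaseT'
        }
        else {
            $status = 'Missing'
        }

        [pscustomobject]@{
            Instance          = $name
            InstanceId        = $id
            TraceFlag1906     = $status
            StartupParameters = $startup -join ';'
        }
    }
}

Get-TraceFlag1906Status | Format-List
```

A status of Present only shows that the parameter is configured; as the guide notes, it takes effect after the SQL Server service has been restarted.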

B Multi-Forest Deployments

Change Auditor can be configured to audit and report on one or many Active Directory forests. For many customers, searching for compliance audit data over multiple forests can be a challenging task. Deploying Change Auditor using a single database backend allows you to collect and store data across your forests. This appendix covers the following multi-forest deployment topics:

- Requirements
- Installation
- Configuration

Requirements

Network connectivity between each monitored forest

- Coordinators in all forests connect directly to the SQL server that is hosting the Change Auditor audit database.
- Coordinators require the ability to resolve the hostname of the SQL server OR must be configured to use the IP address of the SQL server.

At least one (1) Change Auditor coordinator must be deployed in each forest

The coordinator is responsible for collecting and maintaining the topology information for each forest. This includes domains, sites, domain controllers, and member servers. The coordinator is also responsible for many other periodic tasks such as:

- Sending alerts via email, SNMP, or WMI
- Sending agent configuration settings, auditing and protection templates
- License enforcement
- Agent status updates
- Agent installation and upgrade
- Auto-deployment
- Event statistics
- Group membership expansion

Change Auditor groups are created in each forest

Users that wish to connect to coordinators in other forests must be added to either the ChangeAuditor Administrators - <InstallationName> OR ChangeAuditor Operators - <InstallationName> in the forest where the coordinator is joined.

Credentials for the Microsoft SQL Server backend

Depending on whether or not the Active Directory forests have a trust in place, Change Auditor will need to be configured to use the appropriate SQL credentials. Two example scenarios are described below.

Scenario A

One or more of the forests DO NOT have a valid trust in place

- The SQL server MUST have SQL authentication enabled. By default, SQL Server Authentication is disabled and must be manually enabled.
- The Change Auditor coordinator that is NOT part of the same forest where the SQL server is joined to, must be configured to use a SQL user account, NOT a domain user account.

NOTE: This is required because SQL Server only allows Kerberos authentications when attempting to connect using a Windows user account. Passing credentials is NOT allowed.

Scenario B

All forests HAVE a valid trust in place

- Each of the Change Auditor coordinators may be configured to use either authentication type. Both Windows OR SQL user accounts may be used in each of the forests.

Installation

In the following diagram, there are two separate forests where Change Auditor will be deployed. Forest A will be deployed first and Forest B will be added afterwards.

Forest A Installation

1 Install the Change Auditor coordinator on a member server in Forest A. In this example, Coordinator1.ForestA.com will be used as the coordinator server.

  While installing the first coordinator, make note of the Installation name that is used. The same installation name will be used to deploy the coordinator in Forest B (ForestB.net).

  Also take note of the SQL server host and credential information. This server and account will also be used in the second forest. The required information will be as follows:

  - SQL Server hostname or IP address AND Instance name if applicable
  - Database or Catalog name
  - User name, password, and domain if applicable

2 Install the Change Auditor client on either a workstation OR member server. In this example, CAClient1.ForestA.com will be used as the client computer.

3 Using the Change Auditor client, connect to the coordinator in Forest A to deploy Change Auditor agents on to the domain controllers and/or member servers in Forest A. See Deploy Change Auditor Agents for further details about deploying agents using the client.

4 At this point, Change Auditor should be fully deployed to the first forest in the organization (ForestA.com in this example).

Forest B Installation

5 Install the Change Auditor coordinator on a member server in Forest B. In this example, Coordinator2.ForestB.net will be used as the coordinator server.

  While installing the second coordinator, you must use the Installation name that was selected in the first forest.

  Also during the installation of the second coordinator, you must use the same SQL server and Database name that was used in the first coordinator's installation. The Windows or SQL user account may be different than the account used in the first installation. It is strongly recommended that the same database access account used in the first forest also be used in the second forest.

  If a different user account for database access is used in the second coordinator's installation, the following permissions must be granted before the installation is started:

  - db_owner database role on the Change Auditor database
  - dbcreator server role

6 Install the Change Auditor client on either a workstation OR member server. In this example, CAClient2.ForestB.net will be used as the client computer.

7 Using any client, connect to the coordinator in Forest B to deploy Change Auditor agents on to the domain controllers and/or member servers in Forest B.

8 Change Auditor is now fully configured to collect audit data from both forests into a single database. Reports and alerts can be run from any client to return data related to one or all of the deployed forests.

9 Additional forests may be deployed by following steps 5 through 9.

Configuration

This section discusses how Change Auditor configurations are handled in multi-forest environments, including:
- Audit and protection configuration flow
- Event flow
- Reports and queries from the client

Audit and protection configuration flow

Audit and protection configurations are maintained using the Change Auditor client that is installed on either workstations or member servers. Configuration changes are stored in the SQL backend database by the coordinator service.

The following configurations can be shared across forests regardless of the forest trust level:
- Active Directory Auditing - Object Class\Attributes
- ADAM\AD (LDS) Auditing - Object Class\Attributes
- Excluded Accounts templates
- File System Auditing templates
- Registry Auditing templates
- Service Auditing templates
- VMware Auditing templates

- SQL Auditing templates
- SonicWALL Auditing templates
- Audit Event configurations (e.g., enabled/disabled, severity level)

The following configurations can be shared when a two-way trust exists:
- Active Directory Protection templates
- ADAM\AD (LDS) Protection templates
- Exchange Protection templates
- File System Protection templates
- Group Policy Protection templates

NOTE: A trust is required in order to view the Active Directory accounts in the other forest for protection account exclusions.

Event flow

Audit events that are recorded by Change Auditor agents are first queued in a local database on each agent computer. Events are then batched and forwarded to a Change Auditor coordinator. The coordinator checks for new events every 10 seconds and does a bulk insert of the event details to the SQL database.

Reports and queries from the client

Change Auditor clients do not connect directly to the SQL backend database. Instead, search results and configuration change requests are processed by the coordinator to which the client is currently connected. Clients can connect to any coordinator provided that the logged on user is a member of either the ChangeAuditor Administrators - <InstallationName> or the ChangeAuditor Operators - <InstallationName> group in the respective forest.

By default, user-configured alerts (SMTP, SNMP, and WMI) are generated and sent from the first installed coordinator in the Change Auditor installation.

C Workstation Agent Deployment

Change Auditor workstation agents are required to capture logon activity events when a Change Auditor for Logon Activity Workstation license is applied. This appendix provides recommendations for deploying Change Auditor agents necessary for auditing both domain workstations and non-domain workstations. It also includes instructions on manually deploying workstation agents.
- Recommendations/Deployment requirements
- Manual Workstation Agent Deployment

Recommendations/Deployment requirements

All workstation agents
- .NET Framework 4.0 is the minimum requirement (available in Autorun.exe | Redistributables). See Change Auditor workstation agent (Optional) for a full list of the system requirements for workstation agents.
- Dell highly recommends a phased approach to deploying workstation agents. A phased approach, where a maximum of 100 workstation agents are deployed at a time, will allow you to monitor the coordinator performance before deploying another batch of agents.

Deploying workstation agents (domain workstations)
- Recommended installation is from the Deployment tab of the Change Auditor Windows client. See Deploy Change Auditor Agents for more information on using the Deployment tab to deploy agents.
- Alternately, Change Auditor workstation agents can be manually deployed. See Manual Workstation Agent Deployment for more information on manually installing agents.

Deploying foreign workstation agents (non-domain workstations)
- A routable network path must exist between non-domain workstations, domain controllers and the Change Auditor coordinator server(s).
- Name resolution of domain controller(s) and the coordinator servers is also required from the non-domain workstations, whether DNS server configuration, NetBIOS/WINS configuration or local hosts file entries are used.
- Required installation is to manually deploy the Change Auditor workstation agent. See Manual Workstation Agent Deployment for more information.
- During installation, the Change Auditor workstation agent prompts for Active Directory domain and credential information in order to locate a Change Auditor coordinator and installation name.

- When the first foreign workstation agent is manually installed, a ChangeAuditor Agents - <InstallationName> security group is created. User accounts must be added to this security group in order to properly authenticate.
- The Workstation Agent installer allows you to add the domain user account to the ChangeAuditor Agents - <InstallationName> security group, if appropriate LDAP and network protocol access is available.
  NOTE: In some cases, it might be necessary to pre-stage\create the ChangeAuditor Agents - <InstallationName> security group and manually add the configured workstation agent user account to the security group.
- The Coordinator Credential Configurator can also be used to change between coordinator domains at any time after the agent is installed, if desired.
  NOTE: The Coordinator Credential Configurator application can be launched using the CoordinatorCredentialConfigurator.exe file in the agent installation folder on the workstation. The default agent installation location is: %ProgramFiles%\Dell\ChangeAuditor\Agent

Manual Workstation Agent Deployment

When installed manually, the Change Auditor Workstation Agent installer must be run as an account with local administrator privileges and with elevated User Account Control (UAC) permissions.

NOTE: Depending on the User Account Control (UAC) policies (refer to User Account Control (UAC) Settings for more information), elevated UAC permissions may require launching the installer using one of the following methods:
- Shift + Right-click the installer and select Run as a different user
- From the Windows Task Manager, select File | Run New Task, browse and select the Change Auditor Workstation Agent installer file, and select the Create this task with administrative privileges option, then click OK.

To manually install a workstation agent:

1. Copy the appropriate agent installer package from the Change Auditor service installation directory (%ProgramFiles%\Dell\ChangeAuditor\Service) to the workstation to be monitored:
   - Dell Change Auditor Workstation Agent 6 (x64).msi
   - Dell Change Auditor Workstation Agent 6 (x86).msi
2. Execute the installer file on the workstation. This will launch the Dell Change Auditor Workstation Agent Setup wizard which will step you through the installation process.
3. Review the following table for additional information about the information requested in this wizard. This table only covers unfamiliar information. It does not include all the wizard pages or field descriptions.

   Table 4. Change Auditor Workstation Agent wizard

   Active Directory Information screen
   On the Active Directory Information screen, enter the Active Directory information which will allow the Change Auditor agent to establish a coordinator connection.
     Name of Active Directory Root Domain (domain.com): Enter the DNS name (domain.com) of the root domain of Active Directory.
     Account Name (domain\user): Enter the name of the user (domain\user) that can find and connect to a Change Auditor coordinator in the Active Directory forest.
     Account Password: Enter the password associated with the user account entered above.
     Add this user to the ChangeAuditor Agents - <InstallationName> security group: This check box is selected by default indicating that the user account specified above will be added to the ChangeAuditor Agents security group.
       NOTE: User accounts must be added to this security group in order to properly authenticate.

   Installation Name screen
   The Installation Name screen will prompt you to enter the installation name to identify the database to which the coordinator is to be connected. A workstation agent must join an existing Change Auditor installation.
     ChangeAuditor Installation Name: Click Next to use the DEFAULT installation name. If you want to use a different Change Auditor installation, enter the installation name of an existing Change Auditor installation or click the Browse button to select an existing Change Auditor installation. Clicking the Browse button will display the Browse for ChangeAuditor Installation dialog allowing you to select from a list of existing installations.
4. Repeat to install a workstation agent to all of the workstations to be monitored.
5. In order to enable the workstation agent detection of authentication activity events, the Audit Logon events audit policy must be enabled on all monitored workstations. Use either Local Security Policy or Group Policy Object (GPO) settings where appropriate.
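The prerequisites that this appendix attaches to a manual workstation install (elevation, .NET Framework 4.0, name resolution of the coordinator and domain controllers, and the logon audit policy from step 5) can be checked in one pass on the workstation. The script below is an added example, not part of the Dell guide or the product. Its assumptions: the English auditpol category name Logon/Logoff, which is where the Audit Logon events policy appears in auditpol output; the full .NET Framework 4 registry key; and a placeholder domain controller name alongside the guide's example coordinator name.

```powershell
# Added example: pre-flight check before a manual workstation agent install.
# Run from an elevated PowerShell prompt on the workstation to be monitored.
param(
    # Coordinator1.ForestA.com is the guide's example coordinator;
    # dc1.ForestA.com is a placeholder domain controller name.
    [string[]]$RequiredHosts = @('Coordinator1.ForestA.com', 'dc1.ForestA.com')
)

function New-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Test-Elevated {
    # True only when the current token carries the local Administrators group (UAC elevated).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DotNet4 {
    # Assumption: the full .NET Framework 4 profile is what the agent needs.
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $prop = Get-ItemProperty -Path $key -Name Install -ErrorAction SilentlyContinue
    [bool]($prop -and ($prop.Install -eq 1))
}

function Test-NameResolution {
    # Uses the Windows resolver, so DNS and hosts file entries are both honoured.
    param([string]$HostName)
    try   { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true }
    catch { return $false }
}

function Get-LogonAuditSetting {
    # /r produces CSV. Returns the Logon subcategory setting, or $null if auditpol
    # fails (for example when the session is not elevated).
    $raw = & auditpol.exe /get '/category:Logon/Logoff' /r 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) { return $null }
    $rows  = $raw | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $logon = $rows | Where-Object { $_.Subcategory -eq 'Logon' } | Select-Object -First 1
    if ($logon) { return $logon.'Inclusion Setting' }
    return $null
}

$results = @()
$results += New-Check 'Elevated administrator session' (Test-Elevated) 'Installer needs local administrator rights with UAC elevation'
$results += New-Check '.NET Framework 4.0 or later' (Test-DotNet4) 'Minimum requirement for workstation agents'

foreach ($h in $RequiredHosts) {
    $results += New-Check "Name resolution: $h" (Test-NameResolution $h) 'Required from non-domain workstations'
}

$audit = Get-LogonAuditSetting
# Assumption of this example: any setting other than "No Auditing" counts as enabled.
$auditOk = [bool]($audit -and ($audit -ne 'No Auditing'))
$auditDetail = 'auditpol could not be queried'
if ($audit) { $auditDetail = "Logon subcategory: $audit" }
$results += New-Check 'Audit Logon events policy' $auditOk $auditDetail

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize -Wrap

if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```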

User Account Control (UAC) Settings

UAC policies typically use different settings for the Administrator account and other accounts with Administrative privileges, so it may be easier to run the Change Auditor Workstation Agent installer with elevated UAC permissions if the Administrator account is used.

General UAC elevation and prompt level configurations can be accessed via the Control Panel User Access Control configuration. More specific UAC policies can be configured in the Local Security Policy or a Group Policy Object (where appropriate) to determine whether all Administrators or the built-in Administrator account are run in Admin Approval Mode, the elevation prompt level, whether the secure desktop is used for prompting, whether elevation is possible without prompting, etc.

D Install Change Auditor Agent to Audit ADAM (AD LDS) on Workgroup Servers

Change Auditor provides the ability to audit Active Directory Application Mode (ADAM) or Active Directory Lightweight Directory Services (AD LDS) events. One use case scenario for this feature is the use of an ADAM (AD LDS) instance for the Exchange 2007 Edge Transport Server Role. This appendix provides information regarding the agent installation necessary for auditing ADAM (AD LDS) instances on workgroup servers.

Agent installation

NOTE: A Change Auditor agent must be installed on the server where the ADAM (AD LDS) instance to be audited resides.

To install agents to audit ADAM (AD LDS) on workgroup servers:

1. Copy the appropriate agent installer package from the Change Auditor service installation directory (the default directory is %ProgramFiles%\Dell\ChangeAuditor\Service) to the workgroup server to be monitored:
   - Dell Change Auditor Agent 6 (x64).msi
   - Dell Change Auditor Agent 6 (x86).msi
2. Execute the installer file on the workgroup server. This will launch the Change Auditor Agent wizard which will step you through the installation process.
3. Review the following table for additional information about the information being requested in this wizard. This table only covers unfamiliar information. It does not include all the wizard screens or field descriptions.

   Table 5. Change Auditor Agent wizard

   Active Directory Information screen
   On the Active Directory Information screen, enter the Active Directory information which will allow the Change Auditor agent to establish a coordinator connection.
     Name of Active Directory Root Domain (domain.com): Enter the DNS name (domain.com) of the root domain of Active Directory.
     Account Name (domain\user): Enter the name of the user (domain\user) that can find and connect to a Change Auditor coordinator in the Active Directory forest.
     Account Password: Enter the password associated with the user account entered above.

   Installation Name screen
   The Installation Name screen will prompt you to enter the installation name to identify the database to which the coordinator is to be connected. A workgroup agent must join an existing Change Auditor installation.
     ChangeAuditor Installation Name: Enter the installation name of an existing Change Auditor installation. Or click the Browse button to select an existing Change Auditor installation. Clicking the Browse button will display the Browse for ChangeAuditor Installations dialog allowing you to select from a list of existing installations.

E Dell One Identity Active Roles Server Integration

One Identity Active Roles Server (ARS) uses a proxy account (service account) to connect and make changes to Active Directory objects and group policies. Change Auditor provides a means for deploying to an ARS server which signals ARS to retrieve and send the name of the user that was logged into the ARS console to Change Auditor. This additional information is then displayed in the Change Auditor client for events initiated using ARS.

NOTE: Change Auditor audits changes made via ARS workflow as being initiated by the ARS service account.

This appendix covers the following topics for ARS integrations:
- Requirements
- Deploying Change Auditor/ARS integration scripts
- Client components added to Change Auditor
- Removing deployed Change Auditor/ARS integration scripts
- Troubleshooting Tips

Requirements

One Identity Active Roles Server
- One Identity Active Roles Server 6.7 (or higher)
  NOTE: In order to capture the additional events and initiator account information available with the latest integration scripts, you must be running One Identity Active Roles Server 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher).
- Microsoft .NET Framework must be installed and enabled on the target ARS server:
  - One Identity Active Roles Server pre-6.9: .NET Framework 3.5
  - One Identity Active Roles Server 6.9 (or higher): .NET Framework 4.5 (or higher)
- PowerShell 2.0 must be installed on the target ARS server
- PowerShell Execution policy must be set to all signed, remote signed or unrestricted on the target ARS server. (For more information on running Windows PowerShell scripts, see
- ARS administrator rights are required to deploy the Change Auditor/ARS integration scripts.

- The ARS service account (or the override account) must be authorized to access the Change Auditor SDK. That is, add the ARS service account to the ChangeAuditor Administrators security group.
  NOTE: If you need to use a role with the minimum permissions, use the Application User Interface page on the Administration Tasks tab to define a new role that contains the Add Sdk and View Sdk operations. For more information on using the Application User Interface page to define a new role, see the Dell Change Auditor User Guide.

Change Auditor for Active Directory
- Change Auditor for Active Directory 5.6 (or higher)
  NOTE: In order to capture the additional events and initiator account information available with the latest integration scripts, you must be running One Identity Active Roles Server 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher).
- A Change Auditor agent must be deployed to a server running One Identity Active Roles Server
  NOTE: If ARS replication is configured correctly, you only need to deploy the integration script to one ARS server.

Deploying Change Auditor/ARS integration scripts

In order for ARS to retrieve the name of the user that was logged into the ARS console and forward this information onto Change Auditor, you must first deploy the Change Auditor/ARS integration scripts to an ARS server.

NOTE: If the ActiveRoles scripting module has been deployed in a previous Change Auditor version, please refer to the following knowledge base article which details the process to move to the updated version of these scripting modules that are available in Change Auditor 6.x:

To deploy Change Auditor/ARS integration scripts:

1. Open the Deployment page.
2. Select a server where One Identity Active Roles Server is installed.
3. Expand the Advanced Options tool bar and select one of the following options:
   - Active Roles Integration | Deploy Scripts Only
   - Active Roles Integration | Deploy Scripts and Excluded Account
4. If you select the Deploy Scripts Only option, Change Auditor copies and runs the ARS integration PowerShell script on the ARS server which triggers ARS to retrieve the initiator information for all users and pass this information onto Change Auditor.
5. If you select the Deploy Scripts and Excluded Accounts option, the Select Active Directory Objects dialog appears. Use either the Browse or Search page to locate and select a user or computer to be excluded. Change Auditor then deploys the integration scripts that signal ARS to retrieve the initiator information for all accounts except for those specified for exclusion.

6. Once successfully deployed, Success is displayed in the Deployment Results cell for the server.
   NOTE: If errors are encountered during the deployment process, corresponding error messages are displayed in the Deployment Results cell. Fix the errors reported and then redeploy the scripts.

Client components added to Change Auditor

Once the Change Auditor/ARS script is deployed, the initiator information retrieved from ARS can be viewed on the Search Results page in the Change Auditor client. You can use the following features, which have been added to the Change Auditor client, to display this additional information:
- New field on the Event Details pane that displays the additional information retrieved from ARS.
- New built-in report that retrieves all Active Directory changes, including those initiated by ARS. Running this report also displays the Initiator UserName and EventSource columns in the search results.
- New columns on the Layout tab allowing you to add the event source and initiator information to other search definitions.
- New option on the Who tab that allows you to create a custom search to search for events initiated by a specific user, including those initiated by ARS.
- New tags to include the additional information in alert notifications.

Event Details pane

A new field, Source, has been added to the Event Details pane which displays the name of the application from which the change event was generated (i.e., Change Auditor, ActiveRoles Server, or GPOADmin). In addition, for change events generated by ARS or GPOADmin, the name of the user account that initiated the change is displayed in parentheses.

NOTE: If the Source field displays ActiveRoles (instead of ActiveRoles Server) you are not using the latest integration scripts. If you want to take advantage of the additional events and initiator account information captured using the new integration scripts, ensure you are running One Identity Active Roles Server 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher).

All Active Directory events including ActiveRoles/GPOADmin initiator built-in report

A built-in report has been created, which retrieves events for all Active Directory changes, including those initiated by ARS or GPOADmin. The search definition for this report also includes the initiator information (Initiator UserName and EventSource columns) in the search results.

To execute the built-in ARS search:

1. Open the Searches page.
2. Expand and select the Shared | Built-in | All Events folder to display the built-in searches available.
3. In the right-hand pane, locate the All Active Directory Events Including ActiveRoles/GPOAdmin Initiator search and use one of the following methods to run the selected search:

   - Double-click a search definition
   - Right-click a search definition and select the Run menu command
   - Select the search definition and click the Run tool bar button at the top of the Searches page
4. A new Search Results page appears populated with the audited events that met the search criteria, including the Initiator UserName and EventSource information.

Layout tab

New columns have been added to the Change Auditor database to record the information retrieved from ARS or GPOADmin. These new columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can add the following information to the Search Results grid for all searches:
- EventSource - for all events, the name of the application from which the event was generated (i.e., Change Auditor, ActiveRoles Server, or GPOADmin).
- Initiator Mail - for events generated by ARS or GPOADmin, the address of the user that initiated the change.
- Initiator SID - for events generated by ARS or GPOADmin, the SID of the user that initiated the change.
- Initiator UserName - for events generated by ARS or GPOADmin, the name of the user that initiated the change.

To add new columns to the Search Results grid:

1. Open the Layout tab.
2. Locate the new columns (EventSource, Initiator Mail, Initiator SID, and/or Initiator UserName) in the Unselected Columns table.
3. Select the columns to be added to the Search Results grid and use the right arrow button to move them to the Selected Columns table. The column will be added to the bottom of the list or beneath the highlighted column in the Selected Columns table. You can also drag and drop a column to the Selected Columns table.
4. The Selected Columns table also displays the order the columns will be presented. To rearrange the order of columns, use the up and down arrow buttons located to the right of the Selected Columns table. You can also drag and drop columns within this table to define the order.

Who tab

When using the Who tab to retrieve change events initiated by a specific user, changes initiated by ARS will not automatically be included in the search. A new check box has been added to the Who tab which instructs Change Auditor to retrieve all change events initiated by the specified user, including those made through ARS and GPOADmin.

To include ARS initiated events:

1. Open the Searches page.
2. In the explorer view (left pane), expand and select the folder where you want to save your search (e.g., Shared or Private).
3. Click the New tool bar button to enable the Search Properties tabs.
4. On the Who tab, click the Add tool bar button to add an active user, computer or group to the who list.
5. On the Select one or more Directory Objects dialog, use either the Browse or Search page to search your environment to locate the user, computer or group to be included.

   Once you have located the directory object to be included, select it and click the Add button to add it to your selection list. Repeat this step to include each additional directory object.
6. After selecting one or more directory objects, click the Select button to save your selection and close the dialog.
7. Back on the Who tab, select the Include Event Source Initiator check box.
   NOTE: Including the event source initiator may have a noticeable effect on the search performance, depending on the size of the database and the number of results returned in the search.

When this search is run, Change Auditor will retrieve all events made by the specified user account, including those initiated by ARS. In addition, when this check box is selected the Initiator UserName column is added to the Search Results grid for this search. For events initiated by ARS, this column contains the user account that was logged into the ARS console.

tags

New Change Auditor/ARS integration tags are available which can be added to the event details of alert notifications. These new tags are:
- %EVENTSOURCE% - indicates the application where the change event came from: Change Auditor, ActiveRoles Server, or GPOADmin.
- %INITIATORMAIL% - for events generated by ARS or GPOADmin, the address of the user that initiated the event.
- %INITIATORSID% - for events generated by ARS or GPOADmin, the SID of the user that initiated the event.
- %INITIATORUSERNAME% - for events generated by ARS or GPOADmin, the name of the user that initiated the event.

See the Dell Change Auditor User Guide for more information on how to configure and enable notifications and customize content.

Removing deployed Change Auditor/ARS integration scripts

You can use the ARS console to manually remove previously deployed Change Auditor/ARS integration scripts, as described below:

1. Open Configuration | Policies | Administration.
2. Right-click Quest ChangeAuditor Integration Policy, select Policy Scope.
3. Remove Active Directory in the object list.
4. Delete Quest ChangeAuditor Integration Policy.
5. Navigate to Configuration | Server Configuration | Scheduled Task and delete ChangeAuditor Event Store Task.
6. Navigate to Configuration | Script Modules and delete Quest ChangeAuditor Integration Script and Quest ChangeAuditor Event Store Script.
7. Open View | Mode and select Raw Mode.
8. Navigate to Configuration | Application Configuration | Services and delete Quest ChangeAuditor Event Store.

Troubleshooting Tips

Not receiving events from ARS

To diagnose problems with receiving events from ARS, check the EDM Server event log on the ARS server.

Initiator information missing in Change Auditor event

Some events do not provide the initiator account information; some reasons for this are described below:

1. Manually created objects
   As of this release, computer objects that are manually created do not capture the initiator account information of the user that initiated the change.
2. Protect/Unprotect objects
   If an object is protected/unprotected via the ARS console, the initiator account will be missing from Change Auditor. The Protect/Unprotect operation in ARS is not a direct Active Directory attribute operation. When you protect/unprotect an object, you actually add an Access Template link to the security descriptor in Active Directory. Because of this, the initiator account information is not captured for events related to protect/unprotect events.
3. Deprovisioned objects
   Objects that have been deprovisioned do not capture the initiator account information; this is by design.
4. In some scenarios, the following events do not capture the initiator account information when made through the ARS console:
   - User password changed
   - User password changed by non-owner
   - User must change password at next logon option changed

F Dell GPOADmin Integration

GPOADmin uses a proxy account (service account) to connect and make changes to Active Directory objects and group policies. In past releases, Change Auditor only captured the service account name in the event details for changes initiated through GPOADmin. GPOADmin now integrates with Change Auditor and allows the name of the user who initiated the GPOADmin operation and comments to be displayed in the Change Auditor client.

NOTE: GPOADmin only sends initiator and comment information to Change Auditor for the following operations:
- GPO deployment
- Working copy check in
- Working copy check out

This appendix covers the following topics for GPOADmin integrations:
- Requirements
- Client components added to Change Auditor
- Troubleshooting tips

Requirements

GPOADmin
- GPOADmin 5.5 (or higher)
  NOTE: Change Auditor 5.7, 5.8 and 5.9 are compatible with GPOADmin 5.5, 5.6 or 5.7. Change Auditor 5.9, 6.0 and 6.5 are compatible with GPOADmin 5.8.
- The GPOADmin service account must be authorized to access the Change Auditor SDK. That is, add the GPOADmin service account to the ChangeAuditor Administrators security group.
  NOTE: If you need to use a role with the minimum permissions, use the Application User Interface page on the Administration Tasks tab to define a new role that contains the Add Sdk and View Sdk operations. For more information on using the Application User Interface page to define a new role, see the Dell Change Auditor User Guide.

Change Auditor for Active Directory
- Change Auditor for Active Directory 5.7 (or higher)
  NOTE: Change Auditor 5.7, 5.8 and 5.9 are compatible with GPOADmin 5.5, 5.6 or 5.7. Change Auditor 5.9, 6.0 and 6.5 are compatible with GPOADmin

Client components added to Change Auditor

The initiator information retrieved from GPOADmin can be viewed on the Search Results page in the Change Auditor client. You can use the following features, which have been added to the Change Auditor client, to display this additional information:
- New field on the Event Details pane that displays the additional information retrieved from GPOADmin.
- New built-in report that retrieves all Active Directory changes, including those initiated by GPOADmin. Running this report also displays the Initiator UserName and EventSource columns in the search results.
- New columns on the Layout tab allowing you to add the event source and initiator information to other search definitions.
- New option on the Who tab that allows you to create a custom search to search for events initiated by a specific user, including those initiated by GPOADmin.
- New tags to include the additional information in alert notifications.

Event Details pane

A new field, Source, has been added to the Event Details pane which displays the name of the application from which the change event was generated (i.e., Change Auditor, ActiveRoles Server, or GPOADmin). In addition, for change events generated by GPOADmin or One Identity Active Roles Server, the name of the user account that initiated the change is displayed in parentheses.

All Active Directory events including ActiveRoles/GPOADmin initiator built-in report

A built-in report has been created, which retrieves events for all Active Directory changes, including those initiated by GPOADmin and ARS. The search definition for this report also includes the initiator information (Initiator UserName and EventSource columns) in the search results.

To execute the built-in GPOADmin search:

1. Open the Searches page.
2. Expand and select the Shared | Built-in | All Events folder to display the built-in searches available.
3. In the right-hand pane, locate the All Active Directory Events Including ActiveRoles/GPOADmin Initiator search and use one of the following methods to run the selected search:
   - Double-click a search definition
   - Right-click a search definition and select the Run menu command
   - Select the search definition and click the Run tool bar button at the top of the Searches page
4. A new Search Results page appears populated with the audited events that met the search criteria, including the Initiator UserName and EventSource information.

Layout tab

New columns have been added to the Change Auditor database to record the information retrieved from GPOADmin or ARS. These new columns are not displayed by default on a Search Results page for most searches. However, using the Layout tab you can add the following information to the Search Results grid for all searches:
- EventSource - for all events, the name of the application from which the event was generated (i.e., Change Auditor, ActiveRoles Server, or GPOADmin).
- Initiator Mail - for events generated by GPOADmin or ARS, the address of the user that initiated the change.

- Initiator SID - for events generated by GPOADmin or ARS, the SID of the user that initiated the change.
- Initiator UserName - for events generated by GPOADmin or ARS, the name of the user that initiated the change.

To add new columns to the Search Results grid:

1. Open the Layout tab.
2. Locate the new columns (EventSource, Initiator Mail, Initiator SID, and/or Initiator UserName) in the Unselected Columns table.
3. Select the columns to be added to the Search Results grid and use the right arrow button to move them to the Selected Columns table. The column will be added to the bottom of the list or beneath the highlighted column in the Selected Columns table. You can also drag and drop a column to the Selected Columns table.
4. The Selected Columns table also displays the order the columns will be presented. To rearrange the order of columns, use the up and down arrow buttons located to the right of the Selected Columns table. You can also drag and drop columns within this table to define the order.

Who tab

When using the Who tab to retrieve change events initiated by a specific user, changes initiated by GPOADmin will not automatically be included in the search. A new check box has been added to the Who tab which instructs Change Auditor to retrieve all change events initiated by the specified user, including those made through GPOADmin.

To include GPOADmin initiated events:

1. Open the Searches page.
2. In the explorer view (left pane), expand and select the folder where you want to save your search (e.g., Shared or Private).
3. Click the New tool bar button to enable the Search Properties tabs.
4. On the Who tab, click the Add tool bar button to add an active user, computer or group to the who list.
5. On the Select one or more Directory Objects dialog, use either the Browse or Search page to search your environment to locate the user, computer or group to be included.
   Once you have located the directory object to be included, select it and click the Add button to add it to your selection list. Repeat this step to include each additional directory object.
6. After selecting one or more directory objects, click the Select button to save your selection and close the dialog.
7. Back on the Who tab, select the Include Event Source Initiator check box.
   NOTE: Including the event source initiator may have a noticeable effect on the search performance, depending on the size of the database and the number of results returned in the search.

When this search is run, Change Auditor will retrieve all events made by the specified user account, including those initiated by GPOADmin. In addition, when this check box is selected the Initiator UserName column is added to the Search Results grid for this search. For events initiated by GPOADmin, this column contains the user account that was logged into the GPOADmin console.

tags

The following tags are available which can be added to the event details of alert notifications:
%EVENTSOURCE% - indicates the application where the change event came from: Change Auditor, Active Roles Server, or GPOADmin.
%INITIATORMAIL% - for events generated by GPOADmin or ARS, the address of the user that initiated the event.
%INITIATORSID% - for events generated by GPOADmin or ARS, the SID of the user that initiated the event.
%INITIATORUSERNAME% - for events generated by GPOADmin or ARS, the name of the user that initiated the event.

See the Dell Change Auditor User Guide for more information on how to configure and enable notifications and customize content.

Troubleshooting tips

If GPO events initiated by GPOADmin do not appear in the Change Auditor client as expected, check the following:

GPOADmin/Change Auditor integration is through the SDK. Once configured, Change Auditor agents receive the configured settings in the next configuration polling interval (default every 15 minutes). Before the configuration is received by a Change Auditor agent, GPOADmin initiator and comment information will not be available for GPO events. To make sure Change Auditor has the latest GPOADmin configuration, manually refresh the agent configuration (Refresh Configuration tool bar button on Agent Configuration Page on the Administration Tasks tab).
NOTE: This delay is only applicable when you first install GPOADmin/Change Auditor or when the service account in GPOADmin has changed.

Verify that the GPO is not being protected by Change Auditor's Group Policy Object Protection feature. When configured, Change Auditor prevents all changes to GPOs, regardless of the tool that is used to make the change (including GPOADmin).

GPOADmin only sends initiator and comment information to Change Auditor for GPO deployment, working copy check in, and working copy check out operations.

It may be necessary to restart the GPOADmin service before correct initiator information can be retrieved by Change Auditor. BEFORE restarting the GPOADmin service, check the Change Auditor coordinator's status to ensure that the coordinator has been initialized and is running.

G Windows Installer Command Line Options

This appendix lists the Windows Installer command line options (MSIEXEC.exe) that are available for deploying a Change Auditor agent or installing a Change Auditor coordinator.
Change Auditor agent options
Change Auditor coordinator options

For more information on using the Windows Installer (MSIEXEC.exe) refer to Microsoft's MSDN library.

Change Auditor agent options

Table 6. Change Auditor agent command line options

INSTALLATION_NAME="<name>", INSTALLATION_NAME_VALID="1" - Use these options to specify the Change Auditor installation name.
APPDIR="<install directory>" - Use this option to specify the installation path.
INSTALLER_ITAD_GPTBACKUP="<path>" - Use this option to specify a GPO backup path.
ADAM_LOGON="<username>", ADAM_DOMAIN="<domain name>", ADAM_PASSWORD="<password>" - Use these options to specify the user credentials to be used to access an ADAM instance.
SYSTRAY_AUTOSTART="1", SYSTRAY_AUTOSTART="0" - Use this option to specify whether to launch the agent system tray icon on startup. Set to "1" to launch the agent system tray icon. Set to "0" to not launch the agent system tray icon.
RESTARTONFAILURE="3", RESTARTONFAILURE="0" - Use this option to specify whether to automatically restart the agent on failure. Set to "3" to automatically restart the agent. Set to "0" to not automatically restart the agent.

EVENTLOG_BLOCK_OVERRIDE="1" - Use this option to specify whether to override event log block detection. Set to "1" to enable this override.
NOTE: When this setting is set to "0" (default), the event log detection is active, which detects whether or not the system EventLog service is holding one of Change Auditor's event log message DLLs open. If one of these DLLs is open, the Windows Installer Restart Manager can cause unpredictable restarts of dependent services.
NOTE: This applies to server agents running Windows Server 2008 (or later).
FOREIGN_LOGON_ACCOUNT="<domain\user>", FOREIGN_PASSWORD="<password>" - For foreign agents (non-domain members), use the following options to specify the foreign credentials to be used to find and connect to a Change Auditor coordinator in the Active Directory forest.
FOREIGN_FOREST_ROOT_DOMAIN="<FQDN>" - For foreign agents (non-domain members), use this option to specify the fully-qualified domain name (domain.com) of the root domain of Active Directory.
FOREIGN_CREATE_AGENT_GROUP="1" - For foreign agents (non-domain members), use this option to specify whether the logged in user is to be added to the ChangeAuditor Agents security group. Set to "1" to add the user to this security group.

Change Auditor coordinator options

Table 7. Change Auditor coordinator command line options

AGENT_LEGACY_PORT="<static port number>" - Use this option to assign the static port number to be used by legacy (5.x) Change Auditor agents to communicate with the coordinator.
AGENT_PORT="<static port number>" - Use this option to assign the static port number to be used by the Change Auditor 6.x agents to communicate with the coordinator.
AGREETOLICENSE="YES" - Use this option to agree to the Software License Agreement.
CLIENT_PORT="<static port number>" - Use this option to assign the static port number to be used by the Change Auditor client when communicating with the coordinator.
INSTALLATION_NAME="<installation name>" - Use this option to set the Change Auditor installation name.
SDK_PORT="<static port number>" - Use this option to assign the static port number to be used by external applications to access the coordinator.
SQLSERVER_DATABASE="<database name>" - Use this option to provide the name of the Change Auditor database.

SQLSERVER_AUTH="1" - Use this option to specify whether to use SQL or Windows authentication. Set to "1" to use SQL authentication.
SQLSERVER_SQLSERVER="<IP address\server name>" - Use this option to specify the SQL instance to be used to store the Change Auditor database.
SQLSERVER_LOGINID="<user name>" - Use this option to specify the user name to be used to connect to the SQL instance.
SQLSERVER_PASSWORD="<password>" - Use this option to specify the password to be used to connect to the SQL instance.
SQLSERVER_DOMAIN="<domain name>" - If Windows authentication is being used, use this option to specify the domain of the user credentials used to connect to the SQL instance.
ADD_USER_CAADMINS="1" - Use this option to specify whether the logged in user is to be added to the ChangeAuditor Administrators security group. Set to "1" to add the user to this security group.
EVENTLOG_BLOCK_OVERRIDE="1" - Use this option to specify whether to override event log block detection. Set to "1" to enable this override.
NOTE: When this setting is set to "0" (default), the event log detection is active, which detects whether or not the system EventLog service is holding one of Change Auditor's event log message DLLs open. If one of these DLLs is open, the Windows Installer Restart Manager can cause unpredictable restarts of dependent services.
NOTE: This applies to coordinators running Windows Server 2008 (or later).
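The Table 7 options assembled into an unattended coordinator install with SQL authentication, as an added PowerShell example that is not part of the Dell guide. The MSI path, installation name, SQL instance, database name and port numbers are placeholders or constructed values; the property names are the ones listed in Table 7, and the msiexec switches used are /i, /qn and /norestart.

```powershell
# Added example (not Dell's script): unattended coordinator install built from
# the Table 7 properties. Every default below is a placeholder or constructed.
param(
    [string]$MsiPath          = 'C:\Install\<coordinator package>.msi',  # placeholder
    [string]$InstallationName = 'DEFAULT',                               # constructed
    [string]$SqlInstance      = 'sql01.example.com\CAINSTANCE',          # constructed
    [string]$Database         = 'ChangeAuditor',                         # constructed
    [int]$ClientPort = 50000,                                            # constructed
    [int]$AgentPort  = 50001,                                            # constructed
    [int]$SdkPort    = 50002                                             # constructed
)

function Format-MsiProperty([string]$Name, [string]$Value) {
    # msiexec expects PROPERTY="value"; a literal quote inside the value is doubled.
    '{0}="{1}"' -f $Name, ($Value -replace '"', '""')
}

# Sanity-check the static ports before handing them to the installer:
# each must be a valid TCP port and no two listeners may share one.
$ports = @($ClientPort, $AgentPort, $SdkPort)
foreach ($p in $ports) {
    if ($p -lt 1 -or $p -gt 65535) { throw "Invalid port number: $p" }
}
if (@($ports | Select-Object -Unique).Count -ne $ports.Count) {
    throw 'CLIENT_PORT, AGENT_PORT and SDK_PORT must be distinct.'
}

# Prompt for the SQL login instead of hard-coding SQLSERVER_PASSWORD in a
# script or deployment share.
$sqlCred = Get-Credential -Message 'SQL login for the Change Auditor database'

$props = @(
    Format-MsiProperty 'AGREETOLICENSE'      'YES'
    Format-MsiProperty 'INSTALLATION_NAME'   $InstallationName
    Format-MsiProperty 'CLIENT_PORT'         "$ClientPort"
    Format-MsiProperty 'AGENT_PORT'          "$AgentPort"
    Format-MsiProperty 'SDK_PORT'            "$SdkPort"
    Format-MsiProperty 'SQLSERVER_AUTH'      '1'      # "1" = SQL authentication
    Format-MsiProperty 'SQLSERVER_SQLSERVER' $SqlInstance
    Format-MsiProperty 'SQLSERVER_DATABASE'  $Database
    Format-MsiProperty 'SQLSERVER_LOGINID'   $sqlCred.UserName
    Format-MsiProperty 'SQLSERVER_PASSWORD'  $sqlCred.GetNetworkCredential().Password
)

# The password is part of msiexec's command line while the install runs, so
# process-creation auditing that captures command lines, and a verbose MSI log
# if one is requested, may record it. No logging switch is passed here; treat
# any such records as containing a secret.
$argLine = (@('/i', ('"{0}"' -f $MsiPath), '/qn', '/norestart') + $props) -join ' '

try {
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argLine -Wait -PassThru
}
finally {
    # Drop the plaintext copies held by this session.
    Remove-Variable -Name props, argLine -ErrorAction SilentlyContinue
}

switch ($proc.ExitCode) {
    0       { 'Coordinator install succeeded.' }
    3010    { 'Coordinator install succeeded; a restart is required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode)" }
}
```

The same pattern applies to the agent options in Table 6 that carry credentials (ADAM_PASSWORD, FOREIGN_PASSWORD).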

H Data Migration

During the coordinator install, if you create a new Change Auditor 6.x database you can use the Data Migration tool to move events from your legacy (5.8 or higher) databases into this new database. In addition, you can use this tool to move events from your 6.x database to an archive database.

This appendix covers the following topics:
Before you begin
Data Migration tool

Before you begin

Please read the following information, which should be taken into consideration before you begin the data migration process.

Upgrade best practice

Ensure you have a good backup of SQL databases and Change Auditor configuration prior to beginning any upgrade/data migration.

In-place upgrade vs. offline data migration

Using this method to move your operational 5.x database is NOT recommended. If you use the Data Migration tool to move data into the new database, you will lose any custom alerts and agent configurations. In addition, in order to retain your custom searches and auditing/protection templates, they must first be exported before you migrate the data and then imported after the migration is completed. It is highly recommended that you use the in-place upgrade procedure to upgrade your current operational 5.x database. See Upgrade Change Auditor for more information on upgrading Change Auditor.

IMPORTANT: Creating a new Change Auditor database in an existing installation requires careful planning to ensure that the agents and configurations can be properly migrated to the new database. See the Dell Change Auditor Data Migration Guide for more information about using the data migration process versus the in-place upgrade process.

Change Auditor 6.x database and SQL Server autogrow feature

It is highly recommended that the Change Auditor 6.x database be set up using a pre-allocated disk space configuration greater than the expected size when migrating data to the Change Auditor 6.x database from another source. This is not an issue with Change Auditor 6.x itself, but when a SQL Server database is set to autogrow, the high rate of insertions done by Change Auditor 6.x could cause the autogrow feature to get into a state of constant growth, thus blocking inserts and possibly degrading SQL Server performance overall. In testing, this appears to happen when the Data Migration tool is inserting records at a high rate of speed while the Change Auditor 6.x coordinator is also processing high volumes of new events in an environment.

Estimate Change Auditor 6.x record size at around 8,000 bytes per event
Example 1: 1,000 events = 8MB estimated disk size required
Example 2: 30,000 events = 240MB estimated disk size required

Workaround: To avoid the database autogrow issues during high-volume insertions, follow this article which explains how to pre-allocate a database's size:

Data Migration tool

The Data Migration tool is installed with the Change Auditor client and can be launched using the right-click menu command available from the coordinator system tray. Use this migration tool to move events from legacy or archived Change Auditor 5.x (version 5.8 or higher) databases into a new or upgraded 6.x database or to move events from your operational 6.x database to an archive database.

The Data Migration tool consists of the following tabbed pages:
Source Database page
Destination Database page
Options page
Migration Progress page

Source Database page

Use the Source Database page to specify the Change Auditor database that is to be migrated and the credentials to be used for access. Enter the requested information as described below:

Table 8. Data Migration tool: Source Database page

SQL Server Instance - Enter the server name (member server running the SQL instance) and the SQL instance name of the 5.x or 6.x database to be migrated. Format: <FQDN of SQL Server>\<Instance Name>
Connect Using - Select one of the following options to define the authentication method to be used to access the existing Change Auditor database: Windows Authentication (default), SQL Authentication
Login ID - Enter the user name of the account to be used to access the designated SQL server instance.
Password - Enter the password associated with the user account entered above.
Domain - Enter the domain for the Windows account to be used to access the designated SQL server instance. NOTE: Only valid for Windows Authentication.
Database Name - Enter the name assigned to the Change Auditor database to be migrated.

Destination Database page

Use the Destination Database page to specify the new Change Auditor 6.x database and the credentials to be used for access. Enter the requested information as described below:

Table 9. Data Migration tool: Destination Database page

SQL Server Instance - Enter the server name (member server running the SQL server instance) and the SQL instance name of the 6.x database where events are to be moved. Format: <FQDN of SQL Server>\<Instance Name>
Connect Using - Select one of the following options to define the authentication method to be used to access the SQL server instance: Windows Authentication, SQL Authentication
Login ID - Enter the user name of the account to be used to access the designated SQL server instance.
Password - Enter the password associated with the user account entered above.

Domain - Enter the domain for the Windows account to be used to access the designated SQL server instance. NOTE: Only valid for Windows Authentication.
Database Name - Enter the name assigned to the Change Auditor 6.x database where events are being moved.

Options page

Use the Options page to define how to process existing database records after they have been migrated, as well as the migration mode to be used. Use the following options, as described below, to define how to process existing records and the migration mode to be used:

Table 10. Data Migration tool: Options page

Existing Records
Remove old data during migration - Select this check box if you want to remove the events from the database after they have been moved to the new 6.x database. NOTE: Removing old data from your 5.x database during migration could severely impact SQL Server's performance.
Migrate only events in the following date range - Select this check box if you want to only migrate events that occurred during a defined date range. Once selected, use the From and Through controls to specify the date range. Treat date/time selections as UTC: This check box is selected by default and bases your date range on UTC time. However, you can clear this check box if you want to base your date range on local machine time for your 6.x coordinator.

Migration Mode
Using one method over the other is a matter of speed; neither option will cause database corruption.
Fast Copy, no source data is present in target database - This option is selected by default and indicates that there are no Change Auditor 5.x records in the target database. Use this option if you have created a new Change Auditor 6.x database and this is the first time you are migrating data from this legacy database.
Checked Merge, some data has already been migrated - Select this option if you have already migrated some of your Change Auditor 5.x records to the target database. Use this option if you are migrating events, some of which might already be in the target database. For example, when re-running the migration after canceling it before it had finished.

Migration Progress page

The Migration Progress page appears once a data migration has been started and displays the progress of the different processes taking place. The valid states for these processes include:
Starting
Running
Completing
Complete
Waiting
Working
Exited
Reading
Writing
Cooldown (indicates that the tool senses a SQL timeout and puts the data updaters into a sleep state for a minute)

In addition, this page provides some migration statistics, such as the number of events being copied per second and an estimate of the time it will take to complete the migration.


SharePoint Farm Reporter Installation Guide

SharePoint Farm Reporter Installation Guide Table of Contents SharePoint Farm Reporter Installation Guide I. PRODUCT DESCRIPTION II. SYSTEM REQUIREMENTS AND RECOMMENDATIONS III. INSTALLATION STEPS IV. CONFIGURING APPLICATION V. UPGRADE SHAREPOINT

More information

8.2. Quick Start Guide

8.2. Quick Start Guide 8.2 Quick Start Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

One Identity Starling Two-Factor Authentication. Administration Guide

One Identity Starling Two-Factor Authentication. Administration Guide One Identity Starling Two-Factor Authentication Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Spotlight on SQL Server Enterprise Spotlight Management Pack for SCOM

Spotlight on SQL Server Enterprise Spotlight Management Pack for SCOM Spotlight on SQL Server Enterprise 11.7.1 Spotlight Management Pack for SCOM Copyright 2016 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

Setting up Quest QoreStor as an RDA Backup Target for NetVault Backup. Technical White Paper

Setting up Quest QoreStor as an RDA Backup Target for NetVault Backup. Technical White Paper Setting up Quest QoreStor as an RDA Backup Target for NetVault Backup Technical White Paper Quest Engineering June 2018 2018 Quest Software Inc. ALL RIGHTS RESERVED. THIS WHITE PAPER IS FOR INFORMATIONAL

More information

One Identity Manager 8.0. Data Archiving Administration Guide

One Identity Manager 8.0. Data Archiving Administration Guide One Identity Manager 8.0 Data Archiving Administration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell Secure Mobile Access Connect Tunnel Service User Guide

Dell Secure Mobile Access Connect Tunnel Service User Guide Dell Secure Mobile Access 11.4 Connect Tunnel Service 2016 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Toad Intelligence Central 3.3 New in This Release

Toad Intelligence Central 3.3 New in This Release Toad Intelligence Central 3.3 New in This Release Tuesday, March 28, 2017 This release of Toad Intelligence Central includes the following new features and enhancements. Toad Data Point Enter Variable

More information

Quest Migration Manager System Requirements and Access Rights

Quest Migration Manager System Requirements and Access Rights Quest Migration Manager 8.14 System Requirements and Access Rights 2018 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0 Cloud Access Manager 8.1.3 How to Configure for SSO to SAP Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide The Privileged Appliance and Modules (TPAM) 1.0 Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

One Identity Active Roles 7.2. Management Pack Technical Description

One Identity Active Roles 7.2. Management Pack Technical Description One Identity Active Roles 7.2 Management Pack Technical Description Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

MySonicWall Secure Upgrade Plus

MySonicWall Secure Upgrade Plus June 2017 This guide describes how to upgrade a SonicWall or competitor appliance in MySonicWall using the Secure Upgrade Plus feature. Topics: About Secure Upgrade Plus Using Secure Upgrade Plus About

More information

Dell One Identity Cloud Access Manager 8.0. Overview

Dell One Identity Cloud Access Manager 8.0. Overview Dell One Identity Cloud Access Manager 8.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Quest One Password Manager

Quest One Password Manager Quest One Password Manager Version 5.5 User Guide 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Toad Edge Installation Guide

Toad Edge Installation Guide Toad Edge 1.1.0 Installation Guide Copyright Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Toad Data Point - Professional Edition

Toad Data Point - Professional Edition Toad Data Point Version 3.6 New in This Release Thursday, October 23, 2014 Contents Toad Data Point - Professional Edition Toad Data Point - Base and Professional Editions Idea Pond Toad Data Point - Professional

More information

Quest Code Tester for Oracle 3.1. Installation and Configuration Guide

Quest Code Tester for Oracle 3.1. Installation and Configuration Guide Quest Code Tester for Oracle 3.1 Installation and Configuration Guide Contents Introduction to this Guide 3 Installation and Administration of Code Tester for Oracle 4 System Requirements 5 Test Repository

More information

Setting up the DR Series System with vranger. Technical White Paper

Setting up the DR Series System with vranger. Technical White Paper Setting up the DR Series System with vranger Technical White Paper Quest Engineering November 2017 2017 Quest Software Inc. ALL RIGHTS RESERVED. THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND

More information

One Identity Active Roles 7.2. Configuration Transfer Wizard Administrator Guide

One Identity Active Roles 7.2. Configuration Transfer Wizard Administrator Guide One Identity Active Roles 7.2 Configuration Transfer Wizard Administrator Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright.

More information

About Toad for Oracle 2017 Editions 2. Product release notes 4. Installation 5

About Toad for Oracle 2017 Editions 2. Product release notes 4. Installation 5 Revised 5/26/2017 Contents About 2 Product release notes 4 Installation 5 System requirements 6 Hardware requirements 6 Database requirements 7 Network 8 Additional requirements 8 Virtualization support

More information

One Identity Active Roles 7.2. Replication: Best Practices and Troubleshooting Guide

One Identity Active Roles 7.2. Replication: Best Practices and Troubleshooting Guide One Identity Active Roles 7.2 Replication: Best Practices and Troubleshooting Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The

More information

One Identity Starling Identity Analytics & Risk Intelligence. User Guide

One Identity Starling Identity Analytics & Risk Intelligence. User Guide One Identity Starling Identity Analytics & Risk Intelligence User Guide Copyright 2019 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Quest ChangeAuditor 5.0

Quest ChangeAuditor 5.0 Quest ChangeAuditor 5.0 Installation Guide Copyright Quest Software, Inc. 2010. All rights reserved. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory Netwrix Auditor for Active Directory Quick-Start Guide Version: 8.0 4/22/2016 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Metalogix Intelligent Migration. Installation Guide

Metalogix Intelligent Migration. Installation Guide Metalogix Intelligent Migration Installation Guide 2018 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

SQL Optimizer for Oracle Installation Guide

SQL Optimizer for Oracle Installation Guide SQL Optimizer for Oracle 9.2.2 Installation Guide Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

One Identity Manager 8.0. Administration Guide for Connecting to Active Directory

One Identity Manager 8.0. Administration Guide for Connecting to Active Directory One Identity Manager 8.0 Administration Guide for Connecting to Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

One Identity Active Roles 7.2. Web Interface Administrator Guide

One Identity Active Roles 7.2. Web Interface Administrator Guide One Identity Active Roles 7.2 Web Interface Administrator Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell SonicWALL Security 8.1.1

Dell SonicWALL  Security 8.1.1 Dell SonicWALL July 2015, updated October 2015 These release notes provide information about the Dell SonicWALL release. About Supported platforms New features Resolved issues Product licensing Upgrading

More information

Quest Migration Manager System Requirements and Access Rights

Quest Migration Manager System Requirements and Access Rights Quest Migration Manager 8.14 System Requirements and Access Rights 2018 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

One Identity Active Roles 7.2. Web Interface User Guide

One Identity Active Roles 7.2. Web Interface User Guide One Identity Active Roles 7.2 Web Interface User Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

EAM Portal User's Guide

EAM Portal User's Guide EAM Portal 9.0.2 User's Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

SonicWall SMA 8200v. Getting Started Guide

SonicWall SMA 8200v. Getting Started Guide SonicWall SMA 8200v Getting Started Guide Copyright 2017 SonicWall Inc. All rights reserved. SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or

More information

Toad Data Point - Professional Edition. The Toad Data Point Professional edition includes the following new features and enhancements.

Toad Data Point - Professional Edition. The Toad Data Point Professional edition includes the following new features and enhancements. Toad Data Point Version 3.4 New in This Release November 08, 2013 Contents Toad Data Point - Professional Edition Toad Data Point - Base and Professional Editions Idea Pond Toad Data Point - Professional

More information

Dell DocRetriever for SharePoint. User Guide 5.3.1

Dell DocRetriever for SharePoint. User Guide 5.3.1 Dell DocRetriever for SharePoint 5.3.1 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a

More information

Setting up the DR Series System on Acronis Backup & Recovery v11.5. Technical White Paper

Setting up the DR Series System on Acronis Backup & Recovery v11.5. Technical White Paper Setting up the DR Series System on Acronis Backup & Recovery v11.5 Technical White Paper Quest Engineering November 2017 2017 Quest Software Inc. ALL RIGHTS RESERVED. THIS WHITE PAPER IS FOR INFORMATIONAL

More information

LiteSpeed for SQL Server 6.1. Configure Log Shipping

LiteSpeed for SQL Server 6.1. Configure Log Shipping LiteSpeed for SQL Server 6.1 Configure Log Shipping 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

SonicWall Secure Mobile Access

SonicWall Secure Mobile Access SonicWall Secure Mobile Access 8.5.0.10 November 2017 These release notes provide information about the SonicWall Secure Mobile Access (SMA) 8.5.0.10 release. Topics: About Secure Mobile Access 8.5.0.10

More information

SonicWall Directory Connector with SSO 4.1.6

SonicWall Directory Connector with SSO 4.1.6 SonicWall Directory Connector with SSO 4.1.6 November 2017 These release notes provide information about the SonicWall Directory Connector with SSO 4.1.6 release. Topics: About Directory Connector 4.1.6

More information

Dell MessageStats for Lync User Guide

Dell MessageStats for Lync User Guide Dell MessageStats for Lync 7.2.5 User Guide 2013 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Knowledge Portal 2.6. Installation and Configuration Guide

Knowledge Portal 2.6. Installation and Configuration Guide Knowledge Portal 2.6 Installation and Configuration Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6 Getting Started Guide Copyright 2017 SonicWall Inc. All rights reserved. SonicWall is a trademark or registered trademark of SonicWall Inc.

More information

Metalogix Essentials for Office Creating a Backup

Metalogix Essentials for Office Creating a Backup Metalogix Essentials for Office 365 2.1 2018 Quest Software Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017 INSTALLATION GUIDE Patch Manager Version 2.1.5 Last Updated: September 25, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/patch_manager/patch_manager_documentation

More information

Dell Migration Solutions for SharePoint 4.8. User Guide

Dell Migration Solutions for SharePoint 4.8. User Guide Dell Migration Solutions for SharePoint 4.8 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

DirectoryAnalyzer 4.12

DirectoryAnalyzer 4.12 DirectoryAnalyzer 4.12 Installation Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished

More information

Quest Knowledge Portal 2.9

Quest Knowledge Portal 2.9 Quest May 2017 These release notes provide information about the Quest Knowledge Portal release. Topics: About this release New features Known issues System requirements Product licensing Upgrade and installation

More information

Cloud Access Manager How to Configure Microsoft Office 365

Cloud Access Manager How to Configure Microsoft Office 365 Cloud Access Manager 8.1.3 How to Configure Microsoft Office 365 Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

One Identity Quick Connect for Base Systems 2.4. Administrator Guide

One Identity Quick Connect for Base Systems 2.4. Administrator Guide One Identity Quick Connect for Base Systems 2.4 Administrator Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information