
User Manual Active Directory Change Tracker


Contents

1. How to copy license key. [Image 2: How to copy license key screen.] 2 Getting Started: Configure ADChangeTracker; Configure Active Directory Auditing; Change Application Data Folder location; How to get the "change made by" value successfully. 2.1 Configure ADChangeTracker. ADChangeTracker Startup wizard will help you configure the ADChangeTracker application to track changes in Active Directory domain. The following wizard will appear when you run the application for the very first time. [Screenshot: ADChangeTracker Startup wizard: "Welcome to ADChangeTracker startup Wizard which will guide you through the process of configuring ADChangeTracker." Click Next to proceed.] CHAPTER 2 Getting Started. Step 1 of 2: Domain Controller Connection Settings. You can track changes to different domains by specifying the domain and domain controller for each domain. Click Add to add a new domain. Select a domain in the list to Edit, Delete, Properties to edit [Screenshot: Add, Edit, Delete and Properties buttons above a domain list with columns Domain Name, Domain Controller Name, Tracking Scope, User Name, Password.]
2. [Screenshot: report window with Advanced Filters and Event Viewer Reference panes. Event ID: 5136; Type: Modified Value Added; User: RESEARCHLAB\adminuser3; Computer: rd30.researchlab.local; Description: A directory service object was modified.] CHAPTER 3 ADChange Tracker Features. 3.22 How to use Advanced Filter. Advanced Filter tool in Events Reports allows you to filter report data based on complex filter conditions. Unlike Quick Filter, Advanced Filter gives the user the ability to create filter conditions that include one or more fields in the report and is also capable of reporting fields with empty values in the report. The Advanced Filter tool is available below the report grid in the right pane as shown below. To apply a filter to the current report, select the filter from the Advanced Filters drop-down and click on the button. To remove a filter applied to the current report, select No Filter Applied from the Advanced Filters drop-down and click on the button. Create a new filter: Click on the icon to create a new advanced filter for the current report. The Filter window will appear as shown below. [Screenshot: Filter window: "Specify a name for the filter. Click Select Fields button to select the fields you want to appear in the report. To filter by field values, you may select a field and then an operator and a value from the corresponding drop-down lists and then click Add to Filter to add the filter"]
3. [Screenshot: change report window listing Modified Value and Deleted entries for RESEARCHLAB objects (properties such as Telephone Number, Display Name and Last Name; Event IDs 5136, 5137 and 5141), with Quick Filter, Advanced Filters and Event Viewer Reference panes. Event Viewer Reference: Date & Time: 10/28/2013 6:40:53 PM; Source: Microsoft Windows Security Auditing; Category: Directory Service Changes; Event ID: 5136.] 3.20.3 How to generate Domain Change Reports. To generate the Domain Change Reports, perform the following steps:
4. (1) Configure settings for Object Change Reports as stated in Configure Events Reports. (2) To launch Object Change Reports Domain window, click Events Reports > Object Change Reports > Domain menu in the toolbar. The Object Change Reports Domain window will appear as shown below. [Screenshot: Object Change Reports Domain window: "Generate Active Directory Domain change reports by specifying a suitable criteria using date range, domains, filter query and change type." Date range: From 10/14/2013 To 10/29/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter: Any Field; Change type: Added, Modified, Deleted; buttons Reset and Cancel.] (3) Specify the Date range, Change type and a field-based Filter criteria to find the Domain change events in the application's Events History database. (4) Select the desired Domains to generate your reports on. (5) Click Generate button to generate the report. (6) Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot: report window with Export, Refresh and E-mail buttons. Report Name: Object Change Reports Domain; Generated On: 10/29/2013 2:57:41 PM; Status: Success; columns include Domain Name, Object Name, Object Path, Object Type and Change Type.]
5. Select suitable delivery option(s): Export / E-mail change reports. [Screenshot: delivery options. Export: Export Format (HTML, CSV, XLSX), Export to time stamped sub folder. E-mail: SMTP Server, To Address, File Format, Compress the attachment, Message Settings button.] Select Export or E-mail options as necessary. Use Browse button to change the export path. The export path refers to the destination folder where the report output file generated should be stored. By default, for each task, a sub-folder with the task name will be created under the specified export path. All selected reports will be exported to a time-stamped folder in the format yyyy-mm-dd hh.mm.ss under the task name folder. If you want to export to the task name sub-folder in the specified folder without time stamp folder instead, clear Export to time stamped sub folder option. NOTE: Clearing the Export to time stamped sub folder option will not create time stamp folder and overwrite existing files, if any, in the specified export path. Click Message Settings button to specify optional e-mail settings as shown below. [Screenshot: Additional E-mail Settings dialog: "You can customize the SMTP server, From & To address, Subject and body of the e-mail message." Fields: From, To, Subject.]
6. > Group Policy Objects menu in the toolbar. The Permissions Change Reports Group Policy Objects window will appear as shown below. [Screenshot: Permissions Change Reports Group Policy Objects window: "Generate Active Directory Group Policy Objects Permissions change reports by specifying a suitable criteria using date range, domains and filter query." Date range: From 10/16/2013 To 10/31/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter: Any Field; buttons Generate, Cancel and Reset.] (3) Specify the Date range and a field-based Filter criteria to find the Group Policy Objects Permissions change events in the application's Events History database. (4) Select the desired Domains to generate your reports on. (5) Click Generate button to generate the report. (6) Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot: report window with Export, Refresh and E-mail buttons. Report Name: Permissions Change Reports Group Policy Objects; Generated On: 10/31/2013 2:46:21 PM; Status: Success; columns include Object Name, Object Path, Object Type and Old Value.]
7. The field Send Alerts for every ... events helps to reduce the number of alerts if there are too many events generated (Event Flooding). This also helps to receive a consolidated list of alerts instead of one alert for each event. A sample Add Event Information dialog filled with e-mail alerts is shown below. [Screenshot: Add Event Information dialog for RD50 with fields Event ID (Select button), Send E-mail (Optional), SMTP Server Name, Sender, Recipients, Send Alerts for every 1 events, Description (Optional).] NOTE: You can also select the events using the Event ID Selector with all security audit category events by clicking the Select button next to the Event ID field. A sample Add Event Information dialog filled without e-mail alerts is shown below. [Screenshot: Add Event Information dialog with only the Event ID field filled in; Send E-mail, SMTP Server Name, Sender, Recipients, Send Alerts for every and Description left empty.] Click OK in E-mail alerts configuration settings window to complete the process. 3.11 How to Manage Configured E-mail Alerts. The E-mail alerts configuration settings window allows you to perform the following operations: Add a new event ID for configuring an e-mail al
8. [Dialog options: "(Note: requires enabling AD auditing)"; "Track Group Policy Object changes (GPO)".] Specify user name and the corresponding password to connect to the specified server. In order to find who and a more accurate time of when a change happened, ADChangeTracker will have to read the applicable change events logged through native AD auditing in the Windows Security Event Logs from all the domain controllers in the domain. This is an optional setting that can be used if you need to find out who made a change. You can select "Use Security event log in DC to retrieve additional change data (Who & When)" option to collect information from Security logs (applicable only if Active Directory Auditing was enabled). Also, you can track the change made to your Group Policy Objects (GPOs) by checking "Track Group Policy Object changes (GPO)" option. You may select specific containers in the domain to restrict the tracking scope and collect data for objects in selected containers. If no containers are selected, data will be collected by searching the entire domain structure. CHAPTER 4 ADChange Tracker Settings. In order to select specific containers, click Tracking Scope button. Tracking Scope dialog will be displayed as shown below. Select Entire Domain or desired containers for which you want to generate the audit reports. Click Browse to browse for containers in the domain. [Screenshot: Tracking scope dialog with options Entire Domain and Selected containers in]
9. [Screenshot: logon/logoff report window listing RemoteInteractive Logon and Service Logon events (Event ID 4624) and Logoff events (Event ID 4634) on 11/20/2013 for the RESEARCHLAB domain, with Quick Filter, Advanced Filters and Event Viewer Reference panes. Event Viewer Reference: Date & Time: 11/20/2013 6:43:43 PM; Source: Microsoft Windows Security Auditing; Category: Logon; Event ID: 4624.] 3.18 How to generate Password Change Reports. To generate the Password Change Reports, perform the following steps: (1) Configure settings for Password Change Reports as stated in Configure Events Reports. (2) To launch Password Change Reports window, click Events Reports [menu image listing User Logon Logoff Reports, Password Change Reports, Terminal Services Activity Reports, Object Change Reports, Permissions Change Reports] menu in the toolbar. The Password Change Reports window will appear as shown be
10. [Screenshot: terminal services activity report window for the RESEARCHLAB domain, with Quick Filter, Advanced Filters and Event Viewer Reference panes. Event Viewer Reference: Date & Time: 12/2/2013 3:40:07 PM; Source: Microsoft Windows Security Auditing; Category: Other Logon/Logoff Events; Event ID: 4778.] 3.20 Object Change Reports. Object Change Reports in ADChangeTracker allows you to view events data for any change made to your Active Directory objects since the application is configured for event data collection. By default, ADChangeTracker collects and reports events data for the following objects only: Builtin Domain, Computer, Contact, Domain, Domain DNS, Group, Group Policy Container, Organizational Unit, User. 3.20.1 How to generate Computer Accounts Change Reports. To generate the Computer Accounts Change Reports, perform the following steps: (1) Configure settings for Object Change Reports as stated in Configure Events Reports. (2) To launch Object Change Reports Computer Accounts window, click Events Reports > Object Change Reports Computer Accoun
11. [Screenshot: computer accounts change report window listing Modified Value entries for RESEARCHLAB computer objects (properties such as Description, Display Name and Distinguished Name), with columns Property Name, Old Value, New Value, Event ID, Change made by and Change made on, and Quick Filter, Advanced Filters and Event Viewer Reference panes. Event Viewer Reference: Date & Time: 10/28/2013 3:05:32 PM; Source: Microsoft Windows Security Auditing; Category: Directory Service Changes; Event ID: 5136.] 3.20.2 How to ge
12. [Screenshot: search dialog with Event ID check boxes (5138, 4624, 4634), Domains list (RESEARCHLAB, VOYAGER) and Reset button.] If you want to use an already saved search, select the name of saved search from the drop-down list. This will load the saved search's settings. Once you load a saved search, you may click Generate to perform a search. After the data collection process is complete, the report would be generated in a report window as shown below. [Screenshot: report window with Export, Refresh and E-mail buttons. Search Template Name: DSC and Logon Logoff Events; columns include Host Name, Event ID, Change Date, Change made by, Source, Category and Computer; rows show Logon, Logoff and Directory Service events from Microsoft Windows Security Auditing on RESEARCHLAB\RD30.]
13. [Screenshot: Quick Filter: Any Field; buttons Generate and Cancel.] Specify the Date range and a field-based Filter criteria to find the Users Permissions change events in the application's Events History database. Select the desired Domains to generate your reports on. Click Generate button to generate the report. Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot: report window with Export, Refresh and E-mail buttons. Report Name: Permissions Change Reports Users; Generated On: 10/30/2013 2:59:29 PM; Status: Success; columns Domain Name, Object Name, Object Path, Object Type, Change Type, Property Name, Old Value, New Value, Event ID, Change made by; rows show Object Security permission changes (Event ID 5136) on user objects.]
14. 4.1.2 Edit a Domain. To Edit a domain in Domain Settings, follow the steps given below: (1) Launch Domain Settings window. (2) In the Domain Settings window, select any row (Domain). Click Edit button to Edit an existing Domain in the list as shown below. [Screenshot: ADChangeTracker Settings window, Domain Settings node: "You can track changes to different domains by specifying the domain and domain controller for each domain. Click Add to add a new domain. Select a domain in the list to Edit, Delete, Properties to edit connection parameters, delete the domain and view properties of the domain." Tree nodes: Domain Settings, SQL Server Settings, Object Settings, Property Settings; buttons Add, Edit, Delete, Properties; columns Domain Name, Domain Controller Name, Tracking Scope, User Name.] (3) The Domain Name cannot be modified during the edit operation. (4) Specify user name and the corresponding password to connect to the specified domain. (5) You can change the Event Log, GPO settings and Tracking Scope settings. (6) Click OK to save and connect to the domain with the newly provided connection parameters and update the domain. (7) ADChangeTracker will connect to the domain with the newly provided connection parameters and modify it in the list upon successful connection to the domain.
15. [Screenshot: permissions change report window listing Object Security changes (Event ID 5136) on organizationalUnit objects in the RESEARCHLAB domain, with Quick Filter, Advanced Filters and Event Viewer Reference panes. Event Viewer Reference: Event ID: 5136; Type: Modified Value Added; User: RESEARCHLAB\adminuser3; Computer: rd30.researchlab.local; Description: A directory service object was modified.] 3.21.7 How to generate Users Permissions Change Reports. To generate the Users Permissions Change Reports, perform the following steps: (1) Configure settings for Permissions Change Reports as stated in Configure Events Reports. (2) To launch Permissions Change Reports Users window, click Events Reports > Permissions Change Reports > Users menu in the toolbar. The Permissions Change Reports Users window will appear as shown below. [Screenshot: Permissions Change Reports Users window: "Generate Active Directory Users Permissions change reports by specifying a suitable criteria using date range, domains and filter query." Date range: From 10/15/2013 To 10/30/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter.]
16. [Screenshot: Permissions Change Reports Contacts window. Date range: From 10/15/2013 To 10/30/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter with Field, Operator and Value columns (Field: ObjectName; Value: williams); Cancel button.] (3) Specify the Date range and a field-based Filter criteria to find the Contacts Permissions change events in the application's Events History database. (4) Select the desired Domains to generate your reports on. (5) Click Generate button to generate the report. (6) Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot: report window with Export, Refresh and E-mail buttons. Report Name: Permissions Change Reports Contacts; Generated On: 10/30/2013 6:52:19 PM; Status: Success; columns Domain Name, Object Name, Object Path, Object Type, Change Type, Property Name, Old Value, Event ID, Change made by, Change made on; rows show Object Security permission changes (Event ID 5136) on contact objects.]
17. [Screenshot: Tracking scope dialog with Browse and Remove buttons and columns Container Name and Include Sub Containers.] (8) In order to select specific containers, select "Selected containers in Domain" option and then click Browse to select containers in the domain. The container browser dialog will be displayed as shown below. [Screenshot: "Select an OU or a container" dialog showing a tree of containers including Accent char OU, Contacts, PublicFolders, Special Char OU, BulkUsersOU, Computers and Domain Controllers.] (9) Select the desired container and click OK. Note that only one container may be selected at a time. (10) Click OK to add the domain to the Domain Settings. (11) ADChangeTracker will connect to the domain with the newly provided connection parameters and add it to the list upon successful connection to the domain. [Screenshot: ADChangeTracker Settings window, Domain Settings node, with buttons Add, Edit, Delete, Properties and columns Domain Name, Domain Controller Name, Tracking Scope, User Name; rows for VSSLAB (Entire Domain) and RESEARCHLAB, RD30 (Specific OUs).]
18. Events History database. Select the desired Domains to perform the cleanup. Optionally, you can cleanup the events by selecting a template from the saved templates. Click on Cleanup button to delete all the events for the selected date range and domain. [Screenshot: Events History Manager: "This manager provides the option to clean up the Event IDs for the selected date range in the associated database." Fields: Template Name; Date range (All dates in the application database, or From 03/31/2013 To 04/30/2013); Event IDs (4662, 4776); Domains (TREELAB).] NOTE: You can also delete the entire events history by selecting the "All dates in the application database" option. Alerts. 3.9 About Alerts. Alerts feature enables the user to be notified of the occurrence of specific event ID(s) in security event log of a domain controller through e-mail. This feature is powered by a multitasking listener service called ADCT Listener Service. Benefits: ADCT Listener Service runs in background even after the ADChangeTracker application is closed. Multiple domain controllers can be subscribed for multiple event IDs. E-mail alert notification can be limited to a threshold limit, i.e., say, send an email when the event ID x occurs for y times. Provision to add, edit, delete and view properties of specific eve
19. [Screenshot: groups change report window listing Modified Value, Added and Deleted entries (properties Members and Description; Event ID 5136) for RESEARCHLAB group objects, with columns Old Value, New Value, Event ID, Change made by and Change made on, and Quick Filter, Advanced Filters and Event Viewer Reference panes. Event Viewer Reference: Date & Time: 10/24/2013 11:51:54 AM; Source: Microsoft Windows Security Auditing; Category: Directory Service Changes; Event ID: 5136.] 3.20.5 How to generate Group Policy Objects Change Reports. To generate the Group Policy Objects Change Reports, perform the following steps: (1) Configure settings for Object Change Reports as stated in Configure Events Reports. (2) To launch Object Change Reports Group Policy Objects window, click Events Reports Object
20. Settings. By design, ADChangeTracker tracks the list of AD objects and all of their properties except those configured in the application settings. You can configure the list of objects that are to be tracked and the list of properties that are to be excluded for tracking in the application. Refer the following links for detailed steps. 4.2.1 How to Select an Object for Change Tracking. ADChangeTracker tracks all changes to the AD objects in your Active Directory as configured in the application setting. ADChangeTracker provides an option to include AD objects for tracking. To include object for audit data collection and tracking by ADChangeTracker, perform the steps stated below. By default, ADChangeTracker tracks changes made to the following objects only. They are: Built-in Domain, Computer, Contact, Domain, Domain DNS, Group, Group Policy Container, Organizational Unit, User. Steps: (1) To launch Object Settings window, click Tools > Configuration Settings menu in the toolbar and select Object Settings node in the tree view. The Object Settings window will appear as shown below. The list of objects maintained by the application and the objects available in Active Directory schema will be displayed under General and From Schema tabs respectively, as shown below. You can add an object by selecting it from the common objects under General tab or all objects, including custom objects, under From Schema tab.
21. Step 2: Set up auditing in object SACLs. The following procedure presents an example of just one of many different types of SACLs that you can set in AD. You can configure additional SACLs based on the operations that you want to audit. To set up auditing in object SACLs: (1) Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. (2) Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties. (3) Click the Security tab, click Advanced, and then click the Auditing tab. (4) Click Add, and under "Enter the object name to select", type Authenticated Users (or any other security principal), and then click OK. (5) In "Apply onto", click "This object and all descendant objects". (6) Under Access, select the Successful check box for "Write all properties". If you want to audit creation and deletion of objects, select the Successful check box for Delete, Delete subtree and Create all child objects too. (7) Click OK until you exit the property sheet for the OU or other object. 2.3 Change Application Data folder location. ADChangeTracker enables you to change Application Data folder location, where its application settings and error log are stored, at any time after installing ADChangeTracker software. To change the Application Data folder location, perform the following s
22. [Screenshot: property selection dialog listing Active Directory properties with their LDAP display names, for example uSNCreated, uSNChanged, whenChanged, objectClass, adminCount, adminDescription, allowedAttributes, with OK and Cancel buttons.] (4) You can right-click on the domain controller to connect to the domain controller again by using Connect or Refresh menu and retrieve the properties afresh. (5) To select a property for exclusion, click on the desired property in the list of Available Properties and then click the >> button. (6) To remove a property from Excluded Properties list, click on the desired property in the Excluded Properties and then click the << button. (7) You can also manually add the property by entering the LDAP display name of the property in the Property Name text box and then clicking the button, as shown below. [Screenshot: Active Directory Change Tracker Configuration Settings window, Property Settings node: "Select the list of properties in Active Directory for which you want to exclude audit data collection." Tree nodes: Domain Settings, SQL Server Settings; panes Available Properties and Excluded Properties; fields Object Name and Property Name.]
23. and analyzes all changes made to your Active Directory configuration. The tool audits all changes made to your Active Directory by periodically collecting only the changed data, reporting what exactly changed along with the new and old values, when the change was made, where the change happened in your Active Directory, and the tool also determines who made the change by looking up the Security Event logs of your audit-enabled Active Directory. Active Directory Change Tracker records and maintains the entire history of all tracked changes, along with the relevant Event log data, in a SQL Server database for future reference and analysis. A powerful search tool helps you analyze all past changes on any predefined search criteria. Changes can be selectively tracked, such as only OUs, and a powerful email notification mechanism lets you configure different types of changes, such as Created, Deleted and Modified, and get them notified to different end users based on the OUs/containers where the changes happened. 1.2 System Requirements. For the computer running ADChangeTracker (table rows: Processor; Disk Space & Memory; Operating System; Database; Software): Processor: Intel Pentium Processor. Disk Space & Memory: 512 MB RAM and minimum of 20 MB of free disk space. Operating System: Windows 8.1 / Windows 8 / Windows 7 / Windows Vista / Windows XP / Windows Server 2003 / Windows Server 2008 / Windows Server 2008 R2 / Windows Server 2012 / Windows Server 2012 R2 with .NET Framework 4.0 or higher with the
24. [Screenshot: ADChangeTracker Settings window, Domain Settings node: "... changes to different domains by specifying the domain and domain controller for each domain. Click Add to add a new domain. Select a domain in the list to Edit, Delete, Properties to edit connection parameters, delete the domain and view properties of the domain." Tree nodes: Domain Settings, SQL Server Settings, Object Settings, Property Settings; buttons Add, Edit, Delete, Properties; columns Domain Name, Domain Controller Name, Tracking Scope, User Name.] The various operations that can be performed in the Domain Settings are given below. Add: To Add a Domain to the domain list. Edit: To Edit the properties of the Domain in the domain list. Select a Domain and click Edit button. Delete: To Delete a Domain from the domain list. Select a Domain and click Delete button. View Properties: To view the properties of the Domain in the list. Select a Domain and click Properties button. 4.1.1 Add a Domain. You have to specify the domain information for adding a domain in ADChangeTracker. Add a Domain to the List: (1) Launch Domain Settings window. (2) In the Domain Settings window, click Add button to add a domain to the list. (3) The New Domain window will be displayed as shown below. [Screenshot: New Domain window: "Specify a domain controller or select an Active Directory"]
25. domain controllers. To view event ID information of all configured domain controllers, select Domain Controllers. Entire event ID information will be displayed as shown below. [Screenshot: E-mail alerts configuration settings window: "Configure email alerts for the corresponding Domain Controllers by providing Event IDs, SMTP server name, sender, recipients, threshold count for frequency of emails (say, for every 10 events) and description (optional). Provide description for an event ID so as to be reflected in alert email. Select Domain Controllers to view the overall alerts settings." Alerts settings tree: Domain Controllers (RD50, RD11, RD20); columns Domain Controller, Domain Name, User Name, Event ID, E-mail Alert, Recipients.] Service Controller. 3.12 About Service Controller. Service Controller allows the user to view the subscription status of domain controllers. It can also be used to manage ADCT Listener Service by using the provision to start, stop, restart and refresh the service. 3.13 How to View the Subscription Status of Domain Controllers. Service Controller window allows you to view the subscription status of domain controllers. To launch Service Controller window, click [menu image: Real Time Events] menu in
26. [Screenshot residue: Change History report grid with columns Old Value, New Value and Change made by; Event Viewer Reference pane showing Date & Time 12/13/2013 12:35:25 PM, Source Microsoft Windows Security Auditing, Category Directory Service Access, Event ID 4662.] menu in the You can also click the Show All Changes, Only Added, Only Modified and Only Deleted tabs to view the list of all changes, added, edited and deleted changes. 3.3 How to Generate GPO Change Reports. The GPO Change Reports feature allows you to report all the changes made to your Group Policy Objects (GPO) since the last time a tracking was done by the application. Tracking is a process where all changes made to your Group Policy Objects in Active Directory are detected and synchronized with
27. objects properties for the OU or domain in which you wish to track changes as shown below. [Screenshot: Active Directory Users and Computers, Advanced Security Settings for ADCT_Bulk, Auditing tab, with the Auditing Entry dialog open and Apply onto set to "This object and all descendant objects".] d. Ensure that there is no Event flooding which ma
28. option to specify alternate credentials to connect to the DC. [Screenshot: Specify Domain Controller dialog. Fields: DC Name, Domain Name, Connect As (User Name, Password). Options: "Use Security event log in DC to retrieve additional change data (Who & When)" (Windows Server 2008 or later only; note: requires enabling AD auditing) and "Track Group Policy Object changes (GPO)".] Enter valid domain controller credentials and settings and click OK. Step 2: Add Event ID(s) for Domain Controller(s). Select a domain controller for which you wish to add an alert and click Add. An add event information dialog will appear as shown below. [Screenshot: dialog fields Event ID, Send E-mail (Optional), SMTP Server Name, Sender, Recipients, Send Alerts for every __ events, Description (Optional).] Enter the list of Event IDs for collection from event logs. Select the Send E-mail option to receive e-mail alerts for specific event IDs. E-mail alerts will be sent only for those events for which this option has been set. If you select Send E-mail, you must specify the values for SMTP Server Name, Sender, Recipients and Send Alerts for every __ events. The value of the Description field can be provided optionally if you wish to append it to the subject of the e-mail. Click OK
29. the toolbar. You can view the subscription status of domain controllers under the Status column in the bottom pane of the Service Controller window as shown below. [Screenshot: Service Controller window. Service Name: ADCT Listener Service. Dialog text: Listens to the security event logs of subscribed hosts defined in Active Directory Change Tracker. Columns: Host Name, Domain Name, Status, Log Path Name.] 3.14 How to Manage ADCT Listener Service. The ADCT Listener Service can be started, stopped, restarted and refreshed using the Service Controller window. To launch the Service Controller window, click [menu image: Real Time Events] menu in the toolbar. The Service Controller window will appear as shown below. [Screenshot: Service Controller window.] Here you can Start, Stop, Restart and Refresh the service by clicking the corresponding buttons located near the top left corner of the window. Events Reports. 3.15 About Events Reports. Events Reports in ADChangeTracker is a powerful feature that enables the user to report the events data for AD object changes, user logon / logoff activities, password change activities and Terminal Services activities based on specific event ID(s) in the security event log of the domain controller. This feature is po
30. [Screenshot residue: Event Viewer Reference pane showing Source Microsoft Windows Security Auditing, Category Directory Service Access, Event ID 4662.] 3.25 How to Export data. The Export feature helps the user to export report data generated by ADChangeTracker to a file using various formats, namely HTML, CSV, XLSX. Click on the Export button in the report window or select the Export option under the File menu to export report data to a file in the desired format. Select the export path, format, file name and table name for the report to be exported. [Screenshot: Export dialog with Export Path, File Format, File Name and an "Export to time stamped subfolder" check box.] Specify a file name to export report data to, or accept the default file name. Specify the export path and select a desired file format. The path refers to the destination location where the output file generated should be stored. It can be given using the Browse button. By default, the report will be exported to a time stamped sub-folder in the format YYYYMM DD HH MM SS under the specified export path. This will be useful to avoid overwriting of existing files, if any, in the specified export path. In CSV file format, the information is stored as comma separated values. For each report, a CSV file will be generated. The name of the CSV file will be the name of the report. In HTML and XLSX
31. [Screenshot residue: User Logon Logoff report grid; Event Viewer Reference pane showing Date & Time 11/20/2013 7:25:15 PM, Source Microsoft Windows Security Auditing, Category Logoff, Event ID 4634.] History Manager. 3.7 How to cleanup Change History. The Change History Manager allows you to clean up any unwanted past changes and their related data from the Change History database. The Change History database contains all changes from the time you started using the application. Please be careful while you perform cleanups of changes, as this will permanently delete the selected changes from your database. It is highly recommended that you maintain a full backup of the application's database at regular intervals to recover any accidental loss of change data. [Menu image: History Manager, with items Change History (Ctrl+Alt+H) and Events History (Ctrl+Alt+V).] To launch Change History M
32. [Screenshot residue: Permissions Change Reports grid; Event Viewer Reference pane showing Date & Time 10/30/2013 6:51:50 PM, Source Microsoft Windows Security Auditing, Category Directory Service Changes.] 3.21.3 How to generate Domain Permissions Change Reports. To generate the Domain Permissions Change Reports, perform the following steps: 1. Configure settings for Permissions Change Reports as stated in Configure Events Reports. 2. To launch the Permissions Change Reports (Domain) window, click Events Reports > Permissions Change Reports > Domain menu in the toolbar. The Permissions Change Reports (Domain) window will appear as shown below. [Screenshot: Permissions Change Reports (Domain) dialog. Dialog text: Generate Active Directory Domain Permissions change reports by specifying a suitable criteria using date range, domains and filter query. Fields: Date range, Domains, Quick Filter.] 3. Specify the Date range and a field based Filter criteria to find the Domain Permissions change events in the application's Events History database. 4. Select the desired Domains to generate your reports on. 5. Click the Generate button to generate the report. 6. Once the
33. 6 bit encrypted format in Windows Stored User Names and Passwords applet. The stored user profile corresponding to the SQL user account will be used by the ADChangeTracker application in order to connect to the SQL Server if SQL authentication is enabled in ADChangeTracker SQL settings. Using the User Profiles dialog shown below (Tools > User Profiles), a new profile can be created and available profiles can be removed from the profiles list. [Screenshot: User Profiles dialog with Add and Remove buttons and a Profile Name list. Dialog text: ADChange Tracker can store your logon information for Active Directory Domains using Windows Stored User Names and Passwords applet. To add a user profile, click Add. Create a new user profile and store it in Windows stored usernames and passwords applet.] Click the Remove button in the User Profiles dialog to remove available profiles. 5 References: Frequently asked questions; How to uninstall ADChangeTracker; Technical Support. 5.1 How to Uninstall ADChange Tracker. When you uninstall ADChangeTracker through the Control Panel Add / Remove Programs applet, the Windows Installer program will remove only the application files from your computer. But the application related files created by ADChangeTracker remain in the
34. Change Reports Group Policy Objects menu in the toolbar. The Object Change Reports (Group Policy Objects) window will appear as shown below. [Screenshot: Object Change Reports (Group Policy Objects) dialog. Dialog text: Generate Active Directory Group Policy Objects change reports by specifying suitable criteria using date range, domains, filter query and change type. Fields: Date range, Domains, Quick Filter (Field, Operator, Value), Change type.] 3. Specify the Date range, Change type and a field based Filter criteria to find the Group Policy Objects change events in the application's Events History database. 4. Select the desired Domains to generate your reports on. 5. Click the Generate button to generate the report. 6. Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot residue: Object Change Reports (Group Policy Objects) report window with Export, Refresh and E-mail buttons and a grid of groupPolicyContainer changes.]
35. Data Folder is as follows: a) Windows XP, Windows 2003: C:\Documents and Settings\All Users\Documents. b) Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2: C:\Users\Public\Documents.
36. To launch the Search Change History window, click [menu image] menu in the toolbar. The Search Change History dialog will appear as shown below. Specify the Date range, Object type, Change type and a field based Filter criteria to find specific changes in the application's Change History database. Select the desired Domains to perform your search on. Optionally, you can save this search by specifying a name for your search and clicking on the Save button. This will save the search for future use. You can thus maintain a list of your saved searches for repeated use in the future. Click on the Generate button to begin the search. [Screenshot: Search Change History dialog with Template Name, Date range, Show only (object type), Change type (Added, Modified, Deleted), Quick Filter and Domains.] If you want to use or edit an already saved search, select the name of the saved search from the drop-down list. This will load the saved search's settings. You may also edit this and click on Save again to save the modified search. Once you load a saved search, you may click Generate to perform a search. After the data collection process is complete
37. [Screenshot residue: Domain Controller Connection Settings list.] You can add one or more domains in order to track changes by clicking on the Add button. Changes are tracked for each domain separately. You may add as many domains as you would like to track changes on. [Screenshot: SQL Server settings. Dialog text: Enter a SQL server running SQL Server 2012 / 2008 / 2005 (Enterprise / Standard / Express edition) and the user credential having sufficient privileges to connect, create and delete database. Note: ADChange Tracker will create a database named ADChangeTracker <Current Computer Name> (ADChangeTracker VSSWKS45) in the given SQL server. Authentication Mode: Windows Authentication (uses currently logged on user).] ADChangeTracker uses a SQL Server database for its data storage to generate auditing reports. ADChangeTracker requires an SQL Server running SQL Server 2012 / 2008 / 2005 (Enterprise / Standard / Express editions) to connect and create a database. ADChangeTracker will connect to the specified SQL Server based on the authentication mode and user credentials to create / manage its own application databases. A new database will be created in your SQL server by the name ADChangeTracker COMPUTER, where COMPUTER stands for the computer name that is running the ADChangeTracker application. Thus each installation of ADChangeTracker will deploy its own database based on the computer where ADChangeTracker i
38. [Screenshot residue: Property Settings property list with Object Name and Property Name fields.] 2. Select an object from the list of objects in the Object Name drop-down. You will be able to select properties of the selected object which are to be excluded from audit data collection and tracking. 3. Select any domain controller from the list of available domain controllers under the From Schema tab. The list of properties pertaining to the selected object, as available in the AD schema, will be displayed as shown below. [Screenshot: Active Directory Change Tracker Configuration Settings, Property Settings. Dialog text: Select the list of properties in Active Directory for which you want to exclude audit data collection. Panes: Available Properties, Excluded Properties.]
39. Click [button image] to clear all the filter conditions in the list. [Buttons: AND to Filter, OR to Filter.] Use [button images] to build an enhanced filter condition as shown below. [Screenshot: example filter combining Change Type, Property Name and Object Name conditions with AND / OR.] Use [button image] to remove the parenthesis. Use [button image] to delete a condition from the list of filter conditions. This will remove the currently selected filter condition from the list. Edit an existing filter: To edit an existing saved filter, select the filter from the Advanced Filters drop-down and then click the [button image] button. The Filter window will appear on the screen. You may edit the fields list and filter conditions. Also, you can choose to save the filter under a different name, retaining the original filter, or overwrite the existing filter with the new filter conditions and fields list. Delete an existing filter: To delete an existing filter, select the filter from the Advanced Filters drop-down list and click the [button image] button. However, if the filter is already applied to a report, ADChangeTracker clears the filter in the report and deletes the selected filter. 3.23 How to use Quick Filter. The Quick Filter in Events Reports allows you to view a narrow subset of data by specifying a filter condition that could either be applied to
40. [Screenshot residue: permissions change report grid; Event Viewer Reference pane showing Event ID 5136, Type Modified Value Deleted, Description: A directory service object was modified.] 3.21.6 How to generate Organizational Units Permissions Change Reports. To generate the Organizational Units Permissions Change Reports, perform the following steps: 1. Configure settings for Permissions Change Reports as stated in Configure Events Reports. 2. To launch the Permissions Change Reports (Organizational Units) window, click Events Reports > Permissions Change Reports > Organizational Units menu in the toolbar. The Permissions Change Reports (Organizational Units) window will appear as shown below. Permissions Cha
41. Sample Reports. [Screenshot residue: sample Added, Modified and Deleted reports, each a table with columns Domain Name, Object Name, Object Path, Object Class, Change Type, Property Name, Old Value, New Value, Change made by and Change made on.] Search Reports. 3.5 How to Search Change History. The Search Change History is a powerful feature that allows you to locate specific changes from the past, such as all newly created user accounts within a time period. You can specify search criteria based on the different search options available. [Menu image: Search, with items Change History (Ctrl+Alt+C) and Events (Ctrl+Alt
42. SACL auditing for directory objects, perform the following steps: 1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Right-click the organizational unit or any object for which you want to enable auditing, and then click Properties. 3. Click the Security tab, click Advanced, and then click the Auditing tab. 4. Click Add, and under "Enter the object name to select", type Authenticated Users or any other security principal, and then click OK. 5. In "Apply onto", click "This object and all descendant objects". 6. For Object Change Reports: Under Access, select the Successful check box for "Write all properties". If you want to report events data for creation and deletion of objects, select the Successful check box for "Delete", "Delete subtree" and "Create all child objects" too. 7. For Permission Change Reports: Under Access, select the Successful check box for "Modify Permissions". 8. Click OK until you exit the property sheet of the organizational unit or other object. 3.17 How to generate User Logon Logoff Reports. To generate the User Logon Logoff Reports, perform the following steps: 1. Configure settings for User Logon Logoff Reports as stated in Configure Events Reports. 2. To launch the User Logon Logoff Reports window, click Events Reports [menu image]
43. [Screenshot residue: Event Viewer Reference pane showing Source ... Security Auditing, Category Directory Service Access, Event ID 4662.] 3.6 How to Search Events. The Search Events is a powerful feature that allows you to locate specific events that occurred over a time period and are stored in the application's Events History database. [Menu image: Search, with items Change History (Ctrl+Alt+C) and Events (Ctrl+Alt+E).] To launch the Search Events window, click [menu image] in the toolbar. The Search Events dialog will appear as shown below. Specify the Date range and Event IDs to find in the application's Events History database. You can also select multiple events for search. You can also perform the events search for the entire database by selecting the "All dates in the application database" option. Select the desired Domains to perform your search on. Optionally, you can save this search by specifying a name for your search and clicking on the Save button. This will save the search for future use. You can thus maintain a list of your saved searches for repeated use in the future. Click the Generate button to begin the search. [Screenshot: Search Events dialog. Dialog text: Search for Event ID details by specifying a suitable criteria using date range and domains. Fields: Template Name, Date range (with "All dates in the application database"), Event IDs.]
44. [Menu image residue: Events Reports menu items, including Services Activity Reports, Object Change Reports and Permissions Change Reports] menu in the toolbar. The User Logon Logoff Reports window will appear as shown below. [Screenshot: User Logon Logoff Reports dialog. Dialog text: Generate User Logon Logoff reports by specifying a suitable criteria using date range, domains, filter query and category. Fields: Date range, Domains, Quick Filter (Field, Operator, Value), Category (Logon, Logoff).] 3. Specify the Date range, Category and a field based Filter criteria to find the User logon / logoff events in the application's Events History database. 4. Select the desired Domains to generate your reports on. 5. Click the Generate button to generate the report. 6. Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot residue: User Logon Logoff Reports window with Export, Refresh and E-mail buttons and a grid listing domain, user name, workstation, client address, logon type, category, event ID and logon / logoff time.]
45. 3.24 How to find data in a report. You can use the find feature in ADChangeTracker to search for specific data in a report. To search for data in a report, just type the characters or words you want to find in the Find edit box available in the report window and click on [Find button image]. 1. ADChangeTracker performs a case insensitive search of the specified search criteria in the report. 2. The search criteria should not be enclosed within quotation marks. 3. You can use the wildcard character (*) in the search criteria. The wildcard character acts as a placeholder for zero or more characters. However, note that you cannot use the wildcard character in the search criteria. For instance, if you want to search for Domain in a report, type Domain (without quotations) in the edit box and then click on the Find button. By default, ADChangeTracker adds an asterisk as a suffix to the specified search criteria if no wildcard character is present in it. In this case, ADChangeTracker finds a match in the report for all fields that have the text Domain followed by zero or more characters, that is, Domain, Domain Controllers, Domain Admins etc. For all the matches found, ADChangeTracker highlights the corresponding columns in the grid and scrolls the grid automatically to the first occurrence. 4. ADChangeTracker finds additional occurrences of the specified search criteria instantaneously
46. [Screenshot residue: Permissions Change Reports grid for computer objects; Event Viewer Reference pane showing Date & Time 10/31/2013 2:42:17 PM, Source Microsoft Windows Security Auditing, Category Directory Service Changes, Event ID 5136.] 3.21.2 How to generate Contacts Permissions Change Reports. To generate the Contacts Permissions Change Reports, perform the following steps: 1. Configure settings for Permissions Change Reports as stated in Configure Events Reports. 2. To launch the Permissions Change Reports (Contacts) window, click Events Reports > Permissions Change Reports > Contacts menu in the toolbar. The Permissions Change Reports (Contacts) window will appear as shown below. [Screenshot: Permissions Change Reports (Contacts) dialog. Dialog text: Generate Active Directory Contacts Permissions change reports by specifying a suitable criteria using date range, domains and filter query.]
47. To locate other occurrences of the same search criteria in a report, you need to scroll the report grid downwards. [Screenshot residue: Change History report window with Export, Refresh, E-mail, Show Event Viewer fields and Find controls; tabs Show All Changes, Only Added, Only Modified, Only Deleted; grid columns Object Name, Object Path, Object Class, Change Type, Property Name, Old Value, New Value, Change made by; Event Viewer Reference pane.]
48. Track at scheduled intervals. B. SQL Authentication: In this method, ADChangeTracker uses the specified SQL user account and password while tracking changes. ADChangeTracker stores the SQL user name and password as a user profile in the Stored User Names and Passwords applet for its usage. Note: ADChangeTracker expects the user account to have sufficient privileges to create, add to and delete databases in the SQL server. Database Creation: ADChangeTracker creates databases in SQL Server as per the information outlined below. ADChangeTracker creates a single application database in the default data storage location used by the SQL Server during application launch. ADChangeTracker uses the following naming convention: ADChangeTracker COMPUTERNAME, where COMPUTERNAME is the name of the computer running ADChangeTracker. For example, if the computer running ADChangeTracker is CLIENTO1, ADChangeTracker creates ADChangeTracker CLIENTO1 with data (ADChangeTracker CLIENTO1.mdf) and log (ADChangeTracker CLIENTO1 log.LDF) files stored in the default SQL data folder in the SQL server, for example C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data. Database Cleanup: ADChangeTracker will delete the application database while uninstalling the ADChangeTracker application from the computer. 4.4 User Profiles. ADChangeTra
49. User Manual: Active Directory Change Tracker. Vyapin Active Directory Change Tracker: Change Auditing, Tracking and Analysis for Active Directory. Copyright 2011-2014 Vyapin Software Systems Private Limited. All rights reserved. Last Updated: January 2015. Copyright 2015 Vyapin Software Systems Private Ltd. All rights reserved. This document is being furnished by Vyapin Software Systems Private Ltd for information purposes only to licensed users of the Active Directory Change Tracker software product and is furnished on an "AS IS" basis, that is, without any warranties whatsoever, express or implied. Active Directory Change Tracker is a trademark of Vyapin Software Systems Private Ltd. Information in this document is subject to change without notice and does not represent any commitment on the part of Vyapin Software Systems Private Ltd. The software described in this document is furnished under a license agreement. The software may be used only in accordance with the terms of that license agreement. It is against the law to copy or use the software except as specifically allowed in that license. No part of this document may be reproduced or retransmitted in any form or by any means, whether electronically or mechanically, including, but not limited to, the way of photocopying, recording, or information recording and retrieval systems, without the express written permission of Vyapin Software Systems Private Ltd. Vyapin S
50. [Screenshot: Object Change Reports (Users) dialog. Dialog text: Generate Active Directory Users change reports by specifying suitable criteria using date range, domains, filter query and change type. Fields: Date range, Domains, Quick Filter (Field, Operator, Value), Change type (Added, Modified, Deleted).] 3. Specify the Date range, Change type and a field based Filter criteria to find the Users change events in the application's Events History database. 4. Select the desired Domains to generate your reports on. 5. Click the Generate button to generate the report. 6. Once the data collection is complete, the report will be generated in a report window as shown below. [Screenshot residue: Object Change Reports (Users) report window with Export, Refresh and E-mail buttons and grid columns Domain Name, Object Name, Object Path, Object Type, Change Type, Property Name, Old Value, New Value, Event ID, Change made by and Change made on.]
51. [Contents, continued]

3.16 Configure Events Reports
3.17 How to generate User Logon Logoff Reports
3.18 How to generate Password Change Reports
3.19 How to generate Terminal Services Activity Reports
3.20 Object Change Reports
3.21 Permissions Change Reports
4 ADChange Tracker Settings
4.1 Configure Domain Settings
4.2 Configure Change Tracking Settings
4.3 Configure SQL Server
5.1 How to Uninstall ADChange Tracker
5.2 Technical Support

1 General: About ADChangeTracker, System Requirements, Who can use ADChangeTracker, How to purchase, How to activate the software

1.1 About Vyapin Active Directory Change Tracker (ADChangeTracker)

Vyapin Active Directory Change Tracker (ADChangeTracker) audits tracks
52. 3. An alert message asking for confirmation to delete the domain will be displayed as shown below.

[Screenshot: confirmation prompt "Do you want to delete rd45 from the list?"]

4. Click Yes to delete the selected domain.

4.1.4 View Properties of Domain

Perform the following steps to view properties of domain:

1. Launch Domain Settings window.
2. In the Domain Settings window, select any domain and click the Properties button to view the properties of the selected domain.

[Screenshot: Domain Settings window with Add, Edit, Delete and Properties buttons and columns Domain Name, Domain Controller Name, Tracking Scope, User Name. Dialog text: You can track changes to different domains by specifying the domain and domain controller for each domain. Click Add to add a new domain. Select a domain in the list to Edit, Delete, Properties to edit connection parameters, delete the domain and view properties of the domain.]

3. The Properties window with the selected domain information will be displayed as shown below.

[Screenshot: Properties window showing Domain Name, Modified Date, User Name and GPO Tracking.]

4.2 Configure Change Tracking
53. anager window, click the menu in the toolbar. The Change History Manager dialog will appear as shown below.

Click on the desired history instances and click on the Cleanup button to delete all changes for the selected timestamps. This manager provides the option to clean up the change history instances and their related files in the associated database.

[Screenshot: Change History Manager tree with timestamp nodes such as Yesterday and Last Month under each domain.]

Select the parent node and click Cleanup in order to delete all of its child timestamp nodes.

3.8 How to Cleanup Events History

The Events History Manager allows you to clean up any unwanted events and their related data from the Events History database. The Events History database contains all events from the time you configured the specified event ID in the application. Please be careful while you perform cleanups of events, as this will permanently delete the selected events from your database. It is highly recommended that you maintain a full backup of the application's database at regular intervals to recover any accidental loss of events data.

To launch the Events History Manager window, click the menu in the toolbar. The Events History Manager dialog will appear as shown below.

[Screenshot: History Manager menu with items Change History (Ctrl+Alt+H) and Events History (Ctrl+Alt+V).]

Specify the Date range and Event IDs to cleanup specific event ID in the application s
54. any of the fields or to a specific field in the current report. The Quick Filter tool is available below the report grid in the right pane as shown below.

Apply Filter

To filter report data, perform the following steps:

1. Select a field from the fields drop down. If you want to apply the filter condition to any of the fields in the current report, select Any Field from the fields dropdown.
2. Select an operator from the operators drop down next to the fields drop down.
3. Type in a filter condition in the edit box.

Note: You can use wildcard characters such as and in the filter condition.

The filter condition can include regular characters as well as wildcard characters as given below:

- Character starting with a: Object Name a finds object name beginning with a, for example Adminuser, Administrator.
- Character starting with a and maximum of two characters including a: Object Name a finds object name that has only two characters starting with a, for example AD.
- Minimum of three characters, the first character being a, middle character may be any single character and the last character being d: Object Name a d finds object name beginning with a that has any single character in the middle and ending with d followed by zero or more characters.

Click on the apply button to apply the filter condition.

Remove Filter

To remove the quick filter that has been applied to the current report, click the remove button.
55. ation database. You can launch SQL Server settings to use by clicking the Tools > Options menu in the ADChangeTracker main application window as shown below.

The ADChangeTracker wizard will prompt for the SQL settings (Server name, authentication mode, user name and password) when the application is launched for the very first time. This setting can be accessed again from the Tools > Configuration Settings menu.

[Screenshot: Active Directory Change Tracker Configuration Settings, SQL Server Settings page. Dialog text: Enter a SQL server running SQL Server 2012 / 2008 / 2005 (Enterprise / Standard / Express edition) and the user credential having sufficient privileges to connect, create and delete database. Fields: SQL Server (e.g. MSSQLSRV1), Authentication Mode (Windows Authentication, which uses the currently logged on user, or SQL Server Authentication with User Name and Password). Note: ADChange Tracker will create a database named ADChange Tracker <Current_Computer_Name> (e.g. ADChange Tracker V55WK545) in the given SQL server.]

User Authentication

To connect to SQL Server, ADChangeTracker uses the relevant user accounts based on the authentication mode as listed below:

A. Windows Authentication: In this method, ADChangeTracker uses the currently logged on user account while tracking changes using Track Now, or the Run as account while using
56. [Contents, continued]

3.3 How to Generate GPO Change Reports
3.4 Understanding the Change Reports
3.5 How to Search Change History
3.6 How to Search Events
History Manager
3.7 How to cleanup Change History
3.8 How to Cleanup Events History
3.9 About Alerts
3.10 How to Add an Event ID for Configuring an E-mail Alert
3.11 How to Manage Configured E-mail Alerts
3.12 About Service Controller
3.13 How to View the Subscription Status of Domain Controllers
3.14 How to Manage ADCT Listener Service
Events Reports
3.15 About Events Reports
57. cker creates a user profile in the Windows Stored User Names and Passwords applet in order to store the SQL and Directory Server user context for report generation. The stored user profile will be useful for generating reports using ADChangeTracker under the following scenarios:

a. Using an SQL Server having a dedicated SQL user account for report generation using ADChangeTracker (highly recommended).
b. Using an SQL Server where SQL authentication mode is enabled.
c. Using an alternate user account to connect to the Directory Server to retrieve AD information.

The stored user profile persists for all subsequent logon sessions on the same computer where ADChangeTracker is installed. The stored user profiles are visible to the application under other logon sessions on the same computer.

The stored user profile created by ADChangeTracker is restricted to the Windows User Profile context. If the Windows User Profile is maintained locally, the ADChangeTracker stored user profile is accessible only by the same user in the same computer. If the user who creates the ADChangeTracker stored user profile has a Roaming user account in the enterprise, the ADChangeTracker stored user profile can be accessed by the same user in any computer in the Windows enterprise.

The stored user profile is a generic credential of the Windows Stored User Names and Passwords applet and can be used by the ADChangeTracker application only. The credential information is stored securely in a
58. computer. In order to remove ADChangeTracker worker files completely, the uninstall wizard provides a set of cleanup options to perform the cleanup operation based upon your selection. Use this wizard to cleanup the files that are created by the ADChangeTracker application selectively and uninstall ADChangeTracker completely from the computer.

1. Launch the Uninstall wizard by clicking Start > Programs > Active Directory Change Tracker > Uninstall ADChangeTracker.
2. The ADChangeTracker Uninstall Wizard dialog will be shown as below.

[Screenshot: ADChangeTracker Uninstall Wizard welcome page. Dialog text: This wizard helps you to cleanup and uninstall ADChangeTracker completely. This wizard will guide you through the steps to cleanup the files that are created by the ADChangeTracker application. Using this wizard you can: cleanup export tasks and task history; cleanup scheduled tasks; cleanup ADChangeTracker application settings; cleanup log files; uninstall ADChangeTracker application.]

Click Next to proceed.

3. Select the required cleanup options as shown below.

[Screenshot: Step 1 of 2, Cleanup Options. Options: Uninstall ADChangeTracker application (remove all application files and uninstall ADChangeTracker application from the machine); Uninstall ADChangeTracker application and cleanup application settings. This will delete all application
59. condition

[Screenshot: Filter window with fields Filter Name, Field, Operator, Values and an Add to Filter button.]

To set a filter condition, perform the following steps:

7. Specify a name for the filter.
8. Choose a field name, an operator and a possible value from the respective dropdowns.
9. Click the Add to Filter button to add the filter condition.
10. The Add to Filter button will change to AND to Filter, and the OR to Filter button will be enabled. The selected condition will be added as shown below.

[Screenshot: Filter window. Dialog text: Specify a name for the Filter. Click Select Fields button to select the fields you want to appear in the report. To filter by field values, you may select a field and then an operator and a value from the corresponding drop down lists, and then click Add to Filter to add the filter condition. Example shown: Filter Name "Deleted Objects" with the condition Change Type = Deleted; buttons AND to Filter, OR to Filter, Save, Cancel.]

11. Click Save to apply the filter to the current report. Also, the filter will be saved to the filter database for future use.

The report status label above the grid shows the filter status (Filter, followed by its current status). For a normal view, the filter status will appear as Filter Not Applied. For a filtered view, the filter status will appear as Filter Applied.

Note
60. [Screenshot residue: Object Change Reports Organizational Units report grid with Quick Filter and Advanced Filters controls and an Event Viewer Reference panel (Source: Microsoft Windows Security Auditing, Category: Directory Service Changes, Event ID: 5136).]

3.20.7 How to generate Users Change Reports

To generate the Users Change Reports, perform the following steps:

1. Configure settings for Object Change Reports as stated in Configure Events Reports.
2. To launch the Object Change Reports Users window, click the Events Reports > Object Change Reports > Users menu in the toolbar. The Object Change Reports Users window will appear as shown below.

Object Change Reports
61. data collection is complete, the report will be generated in a report window as shown below.

[Screenshot: Permissions Change Reports Domain report window with toolbar (Export, Refresh, E-mail) and columns Domain Name, Object Name, Object Path, Object Type, Change Type, Property Name, Old Value, New Value, Event ID, Change made by. The sample rows show Object Security Permissions entries being modified and deleted on the domainDNS object, and the Event Viewer Reference panel shows Source: Microsoft Windows Security Auditing, Category: Directory Service Changes, Event ID: 5136.]

3.21.4 How to generate Groups Permissions Change Reports

To generate the Groups Permissions Change Reports, perfo
62. data including the change history. Ensure that you have a backup or exported reports of all changes for your reference. Delete Change History database.]

Click Next to proceed.

4. Confirm the cleanup and/or uninstall process.

[Screenshot: Step 2 of 2, Cleanup Process. Dialog text: Click Finish button to proceed with the cleanup process or click Cancel button to terminate the uninstall wizard.]

Click Finish to run the cleanup and/or uninstall process. Click Cancel to close the wizard.

[Screenshot: Step 2 of 2, Cleanup Process, progress view ("Deleting Report settings information").]

Once the file cleanup process is complete, the uninstall wizard will automatically run the Windows Installer program to remove the ADChangeTracker application from the computer.

5.2 Technical Support

If and when a problem arises, please forward the following information to support@vyapin.com to revert back to you with a solution:

Error log file, e.g. <Application Data Folder>\ADChangeTracker\ADChangeTrackerErrorLog.log

The <Application Data Folder> is the common location where ADChangeTracker settings will be stored in the computer running the ADChangeTracker application. The <Application Data Folder> can be found from the Help > About screen. The default path of Application
63. [Screenshot residue: Password Change Reports report grid with Quick Filter and Advanced Filters controls and an Event Viewer Reference panel (Source: Microsoft Windows Security Auditing, Category: User Account Management, Event ID: 4724).]

3.19 How to generate Terminal Services Activity Reports

To generate the Terminal Services Activity Reports, perform the following steps:

1. Configure settings for Terminal Services Activity Reports as stated in Configure Events Reports.
2. To launch the Terminal Services Activity Reports window, click the Events Reports > Terminal Services Activity Reports menu in the toolbar. The Terminal Services Activity Reports window will appear as shown below.

[Screenshot: Events Reports menu with items User Logon Logoff Reports, Password Change Reports, Terminal Services Activity Reports, Object Change Reports and Permissions Change Reports, followed by the Terminal Services Activity Reports window. Dialog text: Generate the Terminal Services Activity reports by specifying suitable criteria using date range, domains, filter query and change type. Fields: Date range (From, To), Domains, Quick Filter (Field, Operator, Value), Change type (Reconnect, Disconnect).]

3. Specify the Date range, Cha
64. [Screenshot: domain controller connection dialog. Dialog text: (Specify a domain controller or select an Active Directory) domain from the drop down list and then select a domain controller. Check the Connect As option to specify alternate credentials to connect to the DC. Fields: Specify Domain Controller (DC Name), Select Domain Controller (Select a Domain), Connect As (User Name, Password). Additional change data (Windows Server 2008 or later only): Use Security event log in DC to retrieve additional change data (Who & When). Note: requires enabling AD auditing. Track Group Policy Object changes (GPO).]

a. The list of domains available in the network will be loaded in the Domain Name dropdown.
b. Select a domain from the Domain Name dropdown.
c. The list of domain controllers for the selected domain will be loaded in the Domain Controller Name dropdown.
d. Select a domain controller from the Domain Controller Name dropdown.

[Screenshot: the same dialog with callouts 2, 4, 5, 6 and 7, a DC name entered under Specify Domain Controller, Connect As checked with a user name and masked password, and the option Use Security event log in DC to retrieve additional change data (Who & When).]
65. e Reports Groups window, click the Events Reports > Object Change Reports > Groups menu in the toolbar. The Object Change Reports Groups window will appear as shown below.

[Screenshot: Object Change Reports Groups window. Dialog text: Generate Active Directory Groups change reports by specifying suitable criteria using date range, domains, filter query and change type. Fields: Date range (From, To), Domains, Quick Filter, Change type (Added, Modified, Deleted).]

3. Specify the Date range, Change type and a field-based Filter criteria to find the Groups change events in the application's Events History database.
4. Select the desired Domains to generate your reports on.
5. Click the Generate button to generate the report.
6. Once the data collection is complete, the report will be generated in a report window as shown below.

[Screenshot: Object Change Reports Groups report window with toolbar (Export, Refresh, E-mail), status lines (Report Name, Generated On, Status, Troubleshooting Tips, Filter Not Applied) and columns including Object Name, Object Path, Object Type, Change Type and Property Name.]
66. [Screenshot residue: e-mail delivery settings with the message body "Please find the attached report generated by ADChangeTracker".]

Click Finish to save the task details. Once data collection is complete, you can view the changes made to your Active Directory domain with the help of the Change Reports feature.

Change Reports

3.2 How to Generate ADChange Reports

The AD Change Reports feature allows you to report all the changes made to your Active Directory since the last time a tracking was done by the application. Tracking is a process where all changes made to your Active Directory are detected and synchronized with the application database. ADChangeTracker will maintain all the timestamps corresponding to the changes detected during tracking. Based on the timestamps listed in the left treeview of the Change History report window, you can view the changes for a specific date and time.

To launch the AD Change Reports window, click the menu in the toolbar. The AD Change Reports window will appear as shown below.

[Screenshot: Change Reports menu with items AD Reports (Ctrl+Alt+A) and GPO Reports (Ctrl+Alt+G).]

Select and expand the root node in the left pane of the newly launched report window.

[Screenshot: Change Reports AD Reports window with toolbar (Export, Refresh, E-mail, Show Event Viewer fields, Find), a Change History tree in the left pane, tabs Show All Changes, Only Added, Only Modified, Only Deleted, and columns beginning Object Name, Object Path.]
67. ert
- Edit an existing event ID information
- Delete an existing event ID information
- View properties of specific event ID information
- View every event ID information of all domain controllers

E-mail alerts configuration settings window: click the menu in the toolbar. The E-mail alerts configuration settings will appear as shown below.

[Screenshot: Real Time Events menu with items Service Controller and Alerts (Alt+A), followed by the E-mail alerts configuration settings window. Dialog text: Configure email alerts for the corresponding Domain Controllers by providing Event IDs, SMTP server name, sender, recipients, threshold count for frequency of emails (say, for every 10 events) and description (optional). Provide a description for an event ID so as to be reflected in the alert email. Select Domain Controllers to view the overall alerts settings. The Domain Controllers tree shows "No alerts settings defined".]

Add a new event ID for configuring an e-mail alert

To add a new event ID for configuring an e-mail alert, please follow the steps as outlined in the previous topic, How to add an event ID for configuring an E-mail alert.

Edit existing event ID information

To edit an existing event ID information that corresponds to a domain controller, select the desired domain controller by expanding Domain Controllers in the E-mail alerts configuration settings window. The entire even
68. es from being tracked

To exclude properties from audit data collection by ADChangeTracker, perform the steps stated below. By default, the application does not track the following property changes owing to the repetitive nature of data:

- Admin Count
- Bad Pwd Time
- Bad Password Count
- Current USN
- Direct Reports
- Last Logon
- Last Logoff
- Last Logon Timestamp
- Logon Count
- Managed Objects
- Member Of
- Modified Count
- Modified Date
- msExchAuthOrigBL
- msExchALObjectVersion
- Original USN
- sAMAccountType
- User Parameters

Steps

1. To launch the Property Settings window, click on the Tools > Configuration Settings menu in the toolbar and select the Property Settings node in the tree view. The Property Settings window will appear as shown below.

[Screenshot: Active Directory Change Tracker Configuration Settings, Property Settings page. Dialog text: Select the list of properties in Active Directory for which you want to exclude audit data collection. Panes: Available Properties (From Schema) and Excluded Properties, the latter listing entries such as Admin Count (adminCount), Bad Pwd Count (badPwdCount), Last Logoff (lastLogoff), Last Logon (lastLogon) and Logon Count (logonCount).]
69. file formats, the information is stored in html and xlsx files respectively. For each report, a file corresponding to the selected file format will be generated. The name of the file will be the name of the report.

3.26 How to E-mail data

ADChangeTracker provides the option to e-mail a change report to different users. The change reports generated after tracking will be e-mailed to the specified recipients.

Click the E-mail button in the toolbar to e-mail the report to e-mail recipients. The E-mail dialog will be displayed as shown below. Specify SMTP Server name, From Address, To address, Subject, Body of the e-mail message, attachment format and the option to attach the report as zip file format.

[Screenshot: E-mail dialog with fields SMTP Server, From, To (with a Check names button), Subject, Attachment Format, a Compress the attachment checkbox and the message body.]

For e-mailing reports, ADChangeTracker requires the SMTP Server name, From E-mail Address, To E-mail Addresses (recipients separated by semicolon) and the report attachment format.

Specify SMTP server name, From address, To address, mail subject, mail content, attachment format and the option to compress the attachment. Click the send button to send the report by e-mail to the selected recipients.

Check names: ADChangeTracker
70. [Screenshot residue: GPO Change Reports grid with an Event Viewer Reference panel (Source: Microsoft Windows Security Auditing, Category: Directory Service Access, Event ID: 4662).]

You can also click the Show All Changes, Only Added, Only Modified and Only Deleted tabs to view the list of all GPO changes, added, edited and deleted changes.

3.4 Understanding the Change Reports

The Change Reports contain the following information:

- Object Name: Active Directory object name of Added / modified / deleted objects. Example: Administrator
- Object Path: Domain Name of AD. Example: CN=Administrator,CN=Users,DC=Domain,DC=Com
- Object Class: AD Object Type. Example: User, Group, Computer etc.
- Change Type: Type of modification made on AD object. Example: Added, Modified, Deleted
- Property Name: Attribute / Property name of AD object. Example: E-mail, Description, Member Of
- Old Value: Value defined for the property before change. Example: E-mail alec@pathfinder.com
- New Value: Value defined for the property after change. Example: E-mail alecFrings@pathfinder.com
- Change made by: The account who made the change. Example: PATHFINDER\Trainee1
- Change made on: The actual date and time of the change. Example: 1/29/2011 3:46 PM
71. [Screenshot residue: Object Change Reports Group Policy Objects report grid (groupPolicyContainer objects, columns New Value, Event ID, Change made by, Change made on) with an Event Viewer Reference panel (Source: Microsoft Windows Security Auditing, Category: Directory Service Changes, Event ID: 5136).]

3.20.6 How to generate Organizational Units Change Reports

To generate the Organizational Units Change Reports, perform the following steps:

1. Configure settings for Object Change Reports as stated in Configure Events Reports.
2. To launch the Object Change Reports Organizational Units window, click the Events Reports > Object Change Reports > Organizational Units menu in the toolbar. The Object Change Reports Organizational Units window will appear as show
72. [Screenshot: Domain Settings window with Add, Edit, Delete and Properties buttons and columns Domain Name, Domain Controller Name, Tracking Scope (Entire Domain or Specific OUs), User Name. Dialog text: You can track changes to different domains by specifying the domain and domain controller for each domain. Click Add to add a new domain. Select a domain in the list to Edit, Delete, Properties to edit connection parameters, delete the domain and view properties of the domain.]

4.1.3 Delete a Domain

Perform the following steps to delete a domain:

1. Launch Domain Settings window.
2. In the Domain Settings window, select any domain and click the Delete button to delete the domain from the Domain Settings list.

[Screenshot: Domain Settings window as above, with a domain selected.]
73. [Screenshot residue: Permissions Change Reports Groups report grid (Object Security Permissions entries with Old Value, New Value, Event ID, Change made by, Change made on) with Quick Filter and Advanced Filters controls and an Event Viewer Reference panel (Source: Microsoft Windows Security Auditing, Category: Directory Service Changes, Event ID: 5136).]

3.21.5 How to generate Group Policy Objects Permissions Change Reports

To generate the Group Policy Objects Permissions Change Reports, perform the following steps:

1. Configure settings for Permissions Change Reports as stated in Configure Events Reports.
2. To launch the Permissions Change Reports Group Policy Objects window, click Events Reports > Permissions Change Reports
74. latest service packs

Microsoft SQL Server 2012 (Enterprise / Standard / Developer / Express edition) or Microsoft SQL Server 2008 (Enterprise / Standard / Developer / Express edition) or Microsoft SQL Server 2005 (Enterprise / Standard / Developer / Express edition) running in local / remote computer with latest Service Pack

MDAC v2.5 / 2.6 / 2.8

For the computers reported by ADChangeTracker: Windows Server 2012 R2 / Windows Server 2012 / Windows Server 2008 R2 / Windows Server 2008 / Windows Server 2003 SP2 running Active Directory

1.3 Who can Use ADChangeTracker

Organizations running Microsoft Active Directory can greatly benefit from ADChangeTracker. It is a powerful Change auditing tool for Active Directory Administrators. System Administrators can monitor changes to Active Directory Servers across the enterprise network in any location.

Users that would benefit from ADChangeTracker:

- Systems management personnel
- CIOs and CSOs
- Security and Systems Audit personnel
- System Administrators

Organizations that would benefit from ADChangeTracker:

- Companies having enterprise network based on Active Directory
- Any company having Windows 2012 R2 / 2012 / 2008 R2 / 2008 / 2003 Active Directory servers

1.4 How to Activate the Software

Once you purchase the software online or through any one of our resellers, you will receive a sale notification through e-mail from our sales department. We will send you a
75. llect the changed data and store it in the application's change history database. You will have to view the changes by clicking on the Change Reports button in the toolbar.
    [Screenshot: Track Changes wizard, Step 1 of 2, Track option: "Select a suitable track option to find changes in Active Directory. You can track the changes immediately or at scheduled intervals." Options: Track now; Track at scheduled intervals.]
    Track for changes to Active Directory at scheduled intervals and deliver Change Reports automatically. Recommended for regular automatic tracking and reporting of changes to AD, for example once a day, twice a day or on a weekly basis. Change the task schedule settings as required and set the password for the specified Run As user.
    [Screenshot: Step 2 of 3, Scheduled Task Settings: "Specify how often the scheduled task runs. Click Advanced button to configure additional schedule options for the task. Specify a user account that runs the scheduled task. One example of a user account is domain name\username. If the scheduled task requires administrator permissions to run, then this account must be a member of the Administrators group." Fields: Run As, Set Password, Schedule Task (Daily, at 12:47 PM every day, starting 12/13/2013).]
    Click Next to proceed to the next step.
    Step 2 of 2: Delivery Options (optional)
76. low
    [Screenshot: Password Change Reports dialog: "Generate Password change reports by specifying a suitable criteria using date range, domains and filter query." Date range From 10/01/2013 To 10/24/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter: Any Field.]
    3. Specify the Date range and a field based Filter criteria to find the Password change events in the application's Events History database.
    4. Select the desired Domains to generate your reports on.
    5. Click Generate button to generate the report.
    6. Once the data collection is complete, the report will be generated in a report window as shown below.
    [Screenshot: Password Change Reports report window (From 11/1/2013 To 12/1/2013, Generated On 12/13/2013 6:07:49 PM, Status: Success) with columns Domain Name, Target Account, Event ID, Change made by, Change made on; rows list Event ID 4724 entries with Change made by RESEARCHLAB\adminuser3.]
77. n below
    [Screenshot: Object Change Reports Organizational Units dialog: "Generate Active Directory Organizational Units change reports by specifying a suitable criteria using date range, domains, filter query and change type." Date range From 10/14/2013 To 10/29/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter on Object Name; Change type: Added, Modified, Deleted.]
    Specify the Date range, Change type and a field based Filter criteria to find the Organizational Units change events in the application's Events History database.
    Select the desired Domains to generate your reports on.
    Click Generate button to generate the report.
    Once the data collection is complete, the report will be generated in a report window as shown below.
    [Screenshot: Object Change Reports Organizational Units report window (Generated On 10/29/2013 2:40:06 PM, Status: Success) with columns Object Name, Object Path, Object Type, Change Type, Property Name, Old Value, New Value, Event ID, Change made by, Change made on.]
78. n e mail with the necessary instructions to activate the software. In case you do not receive an e-mail from our sales team after you purchase the software, please send the following information to our sales department at sales@vyapin.com with the sales order number:
    - Company Name: End user Company Name
    - Location: City & Country for the Company Name given above
    Please allow 12 to 24 hours from the time of purchase for our sales department to process your orders.
    [Image 1: Activate screen. The Activate Active Directory Change Tracker dialog shows License Type: 15 day Evaluation Copy and a License Key textbox: "To activate the software, copy and paste the license key in the textbox below."]
    Perform the following steps to activate the software:
    1. Download evaluation / trial copy of software from the respective product page available in our website at http://www.vyapin.com
    2. Install the software on the desired computer.
    3. You will receive a license key through e-mail as soon as the purchase process is complete.
    4. Click Activate in Help > About > Activate menu to see the Activate dialog as shown in Image 1.
    5. Copy the license key sent to you through e-mail and paste it in the License Key textbox. For help on how to copy the license key, click the "Click here to see how to copy and paste the license key" link in the Activate dialog as shown in Image 2.
    CHAPTER 1 Active Directory Change Tracker
79. nerate Contacts Change Reports
    To generate the Contacts Change Reports, perform the following steps:
    1. Configure settings for Object Change Reports as stated in Configure Events Reports.
    2. To launch Object Change Reports Contacts window, click Events Reports > Object Change Reports > Contacts menu in the toolbar. The Object Change Reports Contacts window will appear as shown below.
    [Screenshot: Object Change Reports Contacts dialog: "Generate Active Directory Contacts change reports by specifying a suitable criteria using date range, domains, filter query and change type." Date range From 10/13/2013 To 10/28/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter: Any Field; Change type: Added, Modified, Deleted.]
    3. Specify the Date range, Change type and a field based Filter criteria to find the Contacts change events in the application's Events History database.
    4. Select the desired Domains to generate your reports on.
    5. Click Generate button to generate the report.
    6. Once the data collection is complete, the report will be generated in a report window as shown below.
    [Screenshot: Object Change Reports Contacts report window (From 10/13/2013, Generated On 10/28/2013 6:42:02 PM, Status: Success).]
80. nge Reports Organizational Units
    [Screenshot: Permissions Change Reports Organizational Units dialog: "Generate Active Directory Organizational Units Permissions change reports by specifying a suitable criteria using date range, domains and filter query." Date range From 10/01/2013 To 10/30/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter on Object Name.]
    3. Specify the Date range and a field based Filter criteria to find the Organizational Units Permissions change events in the application's Events History database.
    4. Select the desired Domains to generate your reports on.
    5. Click Generate button to generate the report.
    6. Once the data collection is complete, the report will be generated in a report window as shown below.
    [Screenshot: Permissions Change Reports Organizational Units report window (Generated On 10/30/2013 3:03:23 PM, Status: Success) listing Object Security / Permissions changes on RESEARCHLAB organizationalUnit objects such as ADCT_Test_OU.]
81. nge Tracker Settings
    [Screenshot: ADChangeTracker Settings window, Object Settings page ("Select the list of objects in Active Directory for which you want to track the changes"), with General and From Schema tabs and an Available Objects list giving object names with their LDAP display names, such as Builtin Domain (builtinDomain), Computer (computer), Contact (contact), Domain (domain), Domain DNS (domainDNS), Group (group), Group Policy Container (groupPolicyContainer), Organizational Unit (organizationalUnit) and User (user).]
    2. Select any domain controller from the list of available domain controllers under From Schema tab. The list of objects as available in AD schema will be displayed as shown below.
    [Screenshot: ADChangeTracker Settings window, Object Settings page.] Select the list of objects in Active Directory for which yo
82. nge type and a field based Filter criteria to find the Terminal Services activity events in the application's Events History database.
    4. Select the desired Domains to generate your reports on.
    5. Click Generate button to generate the report.
    6. Once the data collection is complete, the report will be generated in a report window as shown below.
    [Screenshot: Terminal Services Activity Reports report window (From 11/11/2013, Generated On 12/13/2013 6:11:50 PM, Status: Success) with columns Target Computer, Connected User Name, Workstation Client Name, Address, Session Name, Change Type (Reconnect / Disconnect), Event ID, Change made on.]
83. nt ID information. Attempts to reconnect for every one minute if a DC is not reachable.
    3.10 How to Add an Event ID for Configuring an E-mail Alert
    The E-mail alerts configuration settings window allows you to create a new alert, edit, delete or view properties of existing alerts configured. To launch E-mail alerts configuration settings window, click Real Time Events > Alerts menu in the toolbar. The E-mail alerts configuration settings dialog will appear as shown below.
    [Screenshot: E-mail alerts configuration settings dialog: "Configure email alerts for the corresponding Domain Controllers by providing Event IDs, SMTP server name, sender, recipients, threshold count for frequency of emails (say, for every 10 events) and description (optional). Provide description for an event ID so as to be reflected in alert email. Select Domain Controllers to view the overall alerts settings." The Alerts settings pane shows Domain Controllers: No alerts settings defined.]
    Step 1: Domain controller Selection
    - Right-click on Domain controllers and click Add Domain Controller menu. Add domain dialog will appear as shown below.
    [Screenshot: Add domain dialog: "Specify a domain controller or select an Active Directory domain from the drop down list and then select a domain controller." Includes a Connect As option.]
84. [Screenshot: Object Change Reports report grid showing Modified Value entries (for example the Web Page property of User15) with Event ID 5136 and Change made by RESEARCHLAB\adminuser3 on 10/28/2013, plus Quick Filter, Advanced Filters and Event Viewer Reference panes (Source Microsoft Windows Security Auditing; Category Directory Service Changes).]
    3.21 Permissions Change Reports
    Permissions Change Reports in ADChangeTracker allows you to view events data for Permissions changes made to your Active Directory objects since the application is configured for event data collection. By default, ADChangeTracker collects and reports events data for the following objects only:
    - Builtin Domain
    - Computer
    - Contact
    - Domain
    - Domain DNS
    - Group
    - Group Policy Container
    - Organizational Unit
    - User
    3.21.1 How to generate Computer Accounts Permissions Change Reports
    To generate the Computer Accounts Permissions Change Reports, perform the following steps:
    1. Configure settings for Permissions Change Reports as stated in Configure Events Repo
85. oftware Systems Private Limited. Website: http://www.vyapin.com. Sales Contact: sales@vyapin.com. Technical Support: support@vyapin.com.
    Table of Contents
    Active Directory Change Tracker
    1 General
    1.1 About Vyapin Active Directory Change Tracker (ADChangeTracker)
    1.2 System Requirements
    1.3 Who can Use ADChangeTracker
    1.4 How to Activate the Software
    2 Getting Started
    2.1 Configure ADChangeTracker
    2.2 Configure Active Directory Auditing
    2.3 Change Application Data folder location
    2.4 How to Get the Change Made by Value Successfully
    3 ADChangeTracker Features
    3.1 How to Track Changes
    Change Reports
    3.2 How to Generate ADChange Reports
86. on davor@discovery.local
    Select Delete option in the above dialog to remove the recipient name from To address text box. Click Cancel button to close this dialog, and the unresolved recipient(s) will appear in red color.
    Address Book
    ADChangeTracker provides Address Book feature to search for any mail enabled recipient object (say person, distribution list, contact, public folder) you want to send a message to. Click button and then use the Find Names dialog box to search for the recipient object you want to send a message to. Note that you can't use the Find Names dialog box to search for distribution lists in your Contacts folder. Select the object's name in the list and then click Add recipient to To.
    [Screenshot: Find Names dialog (All Global Address List) with columns Display Name, Last Name, First name, Title, Alias, Company, Department, Office Name, Phone.]
    4 ADChange Tracker Settings
    - Configure Domain Settings
    - Configure Change Tracking Settings
    4.1 Configure Domain Settings
    Domain Settings: You can launch ADChangeTracker Domain Settings by clicking Tools > Configuration Settings menu in the ADChangeTracker main application window as shown below.
    [Screenshot: ADChangeTracker main application window.]
    You can track
87. or log to the new location once you change the Application Data Folder. Once you specify the new Application Data folder location, ADChangeTracker will prompt you to copy or move existing ADChangeTracker application settings to the new location as shown below.
    [Screenshot: prompt "Do you want to Copy or Move all application settings and data from the old folder location to the new folder location? Click the appropriate button below."]
    6. Click the desired action (Copy / Move / Close) to proceed. ADChangeTracker will use the new Application Data folder location henceforth.
    2.4 How to Get the Change Made by Value Successfully
    ADChangeTracker reports the Change made by value for all AD object changes in the Active Directory. The Change made by is retrieved from the event log of the domain controller in which the change is made. This feature is applicable for Windows Server 2008 or later operating systems only. The Change made by field in the report may sometimes not get reflected immediately after a change is observed in AD (it will be empty / blank in the report window). This may be due to a delay / failure in receiving the Event subscription notification by the ADCT Service application. Click Refresh button in the report window to refresh the Change made by field. If the Change made by value continues to remain unavailable, please ensure the following points in order to retrieve Change made by value succe
88. ouble click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
    Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
    In the details pane, right-click the Policy pertaining to the report as shown in the following table, and then click Properties.
    - User Logon/Logoff Reports: Audit logon events
    - Password Change Reports: Audit account management
    - Terminal Services Activity Reports: Audit logon events
    - Object Change Reports: Audit directory service access
    - Permissions Change Reports: Audit directory service access
    5. Select the Define these policy settings check box.
    6. Under Audit these attempts, select the Success check box, and then click OK.
    Configure event ID(s) in application for security event log data collection
    For security event log data collection, configure event ID(s) corresponding to each report in Real Time Events > Alerts as stated in the following table.
    Report Name: Event ID(s)
    - User Logon/Logoff Reports: 4624, 4634
    - Password Change Reports: 4724
    - Terminal Services Activity Reports: 4778, 4779
    - Object Change Reports: 5136, 5137, 5139, 5141
    - Permissions Change Reports: 81808
    Set up auditing in object's SACL
    To set up
89. ple admincount
    [Screenshot: ADChangeTracker Settings window, Property Settings page, listing properties with their LDAP display names, such as Common Name (cn), Is Member Of DL (memberOf), Instance Type (instanceType), Object Category (objectCategory), Object Class (objectClass), Object Sid (objectSid) and When Changed (whenChanged).]
    8. Click OK button to save the property settings.
    NOTE: To know more about LDAP display name of properties in Active Directory, please visit the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677286(v=vs.85).aspx
    CHAPTER 4 ADChange Tracker Settings
    4.3 Configure SQL Server
    ADChangeTracker uses SQL Server database for its internal data storage, including storage of Change History. ADChangeTracker requires an SQL Server running SQL Server 2012 / 2008 / 2005 (Enterprise / Standard / Express editions) to connect and create a new application database. ADChangeTracker will connect to the specified SQL Server based on authentication mode and user credentials to manage its own applic
90. provides check name feature to check the existence of corresponding mail enabled recipient object in Active Directory. To check name, click button. If the entered name matches with a mail object in the Active Directory / its trusted domain, name entered in From address textbox will be replaced by the corresponding Active Directory recipient object. If there is more than one match, a dialog which contains matching Active Directory recipients will appear as shown below. You can select one or more recipients and click OK.
    [Screenshot: check name dialog with the options "Delete this Recipients from the list" and "Change to", listing the matching Active Directory recipients.]
    To get more information about the listed recipients under Change to, select the name and then click
    [Screenshot: recipient properties (name, title, department, company, alias, mobile number, e-mail).]
    If there is no match for the name entered by the user in Active Directory, a dialog will appear as shown below.
    [Screenshot: check name dialog with the options "Delete this Recipients from the list" and "Change to".]
91. [Screenshot: Object Change Reports report grid for the RESEARCHLAB domainDNS object: Added / Modified Value / Deleted entries for the properties Description, Object Security (Permissions) and Managed By, Event ID 5136, Change made by RESEARCHLAB\adminuser3 on 10/29/2013, with Quick Filter, Advanced Filters and Event Viewer Reference panes (Date & Time 10/29/2013 2:55:59 PM; Source Microsoft Windows Security Auditing; Category Directory Service Changes; Event ID 5136).]
    3.20.4 How to generate Groups Change Reports
    To generate the Groups Change Reports, perform the following steps:
    1. Configure settings for Object Change Reports as stated in Configure Events Reports.
    2. To launch Object Chang
92. [Screenshot: ADChangeTracker Settings window, Object Settings page ("Select the list of objects in Active Directory for which you want to track the changes"), From Schema tab for RD30 RESEARCHLAB, with Available Objects and Selected Objects lists of object names and LDAP display names such as Computer (computer), Contact (contact), Domain (domain), Domain DNS (domainDNS), Group (group), Group Policy Container (groupPolicyContainer), Organizational Unit (organizationalUnit) and User (user).]
    7. Click OK button to save the object settings.
    NOTE: To know more about LDAP display name of objects in Active Directory, visit this link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680938(v=vs.85).aspx
    4.2.2 How to Exclude a Property from Change Tracking
    ADChangeTracker tracks changes to all properties of AD objects in your Active Directory unless the property is excluded in the application setting. ADChangeTracker provides an option to exclude AD properti
93. rm the following steps:
    1. Configure settings for Permissions Change Reports as stated in Configure Events Reports.
    2. To launch Permissions Change Reports Groups window, click Events Reports > Permissions Change Reports > Groups menu in the toolbar. The Permissions Change Reports Groups window will appear as shown below.
    [Screenshot: Permissions Change Reports Groups dialog: "Generate Active Directory Groups Permissions change reports by specifying a suitable criteria using date range, domains and filter query." Date range From 10/15/2013 To 10/30/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter on Object Name.]
    3. Specify the Date range and a field based Filter criteria to find the Groups Permissions change events in the application's Events History database.
    4. Select the desired Domains to generate your reports on.
    5. Click Generate button to generate the report.
    6. Once the data collection is complete, the report would be generated in a report window as shown below.
    [Screenshot: Permissions Change Reports Groups report grid with columns Domain, Object Name, Object Path, Object Type, Change Type, Property Name; rows show Modified Value entries for Object Security (Added Permissions / Deleted Permissions) on group objects.]
94. rts
    2. To launch Permissions Change Reports Computer Accounts window, click Events Reports > Permissions Change Reports > Computer Accounts menu in the toolbar. The Permissions Change Reports Computer Accounts window will appear as shown below.
    [Screenshot: Permissions Change Reports Computer Accounts dialog: "Generate Active Directory Computer Accounts Permissions change reports by specifying a suitable criteria using date range, domains and filter query." Date range From 10/16/2013 To 10/31/2013; Domains: RESEARCHLAB, VSSLAB; Quick Filter on Object Name.]
    3. Specify the Date range and a field based Filter criteria to find the Computer Accounts Permissions change events in the application's Events History database.
    4. Select the desired Domains to generate your reports on.
    5. Click Generate button to generate the report.
    6. Once the data collection is complete, the report will be generated in a report window as shown below.
    [Screenshot: Permissions Change Reports Computer Accounts report window (Generated On 10/31/2013 2:42:53 PM, Status: Success) with columns Object Name, Object Path, Object Type, Change Type, Property Name, Old Value, New Value, Event ID, Change made by, Change made on.]
95. s installed. For example, if you install the software on 3 different machines, 3 different databases will be created and each installed application will track changes separately, independent of each other. Specify the SQL Server name, authentication mode, user name and password in the above screen. Click Finish to save configuration settings.
    2.2 Configure Active Directory Auditing
    This section provides step-by-step procedures for enabling auditing of changes to objects in AD DS. This process consists of two primary steps:
    - Step 1: Enable audit policy.
    - Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers console.
    Step 1: Enable audit policy
    1. Click Start, point to Administrative Tools, and then Group Policy Management.
    2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
    3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
    4. In the details pane, right-click Audit directory service access, and then click Properties.
    5. Select the Define these policy settings check box.
    6. Under Audit these attempts, select the Success check box, and then click OK.
96. ssfully:
    a. Select the "Use Security event log in DC to retrieve additional Change data (Who & When)" checkbox in the Add domain or Edit domain dialog.
    b. Enable the Audit directory service access Policy and set to success in Default Domain Controllers Policy as shown below.
    [Screenshot: Group Policy Management Editor, Default Domain Controllers Policy, Audit Policy node under Local Policies: Audit directory service access is set to Success; the other visible audit policies (account logon events, object access, policy change, privilege use, process tracking, system events) are shown as Not Defined.]
    c. Select Write all properties, Delete, Delete subtree and Create all child
97. t IDs corresponding to the domain controller will be listed.
    - Select the event ID information that needs to be edited and click Edit.
    - During the edit operation, you can modify the list of fields that make up the specific event ID information.
    Delete an existing event ID Information
    - To delete an existing event ID information which corresponds to a domain controller, select the desired domain controller by expanding Domain Controllers in E-mail alerts configuration settings window. The entire event IDs corresponding to the domain controller will be listed.
    - Select the event ID information that needs to be deleted and click Delete.
    - The application will prompt you for your confirmation to delete the selected event ID information as shown below. Click Yes to delete.
    [Screenshot: Active Directory Change Tracker prompt "Are you sure you want to remove the event information with respect to EventID 3137?"]
    View properties of specific event ID information
    - To view properties of a specific event ID information which corresponds to a domain controller, select the desired domain controller by expanding Domain Controllers in E-mail alerts configuration settings window. The entire event IDs corresponding to the domain controller will be listed. Select the event ID information that needs to be viewed and click Properties.
    View event ID information of all
98. teps given below:
    1. Select About ADChangeTracker from Help menu.
    [Screenshot: Help menu with Contents, Tips and About ADChangeTracker.]
    2. The About ADChangeTracker dialog appears as shown below.
    [Screenshot: About ADChangeTracker dialog. Program Folder: C:\Program Files\ADChangeTracker. Application Data: C:\Users\Public\Documents\ADChangeTracker. Copyright 2011-2014 Vyapin Software Systems Private Limited. All rights reserved. "You are on day 1 of your 15 day evaluation period." License Type: 15 day Evaluation Copy. "This software is meant solely for evaluation purposes only. This evaluation version exports and e-mails only the first 100 records and retain only the last 15 sets of changes in its change history database."]
    3. Click Change button to change Application Data folder location of ADChangeTracker application. The Browse for Folder location dialog will appear as shown below.
    [Screenshot: Browse for Folder dialog showing the Computer tree (local disks, Network, Control Panel).]
    4. Select a desired folder location and click OK. The folder location can be local drives or mapped network drives.
    5. ADChangeTracker provides an option to copy or move the existing ADChangeTracker application settings and err
99. the application database. ADChangeTracker will maintain all the timestamps corresponding to the changes detected during tracking. Based on the timestamps listed in the left treeview of the Change History report window, you can view the changes for a specific date and time.
To launch the GPO Change Reports window, click the Change Reports > GPO Reports (Ctrl+Alt+G) menu in the toolbar. The GPO Change Reports window will appear as shown below. Select and expand the root node in the left pane of the newly launched report window.
[Screenshot: GPO Change Reports window, with the Change History tree in the left pane and the list of modified GPO settings and the Change made by values on the right]
100. the report would be generated in a report window as shown below.
[Screenshot: Search Report window for the search template "User Object Changes", with the columns Domain Name, Object Path, Object Class, Change Type, Property Name, Old Value, New Value and Change made by, and an Event Viewer Reference pane]
101. ts menu in the toolbar. The Object Change Reports - Computer Accounts window will appear as shown below.
[Screenshot: Object Change Reports - Computer Accounts dialog, with Date range, Domains, Quick Filter (Field, Operator, Value) and Change type (Added, Modified, Deleted) settings]
3. Specify the Date range, Change type and a field-based Filter criteria to find the Computer Accounts change events in the application's Events History database.
4. Select the desired Domains to generate your reports on.
5. Click the Generate button to generate the report.
6. Once the data collection is complete, the report will be generated in a report window as shown below.
[Screenshot: Object Change Reports - Computer Accounts report window]
102. u want to track the changes.
[Screenshot: ADChangeTracker Settings window, Object Settings, with the Available Objects and Selected Objects lists]
3. You can right-click on the domain controller to connect to the domain controller again by using the Connect or Refresh menu and retrieve the objects afresh.
4. To include an object for tracking, click on the desired object in the list of Available Objects and then click the >> button.
5. To remove an object from the Selected Objects list, click on the desired object in Selected Objects and then click the << button.
6. You can also manually add the object by entering the LDAP display name of the object in the Object Name text box and then clicking the [icon] button, as shown below.
[Screenshot: Object Name text box]
103. wered by a listener service called ADCT Listener Service. ADCT Listener Service collects the events data and stores it in the application's Events History database. You can view events data by specifying the timestamp, domain, change type, category and field-based filter query that occurred over a time period.
Benefits
- Reports User Logon/Logoff activities in a domain with valuable information like Client Name, Logon Type and Workstation Name.
- Reports events data with When and Who made the changes for Password change activities in Active Directory.
- Reports Terminal Services Activities of roaming users in a domain with valuable information like Connected User Name, Workstation Name and Session Type.
- Reports What exactly changed along with Old Value and New Value, When the change was made, Where the change was made in Active Directory, and Who made the changes in Active Directory objects.
3.16 Configure Events Reports
This section provides a step-by-step procedure for configuring Events Reports. This process consists of three primary steps:
- Enable audit policy
- Configure event IDs in the application for security event log data collection
- Set up auditing in the object's SACL. This step is applicable for Object Change Reports and Permissions Change Reports only.
Enable audit policy
Click Start, point to Administrative Tools, and then Group Policy Management. In the console tree d
104. y sometimes prevent the ADCT Service application from receiving the subscribed events. For example, ensure that Read All Properties is not selected in the object's Auditing. Selecting this setting will create a flurry of events in the DC and will cause Event flooding.
e. Disable firewall protection to read event logs. Ensure that the target Domain Controller is not protected by Windows firewall to read event logs by remote clients.
f. Ensure that the ADCT Listener Service is running in the computer where the AD Change Tracker application is installed (can be verified in How to view the subscription status of domain controllers).
3 ADChangeTracker Features
Track Changes, Change Reports, Search Reports, History Manager, Alerts, Service Controller, Events Reports
3.1 How to Track Changes
The Track Changes feature allows you to track the list of all the changes made in Active Directory. You can check for various changes in Active Directory, like addition or deletion of objects and modification of properties.
Select the Track Changes button in the toolbar. The Track Changes window will be launched. Select the Track now option to track changes made to the Active Directory domain immediately upon clicking the Finish button, or select the Track at scheduled intervals option to track changes made to the Active Directory domain at scheduled intervals. Changes will be tracked since the last time a tracking was performed. The tracking process will only co
