-
Title
Deploying Change Auditor/Active Roles integration scripts -
Description
Change Auditor (CA) is not integrating with Active Roles operations and does not provide the correct Initiator name. Also: is it possible to integrate a single CA server with multiple Active Roles servers? -
Cause
In order for Active Roles to retrieve the name of the user who made changes using an Active Roles client and forward this information onto Change Auditor, you must first deploy the Change Auditor/Active Roles integration scripts to an Active Roles server. -
Resolution
You can integrate a single CA server with multiple Active Roles servers.
Requirements:
https://support.quest.com/technical-documents/change-auditor/release-notes/5#TOPIC-1885974
To Deploy the Integration Scripts:- In the CA Client, open the Deployment page.
- Select a server where Active Roles is installed.
- Expand Advanced Options and select one of the following options:
- ActiveRoles Integration | Deploy Scripts Only
- ActiveRoles Integration | Deploy Scripts and Excluded Account - If you select the Deploy Scripts Only option, Change Auditor copies and runs the Active Roles integration PowerShell script on the Active Roles server which triggers Active Roles to retrieve the initiator information for all users and pass this information onto Change Auditor.
- If you select the Deploy Scripts and Excluded Accounts option, the Select Active Directory Objects dialog is displayed. Use either the Browse or Search page to locate and select a user or computer to exclude. Change Auditor then deploys the integration script that signals Active Roles to retrieve the initiator information for all accounts except for those specified for exclusion.
- Once successfully deployed, Success is displayed in the Deployment Results cell for the server. (If errors are encountered during the deployment process, corresponding error messages are displayed in the Deployment Results cell. Fix the errors reported and then redeploy the scripts).
The deployed integration script should appeared listed in the Active Roles Console:
Also, two Active Roles policies referencing the integration should appear listed under the Administration container:
Following the changes to the configuration reboot of the Active Roles server (not just the service) to clear the cache of all of the changes made may be required. Once the Change Auditor/Active Roles script is deployed, the initiator information retrieved from Active Roles can be viewed on the Search Results page in the Change Auditor client.
If the initiator is not appearing in the Searches (or still shows the Active Roles service account name), try restarting the coordinator service.
Note 1: You can alternatively deploy the script manually if remote deployment is restricted in your environment:
https://support.quest.com/kb/4256652Note 2: If the Active Roles scripting module has been deployed in a previous Change Auditor version, see the following knowledge base article as an additional source of information:
https://support.quest.com/kb/4237812
Note3: The DC where Active Roles sends the details must have a ChangeAuditor Agent running:
-
Additional Information
https://support.quest.com/technical-documents/change-auditor-for-active-directory/user-guide/11#TOPIC-1890966