A single Change Auditor (CA) server can be integrated with multiple Active Roles (ARS) servers.
- Change Auditor for Active Directory 5.6 (or higher)
Note: To capture the additional events and initiator account information available with the latest integration scripts, you must be running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher). To deploy Active Roles 7.0, you must have installed, at a minimum, Change Auditor 6.7.1539, Change Auditor 6.8.1474, or Change Auditor 6.9.
- The integration scripts must be deployed to a server running Active Roles.
Note: If Active Roles replication is configured correctly, you only need to deploy the integration script to one Active Roles server.
- The Change Auditor agents must be installed on all domain controllers in the environment to ensure that the Active Directory changes are picked up.
Active Roles Server
- Active Roles 6.9 through 7.3.
Note: To capture the additional events and initiator account information available with the latest integration scripts, you must be running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.0 (or higher).
Note: To work with Active Roles 7.0, you must have installed: hotfix 7.0.2 SOL188024 for Active Roles and at a minimum Change Auditor 6.7.1539, Change Auditor 6.8.1474, or Change Auditor 6.9.
Note: If both Active Roles versions 6.x and 7.0.2 SOL188024 are installed on the same server as a side-by-side deployment, Change Auditor installs integration scripts to both.
- Microsoft .NET Framework 4.5 (or higher) must be installed and enabled on the target Active Roles server
- PowerShell 2.0 must be installed on the target Active Roles server
- PowerShell Execution policy must be set to ‘AllSigned’, ‘RemoteSigned’ or ‘Unrestricted’ on the target Active Roles server. (For more information, see https://technet.microsoft.com/en-us/library/ee176961.aspx.)
- Active Roles administrator rights are required to deploy the integration scripts, and permissions to the Active Roles database are also required.
- The Active Roles service account (or the override account) must be authorized to access the Change Auditor SDK. That is, add the Active Roles server service account to the ChangeAuditor Administrators security group.
Note: If you use a role with the minimum permissions, use the Application User Interface page on the Administration Tasks tab to define a role that contains the ‘Add Sdk’ and ‘View Sdk’ operations. For more information about using the Application User Interface page to define a new role, see the Change Auditor User Guide.
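A preflight check for the Active Roles server prerequisites listed above, as an added example that is not part of the original article or of the integration scripts themselves. The service account name `svc-activeroles` is a placeholder, and the group name is an assumption taken from the wording above; adjust both to your environment.

```powershell
# Added example: preflight check for the Active Roles server prerequisites above.
# Run on the target Active Roles server; avoids syntax newer than PowerShell 2.0.
param(
    [string]$ServiceAccount = 'svc-activeroles',             # placeholder sAMAccountName
    [string]$CaAdminGroup   = 'ChangeAuditor Administrators' # assumed name; adjust to your directory
)

function New-CheckResult([string]$Check, [string]$Value, [bool]$Pass) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

$results = @()

# PowerShell 2.0 must be installed.
$psVersion = $PSVersionTable.PSVersion
$results += New-CheckResult 'PowerShell version' "$psVersion" ($psVersion.Major -ge 2)

# Execution policy must be AllSigned, RemoteSigned or Unrestricted.
$allowed = 'AllSigned', 'RemoteSigned', 'Unrestricted'
$policy  = (Get-ExecutionPolicy).ToString()
$results += New-CheckResult 'Execution policy' $policy ($allowed -contains $policy)

# .NET Framework 4.5 or higher: the Release DWORD is 378389 or greater.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release
$results += New-CheckResult '.NET Framework Release' "$release" ($release -ge 378389)

# Service account authorized for the Change Auditor SDK through group membership.
# A failure here is expected if a custom role with 'Add Sdk' and 'View Sdk' is used instead.
$inGroup = $false
$detail  = 'ActiveDirectory module not available'
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $members = @(Get-ADGroupMember -Identity $CaAdminGroup -Recursive -ErrorAction Stop |
                     ForEach-Object { $_.SamAccountName })
        $inGroup = $members -contains $ServiceAccount
        $detail  = "$ServiceAccount in '$CaAdminGroup': $inGroup"
    } catch {
        $detail = "Lookup failed: $($_.Exception.Message)"
    }
}
$results += New-CheckResult 'SDK group membership' $detail $inGroup

$results | Select-Object Check, Value, Pass | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```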
To Deploy the Integration Scripts:
Note: If the Active Roles scripting module has been deployed in a previous Change Auditor version, see the following knowledge base article which details the process to move to the updated version of these scripting modules that are available in Change Auditor 6.x: https://support.quest.com/change-auditor/kb?k=119136
- In the CA Client, open the Deployment page
- Select a server where Active Roles is installed
- Expand Advanced Options and select one of the following options:
  - ActiveRoles Integration | Deploy Scripts Only
  - ActiveRoles Integration | Deploy Scripts and Excluded Account
- If you select the Deploy Scripts Only option, Change Auditor copies and runs the Active Roles integration PowerShell script on the Active Roles server, which triggers Active Roles to retrieve the initiator information for all users and pass this information on to Change Auditor.
- If you select the Deploy Scripts and Excluded Accounts option, the Select Active Directory Objects dialog is displayed. Use either the Browse or Search page to locate and select a user or computer to exclude. Change Auditor then deploys the integration script that signals Active Roles to retrieve the initiator information for all accounts except for those specified for exclusion.
- Once successfully deployed, Success is displayed in the Deployment Results cell for the server.
Note: If errors are encountered during the deployment process, corresponding error messages are displayed in the Deployment Results cell. Fix the errors reported and then redeploy the scripts.
After the configuration changes, a reboot of the Active Roles server (not just a restart of the service) may be required to clear the cache of all of the changes made. Once the Change Auditor/ARS script is deployed, the initiator information retrieved from ARS can be viewed on the Search Results page in the Change Auditor client.
If the initiator is not appearing in the Searches (still shows the ARS service account name), try restarting the coordinator service.