You are on page 1of 39

Dell™ Change Auditor 6.

7
Release Notes
September 2015
These release notes provide information about the Dell™ Change Auditor release.

About Dell Change Auditor 6.7

New features

Important information

Resolved issues

Known issues

System requirements

Product licensing

Getting started with Change Auditor 6.7

About Dell

About Dell Change Auditor 6.7
Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor
audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information
about vital changes and activities as they occur. Instantly know who made the change including the IP address of
the originating workstation, where and when it occurred along with before and after values. Then automatically
turn that information into intelligent, in-depth forensics for auditors and management -- and reduce the risks
associated with day-to-day modifications.

Audit all critical changes across your enterprise including Active Directory®, Exchange, Windows® File
Servers, NetApp®, EMC®, SQL Server®, VMware® vCenter™, SharePoint®, and Microsoft® Lync®.

Track cloud storage and data consumption activity by auditing the use of Dropbox™, Dropbox™ for
Business, Box®, and OneDrive®.

Collect user logon and logoff activity for regulatory compliance and user activity tracking.

Automate ongoing compliance with tracking and reporting for compliance initiatives like SOX, PCI-DSS,
HIPAA, FISMA, GLBA and more.

Speed troubleshooting through real-time insight into changes with a comprehensive audit library
including built-in audit alerts, reports and powerful searches.

Proactively protect (lock down) critical Active Directory objects, Exchange mailboxes and Windows files
and folders from harmful changes that could open security holes or cause resources to become
unavailable.

Modular approach allows separate product deployment and management for key environments including
Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Queries,
SharePoint, Logon Activity, and Lync.

Integrate with other Dell™ products to track, audit, report and alert on critical changes made using Dell™
One Identity Authentication Services, Dell™ One Identity Defender, and Dell™ SonicWALL™.
Dell Change Auditor 6.7
Release Notes

1

Change Auditor 6.7 is a minor release, with enhanced features and functionality. See New features.

New features
New features in Change Auditor 6.7:
Start page: When you open Change Auditor, you are presented with a page where you can view and access
relevant information regarding Change Auditor including news and updates, support and knowledge base
content, online documentation (release notes and guide), links to the latest releases, and essential contact
links.
System requirements evaluation utility: A requirements evaluation tool is available from the autorun. Running
this tools allows you to ensure that your system meets the minimum coordinator requirements before beginning
the installation. A green check denotes that your system meets the requirements and a red “X” means that it
does not meet the minimum and should be addressed before continuing with the installation.
Upgrade and migration updates: In previous versions of Change Auditor, the Data Migration Tool was used to
migrate events from a legacy 5.9 to 6.x database. You no longer need the Data Migration Tool for this. Change
Auditor 6.7 introduces an enhanced in-place migration option so you can perform a direct upgrades from version
5.9, without losing any configuration data.
The following migration paths are supported through an in place migration during upgrade:

5.9 to 6.7 – migrate events from 5.9 to a new or existing 6.7 database. If you have Change Auditor 5.8 or
below you must upgrade to 5.9 first.

6.x to 6.7 – migrate events from 6.x database to a new or existing 6.7 database.

You can, however, still use the Data Migration Tool for the following situations:

To consolidate multiple Change Auditor databases.

To move legacy archived databases.

If you plan to redesign your Change Auditor deployment by installing a new database and moving existing
audited events into it.

SQL Data Level auditing and reports: SQL auditing has been augmented to include data level changes. SQL
Data Level auditing allows you to audit changes to databases and tables. A separate SQL Data Level auditing
templates must be defined for each target database to be audited by Change Auditor.
You can audit the following events:

Check constraint added to
a table

Function removed

Function altered

Check constraint removed
from a table

Rule added

Trigger added

Rule removed

Trigger removed

Object renamed

Trigger altered

Primary key added to a
table

Foreign key added to a
table

Primary key removed from
a table

Foreign key removed from
a table

Default object added

Index added to a table

Type added

Default object removed

Index removed from a
table

Type removed

Default constraint added
to a table

View added

Statistics added to a table

View removed

Statistics removed from a
table

Default constraint
removed from a table

View altered

User added

Function added

User removed

Row added to a table

Row updated in a table

Row removed from a table

Procedure added

Procedure removed

Procedure altered

Table added

Table removed

Table altered

Table truncated

Dell Change Auditor 6.7
Release Notes

2

The following built-in reports are available:

SQL Data Level Events in the last 24 hours

SQL Data Level Row Change Events in the last 24 hours

SQL Data Level Structure Change Events in the last 7 days

The following internal events have also been added:

SQL Data Level Auditing Template Added

SQL Data Level Auditing Template Deleted

SQL Data Level Auditing Template Enabled

SQL Data Level Auditing Template Disabled

SQL Data Level Auditing Template Modified

Archiving capabilities: You can now schedule both the purging of events from your database and archiving older
data to an archive database. Automating database cleanup allows you to keep critical and relevant data online
and current while eliminating or archiving events that are no longer required. This not only prevents your
database from growing in size, but it increases overall operational efficiency by speeding up searches and data
retrieval from the database.
Using the archive options, you can select to create a yearly archive database for older events that are no longer
required to be represented in your reports.
The following internal events have been added to this release:

Purge and Archive Job Added

Purge and Archive Job Changed

Purge and Archive Job Disabled

Purge and Archive Job Enabled

Purge and Archive Job Removed

Protection updates: Active Directory and File System protection has been updated to allow you to:

Schedule when the protection will be enforced. You can either select to have the protection always run
or have it run only during specific times.

Control when the protection is enabled based on the location.

Protect access from all locations: Protection is always enabled regardless of the client location.

Protect access only from select locations: Protection is only enabled for the specified locations.

Disable protection only for select locations: Protection is disabled for the selected locations.
Enabled everywhere else.

Protect access from all unknown locations: All Active Directory requests from locations that
cannot be determined by the Change Auditor agent will be protected.

Import a list of Active Directory objects into a protection template.

Ability to ignore file open actions: Because not all actions/events provide beneficial auditing data, you can
select to filter out non-essential information. Specifically, you have the option to ignore events generated when
browsing files and folders locally:

Folder open events that are generated by tooltips (folder content information that is displayed when you
hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the subfolders when you hover over the parent folder to see the tooltip.

File open events that are generated by file scans because Windows Explorer opens and reads the header
of all files contained in an opened folder for information to display in the window.

Dell Change Auditor 6.7
Release Notes

3

NOTE: Windows PowerShell version 3. You can then publish any report to SRS using these settings. • Exchange folder delete events. task and object moved and copied events. task and object modified events. • Exchange message. contact. • Exchange message. Find the Change Auditor installations and coordinators available in your Active Directory environment. Connect to and disconnecting from Change Auditor installations and coordinators.. The following internal events have been added: • SRS URL added to reporting services template • SRS URL attribute changed PowerShell commands: Change Auditor comes with a PowerShell module for you to use to manage your environment. appointment. • Find-CAInstallations • Find-CACoordinators • Find-CASuitableCoordinator • Connect-CAClient • Disconnect-CAClient • Get-CACoordinator • Get-CACoordinators • Get-CAInstallation • Get-CAAgents • Install-CAAgent Manage your agent deployments. When you want to. appointment. • Exchange message marked unread events. appointment. • Exchange folder renamed. Gather Change Auditor system information to help you to manage your installation components. appointment. Available commands Use these commands. You can create SRS templates that define all the necessary Report Server information (URL and credentials) and Change Auditor data source information for publishing reports. • Exchange message. task and object delete events. contact. Table 1. Dell Change Auditor 6.0 or higher is required. • Exchange folder permission changed events..7 Release Notes 4 . task and object read events. contact.Support for MAPI over HTTP protocol: MAPI over HTTP protocol starting from Exchange 2013 CU8 servers is now supported for the following: • Exchange mailbox protection from unauthorized access. appointment. task and object created events. Any changes affecting configuration are audited with internal events.. contact. • Exchange message. • Exchange folder created and folder and mailbox open events. SRS reporting: Change Auditor supports Microsoft's Microsoft SQL Server Reporting Services (SRS). moved and copied events. contact. • Install-CACoordinator • Install-CAWebClient Install Change Auditor components. • Uninstall-CAAgent • Update-CAAgent You must be a member of Administrators role to use these commands.. • Exchange message. It is installed when you install the Change Auditor client. This allows you to interact with a web-based reporting portal and simply subscribe to the reports you want to see.

Dell Change Auditor 6. • Change Auditor 6. PCI. PCI. After selecting a specific event from the results of a search.Change Auditor logon internal events: Change Auditor logon events are now available for the various client platforms so that access to Change Auditor data can be audited.2 and later).7 Release Notes 5 . customers have access to larger volumes of data online without the need to archive data regularly. • A dedicated Change Auditor for Cloud Storage User guide and cloud storage events added to SCOM pack.0) in relation to the latest HIPAA.x high performance database: With Change Auditor 6. the Event Details pane will allow you to further refine your search criteria. the following new internal event with a high severity will be generated: • Agent is unable to connect to the Dell Data Protection service Updated compliance reports .0 / SOX . • While Change Auditor 6. SOX regulations. This will ensure high performance when accessing large amounts of data in the Change Auditor client. • File and folder auditing support for NetApp cluster mode (as of version 8. The built-in searches have been updated to ensure they are up-to-date (as of the date of release . it is highly recommended that customers still maintain “focused” auditing in their environments. SOX: The IT compliance regulatory landscape is constantly evolving.March 2015 / PCI . Here are a few pointers on auditing and accessing “big data”: • When building custom searches.x's new database structure. The following internal events have been added: • Change Auditor PowerShell Client Logon • Change Auditor SDK Client Logon • Change Auditor Unknown Client Logon • Change Auditor Web Client Logon • Change Auditor Windows Client Logon Dell Data Protection internal event: Change Auditor integrates with Dell Data Protection|Cloud Edition (DDP|CE) to audit activity performed in sync folders of cloud storage providers. keep in mind that the new schema organizes its event indexes in “hourly blocks”.HIPAA. removed. The smaller the window of time in the WHEN criteria. or modified. See also: • Important information • Resolved issues Important information The following is a list of important information for this release of Change Auditor.version 5. Change Auditor client performance may decrease dramatically depending on the criteria selected. the better performance in the Change Auditor client for returning a result set. Additional updates • A new dashboard that displays file system objects with the most permission changes.   When the workstation agent is unable to connect to the Dell Data Protection service.version 3. These options are produced from the details of the selected event and may differ between event types. Expand the Add to Search tool bar button to display the available options for refining your current search.HIPAA . the name of the host or server) is now displayed in the event details when DNS records are added. • Increased search abilities. Warning: If excessive audits are received within the same hour.x offers much more efficient event auditing with our agents. • Meaningful information (specifically.

By default. server_2 is the Data Mover in slot 2. • General EMC® concepts: Control Stations: The Control Station is a dedicated management computer that monitors and controls cabinet components and allows access to the full functionality of the Celerra® or VNX® Network Server software. where n is the slot number of the Data Mover. enable the File and Printer Sharing (SMB-in) Inbound rule in the Windows® Firewall (Port 445) on the target host machine. etc If the CEPP service is OFFLINE. Data Movers are managed through the use of a Control Station. unwanted RpcClientAccess service restart. Data Movers are named server_n. If that does not work. The File and Printer Sharing for Microsoft® Networks service on the network adapter is also required to be enabled for remote deployment. maintaining the system. you can fix this by first restarting the EMC CAVA service on the Windows Server.. or unscheduled Exchange cluster node failover. Dell Change Auditor 6. unwanted RpcClientAccess service restart.• SMTP alert notifications on owner mailbox “event storm”: It is highly recommended that mailboxes configured to receive SMTP alerts from Change Auditor are excluded from auditing “by Owner” events. • Troubleshooting EMC events: If EMC events are not being audited by the Change Auditor agent. 2010 or 2013 client access role: unwanted IIS Exchange application pool restarts To eliminate the possibility of unscheduled Exchange Server downtime. In order to remotely install agents to Windows Server 2008/2012 (Full UI and Server Core). Attempting to upgrade the agent on a very busy Exchange Server may result in: • Exchange 2007 mailbox role: failed agent upgrade. state = ONLINE. and monitoring system performance.7 Release Notes 6 . The Control Station runs a set of programs that are collectively referred to as the Control Station software. • Upgrading Change Auditor agents on high volume Exchange Servers: It is critical that Change Auditor for Exchange agent upgrades be scheduled for maintenance intervals or other periods of low user mailbox activity for any configuration of Exchange Server. required MSExchangeIS service restart. thus generating a never-ending cycle of “Inbox opened by owner” and “Message read by owner” events. For example. Secondly. It contains utilities for installing and configuring the Celerra or VNX Network Server. An “event storm” could occur when a new SMTP alert is received on an audited mailbox by owner. by using the command: server_cepp {mover_name} -p -i Resulting output of this command should be similar to the following: IP = {mover IP}. first check to see if the EMC CAVA agent service is running on your Windows Server® where the EMC events are being collected. • Change Auditor agent requires File and Printer Sharing on Windows Server 2008/2012: By default. The Control Station itself uses an EMCcustomized version of Linux® as its operating system. or unscheduled Exchange cluster node failover. restart the EMC CEPP services on the Data Mover by using the following command: server_cepp {mover_name} -service -start • Change Auditor support for SQL database mirroring: Change Auditor does not support SQL High Availability technology other than clusters. please perform agent upgrades to Exchange Servers during periods of low or no mailbox activity. or unscheduled Exchange cluster node failover. • Exchange 2013 mailbox role: failed agent upgrade. check to see if the CEPP service on the EMC Data Mover is running or if the state is offline. • Exchange 2007. File and Printer sharing is not enabled on Windows Server 2008/2012 installations. Change Auditor for Exchange agent upgrades should NOT be attempted on an active Exchange Server cluster node in any case. Data Movers: Data Movers are the Celerra or VNX components that transfer data between the storage system and the network client. • Exchange 2010 client access role: failed agent upgrade..

The new mail alert window opens each new email message as it arrives in order to build the alert. an Active Directory® domain controller that holds the primary domain controller (PDC) operations master role runs a thread every hour to check the access control lists of members of several built-in administrative groups. If these explicit rights are granted to user accounts. can produce large numbers of non-owner events. those accounts will also be excluded from mailbox auditing. • Microsoft Office files: Since the Change Auditor for Windows File Servers. See http://support. NOTE: The “Message Read by Owner” event is disabled by default in Audit Event configuration. • Recompiling the Change Auditor MOF file: Change Auditor no longer ships with a MOF file as part of the coordinator installer. While we make every effort to ensure proper functionality and performance. Success in this configuration is dependent on many factors and is not guaranteed.• File System auditing for NAS and mapped network drives: Change Auditor does not support File System auditing on NAS devices or mapped network drives other than EMC Celerra/VNX/Isilon or NetApp® Data ONTAP® filers. • Exclude Change Auditor components and monitored processes from antivirus software: Dell recommends excluding the following Change Auditor components and monitored processes from any Dell Change Auditor 6. and EMC drivers capture events related to file activity. If necessary. • Changes to domain administration level security objects may generate subsequent DACL changes reported with Changed By information as “NT AUTHORITY\ANONYMOUS LOGON” up to an hour after the original change. These accounts have both ‘Receive All’ and ‘Administer Information Setup’ rights on the mailbox database. Select owner auditing for at most only a small number of critical mailboxes. the Change Auditor agent attempts to automatically exclude auditing of mailbox accesses by Blackberry Enterprise Server (BES) or similar service accounts. • Microsoft Outlook/Exchange add-Ins: Change Auditor may be incompatible with Microsoft Outlook or Exchange “add-ins” (commercial or custom) that interact with Exchange Servers. If these mailboxes need to be audited. Should the CA WMI namespace become corrupt. add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance. PowerPoint®.) will generate unexpected results. etc.DC=<domain> object.CN=System. it is possible that a folder containing files being opened/edited by Microsoft Office products (Word. • File System auditing: Files with a size of zero (0) bytes are not audited by Change Auditor. Understanding how MS Office products interact with the file system might help explain some of the audit events captured. In this configuration the SAN will generally behave as an additional disk drive on the server which can be audited by a Change Auditor agent on that server.com/kb/232199. Outlook connections may be slowed or dropped. • Auditing mailboxes with many delegates.7 Release Notes 7 . NetApp. If a user account is a member of one of these administrative groups. • Blackberry® Enterprise Server (or similar) services: To eliminate auditing of automated tasks. the file can be re-compiled using the following command-line: ChangeAuditor. According to Microsoft article http://support.microsoft. the user account's ACL is checked when the thread is run and may be reset to the ACL of the CN=AdminSDHolder. Auditing normal mailboxes where access permission is granted to many delegates (more than 10). we are unable to validate against the many addins available for Microsoft Outlook or Exchange Server.microsoft. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. • File System Auditing for SAN: Change Auditor does not officially support SAN auditing. Change Auditor will capture a Message Read by Owner event when this occurs. or should there be an installation failure. even if only because of its membership with a distribution group. new email that arrives flashes a semi-transparent “alert” near the desktop system tray. this automated exclusion can be disabled on a server-by-server basis. support and engineering will attempt to troubleshoot and resolve issues to the best of their ability when the SAN is attached to a Windows-based file server such that it appears as a local drive on that host.com/kb/211632 for more details. which may not be desired. • “By Owner” auditing feature: Selecting ‘By Owner’ auditing for many mailboxes can produce a very large number of events.exe --install • Outlook® “Show New Mail Desktop Alert” triggers the “Message Read by Owner” event: When this option is enabled. However. the performance of the Exchange Server itself.Service. In extreme cases. Excel®. This will adversely affect Change Auditor auditing and in severe cases.

Exchange.Service. selecting more than a few dozen mailboxes will significantly increase Change Auditor event latency times. General resolved issues Resolved issue Issue ID Memory leak in the file system driver component of the Change Auditor agent which exhausted non-paged pool memory. 451076 Dell Change Auditor 6. 471724 The group policy linked and unlinked events are not captured when a GPO is linked at the domain level. • The user must enter the coordinator’s IP address instead of its DNS name in the connection settings in: The web. Resolved issues The following is a list of issues addressed in this release. This will update the SPN with the correct information.exe • Lsass.exe • Services. 453860 Incorrect origin might be displayed for some file system events.exe (Exchange 2010/2013 only) • NPSRVhost. 466048 Disabling protection on individual GPOs does not take effect until the agent is restarted.exe (Exchange 2007 only) Change Auditor coordinator service running under a service account (instead of Local System): If the coordinator service is running under a service account (instead of Local System): • The user must re-save existing Forest or GC profiles using the Change Auditor client's connection wizard.7 Release Notes 8 . 464882 Unable to create a SharePoint auditing template if the SharePoint account has a long password. Table 2. 462987 NetApp and EMC events in Windows Event Log may not report all changes.RpcClientAccess. Because of the high overhead of Change Auditor for Exchange’s use of remote PowerShell® to configure and fetch audit logs from Exchange Online backend servers. enabling Exchange audit logging on large numbers of Exchange Online mailboxes can also affect back-end server performance.EXE • Microsoft. 459090 Agent cannot be installed due to a failure of Advanced Installer's custom action.sys driver which results in the server becoming unresponsive. 441842 GPO protection templates cannot be disabled when the protection configuration is stored in Active Directory. 470295 Support for Microsoft Exchange Server 2013 CU8.exe • ‘Server’ service • Store. In addition. 458212 Change Auditor agent cannot be upgraded if the Change Auditor event message file is in use by EventLog or any other application.antivirus software that utilizes technology similar to “Buffer Overrun Protection” or “On Access Scanner”: • • DSAMain.config for the Change Auditor web client The manual option in the Change Auditor client's connection wizard • Office 365™ Exchange Online auditing: Office 365 Exchange Online auditing is intended for monitoring small numbers of high-value Exchange Online mailboxes. 446964 Change Auditor file system driver may cause a deadlock in mountmgr.

Table 2.x events in the database results in 6. General resolved issues Resolved issue Issue ID SharePoint auditing might fail if the query to retrieve the audit data from the SharePoint database takes longer than 30 seconds. Topology scan takes a long time when the environment contains a large number of workstations. 424824 Web client user password cannot contain the '<' symbol. 448347 Messages that have large attachments and are being monitored by Change Auditor agent may cause ActiveSync performance issues. LSASS process becomes unresponsive on Windows 2012 R2 (x64) domain controllers when the Change Auditor agent service is stopped.x 432653 events which cannot be accessed or upgraded afterwards. 407094 Dell Change Auditor 6. 440084 Outlook performance issues when a Change Auditor agent is deployed on the Exchange 2013 SP1 436032 mailbox role servers. 451138 Change Auditor deployment tab shows old version and status as uninstalled for agent after a successful upgrade. 436017 AD LDS auditing templates are not displayed if IPv4 address of the AD LDS server could not be resolved by the Coordinator. 443978 Unable to install Coordinator when logged in user does not have permissions to SQL. 437566 When the Outlook connection type is set to “Anonymous Authentication" or "NTLM (Anonymous NTLM)" events were not audited or protection not enforced. 452454 Change Auditor agent running on Exchange 2013 mailbox servers causes frequent Outlook disconnects. 449526 ActiveSync may slow down or stop when being monitored by a Change Auditor agent. Upgrading from 6.7 Release Notes 9 . 448383 Events from Exchange Online are not being captured.6 database with 5.0 or 6.5 to 6. 445845 Support for OneDrive® 17. 431535 Active Directory search does not return correct results if there is underscore "_" symbol in the Active Directory like filter. RpcClientAccess service may become unresponsive on Exchange servers with Change Auditor agents preventing the shutdown and subsequent restart of the service. 447287 Changes made by ADManager Plus do not get audited by Change Auditor. 423674 Searching with a user and a group in the "who" tab only returns results for the user. 436125 Change Auditor prevents Outlook clients from connecting to Exchange 2013 servers.3. 445146 Topology scan causes performance issues when it's run on multiple coordinators at the same time.6 with 5. the event class is ignored producing incorrect results. 462232 Support for Microsoft Exchange Server 2013 CU7. 428820 Windows 2012 (non-R2) domain controllers become unresponsive after enabling Active Directory 426282 Query auditing. 431493 Selecting “SELF” as an override account within computer protection templates is not functioning 432118 properly. 436840 Unable to turn on BitLocker drive encryption on a workstation that has Active Directory protection templates applied for all attributes. When an Active Directory event class and a runtime prompt are added to the ‘what’ tab on a Search in the web client. 454741 Logon Activity reports do not display the values in the Duration and Type columns in proper format. 428144 File system auditing templates with more than one 'Inclusions' causes an issue where the FSDriver 384030 does not load properly and the events are not audited.

390029 Mailbox names containing parentheses are not audited due to LDAP search failures. Addressed the MS Vulnerability discussed in KB2993937. 426415 Upgrading Change Auditor agent from Active Roles Server breaks Active Roles integration in Change Auditor.5. 397674 SQL auditing filters are not behaving as expected.5. 414925 Unable to apply a large file system monitoring template. General resolved issues Resolved issue Issue ID After in-place upgrade or migration from 5.9 to version 6. 393365 Multiple Coordinators can generate events with the same IDs if the Coordinator services are started simultaneously. auditing of logon attributes causes an excessive amount of events. 393355 Dell Change Auditor 6. Change Auditor does not send alerts for events generated by ActiveRoles Server when the user selected in the ‘who’ tab of the search is the same user that generated events in Active Roles Server. 396081 Search does not function properly when a group is added on the 'who' tab with a subsystem in conjunction with an event class exclusion added on the 'what' tab. 414915 Unable to group file system folder paths in a case insensitive manner in the web client. 398216 "User Authenticated through Kerberos" event will not generate when using a Windows 2012 R2 domain controller. 388293 ActiveRole Server Initiator UserName values are not imported when you upgrade from Change Auditor version 5. 389112 Agent service becomes unresponsive when an LDAP search operation fails to execute. 414545 You can choose to ignore the folder opened events generated by this action.x. 415771 "Exclude the above selection" in the Exchange subsystem does not function properly. 388292 Change Auditor agent may cause port exhaustion on the DC. by selecting the Discard Windows Explorer tooltip events option when creating your auditing template. 414273 Exclamation symbols (!) in exclusions for File System templates are not displaying properly. 418617 Auditing of Active Directory modifications does not work if Microsoft KB3000850 has been applied on Windows 2012 R2 domain controller. 415773 Support for Microsoft Exchange Server 2013 CU6. Selecting the “Save” option in a generated report will show an error when done in the web client. 390913 Change Auditor dlls cannot be loaded if assembly verification skipping is enabled on the mailbox 418274 role server. 397066 Grouping by more than one column in a search causes an exception when a report is generated for that search. 419790 Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the subfolders when you hover over the parent folder to see the tooltip. 420242 After upgrading to Change Auditor 6. 395588 Coordinator encounters login failure and shuts down when a large SQL server (that contains the ChangeAuditor database) comes online after a restart. 411514 Filtering by Item URL in a SharePoint search does not return results.com) does not display the username in Who for the logon event. Logging in with UPN (user@domain.7 Release Notes 10 . 411310 Cloud Storage User Guide is now available with the product as well as from Dell’s online documentation. 393951 Password changes made through Active Directory Users and Computers on a computer contacting 393948 a Windows 2012 (R2) Domain Controller shows incorrect Origin information in the event.Table 2.

General resolved issues Resolved issue Issue ID Selecting the “Print with preview” option in a generated report will show an error when done in 395356 the web client. 393839 Dell Change Auditor 6. 377997 Improved logging for CryptEncrypt error when trying to deploy ActiveRoles Server scripts or agent. 388011 The Object Name field is empty in SNMP alerts for folder move events. 389788 Error during scanning SharePoint topology when the SharePoint server has a non-English system locale and a site or site collection with international characters in the title or URL. grouping by folder name is case insensitive. 412518 Different capitalization in folder names causes multiple entries when grouping by Folder Path in 406725 the Windows client.Table 2. 389052 Modifications in Microsoft Office files are not being captured properly. In some cases. 381163 Removed the following incorrect note from documentation. 390092 ADAM (AD LDS) protection templates disappear from the client when AD LDS instance is replicated between multiple computers. 392324 Unable to deploy agents if password for the domain is longer than 58 characters. 396994 Compliance reports are not properly displayed when exported to Dell Knowledge Portal (SRS). 393397 Permission changes are not reported if the Isilon ifs shared folder is hidden (admin share). Change Auditor agent may fail to initialize properly if Active Directory filtering configuration is set before the LSASS module is initialized. 388015 Agent cannot connect to Dell Data Protection service the internal cloud events were disabled prior to agent deployment. 391725 Unable to save reports in the web client. 371278 Change Auditor agent uses all available memory when large group membership is updated. 370987 The Migration Tool fails to migrate 5. the server may need to be restarted. 390038 ADAM (AD LDS) protection templates disappear from client if you have two AD LDS instances on the same computer. With this hotfix. 413949 Error received when using Exchange internet calendar sharing. 387594 Restore for Active Directory groups is not functioning properly. 411367 File system auditing templates with more than one Inclusion specified causes an issue where file 384030 system events are not audited. “Exchange mailbox auditing is NOT supported on Outlook® clients running Exchange Server 2013 SP1 (or higher).x databases with large amounts of events. 392109 Related searches for Active Directory events is displaying incorrect subsystem options.7 Release Notes 11 . 412340 Web client unable to connect to Global Catalog when "Domain controller: LDAP server signing requirements" is set to "Require signing". 392579 Events might get lost during migration with the Migration Tool if there is an inconsistency in the target database. you can changed it back to be case sensitive. 386273 Renaming an EMC file in folder with '&' in the name fails to show TO value 391072 Isilon auditing is not functioning properly. SharePoint events are not being audited. After upgrading agent. If required. Unable to distinguish between legitimate and false positive events for "Failed file access (NTFS permissions)".” 397690 Client fast transfer requests are failing.

some templates may not be displayed. Dell Change Auditor 6.0 HIPS causes a hang with the ServicesHook. Running the Change Auditor agent on Windows Server 2008 R2 or 2012 causes the system to 371273 become unresponsive if the Change Auditor Registry driver (CARegSys. alerts will not be sent because of issues with the event query. The Change Auditor client sets the incorrect time when the Active Directory subsystem is added 420042 with a prompt. The Coordinator prerequisite checking utility cannot be run from a remote UNC path. If the agent time is ahead of the Coordinator time. The Coordinator prerequisite checking utility will not run on Windows 2003 SP2 or Windows 2003 449838 R2. Dell recommends following Microsoft best practices regarding tempdb management. including allocating the tempdb and transaction logs on a separate drive from user database files.Known issues The following is a list of issues. When a folder is protected via location protection. 437386 When the Coordinator server runs a command to insert an event. Because of this. General known issues Known issue Issue ID Upgrade will fail if your previous version installation name was longer than 22 characters.exe) is located in the install directory under the PrerequisiteChecker folder. The utility application (Dell.exe from HIPS protection. known to exist at the time of release.dll which caused the server to reboot every time the Change Auditor agent started. Office Web Apps Server for SharePoint is not supported. SQL Server® tempdb. scheduled reports and purge jobs. it looks for the event that 422986 matches a certain criteria and has a timedetected that occurred before the current time on the Change Auditor database server. Workaround: Update time on the servers. Ideally the screen resolution should be 1024 x 768 with at least 256 colors. Conflict with McAfee® HIPS and Change Auditor agent causing server reboots: McAfee 8.sys) is added to the Driver Verifier.7 Release Notes 12 .Prerequisites. access is incorrectly granted after the agent 418022 is restarted (if that folder was being accessed from a computer in the deny access list).exe and lsass. 442437 Workaround: Increase the screen resolution until everything is viewable and accessible. NOTE: The minimum tempdb drive space for Change Auditor is 100 GB. 226903 Workaround: Exclude the services. 422945 A scroll bar is not available for auditing templates in the Administration Page. The SQL Server tempdb will grow to accommodate Change Auditor queries. x86 or x64 platforms. including those attributed to third-party products. 449844 Workaround: Copy the utility directory to a local drive and run it from there.Launcher. Table 3. Access will be correctly denied when the user logs off the remote computer.

x Database and SQL Server® autogrow feature: It is highly recommended that the Change Auditor 6.x. be aware that while Alert History stored in the archive will also be migrated. follow this article which explains how to pre-allocate a database's size: http://technet. Change Auditor 6.microsoft.000 bytes per event Example 1: 1.com/en-us/library/ms175890. using the Data Migration Tool's option to “Remove old data during migration” may severely affect the Data Migration Tool's performance.x operational database.x schema.x itself. select Tools | Compatibility View Settings and clear the Display intranet sites in Compatibility View option. Data Migration Tool and orphaned alert histories: When using the Data Migration Tool to copy 297768 ChangeAuditor 5. This is because Alert Histories are bound by the unique QueryID (the custom Search as Alert) and these queries are not migrated in order to preserve the new query formats in 6.000 events = 240MB estimated disk size required Workaround: To avoid the database autogrow issues during high-volume insertions.x database be setup using a pre-allocated disk space configuration greater than the expected size when migrating data to the Change Auditor 6. 296409 A warning message appears when migration performance can be severely impacted. Workaround: It is recommended to use an older Change Auditor client that can DB Direct connect to the 5. do not use the “Remove old data during migration” option.aspx Change Auditor for VMware not auditing VMware® Local User and Group Account events: When connecting directly to the ESXi® host from a vSphere® client bypassing vCenter™. This is not an issue with Change Auditor 6.x archive to review (or delete) the archived Alert Histories as needed.x record size at around 8. AD Protection wizard in the web client: The Web Client does not provide the right-click option 342993 from the Forest level to display Peer Domains within the AD Protection wizard. The DELETE process can take longer than expected on large source databases.000 events = 8MB estimated disk size required Example 2: 30. General known issues Known issue Issue ID Data Migration Tool and removing old data from a ChangeAuditor 5.x. this appears to happen when the Data Migration Tool is inserting records at a high rate of speed while the Change Auditor 6.x database schema.Table 3. This may be addressed in a future release of Change Auditor. 299282 In testing. This is a common issue with Internet Explorer 9 because it starts up in Compatibility View mode initially for intranet sites and must be manually disabled by the user individually. VMware Local User and Group Account events will not be audited by Change Auditor agent. it will be inaccessible in the new database.x database: Due to the complexities of the ChangeAuditor 5.x archive data to the new Change Auditor 6. but when a SQL Server database is set to “autogrow”. thus blocking inserts and possibly degrading SQL Server performance overall. Dell Change Auditor 6. NOTE: Alerts generated based on built-in queries should not be affected.x data into a new 6.x could cause the autogrow feature to get into a state of constant growth.7 Release Notes 13 . Change Auditor web client and Internet Explorer® 9 (or higher) compatibility view: The Change Auditor Web Client does NOT support Compatibility View in Internet Explorer 9 (or higher). Workaround: When migrating 5. This only occurs for custom queries configured as alerts in ChangeAuditor 5.x coordinator is also processing high volumes of new events in an environment. causing the migration tool to re-process the delete requests repeatedly. the high rate of insertions done by Change Auditor 6.x database from another source. Estimate Change Auditor 6. To disable Compatibility View mode in Internet Explorer 9.

However. or you run the Active Directory® Installation Wizard (Dcpromo. Please increase the value of this parameter.0. you must move the ServicePrincipalName role holder in order for Kerberos authentication to function correctly. Workaround: See Microsoft® KB Article 917463. Contact Dell Technical Support for detailed instructions. • You run the Sysprep. Dell Change Auditor 6. Junction point monitoring: Junction point creation may hang on a server with both the Symantec™ Backup Exec™ CPS Agent version 12. General known issues Known issue Issue ID IRPStackSize issues: After an agent is upgraded on a domain controller. WMI and System Event log: Change Auditor will not audit Service events on Win2003-based computers when the following conditions are true: • You apply Windows Server® 2003 Service Pack 1 or Service Pack 2 on this computer. This is to prevent the domain controller from becoming inaccessible. upgrade CPS Agent to 12. This will remove an old ITAD driver from memory. Central Access Policy in protected GPO: Due the way Microsoft is storing the configuration settings for a Central Access Policy (Windows Server 2012).7 Release Notes 14 . agents cannot be upgraded after two (2) upgrades have occurred without a reboot on domain controllers.5 or later. As of Change Auditor 6. You will NOT get an ‘Access is denied’ warning message explaining the change was not saved similar to what you get when attempting to access other group policy objects within the protected Group Policy container. it will appear that an unauthorized account can add or remove a Central Access Policy that is in a protected Group Policy container. you must consider the time it takes for AD replication to occur as well as the time the Change Auditor coordinator needs to add that configuration to the coordinator. Client CPU usage: Client CPU usage on Windows Server 2008 is dramatically increased when grouping columns by Agent Status on the Deployment tab during agent deployment operations. Workaround: To resolve the problem.exe command on this computer. WHO by Group Membership: When setting up a search based on WHO is in a particular group. unauthorized changes to the configuration settings for a Central Access Policy are NOT saved and will generate a ‘Failed Group Policy Container Access (Change Auditor Protection)’ event within Change Auditor. Running coordinator service with a service account: If you are running the coordinator service under a service account. it is recommended to reboot the domain controller before doing another upgrade.Table 3.exe) on this computer. To identify this condition.0 and the Change Auditor agent. the DC's system log will show EventID 2011: The server's configuration parameter “irpstacksize” is too small for the server to use a local device.

Change Auditor for EMC is not compatible with EMC® “CQM”: The Change Auditor for EMC agent does not support running concurrently with EMC Content Quota Management. and existing agents connect to the new coordinator prior to the completion of the topology scan. Change Auditor for EMC known issues Known issue Issue ID Change Auditor for EMC supports single CIFS servers per data mover: The Change Auditor agent will not audit events from another CIFS server that is under the same data mover and has the same shares as the CIFS server used in the CA for EMC policy. and a new Change Auditor database is created during installation or upgrade with the same installation name. data storage anomalies may occur.” Do the following if this error appears: Run the SQL query: USE Master. Refer to the Upgrade and installation instructions for more information. To ensure the EMC auditing is successful. One of the users will be displayed with a Change Auditor dialog message along with an “exception” notification stating “Error: 297. 377907 Web Client: Repeatedly switching back and forth between the grid and timeline view will keep increasing the timeline counts by the factor of the original displayed amount. General known issues Known issue Issue ID Multi-forest coordinator configuration with limited SQL account: The Change Auditor coordinator SQL account needs to have access to the sys.7 Release Notes 15 . Table 4. Refer to the Upgrade and installation instructions for more information. GO Software incompatibilities: The Change Auditor agent is incompatible with the following applications: • NetVision™ Agent (now StealthBits Technology) • CommVault® • Blackbird™ Group Management Suite (now BeyondTrust® PowerBroker® Auditor) Existing installation name with new database: If a new Change Auditor database is created during installation or upgrade with the same installation name. Change Auditor for Active Directory known issues Known issue Issue ID Custom Active Directory attribute auditing: If audit configurations where custom Active Directory attribute auditing are utilized. In a multi-forest coordinator configuration where each coordinator uses the same Change Auditor database using a SQL account with limited permissions for the database connection. 386038 Report Alerts: Report Alerting cannot be enabled through the web client. data storage anomalies may occur. Dell Change Auditor 6.dm_tran_locks view in order to resolve host names when in a Multi-Forest setup and when using a SQL account with minimal permissions. GO GRANT VIEW SERVER STATE TO {your limited SQL account}.Table 3. Procedure: usp_SQL_Lock_Read. Table 5. If two users from two different clients select the same item in the client. Message: The user does not have permission to perform this action. 386918 Workaround: Enable this feature within the Windows client. disable EMC CQM.

Use a double asterisk (**) to specify a recursive match (find match in folder and all subfolders in audit path. Exchange internal requests are automatically excluded from monitoring. matches slash characters (\) and directory names in paths).dell.Table 5. Table 6. Client unable to connect to EMC devices after Putty default settings changed: The Change 159492 Auditor client uses SSH APIs to connect to EMC devices. SP1 and SP2: When trying to create multiple mailboxes in the Exchange Management Console. Changing the “Default Settings” saved session in the Putty client will prevent the Change Auditor client from connecting to the correct server.NullReferenceException: Object reference not set to an instance of an object is reported in the Exchange console when the Change Auditor for Exchange agent is running.7 Release Notes 16 . edit any existing EMC auditing templates that include exclusions and apply the new rules for non-recursive and recursive matches. Workaround: Remove any host name or IP address saved in the stored session named “Default Settings” in the Putty client. Change Auditor for EMC known issues Known issue Issue ID Change Auditor for EMC exclusions and new syntax need to be applied after upgrading from ChangeAuditor versions 5. with the entire Exchange Mailbox facility selected. 157819 Error creating multiple mailboxes with Exchange 2010 RTM.7 or prior: Auditing templates added in 5. System. Workaround: After the upgrade. does not match any slash characters (\)). Change Auditor for Exchange known issues Known issue Issue ID Service Accounts generating excessive Exchange Mailbox events: Bulk operations generated by third-party products that use MAPI transports to scan or modify Exchange mailboxes can cause system slowdowns if not excluded from auditing. commands issued in the form of a “ForEach” loop could result in an error. Dell recommends adding service accounts of third-party MAPI services to the Account Exclusion list. which included exclusions using a single asterisk (*) or (*\) in front of file names or shared folders to exclude folders and files recursively will not function after upgrading to version 5. as are Blackberry® Enterprise Server and similar MAPI synchronization services. The new syntax is to use a single asterisk (*) to specify a non-recursive match (find match in folder only.com/kb/SOL88987. Workaround: Disable the Change Auditor agent on the Exchange 2010 Client Access Server while performing multiple operations at once or install Exchange 2010 SP2 Update Rollup 1 which resolves the issue. Due to a bug in the Microsoft PowerShell® implementation. see the Dell Solution at: https://support.8 (or higher). For information related to a fix for this problem. or with no event classes or facilities selected (indicating all events are excluded for the account). Refer to the “File/Folder Inclusion and Exclusion Examples Appendix” in the Dell™ Change Auditor for EMC User Guide or online help for valid exclusion examples. Dell Change Auditor 6.7 or prior.software.

The following are the events that would not be audited for users connecting through an OWA server without an agent: • Appointment Read by Non-Owner • Appointment Read by Owner • Calendar Opened by Non-Owner • Calendar Opened by Owner • Contact Read by Non-Owner • Contact Read by Owner • Contacts Opened by Non-Owner • Contacts Opened by Owner • Inbox Opened by Non-Owner • Inbox Opened by Owner • Mailbox Opened by Non-Owner • Mailbox Opened by Owner • Message Read by Non-Owner • Message Read by Owner • Task Read by Non-Owner • Task Read by Owner • Tasks Opened by Non-Owner • Tasks Opened by Owner Exchange 2007 and 2010 .aspx Dell Change Auditor 6.microsoft.7 Release Notes 17 . Exchange 2010/2013 scripting extensions: When a Change Auditor 5. This extension requires that the ScriptingAgentConfig. OWA Mailbox events are generated through the IIS service and therefore an agent is needed for their collection. it automatically enables the scripting extension in Active Directory. it is highly recommended that a Change Auditor agent be installed on ALL Exchange servers to ensure all servers are using the same scripting agent. Missing Exchange event detail: Some Exchange Active Directory changes that are detected on domain controllers may be reported with missing information.xml file in the Exchange Server folder if one is not already present.6 (or higher) agent automatically creates the required ScriptingAgentConfig.Missing Exchange events from OWA (Outlook Web Access): If the OWA functionality is being hosted from a server different than an Exchange Server that has an agent installed. This is a domain-wide setting and applies to ALL Exchange 2010/2013 servers. The events are otherwise accurate.6 (or higher) agent is 168683 deployed on Exchange Server 2010/2013. To capture this detail.Table 6. otherwise.microsoft. Therefore. protection will not prevent the user from deleting the items in the active folder.aspx • http://technet. Change Auditor for Exchange known issues Known issue Issue ID Exchange 2007 and 2010 . the server running OWA needs an agent to be installed as well.com/en-us/library/dd297951. Exchange management tools will display error messages each time the Scripting Agent cmdlet runs.com/en-us/library/dd298167. New OWA sessions established after protection is enabled are properly protected. Refer to these Technet posts for more information regarding the Scripting Agent: • http://technet. add the Domain Controllers group to the Exchange View-Only Administrators group. The Change Auditor 5.Mailbox events may show incorrect path names: Occasional incomplete folder path names in Exchange Mailbox events have been reported by a few users. OWA protection: If protection is enabled while a user already has an active OWA session on the newly protected mailbox.xml file be present in the Exchange Server folder.

you are unable to change security on a file from the same computer as the Change Auditor agent hosting the FPolicy server. Auditing of non-primary email addresses is not supported. the connection 442110 between the agent and a NetApp filer (7-mode) may fail due to the “Secure Negotiate” added to SMB 3. After the Exchange Server actually creates the mailbox.7 Release Notes 18 . Change Auditor is unable to differentiate those system events from normal user activity. you are unable to change the security on a file immediately after making changes to the file itself. Dell recommends temporarily disabling the audit events for “Message Read by Owner/Non-Owner” in the Audit Event configurations to prevent generating large numbers of Message Read events during the move. however the Change Auditor event will still be generated. 366968 Table 7. 439040 For NetApp filers in cluster mode. For NetApp filers in cluster mode. For resolution details see the following: http://support. Change Auditor for Exchange known issues Known issue Issue ID Delayed events using Entourage and Exchange 2010/2013: There is a known issue with Microsoft Exchange 2010/2013 and Entourage EWS or Outlook® 2011 for Mac where content conversion may fail.0 for Windows Server 2012 which requires correct signing of error responses by all SMBv2 servers.technet. There is a fix available by calling Microsoft Support (1-800-Microsoft) and requesting the fix. While attempting to access the mailbox through Outlook.microsoft. Note: When the agent detects 446000 that access to the filer is blocked. There is no workaround for this at this time. All mailbox permission changes after this point will be generated by the server’s Local System account. an error will be raised and access will be denied. The use of alternate email addresses throughout audited modules is not supported. If you host an agent on Windows Server 2012 or Windows Server 2012 R2. “Message Read by Owner/Non-Owner” events on mailbox moves: When moving user mailboxes from one message store to another in your Exchange environment. This resolves the issue. See this Technet post for details: http://social. it disconnects itself from the filer and reconnects.Table 6. 439038 Dell Change Auditor 6. when the first Outlook or OWA client opens it.com/Forums/enUS/exchange2010/thread/352776de-ab8a-400f-9f09-fb13cfa89f52/ Exchange mailbox permission changes are reported as the System account: When a user is created but prior to creation of the mailbox in Exchange Server.microsoft. False “Mailbox Opened by Non-Owner” events: It is possible to generate this type of event in Outlook 2007 by adding an additional mailbox to Outlook that you do not have permission to open. and “Who” information is available. the MMC snap-in for Active Directory Users and Computers handles changes to the user attribute msExchMailboxSecurityDescriptor directly.com/en-us/kb/2686098. MMC Users and Computers delegates msExchMailboxSecurityDescriptor changes to another process from which no “Who” information is available. and connections are dropped by the server without any response to the client. Change Auditor for NetApp known issues Known issue Issue ID Resource access is blocked when agent configuration is refreshed.

Change Auditor for SQL Server known issues Known issue Issue ID SQL Data Level does not support auditing encrypted databases.Table 7. Refer to the “File/Folder Inclusion and Exclusion Examples Appendix” in the Dell™ Change Auditor for NetApp User Guide or online help for valid exclusion examples. the filer drops its connection to the FPolicy server with Data ONTAP® 7. An event will still be recorded with the application name. event class. the filer turns off signing and tries to send the subsequent requests to which the server responds with an access denied error. matches slash characters (\) and directory names in paths). When the responses to the multiple requests arrive. Table 8. as the specific URL parameters required for this detection are truncated.7 or prior. data changes larger than 8000 bytes will result in a truncated transaction log record. Workaround: Disable signing on the FPolicy server. which included exclusions using a single asterisk (*) or (*\) in front of file names or shared folders to exclude folders and files recursively will not function after upgrading to version 5.8 (or higher).1. The new syntax is to use a single asterisk (*) to specify a non-recursive match (find match in folder only. Changes to 449373 these types may produce no events. 344887 Table 9. 450412 The test credentials option available in SQL Data Level auditing templates will not validate 448942 Windows Authentication credentials when the Change Auditor client is running on the SQL Server to be audited. Modifications to SQL data columns of type TEXT.com/kb/887429 for the steps needed to turn off signing on the FPolicy server. NTEXT. Dell Change Auditor 6. Workaround: After the upgrade. some events are not included and the details no longer match the records in the Event Viewer interface. 453519 The SQL Data Level event details for some object types and operations will not display the “textdata” field if the changed data exceeds the limit (16K bytes) that can be handled by Change Auditor.microsoft. or IMAGE are not supported. 446624 From/to values larger than 4096 characters and text data larger than 8192 characters will be truncated by default for performance purposes but this limit can be customized via the registry. the signing check fails due to a bug in ONTAP. Change Auditor for NetApp exclusions and new syntax need to be applied after upgrading from ChangeAuditor versions 5. Change Auditor for NetApp known issues Known issue Issue ID ® Change Auditor for NetApp drops connection to FPolicy Server: If CIFS signing is enabled for communication between the filer and FPolicy server. edit any existing NetApp® auditing templates that include exclusions and apply the new rules for non-recursive and recursive matches. Change Auditor for SonicWALL known issues Known issue Issue ID SonicWALL URL flow packets limited to 128 characters: Change Auditor cannot detect a file upload event for iCloud®.7 or prior: Auditing templates added in 5. does not match any slash characters (\)). Since the signing check fails. or if an event is generated the changed values may not be recorded in the event details in Change Auditor. Use a double asterisk (**) to specify a recursive match (find match in folder and all subfolders in audit path.7 Release Notes 19 . Refer to http://support. Due to a limitation with the command used to retrieve transaction log records. This happens when multiple requests are pending from the filer to the FPolicy server without getting a response for the requests sent. who and where information but the resulting audit event may not show from/to values and text data information. 463669 When the Event Viewer sorts the SQL Data Level logs.3.

Dell Change Auditor 6. • SQL Server 2012 and newer: Using SQL Server Configuration Manager. Change Auditor agents will no longer capture SQL-related events unless the following action is taken on the SQL Server: • SQL Server 2008: Using SQL Server Configuration Manager. the workstation agent will not be able to connect to the Dell Data Protection service.7 or prior.8 (or higher). Connection to this service is required to see cloud storage events.msdn.aspx Due to some limitations on gathering logon information for SQL Server 2008 and 2008 R2.Table 9. Use a double asterisk (**) to specify a recursive match (find match in folder and all subfolders in audit path. Change Auditor for Windows File Servers known issues Known issue Issue ID Change Auditor for Windows File Servers exclusions and new syntax need to be applied after upgrading from ChangeAuditor versions 5. This requires a SQL Server service restart. Change Auditor for Cloud Storage known issues Known issue Issue ID Internal Cloud Storage events 389788 If the following internal events are disabled prior to agent deployment: Agent successfully connected to the Dell Data Protection service and/or Agent is unable to connect to the Dell Data Protection service. Workaround: Ensure these events are enabled prior to agent deployment. See this article for more information: http://blogs. The new syntax is to use a single asterisk (*) to specify a non-recursive match (find match in folder only. does not match any slash characters (\)).com/b/joaol/archive/2009/09/30/sql-server-2008-does-not-start-after-sp1with-etw-enabled. Workaround: After the upgrade.7 Release Notes 20 . Table 11. edit any existing File System auditing templates that include exclusions and apply the new rules for non-recursive and recursive matches. the following information may not be captured: • Origin • Application name 445996 Table 10. which included exclusions using a single asterisk (*) or (*\) in front of file names or shared folders to exclude folders and files recursively will not function after upgrading to version 5.-T1906” to the end of the SQL Server Startup Parameters on the Advanced tab in the SQL Server Properties dialog. Refer to the “File/Folder Inclusion and Exclusion Examples Appendix” in the Dell™ Change Auditor for Windows File Servers User Guide or online help for valid exclusion examples. add the string “.7 or prior: Auditing templates added in 5. add the startup parameter “-T1906” on the Startup Parameters tab in the SQL Server Properties dialog. Event: A user uploaded a file to a cloud storage service 362377 An upload event is not triggered when uploading an empty text file. Change Auditor for SQL Server known issues Known issue Issue ID Auditing events on SQL Server 2008 SP1 Update 5 (or higher): Due to a hotfix Microsoft released for SQL Server 2008 SP1 Update 5 (or higher). matches slash characters (\) and directory names in paths).

you will have the option to log into the enterprise server through the client with an email account and password that is valid on the enterprise server. you need to update the servername in the registry for all of the desired systems agents. You will need to edit this to reflect the server URL in your custom environment.Cloud Edition does not provide the server URL in the Server URL window when upgrading from the audit only version that is installed with the Change Auditor Cloud Storage license to the enterprise version.7 Release Notes 21 . Dropbox. then install them again to avoid any issues. and then remove one of them. you should remove them.7. Box and Onedrive). it is best if you do not yet have Box. Coordinator requirements Requirement Details Processor Intel® Core™ i7 equivalent or better Memory Minimum: 8 GB RAM or better Recommended: 32 GB RAM or better Dell Change Auditor 6. Once the registry key is updated. If you do. If applicable. Change Auditor for Cloud Storage known issues Known issue Issue ID Cloud storage providers may be unstable if installed before a workstation agent enabled for cloud storage monitoring 362456 Before deploying a workstation agent enabled for cloud storage monitoring. or OneDrive synchronization applications set up on your computer. deploy the workstation agent. The following is the correct path and an example of a server URL. Table 12. the synch folder (for the removed provider) is not removed. System requirements Before installing Change Auditor 6. HKLM\SOFTWARE\Dell\Dell Data Protection\Cloud Edition\ServerURL=”https://bhcaddpe:8443/cloud” Note: 8443 is the default port used by DDP |CE. use your company’s preferred cloud sync client. The best practice is to select and install just one cloud storage provider.Table 11. ensure that your system meets the following minimum hardware and software requirements. This will immediately convert them to enterprise mode. If you have more than one cloud storage synchronization provider installed on the same 370885 computer (for example. • Change Auditor coordinator (Server-side component) • Change Auditor client (Client-side component) • Change Auditor agent (Server-side component) • Change Auditor workstation agent (optional component) • Change Auditor web client (optional component) Change Auditor coordinator (Server-side component) The Change Auditor coordinator is responsible for fulfilling client and agent requests and for generating alerts. Dell Data Protection . Any changes made to that folder will display as being done by the cloud provider that is still installed. 384720 384746 Workaround: To change from the audit only version to the enterprise version.

(MDAC is part of the operating system and enabled by default. Dell strongly recommends: • Install the Change Auditor coordinator on a dedicated member server. • Windows administrative permissions to install software and stop/start services. Standard and Datacenter) • Windows Server 2012 R2 (Essentials. Coordinator software and configuration For the best performance. NOTE: Microsoft’s Windows Server 2012 Foundation edition is NOT supported. number of agent connections. Installation platforms supported up to the following versions • Windows Server 2003 SP2 • Windows Server 2003 R2 SP2 • Windows Server 2008 SP2 • Windows Server 2008 R2 SP1 • Windows Server 2012 (Essentials.Table 12.0 • x86 or x64 versions of Microsoft SQLXML 4. NOTE: The user account performing the installation. NOTE: Microsoft Windows Data Access Components (MDAC) must be enabled.7 Release Notes 22 .NET 4. Dell Change Auditor 6.) NOTE: Microsoft’s Windows Small Business Server 2003. Coordinator requirements Requirement SQL database supported up to the following versions Details • Microsoft® SQL Server® 2008 SP4 • Microsoft SQL Server 2008 R2 SP3 • Microsoft SQL Server 2012 SP2 • Microsoft SQL Server 2014 SP1 NOTE: Change Auditor does not support SQL high availability technology other than clusters. In addition. NOTE: Do NOT pre-allocate a fixed size for the Change Auditor database. and event volume.0 • Estimated hard disk space used: 1 GB • Coordinator RAM usage is highly dependent on the environment. must be a member of the Domain Admins group in the domain where the coordinator is being installed. dedicated SQL server instance. Table 13. Standard and Datacenter). Coordinator minimum permissions Account Minimum permissions User account performing the coordinator installation The user account that will be performing the coordinator installation needs to have the appropriate permissions to perform the following tasks on the target server: • Windows permissions to create and modify registry values.0 or higher • x86 or x64 versions of Microsoft XML Parser (MSXML) 6. • The Change Auditor database should be configured on a separate. • x86 or x64 versions of Microsoft’s . 2008 and 2011 are NOT supported. • Estimated database size will vary depending on the number of agents deployed and audited events captured. the following software/configuration is required: Coordinator footprint • The coordinator must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.

Coordinator minimum permissions Account Minimum permissions Service account running the coordinator service (LocalSystem by default) The service account running the coordinator service must have the following permissions: • Active Directory® permissions to create and modify SCP (Service Connection Point) objects under the computer object that will be running the Change Auditor coordinator.7 Release Notes 23 . This account must have a SQL Login and be assigned the following SQL permissions: • Must be assigned the db_owner role on the Change Auditor database • Must be assigned the SQL Server role of dbcreator Dell Change Auditor 6. NOTE: If you are running the coordinator under a service account (instead of LocalSystem).Table 13. • Local Administrator permissions on the coordinator server. use a Manual connection profile that specifies the IP address of the server hosting the Change Auditor coordinator whenever you launch the Change Auditor client. SQL Server database access account specified during installation An account must be created to be used by the coordinator server on an ongoing basis for access to the SQL Server database. See the Dell™ Change Auditor User Guide or online help for more information on defining and selecting a connection profile.

2008 and 2011 are NOT supported. Agent requirements Requirement Details Processor Intel® Core™ i5 equivalent or better Memory Minimum: 4 GB RAM or better Recommended: 8 GB RAM or better Dell Change Auditor 6. Table 15. These agents will then report these audit events to the Change Auditor coordinator which will insert the event details into the Change Auditor database. NOTE: Microsoft’s Windows Small Business Server 2003.500 MB • Client RAM usage is dependent on the number of tabs you have open. Table 14.0 • x86 or x64 versions of Microsoft SQLXML 4. NOTE: Queries that return a lot of data can cause the client to use as much memory as required to store the results in RAM. Essentials and Datacenter) • Windows 7 SP1 (Pro.0 or higher • x86 or x64 versions of Microsoft XML Parser (MSXML) 6. Client requirements Requirement Details Processor Intel® Core™ i5 equivalent or better Memory Minimum: 4 GB RAM or better Recommended: 8 GB RAM or better Installation platforms supported up to the following versions • Windows Server® 2003 SP2 • Windows Server 2003 R2 SP2 • Windows Server 2008 SP2 • Windows Server 2008 R2 SP1 • Windows Server 2012 (Standard.0 • Estimated hard disk space used: 140 MB • Estimated physical memory RAM) used: 150 . NOTE: Microsoft’s Windows Server 2012 Foundation edition is NOT supported. Enterprise and Ultimate) • Windows 8 and 8.1 (Pro and Enterprise) NOTE: Microsoft® Data Access Components (MDAC) must be enabled. Essentials and Datacenter) • Windows Server 2012 R2 (Standard. Change Auditor agent (Server-side component) A Change Auditor agent can be deployed to domain controllers (DCs) and member servers to monitor the configuration changes made on these servers. Client software and configuration Client footprint • x86 or x64 versions of Microsoft’s .Change Auditor client (Client-side component) The Change Auditor client connects to a Change Auditor coordinator and queries the audited event database for the desired results. MDAC is part of the operating system and is enabled by default.NET 4.7 Release Notes 24 .

0 • The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain.5 (and above) agents. NOTE: Microsoft’s Windows Server 2012 Foundation edition is NOT supported. Standard and Datacenter) • Windows Server 2012 R2 (Essentials. you can define how many files to retain and the level of logging.0 or higher • x86 or x64 versions of Microsoft XML Parser (MSXML) 6. Agent footprint • Estimated hard disk space used: 120 MB + local database size + log size Change Auditor agent log retention and content is configurable. Standard and Datacenter) • Windows Server 2012 R2 Core (Essentials. • The Change Auditor agent service depends on the following Windows services to be running: • DNS Client • Remote Procedure Call (RPC) • Windows Event Log NOTE: Ensure communication over RPC between coordinators and agents. • Windows Server 2008 R2 SP1 • Windows Server 2008 R2 Core SP1 • Windows Server 2012 (Essentials. 2008 and 2011 are NOT supported.Table 15.NET 4. That is.NET 4. Standard and Datacenter) • Windows Server 2012 Core (Essentials.0 framework for Change Auditor 6. NOTE: Microsoft’s Windows® Small Business Server 2003.0 • x86 or x64 versions of Microsoft SQLXML 4. Agent RAM usage is dependent on the auditing modules you have licensed. MDAC is part of the operating system and is enabled by default.100 MB.7 Release Notes 25 . Agent requirements Requirement Installation platforms supported up to the following versions Details • Windows Server® 2003 SP2 • Windows Server 2003 R2 SP2 • Windows Server 2008 SP2 NOTE: Windows Server 2008 Core is no longer supported because it does not support the required . Standard and Datacenter) NOTE: Microsoft® Data Access Components (MDAC) must be enabled. Dell Change Auditor 6. • Estimated physical memory (RAM) used: 60 . Agent software and configuration • x86 or x64 versions of Microsoft’s .

• Box® 4. System account running on agent Change Auditor agents must run as localsystem. If you are targeting domain controllers only.4. you will get an access denied error.6 versions of Change Auditor • SecurityManager • Dell InTrust plug-ins: • ITAD • ITADAM • ITFA • ITEX • Active Administrator • DirectoryLockdown • EMC® EmailXtender® Table 16.Cloud Edition 1.3.Table 15. later released versions may work properly with DDP|CE. use your company’s preferred cloud sync client. Sync clients release updates fairly frequently. you must have administrative authority to install software on every target machine.3 Dell Change Auditor 6.3 Synchronization client NOTE: The following lists the latest tested sync clients. In addition.0 • Dropbox™ 3. Cloud storage auditing requirements Component Supported versions Change Auditor Change Auditor for Cloud Storage Dell Data Protection . The best practice is to select and install just one cloud storage provider. Agent minimum permissions Account Permissions User account deploying agents The Agent Deployment wizard runs under the security context of the currently logged on user account. Agent requirements Requirement Details Agent installation incompatibilities • Pre-5. membership in the Enterprise Admins group will grant you authority to all domain controllers in the forest.8 or later • OneDrive® 17. but should be tested prior to rolling out in a production environment.7 Release Notes 26 .4 • Dropbox™ for Business requires Dropbox version 2.Cloud Edition Dell™ Data Protection . If you are not a member of this security group for this installation. Table 17. Therefore. If applicable. This means you must be a Domain Admin in every domain that contains servers that you are targeting for installation. all users responsible for deploying Change Auditor agents must also be a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation.

Exchange Server auditing requirements Component Supported Versions Change Auditor Change Auditor for Exchange Exchange Servers supported up to Windows Server 2003 SP2 and 2003 R2 the following versions • Microsoft Exchange Server 2007 x64 SP3 Windows Server 2008 SP2 • Microsoft Exchange Server 2007 x64 SP3 • Microsoft Exchange Server 2010 SP3 Windows Server 2008 R2 SP1 • Microsoft Exchange Server 2007 x64 SP3 • Microsoft Exchange Server 2010 SP3 • Microsoft Exchange Server 2013 CU9 Windows Server 2012 • Microsoft Exchange Server 2010 SP3 • Microsoft Exchange Server 2013 CU9 Windows Server 2012 R2 • Microsoft Exchange Server 2013 CU9 NOTE: MAPI over HTTP protocol is supported starting from Microsoft Exchange Server 2013 CU8. SQL Server® auditing requirements Component Supported Versions Change Auditor Change Auditor for SQL Server SQL Servers supported up to the following versions For more information • Microsoft SQL Server 2005 SP4 • Microsoft SQL Server 2008 SP4 • Microsoft SQL Server 2008 R2 SP3 • Microsoft SQL Server 2012 SP2 • Microsoft SQL Server 2014 SP1 See the Dell™ Change Auditor for SQL Server® User Guide for information on using Change Auditor for SQL Server. Dell Change Auditor 6. For more information See the Dell™ Change Auditor for Exchange User Guide for information on using Change Auditor for Exchange. Cloud storage auditing requirements Component Agent (client) Operating Systems Supported versions • 15 – 20 GB space • TCP/IP installed and activated • IPv6 is not supported • Windows® 7 (64 & 32 bit) • Windows 7 SP1(64 & 32 bit) • Windows 8 Table 18.Table 17. Table 19.7 Release Notes 27 .

1 to 6.7. configuring and using Change Auditor for EMC. SQL Server® Data Level auditing requirements Component Supported Versions Change Auditor Change Auditor for SQL Server SQL Servers supported up to the following versions • Microsoft SQL Server 2008 SP4 • Microsoft SQL Server 2008 R2 SP3 • Microsoft SQL Server 2012 SP2 • Microsoft SQL Server 2014 SP1 NOTE: Due to some limitations on gathering logon information for SQL Server 2008 and 2008 R2.7 Release Notes 28 .0 EMC Celerra Event Enabler (CEE) Framework 4. Dell Change Auditor 6.5 (through 5.Supported up to the following versions EMC Common Event Enabler (CEE) Framework 6. the following information may not be captured: For more information • Who • Origin • Application name See the Dell™ Change Auditor for SQL Server® User Guide for information on using Change Auditor for SQL Server. Defender auditing requirements Components Supported Versions Change Auditor Change Auditor for Defender Defender .6.7 EMC VNX Event Enabled (VEE) Framework 4.Table 20. EMC Isilon CEE 6.8.7. Authentication Services auditing requirements Component Supported Versions Change Auditor Change Auditor for Authentication Services Authentication Services -Latest supported version Dell™ One Identity Authentication Services 4.1 Table 22.5 (or higher) is required for EMC Isilon® auditing EMC Celerra®/VNX® .1) NOTE: VNXe® is NOT supported.Latest supported version Dell™ One Identity Defender 5.3. Table 21.7 Table 23.0 NOTE: Requires manual configuration to audit Isilon file servers For more information See the Dell™ Change Auditor for EMC® User Guide for detailed information on installing. VNXe does not support CEPA at this time and therefore Change Auditor for EMC will NOT run successfully in VNXe environments. EMC® auditing requirements Component Supported Version Change Auditor Change Auditor for EMC NOTE: Change Auditor for EMC 6.

Lync auditing requirements Components Supported Versions Change Auditor Change Auditor for Lync Lync Microsoft Lync version 2010 and 2013 Dell Change Auditor 6.0 to 6.2.7 Release Notes 29 . NetApp® auditing requirements Component Supported Versions Change Auditor Change Auditor for NetApp NetApp Filer NetApp Filer with Data ONTAP® 7.0 Table 26. Change Auditor | Workstation agents Change Auditor for Logon Activity Workstation NOTE: See Change Auditor workstation agent (optional component).0 vCenter™ 5.1 For more information See the Dell™ Change Auditor for NetApp® User Guide for detailed information on installing.2 to 8. configuring and using Change Auditor for NetApp.3 Cluster mode is supported as of version 8. Table 25.Table 24. VMware® auditing requirements Component Supported versions Change Auditor Change Auditor (any license) VMware ESX®/ESXi® 5. Table 27.0 to 6. Table 28. Logon Activity auditing requirements Component Supported versions Change Auditor | Server agents Change Auditor for Logon Activity User NOTE: See Change Auditor agent (Server-side component). configuring and using Change Auditor for SharePoint. SharePoint® auditing requirements Component Supported versions Change Auditor Change Auditor for SharePoint SharePoint SharePoint Server 2010 or 2013 SharePoint Foundation 2010 or 2013 For more information See the Dell™ Change Auditor for SharePoint® User Guide for detailed information on installing.

Table 30. See the Dell™ Change Auditor for SonicWALL User Guide for more information on configuring and using Change Auditor for SonicWALL. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).Table 29.7 (or higher) Firewall requirements: For more information • At least one SonicWALL firewall that supports AppFlow with the ‘IPFIX with extensions’ external flow reporting format. The account must also be licensed for Exchange Online (other Office 365 licenses are not required). Office 365™ Exchange Online auditing requirements Component Supported versions Change Auditor Change Auditor for Exchange 6. • Office 365 Small Business Premium Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Administrator role for Office 365 Small Business Premium. SonicWALL auditing requirements Component Supported versions Change Auditor Change Auditor for SonicWALL SonicWALL firewall device SonicWALL firewall device running SonicOS firmware version 6.5 (or higher) Office 365 Exchange Online Office 365 platforms supported and required permissions: • Office 365 Small Business Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Administrator role for Office 365 Small Business. • The SonicWALL firewall must support the SonicOS DPI-SSL feature for cloud or SSL-based web site activity auditing. • Office 365 Enterprise Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Global Administrator role for Office 365 Enterprise. For more information See the Dell™ Change Auditor for Exchange User Guide for more information on Exchange Online auditing. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).1.7 Release Notes 30 . Change Auditor workstation agent (optional component) Change Auditor workstation agents can be deployed to capture authentication activity and logon session events from monitored workstations when the Dell™ Change Auditor for Logon Activity Workstation license is applied Dell Change Auditor 6. • Office 365 Midsize Business Minimum permissions: The user account configured for Change Auditor auditing must be assigned the Global Administrator role for Office 365 Midsize Business.1. • The firewall must be configured to send AppFlow data to the Change Auditor agent. The account must also be licensed for Exchange Online (other Office 365 licenses are not required).

Local Group Policy Local Computer Policy\Computer Configuration\Windows Sercurity\Security Settings\Local Policies\Audit Policy\Audit logon events For more information See the Dell™ Change Auditor for Logon Activity User Guide for more information on using Change Auditor for Logon Activity. and OneDrive) when the Dell Change Auditor for Cloud Storage license is applied.NET 4. See the Dell™ Change Auditor Installation Guide for recommendations and instructions on manually deploying workstation agents.0 or higher • x86 or x64 versions of Microsoft XML Parser (MSXML) 6. MDAC is part of the operating system and is enabled by default.0 • x86 or x64 versions of Microsoft SQLXML 4. Dell Change Auditor 6. Table 31. • Network Discovery and File Sharing must be enabled. this service is stopped and set to ‘Manual’ for Windows 7 and Windows 8/8. Enterprise and Ultimate) • Windows 8 and 8. DropBox. • The Change Auditor agent service depends on the following Windows services to be running: • DNS client • Remote Procedure Call (RPC) • Windows event log NOTE: Ensure communication over RPC between coordinators and agents. the following must be enabled on the workstation: Authentication Activity auditing • Windows Management Instrumentation (WMI) must be enabled in firewall rule set (usually domain) on the workstation. However. Client software and configuration • x86 or x64 versions of Microsoft’s .7 Release Notes 31 . NOTE: The recommended installation for domain workstations is from the Deployment tab of the Change Auditor Windows® client. • Remote Registry service must be set to ‘Start Automatically’. Workstation agent requirements Requirement Details Processor Intel® Core™ i5 equivalent or better Memory Minimum: 1 GB RAM (x86)/2 GB RAM (x64) Recommended: 4 GB RAM or better Installation platforms supported up to the following versions • Windows 7 (Pro. By default.Group Policy Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policy\Audit Policy\Audit logon events • Workgroup .and cloud storage information (Box. for non-domain workstations you must manually install the Change Auditor workstation agent. you must first enable (that is. To capture Authentication Activity events. set to Success. NOTE: Workstation agents are not supported on Windows 8.1 (Pro and Enterprise) NOTE: Microsoft® Data Access Components (MDAC) must be enabled. Failure) the ‘Audit Logon events’ audit policy for all servers or workstations: • Domain .1.0 • The agent must have LDAP and GC connectivity to all domain controllers in the local domain and the forest root domain. NOTE: For workstation log management (such as Get Logs or View Agent Log).1 for cloud storage monitoring.

Web client requirements Component Supported versions Processor Intel® Core™ i7 equivalent or better Change Auditor Change Auditor (any license) NOTE: Change Auditor 6.7.9 and then upgrade to 6.9 version database and schedule a migration task to move events from legacy 5. Upgrade notes Version Details Change Auditor 5.Change Auditor web client (optional component) The Change Auditor web client is an optional component that is installed on the Internet Information Services (IIS) web server to provide users access to Change Auditor through a standard or mobile web browser.7. or 11 NOT running in Compatibility View mode • Safari® 8.5 for Mac® OS (Windows® Safari is not supported) See the Dell™ Change Auditor Web Client User Guide for more information on installing. 6.9 You can upgrade directly to version 6.9 version database and schedule a migration task to move events from legacy 5.6. If 5.7 database. Change Auditor 5.5.7 Release Notes 32 .9 in-place migration completes. Once the 5. Change Auditor 6.x tables to the upgraded 6.0 • x86 or x64 versions of Microsoft SQLXML 4.5 (or higher) is required for using the Administration Tasks page to manage Change Auditor. Once complete. you will NOT require new Change Auditor 6. The coordinator installer will detect a 5.9. configuring and using the web client. Essentials and Datacenter) with Application Server and Web Server roles • x86 or x64 versions of Microsoft’s .0 • Chrome™ 42 • Firefox® 37 • Internet Explorer® 9.7 upgrade is possible. Dell Change Auditor 6. Table 32.NET 4. you must return to the previous installation and let the coordinator finish the in-place migration.8 or below You must upgrade to 5.7 as long as the database does not contain 5.0 to 6. 6. If you are upgrading.7 database.0 or higher • x86 or x64 versions of Microsoft XML Parser (MSXML) 6.7 from the following versions of Change Auditor: 5. 6.0 You can upgrade directly to version 6.0. Table 33. The coordinator installer will detect a 5. you can upgrade directly to version 6. 10.0.x events are present. a 6. Installation platforms supported up to the following versions Software and configuration Browsers supported up to the following versions For more information • Windows Server 2008 SP2 with Application Server and Web Server roles • Windows Server 2008 R2 SP1 with Application Server and Web Server roles • Windows Server 2012 (Standard.x events.x tables to the upgraded 6.7. Essentials and Datacenter) with Application Server and Web Server roles • Windows Server 2012 R2 (Standard.7 licenses. Upgrade and compatibility You can upgrade to Change Auditor 6.

The following Change Auditor products require separate licenses which can be applied during the coordinator installation process: • Change Auditor for Active Directory • Change Auditor for Active Directory Queries • Change Auditor for Authentication Services • Change Auditor for Cloud Storage • Change Auditor for Defender • Change Auditor for EMC • Change Auditor for Exchange • Change Auditor for Logon Activity User (to capture logon activity from server agents) • Change Auditor for Logon Activity Workstation (to capture logon activity from workstation agents) • Change Auditor for Lync • Change Auditor for NetApp • Change Auditor for SharePoint • Change Auditor for SonicWALL • Change Auditor for SQL Server • Change Auditor for Windows File Servers Dell Change Auditor 6. Change Auditor 6. This upgrade path is dependent upon the Change Auditor version you are running.7 as long as the database does not contain 5.5 You can upgrade directly to version 6. Refer to Change Auditor 6. Product licensing NOTE: BEFORE you can upgrade to Change Auditor 6.5 to 6.5 had offered an in-place upgrade option where your existing Change Auditor 5.7 Release Notes 33 . you only need to download one instance of the Change Auditor product.x events in the database which cannot be migrated at this time.0 and 6. which will need to be applied during the coordinator installation process. The code is the same for all and the license keys are the mechanism used to determine what features are enabled/disabled in the product.x events are present.x events.x events.6 If the database contains legacy 5. Once complete. the installer will silently acknowledge this and allow the upgrade to 6. NOTE: Change Auditor 6.7 upgrade is possible.8 or 4.9.x license(s). If you purchased multiple Change Auditor products.x (5. you will require new Change Auditor 6.7.8 and higher) database is upgraded similar to previous upgrades. Please contact Dell Technical Support.Table 33. you WILL require new Change Auditor licenses for all licensed Change Auditor products.x. in addition to following the prescribed upgrade path. On startup. Upgrade notes Version Details Change Auditor 6. the coordinator service will issue a log warning stating that it has detected 5.5 documentation for more information. If 5. a 6. If you are running Change Auditor 4. you must return to the previous installation and let the coordinator finish the in-place migration. For new installations (not upgrades from a previous version).

you can use the License Manager to apply these new Change Auditor license(s). • On the License Status dialog. click the Licenses button to locate and apply the new license file(s) or update existing licenses. If you have previously installed a trial or other permanent license on your computer. 7 • Select a license from the list. 3 On the Select License File dialog. 5 After applying new product licenses. click the Update License button. To apply licenses after initial installation: If you purchased additional Change Auditor product(s) after the initial installation. locate and select the new license. • Close the dialog and select Next to apply the license(s) and continue the coordinator installation. 4 During the coordinator installation. • Click OK to close the License details pane. locate and select the new license. 1 From the member server where the coordinator is installed. • On the Licenses page. Click Open.com/support/.dell. click the Install button for the Install Change Auditor Coordinator option to launch the Change Auditor Coordinator Setup wizard. 2 If you have not installed the Change Auditor components.7 Release Notes 34 . click the Browse License button to locate the Change Auditor license(s) you previously copied to your desktop or local hard drive. restart the Change Auditor agents to capture the new events. you will be prompted to locate the Change Auditor license file(s). you can apply the licenses in any order but must apply all the licenses provided. • Click the Details button. 4 Click OK to save your selection and close the dialog.If you are licensing multiple Change Auditor products. See Upgrade and installation instructions for more information in installing the Change Auditor components. If an invalid or expired license is entered. Click Open. • On the Select License File dialog. 3 On the Install page of the autorun. the coordinator installation will not continue.exe file to launch the Dell Change Auditor autorun. • Click OK to save your selection and close the dialog. 6 You may review your installed licensed component(s) in the License Manager (Start | All Programs | Dell | Change Auditor | License Manager). If you are licensing multiple Change Auditor products. To activate a trial or purchased commercial license: 1 Copy the Change Auditor license file(s) to your desktop. from a member server run the autorun. Dell Change Auditor 6. you can use the License Manager to upgrade to a new license. select each of the licenses to be applied. 2 From the About Change Auditor dialog. use the following path: Start | All Programs | Dell | Change Auditor | License Manager. 5 If the license key you applied does not function as expected. • Click the Update License button. or other convenient location. please visit http://software.

6.9 and then upgrade to 6. including best practices that should be taken into consideration before you begin the installation process. run the autorun. click the Install button for the Install Change Auditor Web Client option to launch the Web Client Setup wizard. click the Install button for the Install Change Auditor Coordinator option to launch the Coordinator Setup wizard. which contain the previously entered data.8 and lower). Direct upgrades to 6. • Launch the Change Auditor client and open the Deployment page.5. run the autorun. • Enter the information as requested on the Setup wizard. • Specify when you want to deploy the agents: Now or When (date and time).exe file.7 coordinator and client. which contain the previously entered data.7 are only supported from versions 5.6.exe file. • Click through the wizard pages.7 Upgrade and installation instructions To upgrade Change Auditor: See the Dell™ Change Auditor Installation Guide for more detailed upgrade instructions.Getting started with Change Auditor 6.9.9. • Wait until the coordinator status goes from ‘Initializing’ to ‘Running’ status. To ensure a successful upgrade of Change Auditor. upgrade the Change Auditor components in the following order: 1 2 Upgrade all Change Auditor coordinators (and database schema) • From the desired member server. Upgrade all Change Auditor clients To upgrade a Change Auditor client: • From the desired workstation. and 6. • Click OK to confirm the upgrade.8.and post-upgrade information that should be taken into consideration before you begin the upgrade process.6) can connect and work with the new Change Auditor 6.exe file. • Continue to upgrade the remaining coordinators one at a time. • Click through the wizard pages.7. 5. laptop or member server. 6. run the autorun. • On the Install page of the autorun. To upgrade a Change Auditor web client: 3 • On the IIS server. • Select the agents to be upgraded and select the Install or Upgrade tool bar button. click the Install button for the Install Change Auditor Client option to launch the Client Setup wizard. It is recommended that you install the Change Auditor components in the following order: Dell Change Auditor 6. • Click OK to confirm the upgrade. you must upgrade to 5. • On the Install page of the autorun. 6. To install Change Auditor: See the Dell™ Change Auditor Installation Guide for more detailed installation instructions.0. • Click OK to confirm the upgrade. or 6. 6. including pre.7 Release Notes 35 . Upgrade the Change Auditor agents Previous versions of Change Auditor agents (5.5.x 95. To upgrade 5. • On the Install page of the autorun.0.

Once you have confirmed that the coordinator is functioning correctly. • From the desired member server. click the Licenses button to locate and apply the new Change Auditor license(s). run the autorun. deploy Change Auditor agents to the domain workstations to be monitored for logon activity. click the Install button for the Install Change Auditor Client option to launch the Change Auditor Client Setup wizard. run the autorun. If you wish to install the Change Auditor database to a SQL instance other than the default instance of the selected SQL Server. verify that the user account is a member of the ChangeAuditor Administrators group in the specified ChangeAuditor installation.1 Database (SQL Server®) . • On the desired workstation. Agents . click the Browse License button to locate the Change Auditor license(s) to be applied. • Select an entry and use the Credentials | Set tool bar button or right-click command to enter the user credentials for installing agents to the selected domain.Choose the SQL database you are going to use. If you are planning on installing the Change Auditor web client. install the Change Auditor coordinator. • Verify that the user account being used to install the coordinator is at least a Domain Admin in the domain to which the coordinator server belongs. • Enter the information requested on the wizard pages. enter a static client port.Deploy agents to your domain controllers and member servers. • On the Install page. • Verify that the user account deploying agents is at least a Domain Admin in every domain that contains servers/workstations where agents are to be deployed. select each license to be applied. It is recommended that you use the default (DEFAULT) installation name.Once you have confirmed that the database instance to be used is installed and functioning correctly. On the ChangeAuditor Administrators screen. On the Installation Name screen. 3 4 Client . Also. laptop or member server. click the Install button for the Install Change Auditor Coordinator option to launch the Change Auditor Coordinator Setup wizard. • Use an existing account or create a new user account in Active Directory® that will be used by Change Auditor to access the SQL Server. • Launch the Change Auditor client and open the Deployment page (View | Deployment). On the License Status dialog. you can use the port settings on the Specify Port Information page to specify static SCP listening ports to be used instead. • Enter the information requested on the wizard pages: On the Product Licensing screen. On the SQL Server Information screen. By default Change Auditor dynamically assigns ports to be used to communicate with each installed coordinator.exe file • On the Install page. create the new instance before running the installer.<InstallationName>” security group option is selected by default and will add the current user to the security group. the Add the current user to the “ChangeAuditor Administrators .exe file. Dell Change Auditor 6. Enter the name to be assigned to the Change Auditor database. However. Also. if you have the Change Auditor for Logon Activity Workstation auditing module licensed. enter a unique installation name to identify the database to which the coordinator is to be connected. • Create a SQL Login for this AD user account and assign the following permissions to this login: Change Auditor database role: db_owner SQL Server role: dbcreator 2 Coordinator .7 Release Notes 36 . If you are installing multiple Change Auditor modules. enter the server name or IP address (member server running the SQL instance) and the SQL instance name to be used for the Change Auditor database. install the Change Auditor client.

• As agents are successfully deployed.dell.com.Install the web-based portal on the IIS web server. This release is targeted to support operations in the following regions: North America.dell.exe file. In this release. Open the Ports tab and in the Client Port field. such as those needed by customers outside of North America. select the entry and use the Credentials | Test tool bar button or right-click command.7 Release Notes 37 .dell. About Dell Dell listens to customers and delivers worldwide innovative technology.com/techcenter/windows-management/) Globalization This section contains information about installing and operating this product in non-English configurations. • Enter the information requested on the wizard pages. Right-click the coordinator system tray icon and select Coordinator Configuration. For more information. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation. business solutions and services they trust and value. enter the date and time to schedule the deployment task.com/) • Windows® Management and Migrations Community (http://en.software. click the Install button for the Install Change Auditor Web Client option to launch to Change Auditor Web Client Setup wizard. (Optional) Web Client . run the autorun. select a unique port for the web site to avoid conflicts with other IIS applications.community. enter the static port to be used to communicate with the coordinator. If you select the When option. Additional resources Additional information is available from the following: • Online product documentation (http://documents. • If you did not specify a static client port as part of the coordinator installation. • On the IIS web server. • On the Install page. See the Dell™ Change Auditor Web Client User Guide for more detailed information on installing the web client. Dell Change Auditor 6. On the Internet Information Services screen. you can start deploying agents to that domain. • Select one or more servers/workstations and click the Install or Upgrade tool bar button or rightclick command. all product components should be configured to use the same or compatible character encodings and should be installed to use the same locale and regional options. Japan. visit www. Central and Eastern Europe.5 • After entering the credentials. the Agent Status will display ‘Active’ and a desktop notification will be displayed in the lower right corner of your screen. This release is Unicode-enabled and supports any character set. use the Coordinator Configuration tool to specific a static client port. Far-East Asia. the Deployment Result will display ‘Success’. If you get a Valid Creds status in the Deployment Result column. • Select the deployment schedule: Now or When.software. Western Europe and Latin America.

For trial software.com/support/. In addition. 24 hours a day.com Technical support resources Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions.dell. 365 days a year.7 Release Notes 38 . go to Trial Downloads. To access the Support Portal. and manage Service Requests (cases) • View Knowledge Base articles • Obtain product notifications • Download software.dell. The site enables you to: • Create.Contacting Dell Technical support: Online support Product questions and sales: (800) 306-9329 Email: info@software. • View how-to videos • Engage in community discussions • Chat with a support engineer Dell Change Auditor 6. The Support Portal provides self-help tools you can use to solve problems quickly and independently. the portal provides direct access to product support engineers through an online Service Request system. update. go to http://software.

VMware. or its affiliates. Patents This product is protected by U.S. PowerPoint. contact: Dell Inc. Blackberry® and related trademarks. Inc. ESXi. Excel. vCenter. CONSEQUENTIAL.494. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. in the United States or other countries. Additional Patents Pending. SonicWALL and InTrust are trademarks of Dell Inc. THE IMPLIED WARRANTY OF MERCHANTABILITY.578. Box® is a registered trademark of Box. Windows PowerShell and Windows Server are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or other countries. Patents # 7. including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Dell Inc.231. names and logos are the property of Research In Motion Limited and are registered and/or used in the U. and vSphere are registered trademarks or trademarks of VMware.266. DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS. Attn: LEGAL Dept 5 Polaris Way Aliso Viejo.185. FITNESS FOR A PARTICULAR PURPOSE. Inc. Legend CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. personal injury. EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.650. ActiveSync. Linux® is a registered trademark of Linus Torvalds in the United States. OR NON-INFRINGEMENT. Safari and iCloud are registered trademarks of Apple Inc. The software described in this guide is furnished under a software license or nondisclosure agreement. Symantec and Backup Exec are trademarks or registered trademarks of Symantic Corporation or its affiliates in the U. ALL RIGHTS RESERVED. BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT. IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING. Dell disclaims any proprietary interest in the marks and names of others. Inc. 8. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT. Outlook.7 Release Notes 39 . to any intellectual property right is granted by this document or in connection with the sale of Dell products. VNX. TIP. and VNXe are registered trademarks of EMC Corporation. Trademarks Dell. in the United States and other countries.com. Internet Explorer. 8. Change Auditor is not affiliated with or otherwise sponsored by Dropbox. If you have any questions regarding your potential use of this material. express or implied. PUNITIVE. Itanium is a trademark of the Intel Corporation in the U. Amazon Cloud Drive is a trademark of Amazon. Celerra. and other countries. and countries around world. No license. Office 365. and 8. Inc.598.979. IMPORTANT NOTE. ESX. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT. NOTE. Dell Change Auditor 6. CA 92656 Refer to our web site (software. INDIRECT.S. Inc. BeyondTrust and PowerBroker are trademarks or registered trademarks of BeyondTrust in the United States and other countries. OneDrive. GPOADmin. BUT NOT LIMITED TO. other countries. McAfee is a registered trademark of McAfee. EMC. SPECIAL OR INCIDENTAL DAMAGES (INCLUDING.© 2015 Dell Inc. and/or other countries. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.S.dell.S. Dell does not make any commitment to update the information contained in this document. This guide contains proprietary information protected by copyright. Windows. CommVault is a registered trademark or CommVault Systems. Active Directory. electronic or mechanical. Lync. MOBILE. Used under license from Research In Motion Limited. This software may be used or copied only in accordance with the terms of the applicable agreement. Microsoft. the Dell logo. SharePoint.com) for regional and international office information. WARNING: A WARNING icon indicates a potential for property damage. or VIDEO: An information icon indicates supporting information. Isilon. The information in this document is provided in connection with Dell products. No part of this guide may be reproduced or transmitted in any form or by any means. WITHOUT LIMITATION. by estoppel or otherwise. SQL Server. DAMAGES FOR LOSS OF PROFITS. or death.