Change Guardian

Version 4.1

Release Notes

Date Published: March 2014

 
 

 

NetIQ Change Guardian 4.1 includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Change Guardian forum in the NetIQ Forums, our online community that also includes product information, blogs, and links to helpful resources.

The documentation for this product is available on the NetIQ Web site in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Change Guardian Documentation page. To download this product, see the Change Guardian Web site.

What's New?

The following outline the key features and functions provided by this version, as well as issues resolved in this release:

Enhancements

Enhanced Operating System Support

This version of Change Guardian supports existing monitoring functionality on the following operating systems:

  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1

Support for LDAP Authentication

This version of Change Guardian supports LDAP authentication in addition to database authentication. You can configure a Change Guardian server for LDAP authentication to enable users to log in to Change Guardian with their LDAP directory credentials.

New Dynamic Groups

This version of Change Guardian allows you to group agents to device groups dynamically, based on specified attributes.

New OVF Appliance Package Format

Beginning with this version, Change Guardian will no longer include specific Xen or VMware formats of the appliance. Instead, the release will include an .ovf appliance that can be used on both Xen and VMware hypervisors. This version also includes an .iso file. You can still deploy Change Guardian patches to the previous Xen and VMware appliances.

Enhanced Active Directory Monitoring Capabilities

This version of Change Guardian for Active Directory several new "best practice" policy templates as well as new monitoring functionality.

  • Best Practice Monitoring Policies
  • The new policy templates allow you to monitor changes in Active Directory configuration in the following areas:

    • Active Directory Configuration
    • Active Directory Sites and Services
    • Active Directory Forests
  • New Monitoring Functionality
    • New monitoring functionality allows you to:

    • Customize monitoring policies to monitor all Active Directory objects based on object type and the attribute changed.
    • Monitor the Active Directory configuration and schema partitions.

New Diagnostics Feature

This new feature in Change Guardian informs you of any issues that prevent you from successfully monitoring an asset.

New Auditing of Administrative Actions

Change Guardian now tracks any change you make in the Policy Editor with a System Event.

Support for Custom Severity Settings

On the File System Policy window, you can set a severity level for a policy. Any event the policy generates will have the specified severity level. You can specify either a static severity level (1-5) or an automatic severity level. If you specify an automatic severity level, Change Guardian assigns the severity based on weighted factors.

Internationalization Support

This version of Change Guardian supports multibyte character sets.

Software Fixes

Change Guardian 4.1 includes software fixes that resolve several previous issues.

If you use the upgrade installer, the set of new features and fixed defects depend upon the version from which you upgrade. For example, if the system is running Change Guardian 4.0, defect fixes from Change Guardian 4.0 SP1 are also applied as part of this upgrade.

Change Guardian for Active Directory Does Not Send Some Events to NetIQ Sentinel

Change Guardian for Active Directory now sends all events to NetIQ Sentinel after rebooting the Domain Controller computer. (ENG329595)

Additional and Delayed Events Arrive when Configuring Windows Firewall

Issue:

When you create a new rule for inbound or outbound categories in the Windows Firewall with Advanced Security settings on a Group Policy Object on a Domain Controller computer running Microsoft Windows 2008, the provider does not generate the events related to your changes immediately. Instead, the events are delayed and arrive with duplicate events when you configure another setting. (ENG329244)

Fix:

Events related to changes in the Advanced Security settings on a Group Policy Object arrive when they are supposed to, with no delay or duplicate events.

Resource Expansion Does Not Work with Subdomains

Resource expansion now works correctly with subdomains. (ENG330278, ENG332023)

Resource Expansion Does Not Work After Installing Change Guardian 4.0 Service Pack 1

This version of Change Guardian corrects an issue where resource expansion did not work after installing Change Guardian 4.0 Service Pack 1. (ENG330168)

Policies Do Not Work When Using Fully Qualified Domain Name for Managed User

Policies in Change Guardian for Active Directory now allow you to specify managed users with either Fully Qualified Domain Name (FQDN) or NetBIOS. (ENG330861)

Web Console Displays 'Security Certificate is Not Trusted' Error

The Change Guardian Web Console no longer displays a 'Security Certificate is not trusted' error. (ENG330863)

All Reports Return Errors After Installing Change Guardian 4.0 Service Pack 1

This version of Change Guardian corrects an issue where generating a report returned an error after installing Change Guardian 4.0 Service Pack 1. (ENG330411)

Return to Top

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Cannot Use WebYaST to Upgrade the Change Guardian Server Appliance

You cannot use WebYaST to upgrade the Change Guardian server appliance because you must accept the updated license agreement. You need to upgrade the appliance by using the zypper patch.

Upgrade Fails if You Renamed the .msi Package for the Original Installation

If you renamed the .msi file when packaging the program to silently install a previous version of Change Guardian, the upgrade to the current release fails. During an upgrade, Microsoft Windows looks for an original installation with the same identification as the .msi package for the upgrade. For more information about this issue, see the Windows Installer Team Blog. (ENG328889)

VMware vSphere 5.5 Web Client Cannot Import OVF Templates

Issue:

An issue with VMware vSphere 5.5 Web Client prevents you from using it to import .ovf templates. (DOC332977)

Workaround:

To import an .ovf template, you must use the VMware vSphere 5.5 Client.

Modifications to System-Only Object Might Not Generate Security Events

Change Guardian for Active Directory requires a security event to generate a Change Guardian event. System-only object attributes in Active Directory cannot be modified manually. They can only be modified internally by Active Directory. Modifications to system-only attributes do not generate security events, so Change Guardian is unaware of these changes and cannot track them or create Change Guardian events. (ENG332134)

Missing Sections in 'Process was Terminated' Events

If you create a process policy in Change Guardian for Windows that monitors an application for Process was Terminated events, and the monitored application is open before you assign the policy to the agent, when the monitored application shuts down, the generated event does not contain the Event Message and Who sections. To ensure the generated event contains all sections, turn off the application you want to monitor before assigning the policy to the agent. After you assign the policy to the agent, start the application again. (ENG332876)

Resource Expansion Cannot Expand Group Members from Trusted Domains

If you configure resource expansion for a group that contains members from a trusted domain other than the domain to which the group belongs, Change Guardian cannot expand the group members. (ENG331982)

Resource Expansion Does Not Support Parentheses

Resource expansion does not work on Active Directory users or users of groups if the name attribute contains open or close parentheses:

( )

(ENG331896)

'Demoted from DC' Events Not Generated on Windows Server 2003

If you configure Change Guardian for Active Directory to monitor for Demoted from DC events, and the demoted computer is running Microsoft Windows Server 2003, a Demoted from DC event is not generated. (ENG332176)

LDIF Scripts Do Not Generate 'Class-Schema Was Created' Events

If you use an LDIF script to create a class-schema, Change Guardian generates a Class-Schema Was Modified event instead of a Class-Schema Was Created event. (ENG332311)

Change Guardian for Active Directory Does Not Generate Some Events on Microsoft Windows Server 2012 R2

If you run Change Guardian for Active Directory on a computer with the Microsoft Windows Server 2012 R2 operating system, Change Guardian for Active Directory does not generate some events. If you install Windows Update KB2911106, Change Guardian for Active Directory is able to generate all events except Active Directory Object was Renamed events. (ENG332396)

Microsoft Windows Server 2012 R2 + KB2887595 Can Cause Instability on Domain Controller

If your domain controller runs Windows Server 2012 R2, ensure you have installed the most recent Windows updates. If the most recent Windows Update you have installed is KB2887595, the computer can become unstable when the following are true:

  • Audit Directory Service Changes is enabled in Active Directory
  • An Active Directory object is renamed

(ENG332396)

Upgrading a Change Guardian Agent from Version 4.0 to Version 4.1 Might Require Reboot

When you upgrade a Change Guardian agent from version 4.0 to version 4.1, if files the upgrade process needs are locked or in use, the upgrade process might require a reboot to complete. (ENG333172)

Upgrading a Change Guardian Server from Version 4.0 to Version 4.1 Causes Invalid User Format Error

If you upgrade a Change Guardian server computer from version 4.0 to version 4.1, and then edit the include only events performed by these Active Directory users [user names] constraint on a Change Guardian for Active Directory policy you created in version 4.0, the constraint displays an Invalid User Format error. To correct this error, delete the constraint and add it again. The new constraint will not display the error. (ENG332795)

Upgrading a Change Guardian Agent from Version 4.0 to Version 4.1 Causes User Expansion to Fail in Registry Policies

If you manually add Active Directory users to a registry policy in Change Guardian for Windows version 4.0, and then upgrade a Change Guardian agent to version 4.1, Change Guardian cannot expand the users you added manually. To correct this, submit a new revision of the policy. For example, you can make a minor change to the policy description, and then submit the change. On the new revision, Change Guardian correctly expands the users you added manually. (ENG333316)

Change Guardian for Windows Does Not Capture Some File Share Settings

Change Guardian for Windows does not capture modifications to the following types of share settings:

  • Management Properties
  • Quota

(ENG326828)

Migrating Locally Saved Policies Not Supported

Before you upgrade the Policy Editor to the current version, ensure you back up or submit locally saved policies to the Change Guardian Policy Repository. If you upgrade without backing up locally saved policies from version 4.0 or version 4.0.1, the policies will be lost. (DOC331358)

Active Directory Schema Events Might Display 'N/A' in Before and After Fields

An issue with Active Directory causes Schema Attribute Modified and Schema Class Modified events to display N/A in both the Before and After fields. (ENG330960)

Return to Top

Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

Return to Top

Legal Notice

Return to Top