Auditor Help:

"Who Made Change" (WMC) Functionality

The WMC (Who Made Change) functionality lets you collect and report information about who made changes to both Active Directory and Windows objects on client systems. When you turn on the WMC functionality, you can establish and customize real-time tracking settings for application users, security events, and resource access attempts on the selected systems. The Ecora Enterprise Auditor Instructional Whitepaper, "Who Made Change," defines this process in detail.

For Windows systems, object changes are collected in the security event log when auditing is enabled. For Active Directory, changes can be collected from domain controllers in a 2000/2003 Active Directory domain; all other changes can be collected from the local computer being audited. See the Customizing WMC (Who Made Change) Settings help page for specific instructions.

Tracking WMC with Ecora Auditor Professional is a four-step process. For example, in Windows:

  1. Enable auditing for security events.
  2. Optionally, tune the Windows security event log.
  3. In Auditor, select WMI browser data collection options.
  4. In Auditor, run standard fact-finding (FFR) security reports; or, alternatively, customize report definitions based on your criteria for the WMC data.

Reference: The Who Made Change Whitepaper outlines how to build the FFR reports that present the WMC data.