立即与支持人员聊天
与支持团队交流

Change Auditor 7.4 - PowerShell User Guide

Managing Skype for Business auditing

The following commands are available to manage Skype for Business auditing:

Use this command to see the list of event classes available for the Skype for Business subsystem.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CASkypeEventClassInfo –Connection $connection

Use this command to add a Skype for Business template to Change Auditor.

Once the template has been created, the agent is notified of the Skype for Business Central Management Store details and the events to audit.

-AgentInfo

The Change Auditor agent to audit the Skype events. This agent must be running on the Skype for Business Central Management Store database server.

-AuditItems

Collection of events to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

-CMSInstanceName (Optional)

The Microsoft Skype for Business server Central Management Store (CMS) SQL Server Instance Name.

The CMS Instance name must be provided only when the Change Auditor Coordinator Service is not in the same Active Directory forest as Microsoft Skype for Business Server.

-DatabaseCMSCredential

Skype for Business Central Management Store database credentials.

-TemplateName

The name of the template.

-UseWindowsAuthentication

Specifies whether to use Windows authentication when connecting to the Central Management Store database. If Windows authentication is not used, SQL Authentication will be used.

-SkipCMSDatabaseConnectivityTest (Optional)

Specifies whether to test the Central Management Store (CMS) SQL Server Connection using the supplied CMS credentials.

-Disabled (Optional)

Specifies whether the template is disabled.

New-CASkypeTemplate -AgentInfo $agentInfo -AuditItems $auditItems -Connection

$connection -DatabaseCMSCredential $dbCredential -TemplateName 'Skype for Business

Template' -UseWindowsAuthentication $True -Disabled $False

Use this command to see all the Skype for Business templates that have been created.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CASkypeTemplates -Connection $connection

Use this command to update the properties of an existing Skype for Business template. Once the template has been updated, the agent is notified of the Skype for Business Central Management Store details, and the events to audit.

-AgentInfo

The Change Auditor agent to audit the Skype events. This agent must be running on the Skype for Business Central Management Store database server.

-AuditItems

Collection of events to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

-DatabaseCMSCredential

Skype for Business Central Management Store database credentials.

-Template

The name of the existing template to update.

-TemplateName

The name of the template.

-UseWindowsAuthentication

Specifies whether to use Windows authentication when connecting to the Central Management Store database. If Windows authentication is not used, SQL Authentication will be used.

-SkipCMSDatabaseConnectivityTest (Optional)

Specifies whether to test the Central Management Store (CMS) SQL Server Connection using the supplied CMS credentials.

-Disabled (Optional)

Specifies whether the template is disabled.

Set-CASkypeTemplate -Connection $connection -Template $templateToUpdate ‘Updated Skype for Business Template’ -AgentInfo &agentInfo -AuditItems &$auditItems -DatabaseCMSCredential $dbCredential -UseWindowsAuthentication $True -Disabled $False

Use this command to remove a Skype for Business template. Agents associated with the template would be notified and Skype for Business configuration events would not be audited anymore.

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The name of the template to remove.

Remove-CASkypeTemplate -Connection $connection -TemplateName 'Skype For Business

Template'

Configuring a Quest On Demand Audit integration

Quest On Demand Audit is a Software as a Service (SaaS) application, available through quest-on-demand.com that provides extensive, customizable auditing of critical activities and detailed alerts about vital changes taking place in Microsoft Office 365 and Azure Active Directory.

On Demand Audit can also provide a single view of activity across hybrid Microsoft environments. By sending Change Auditor Active Directory event data, you can gain visibility to on premises changes (including events gathered up to 30 days prior to installing or upgrading Change Auditor).

To begin, you need to configure a connection between Change Auditor and your organization in On Demand Audit. Once the connection is made, On Demand Audit creates the required subscription used to send events from Change Auditor to On Demand Audit. For details on how Change Auditor uses subscriptions to send events, see the Change Auditor SIEM Integration Guide.

Use this command to create the connection required to send Change Auditor event data to On Demand Audit. When you run this command, you are presented with a dialog where you need to enter the information required to configure the connection. Enter your Quest account credentials to sign in to On Demand Audit and if prompted select the organization. By default, the current installation is used for the configuration name. If required, you can enter a different name for the configuration. This is the configuration name used in On Demand Audit; it does not change the Chane Auditor installation name.

 

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Create a subscription to send Active Directory event data to On Demand Audit

New-CAODAConfiguration -Connection $connection

Use this command to see the details of the current On Demand Audit configuration.

-Connection

A connection obtained by using the Connect-CAClient command.

-SubscriptionId (optional)

The ID of an existing On Demand Audit subscription.

Get-CAODAConfiguration -Connection $connection

Command output

The command returns the following information.

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

BatchesSent

Number of batches sent.

Enabled

Whether the subscription is enabled.

EventsSent

Number of events sent.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.

LastEventResponse

The last event response. Provides the response in JSON format from the event receiver.

LastEventTimeUTC

When the last event was sent.

NotificationInterval

How often how often (in milliseconds) notifications are sent.

StartTimeUTC

Starting point in time for events being sent.

Subscription Id

The subscription ID.

Subsystems

Subsystems that contain the event data being sent.

Webhook Subscription Id

The webhook subscription ID.

Use this command to modify an On Demand Audit configuration.

Table 2. Available parameters

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

Example: Set the allowed coordinators for the On Demand Audit configuration to the computers named "coordinator1" and "coordinator2"

Set-CAODAConfiguration -Connection $connection -AllowedCoordinators @("coordinator1", "coordinator2")

Working with Active Directory protection templates

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions.

The following commands are available to manage Active Directory protection:

Use this command to create an Active Directory protection template.

-Credential

Credentials used to access the foreign forest.

-Name

The template name.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-Attributes (Optional)

List of attributes to protect. When AttributeType is not set to “All” this specifies the attributes for the template. Default is none.

-AttributeType (Optional)

This is applied to the list of attributes specified in the Attributes parameter. Possible values include “All”, “Only” and “AllExcept”. Default is All.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies if you want to deny the list of user in the OverrideAccounts access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Locations (Optional)

IP addresses to protect. Default is none.

-LocationProtectionType (Optional)

Applied to the IP addresses specified by the Locations parameter. The potential values include ProtectAllLocations, ProtectSelectLocations, AllowSelectLocations, or ProtectUnknownLocations.

Default is ProtectAllLocations.

-Schedule (Optional)

It is a list of PSCAScheduledTimeRange objects, created with the
New-CAScheduledTimeRange cmdlet. Default is no specified schedule, which means that protection is always enabled.

See New-CAScheduledTimeRange for details.

$protectedObject = New-CAProtectedObject -ObjectDistinguishName “ObjectName” -ProtectedScope ScopeObject -Operations Create

New-CAADProtectionTemplate -Connection $connection -Name TemplateSample1 -ProtectedObjects $protectedObject

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

New-CAADProtectionTemplate -Connection $connection -Name $templateName -ProtectedObjects $protectedObject -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Schedule $schedule -Credential $forestCredential

Use this command to create a protected object to include in a protection template.

-ObjectDistinguishName

Distinguish name of object to protect.

-ProtectedScope (Optional)

Scope of coverage for the protected object. Specify the scope using one of the following values:

-Operations

Operations to be denied for the selected object:

New-CAProtectedObject -ObjectDistinguishName “ObjectName” -ProtectedScope ScopeObject -Operations Create

Use this command to remove protected objects from a protection template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to remove protected objects from.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the template object to remove protected objects from.

-Credential

Credentials used to access the foreign forest.

-ProtectedObject (Optional)

Protected object (distinguished name).

-All (Optional)

Remove all the protected objects.

Remove-CAProtectedObject -Connection $connection -Template $template -ProtectedObject $protectedObjectDn

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

$templates = Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Remove-CAProtectedObject -Connection $connection -Templates $template[2] -ProtectedObject $protectedObjectDn -Credential $forestCredential

Use this command to input credentials for foreign forests when creating Active Directory protection templates with PowerShell.

-ForestName

The name of the forest to access.

-Credential

Credentials used to access the foreign forest. The credential object is obtained by using the Get-Credential command.

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

New-CAADProtectionTemplate -Connection $connection -Name $templateName -ProtectedObjects $protectedObject -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Schedule $schedule -Credential $forestCredential

Use this command to schedule when to enforce the protection.

-Day

Spelled out day of the week to begin the protection. For example, Monday.

-StartTime

The time to start the protection. This parameter requires an integer and validates that the input is between 0 and 24 inclusive. This implies an hour of the day to start on.

-EndTime

The time to end the protection. This parameter requires an integer and validates that the input is between 0 and 24 inclusive. This implies an hour of the day to end on.

New-CAScheduledTimeRange -Day Monday -StartTime 7 -EndTime 18

Use this command to see all the Active Directory protection templates that have been created including those in a foreign forest.

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

Get-CAADProtectionTemplates -Connection $connection

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Use this command to remove an Active Directory protection template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the object to remove.

-Force

Removes the template without providing confirmation.

Remove-CAADProtectionTemplate -Connection $connection -Template $template

Example: Remove an Active Directory Protection template in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Remove-CAADProtectionTemplate -Connection $connection -Template $selectedTemplate -Credential $forestCredential

Use this command to modify Active Directory protection templates.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to update.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the template object to update.

-TemplateName (Optional)

Sets the template name (string).

-Credential (Optional)

Credentials used to access the foreign forest.

-ProtectedObjects (Optional)

List of ProtectedObjects. See New-CAProtectedObject for details.

-Attributes (Optional)

List of attributes to protect. When AttributeType is not set to “All” this specifies the attributes for the template. Default is none specified.

-AttributeType (Optional)

This is applied to the list of attributes specified in the Attributes parameter. Possible values include “All”, “Only” and “AllExcept”. Default is All.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

String array of distinguished names.

-OverrideAccountsDenied (Optional)

Specifies if you want to deny the list of user in the OverrideAccounts access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. (If accounts are specified, then only those specified accounts can manage the template. If no accounts are specified, then all Change Auditor administrators can manage the template.) Default is none specified.

This is a string array of distinguished names.

-Locations (Optional)

IP addresses to protect. Default is none specified.

-LocationProtectionType (Optional)

Applied to the IP addresses specified by the Locations parameter. The potential values include ProtectAllLocations, ProtectSelectLocations, AllowSelectLocations, or ProtectUnknownLocations.

Default is ProtectAllLocations.

-Schedule (Optional)

It is a list of PSCAScheduledTimeRange objects, created with the
New-CAScheduledTimeRange cmdlet. Default is no specified schedule, which means that protection is always enabled.

See New-CAScheduledTimeRange for details.

-Disabled (Optional)

Specifies whether the template is enabled or disabled using the Boolean $true or $false.

Set-CAADProtectionTemplate -Connection $connection -Template $template[2] -ProtectedObjects $protectedObject1, $protectedObject2 -AdminAccounts $adminAccountDn -Schedule $schedule -Disabled $False

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

$templates = Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Set-CAADProtectionTemplate -Connection $connection -Template $templates[2] -Schedule $schedule -Credential $forestCredential

Working with GPO protection templates

Enabling GPO protection, allows you to prevent all changes to Group Policy Objects, regardless of the tool that is used to make the change. Protection includes both portions of the Group Policy data: the Group Policy Object (GPO) in Active Directory and the actual configuration data stored in the SYSVOL share on domain controllers

The following commands are available to manage GPO protection:

Use this command to create a GPO protection template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential (Optional)

Credentials used to access the foreign forest.

-TemplateName

The template name.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-DoNotProtectWorkingCopies (Optional)

When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template. The parameter accepts Boolean $true or $false.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies if you want to deny the list of user in the OverrideAccounts access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Disabled (Optional)

Specifies whether the template is enabled or disabled using the Boolean $true or $false.

$ProtectedObjects = New-CAProtectedObject -ObjectDistinguishName “distinguishedName" -Operations Modify

New-CAGPOProtectionTemplate -Connection $connection -TemplateName TemplateSample1 -ProtectedObjects $protectedObjects

$EnterpriseProtectedObject= New-CAProtectedObject -ObjectDistinguishName "Enterprise" -Operations Modify

New-CAGPOProtectionTemplate -Connection $connection -TemplateName TemplateSample1 -ProtectedObjects $EnterpriseProtectedObject

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

New-CAGPOProtectionTemplate -Connection $connection -TemplateName $templateName -ProtectedObjects $protectedObjects -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Credential $forestCredential

Use this command to see all the GPO protection templates that have been created.

 

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

Get-CAGPOProtectionTemplates -Connection $connection

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Get-CAGPOProtectionTemplates -Connection $connection -Credential $forestCredential

Get-CAGPOProtectionTemplates -Connection $connection | Where-Object {$_.TemplateName -eq "TemplateName" } | Select-Object -ExpandProperty ProtectedObjects

Use this command to modify a GPO protection template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to be modified.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-Credential (Optional)

Credentials used to access the foreign forest.

-TemplateName (Optional)

The new name for the template.

-DoNotProtectWorkingCopies (Optional)

When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template. The parameter accepts Boolean $true or $false.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies if you want to deny the list of user in the OverrideAccounts access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Disabled (Optional)

Specifies whether the template is enabled or disabled using the Boolean $true or $false.

$ProtectedObjects= New-CAProtectedObject -ObjectDistinguishName "distinguishedName" -Operations Create, Delete, Modify, Link

$EnterpriseProtectedObject= New-CAProtectedObject -ObjectDistinguishName "Enterprise" -Operations Create, Delete, Modify, Link

Set-CAADProtectionTemplate -Connection $connection -Template $template - ProtectedObjects $protectedObject1, $protectedObject2 -AdminAccounts $adminAccountDn -Schedule $schedule -Disabled $False

$ProtectedObjects= New-CAProtectedObject -ObjectDistinguishName "distinguishedName" -Operations Create, Delete, Modify, Link

$EnterpriseProtectedObject= New-CAProtectedObject -ObjectDistinguishName "Enterprise" -Operations Create, Delete, Modify, Link

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $creds

Set-CAGPOProtectionTemplate -Connection $connection -Template $template - ProtectedObjects ($ProtectedObjects, $EnterpriseProtectedObject) - DoNotProtectWorkingCopies $true -OverrideAccounts "distinguishedName" - OverrideAccountsDenied $true -AdminAccounts "distinguishedName" -Disabled $False - Credential $forestCredential

Use this command to remove a GPO protection template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAGPOProtectionTemplates command and filter to select the object to remove.

-Force

Removes the template without providing confirmation.

Remove-CAGPOProtectionTemplate -Connection $connection -Template $template

 

 

 

 

 

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级