Chat now with support
Chat mit Support

Change Auditor for Active Directory 7.1.1 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Directory Protection Event Details Pane

Active Directory Database protection templates

To create an Active Directory Database protection template:
1
Open the Administration Tasks tab.
2
Click Protection.
3
Select Active Directory Database in the Protection task list.
4
Click Add to open the Active Directory Database Protection wizard.
5
Enter a name for the Active Directory database protection template.
6
(Optional) Select processes to exclude from protection (for example, changes made by the processes specified on this page will be excluded from protection).
7
Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be protected from accessing the Active Directory database.
* 
NOTE: You can also view processes on a different server or enter a process not listed in the process list.
8
Click Finish or Finish and Assign to Agent Configuration to assign the template to an Agent Configuration immediately.
9
On the Configuration Setup dialog, use one of the following methods to assign this template to an agent configuration:
Select the newly created template and drag and drop it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto the newly created template.
Select a configuration, then select the newly created template, right-click and select Assign.
Select a configuration, then select the newly created template, click in the corresponding Assigned cell and click Yes.
10
If this configuration is not assigned to any agents, you will need to assign it to agents installed on your Domain Controllers to apply the Active Directory database protection.
* 
NOTE:  
Agents should be installed on all Domain Controllers to ensure auditing has complete coverage.
The auditing should be applied on all Domain Controllers to ensure complete coverage.
On the Agent Configuration page, select one or more agents from the agent list and click Assign.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
* 
NOTE: Active Directory database protection templates will not record audit events when access to the Active Directory database file is protected unless an Active Directory database auditing template is also assigned to the Change Auditor agent. See Active Directory Database Auditing for additional information.
To modify an Active Directory Database protection template:
1
On the Active Directory Database Protection page, select the required template and click Edit. This opens the Active Directory Database Protection wizard where you can modify the current settings.
2
Click Finish to save your changes and return to the Active Directory Database Protection page.
To disable an Active Directory Database protection template:

Disabling a template temporarily stops protection without having to remove the protection template.

1
On the Active Directory Database protection page, place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.
-OR-
Right-click the template to disable and select Disable.
The entry in the Status column for the template changes to ‘Disabled’.
2
To enable the protection template, select Enable in the Status cell.
To delete an Active Directory Database protection template:
1
On the Active Directory Database Protection page, select the required template and click Delete | Delete Template.
2
Click Yes to confirm.

Active Directory Database Protection wizard

The Active Directory Database Protection wizard opens when you click Add or Edit on the Active Directory Database Protection page. Using this wizard you can define the Active Directory Database processes to protect from unauthorized modifications.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.
The following table provides a description of the available fields and controls:
Table 10. Active Directory Database Protection wizard
Select Active Directory Database processes to protect: On the first page of the wizard, enter a name for the template and select the Active Directory database processes that are exempt from protection.

Template Name

Enter a descriptive name for the protection template.

(Optional) Select processes exempt from protection: Select processes to exclude from protection (for example, changes made by the processes specified on this page will be excluded from protection).

Add

Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be audited.

You can also view processes on a different server or enter a process not listed in the process list.

Remove

The list box across the bottom of the page displays the objects that are exempt from auditing. Click Remove to remove a process from the exemption list.

Setting extra security on protected objects

* 
NOTE: The Security feature is only available if you have selected to save your Active Directory and Group Policy protection templates in Active Directory instead of SQL (using the Protection tab in the Coordinator Configuration tool). See the Change Auditor User Guide or online help for more information about the Coordinator Configuration tool.

By default, Change Auditor settings are accessible by all domain administrators. In some environments, there are many individuals assigned domain administrator privileges. You can use the Security feature to provide an extra layer of security for your protected objects. You can delegate the right to manage protected objects to trusted administrators, limiting the number of administrators that can change settings.

* 
NOTE:  
When you change the security settings on a protected object through the Active Directory Protection page (or Group Policy Protection page) in Change Auditor, you are not changing the permissions assigned to the object. You are changing the access rights on who can change the Change Auditor settings.
If you do not want to use the default global catalog to apply the ACLs to the protected object, click Connect To and enter the domain controller to use.
To set extra security on a protection template:
1
On the Active Directory Protection page (or Group Policy Protection page), right-click the protection template and click Security.
The Access Control editor is displayed for the selected object.
2
Select the permissions then click OK.
* 
NOTE: Selecting access rights is similar to selecting access rights in Active Directory Users and Computers.

Each entry for the objects listed in the Protection template has it's individual security settings.

To set individual settings:
1
On the Active Directory Protection page (or Group Policy Protection page), click the + icon next to the protection template.
2
Right-click the entry in the template that want to set the security on and select Security.
3
Select the permissions and click OK.
* 
NOTE: Selecting access rights is similar to selecting access rights in Active Directory Users and Computers.

 

Event Details Pane

This section describes the Event Details pane for Active Directory and Group Policy events and the Restore Value feature that is available for some Active Directory events. It also describes the additional details added to this pane for Group Policy events.

Active Directory event details

The following table provides a description of the ‘What’ details that are provided on the Events Details pane for an Active Directory event.

 

Table 11. Event Details pane: Active Directory events
What field
Description

What

Provides a brief description of the change that occurred.

Subsystem

Displays ‘Active Directory’.

Action

Displays the action that was taken against the Active Directory object, such as Add Attribute, Add Object, Delete Attribute, Delete Object, Modify Attribute, Move Object.

Facility

Displays the event class facility to which the event belongs.

Class

Displays the object class that was modified, such as group, user, computer, nTDSConnection, crossRefContainer.

Attr

If an attribute has been added, deleted, or modified, this field displays the name of the attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that was modified, such as Global (Security), Domain Local (Security).

Object

Displays the name of the object that was modified.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this field will not be captured.

Port

Indicates the port used for authentication.

From | To

Displays the old value that was assigned to the object and the new value that is now assigned.

NOTE: The From | To information does not apply to permission and access control list (ACL) type changes and is replaced with the Changes table. This information is also not available for occurrence type events, such as when an object is created or deleted.

Changes

For permission type changes, the Changes table replaces the To | From information. This table provides details about the changes made, such as operation, type, account, permission, scope, and condition.

Restore Value feature

For simple Active Directory attribute changes (such as Add Attribute, Modify Attribute, Delete Attribute), the Event Details pane features an option to restore changed values. When applicable, Restore Value is displayed at the top of the Event Details pane, allowing you to restore a changed value without needing to leave the client or use additional tools.

* 
NOTE: The Restore Value feature honors the logged on user’s domain rights. If the logged on user does not have sufficient rights to perform the restore, a dialog is displayed allowing the user to enter elevated credentials. If a user does not have sufficient privileges, Change Auditor displays a failure message noting either an access denial or a login failure.
* 
NOTE: The Restore Value feature may not work for all events. Specifically, values cannot be restored for the following events:
User password changed
User password changed by non-owner
User account locked
User account unlocked
User must change password at next logon option changed
To restore a changed value:
1
At the top of the Search Results page, select an event (such as Modify Attribute, Add Attribute, Delete Attribute) to display the related Event Details pane.
2
At the top of the Event Details pane, click Restore Value.
3
One of the following prompts is displayed:
If you do not have domain rights to access the selected server, the Credentials Required dialog is displayed allowing you to enter the credentials to be used to access the server.
A confirmation dialog is displayed explaining that you are about to restore the value of an attribute. Click Yes to perform the restore or No to cancel the restore operation.
A confirmation dialog is displayed explaining that the restore operation is not restoring the most recent value for an attribute. Click Yes to perform the restore or No to cancel the restore operation.
* 
NOTE: The Restore Value feature cannot be used to restore deleted objects.
If the affected object has been deleted from the server, a message is displayed stating that the server cannot process the restore request because the object no longer exists on the server.
If the affected object has been marked for deletion but the change has not been fully replicated throughout the system, a similar message is displayed stating that the server is unable to process the request.
4
When a value is successfully restored, a success confirmation dialog is displayed and a Change Auditor event is generated reflecting the change that was made.
5
Events generated by a restore operation contain the ‘Restored by Change Auditor’ comment. To view a comment for an event, select the event in the grid at the top of the Search Results page and Comments.
Group Policy event details

The following table provides a description of the ‘What’ details that are provided on the Events Details pane for a Group Policy event.

 

Table 12. Event Details pane: Group Policy events
What field
Description

What

Provides a brief description of the change that occurred.

Subsystem

Displays ‘Group Policy’.

Action

Displays the action that was taken against the Group Policy object or item, such as Add Attribute, Delete Attribute, Modify Attribute.

Facility

Displays the event class facility to which the event belongs:
Group Policy Item
Group Policy Object

Policy

Displays the name of the group policy that was modified.

Section

Displays what section of the group policy was modified.

Item

For events associated with Group Policy items, displays the group policy item that was modified.

From | To

Displays the old value that was assigned to the group policy object and the new value that is now assigned.

 

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen