Active Administrator 8.6.2 - Installation Guide

Applying a license file Creating a passphrase Setting the Active Administrator database Setting the Active Administrator archive database Configuring purge and archive settings Storing Active Administrator data Setting up the email server Setting up features and the owner Configuring active template delegation enforcement Configuring group policy history Configuring Active Directory backups Configuring Active Administrator users Configuring service accounts Connecting to System Center Operations Manager and Enabling SNMP Notifications Reviewing selections

Installing Active Administrator console Setting up the console

Setting up auditing on domain controllers Installing audit agents Creating alerts

Setting up workstation logon auditing

Deploying the workstation logon audit agent Enabling the default port

Using Active Administrator

Appendix: Active Administrator Server Manager

Starting the Active Administrator Server Manager Active Administrator Foundation and Data Services

SQL Full-Text Search

Web Server Configuration Managing Security

Managing the passphrase Managing file security Managing database security Recovering from a lost passphrase

Auditing & Alerts

For all Active Administrator® modules to operate properly, the Active Administrator Foundation service (AFS) requires an account that is a member of the Domain Admins group. However, you may want to customize access to each module for console users or the AFS account. The following table lists the specific permission requirements for the Auditing & Alerts module.


	NOTE: To assign roles in Active Administrator, select Configuration \| Role Based Access \| New.

Table 14. Required permissions for the Auditing & Alerts module
Submodule	Console user account	AFS account
Auditing & Alert Landing Page	Must have any of these Active Administrator roles: Audit Report Management, Audit Report Viewer, Alert Editor or Alert Viewer.	Must be a member of the AA_Users group.
Audit Reports	Must have the Active Administrator Report Viewer role to view reports. Must have the Active Administrator Report Management role to manage reports.	Must be a member of the AA_Admins group.
Archives	Must have the Active Administrator Report Viewer role to view reports. Must have the Active Administrator Report Management role to manage reports.	Must be a member of the AA_Admins group.
Agents	Must have the Active Administrator Full Control role.	Must be a member of the AA_Admins group and have full access to the target server. The agent account must have read access to the security log on the target domain controller and be a member of the AA_Admins group.
Auditing Alerts	Must have the Active Administrator Report Viewer role to view alerts and alert history. Must have the Active Administrator Alert Editor role to manage alerts.	Must be a member of the AA_Admins group.
Event Definitions	Must have the Active Administrator Full Control role.	Must be a member of the AA_Admins group.
Archive & Purging	Must have the Active Administrator Full Control role.	Must be a member of the AA_Admins group.

Group Policy


	NOTE: To assign roles in Active Administrator, select Configuration \| Role Based Access \| New.

Table 15. Required permissions for the Group Policy module
Submodule	Console user account	AFS account
Group Policy Landing Page	Must have one of these Active Administrator roles: Group Policy Object Management, Group Policy History, or Group Policy Repository. Must have read access to all group policies objects in the selected domains.	Must have read access to the GPORepository, GPOBackups, and RSOPPlanning folders in the Active Administrator share.
Group Policy Objects	Must have the Active Administrator Group Policy Management role. To view GPOs, must have read access to all GPO objects in the selected domain. To create, edit, or delete GPOs, must have the appropriate permissions on the selected GPO. To link or unlink a GPO, must have the appropriate permissions on the target.	To backup GPOs, must have read access to the selected GPO and read/write access to the GPOBackup folder in the Active Administrator share. To add to the repository, must have full control access to the selected GPO, including SysVol and the System/Policies in Active Directory®. Must also have read/write access to the GPORepository folder in the Active Administrator share.
Group Policy by Container	Must have the Active Administrator Group Policy Management role. To view GPOs and GPO modeling, must have read access to all GPO objects in the selected domain. To create, edit, delete, block, and unblock GPOs, must have the appropriate permissions on the selected GPO. To link, unlink, or change link order, must have the appropriate permissions on the target. To create a new OU, must have the appropriate permissions in the selected OU.	N/A
GPO Settings Search	Must have the Active Administrator Group Policy Management role.	Must have read access to the GPOBackup, GPOCache, GPORepository, and GPOHistory folders in the Active Administrator share. Must have read access to the all of the GPOs in the managed domains.
GPO History	Must have the Active Administrator Group Policy History role.	Must have read/write access to the GPOHistory folder in the Active Administrator share and read access to all GPOs in the managed domains. To rollback GPOs, must have full control on the selected GPO.
GPO Repository	Must have the Active Administrator Group Policy Repository role.	To add, edit, remove, check out, check in, or discard, must have full control access to the selected GPO including the SysVol and the System/Policies in Active Directory®. Must have read/write access to the GPORepository folder in the Active Administrator share.
GPO Modeling	Must have the Active Administrator Group Policy Management role. Must have read access to the entire directory to run the simulation.	Must have read/write access to the RSOPPlanning folder in the Active Administrator share.
GPO Backup	Must have the Active Administrator Group Policy Management role.	Must have read/write access to the GPOBackup folder in the Active Administrator share. Must have read access to the selected GPO.
Client-side troubleshooting	Must have the Active Administrator Group Policy Management role. Must have full access to the target computer.	N/A
Purge GPO History	Must have the Active Administrator Full Control role.	Must have read/write access to the GPOHistory folder in the Active Administrator share.

Active Directory Recovery


	NOTE: To assign roles in Active Administrator, select Configuration \| Role Based Access \| New.

Table 16. Required permissions for the Active Directory Recovery module
Submodule	Console users account	AFS account
Recovery Landing Pages	Must have the Active Administrator Recovery role.	Must be a member of the AA_Users group.
Object Recovery	Must have the Active Administrator Recovery role. Must be a member of Domain Admins or Enterprise Admins group. To perform a restore, must have full access to the target and read access to the ADBackups folder in the Active Administrator share.	Must have read/write access to the ADBackups folder. Must have read access to the entire domain.
Purge AD Backups	Must have the Active Administrator Recovery role.	Must be a member of the AA_Users group. Must have read/write access to the ADBackups folder in the Active Administrator share.
Active Directory Infrastructure Landing Page	Must have any of these Active Administrator roles: Site Management or Trust Management. User must have read access to the entire forest.	Must be a member of the AA_Users group.
Active Directory Sites	Must have the Active Administrator Site Management role. Must have read access to view all sites, subnets and site links in the forest. To create, edit or delete sites, subnets and site links, must have enterprise access.	N/A
Replication Monitoring	Must have the Active Administrator Site Management role.	Must be a member of the AA_Admins group. Must have read access to the entire forest.
Replication Analyzer	Must have the Active Administrator Site Management role. Must have read access to the entire forest.	N/A
Active Directory Trust	Must have the Active Administrator Trust Management role. To view trusts, must have read access to the entire forest. To add, edit, or delete trusts, must have the appropriate permissions in the target domain.	N/A

DC Management


	NOTE: To assign roles in Active Administrator, select Configuration \| Role Based Access \| New.

Table 17. Required permissions for the DC Management module
Submodule	Console user account	AFS account
DC Management Landing Page	Must have the Active Administrator Domain Controller Management role. Must have read access to the selected domain controller.	N/A
DC Status	Must have the Active Administrator Domain Controller Management role. Must have read access to the selected domain controller, have WMI remote access enabled, and must be a member of the Distributed COM users group.	N/A
DC Services	Must have the Active Administrator Domain Controller Management role. Must have full control on the selected domain controller.	N/A
DC Performance	Must have the Active Administrator Domain Controller Management role. Must have read access to the selected domain controller and be a member of the Performance Log Users group.	N/A
DC Event Logs	Must have the Active Administrator Domain Controller Management role. Must have read access to the selected event log on the selected domain controller.	N/A

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación

Seleccione su producto:

Con el fin de ofrecerle un mejor servicio, complete el campo Motivo del chat:

Soluciones recomendadas para su problema

Active Administrator 8.6.2 - Installation Guide

Auditing & Alerts

Group Policy

Active Directory Recovery

DC Management