Change Auditor for Active Directory 7.1.1 - User Guide

Active Directory Protection

Introduction

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions. This allows you to protect the environment from harmful changes that could open security holes or cause resources to become unavailable. Once enabled, if an unauthorized user attempts to modify or delete a protected object, Change Auditor prevents the operation and captures an event.

Protection can be defined for any Active Directory, Group Policy, or ADAM (AD LDS) object that you consider critical such as Organizational Units, Group Policy Object, and service accounts.

NOTE: Protection Notes and Recommendations: 1 Reserve protection for locking only critical objects. 2 Do not protect regular user accounts as it could prevent users from actions such as changing their passwords. 3 Certain applications and services need to make harmless changes to the Configuration and Schema NCs through the LocalSystem account. Therefore, Quest recommends that you do not protect the following applications and services: • Active Directory Knowledge Consistency Checker (KCC) • Quest Directory Analyzer • Microsoft Operations Manager (MOM) • Microsoft Licensing Computer • Microsoft Message Queuing Service (MSMQ) • Terminal Services Licensing Computer • HP OpenView’s Active Directory SPI • Microsoft Exchange If you protect a User object and prevent it from being deleted or modified, you are protecting all the user attributes and the forward links. You are not protecting any back linked attributes as back links are maintained by the system to ensure referential integrity only. If you modify the user’s memberOf attribute and add the user to a group, although you get an error or warning message, the user gets added to any group that is not protected. To prevent anyone from being added to a Group, you would protect the Group object and prevent it from being modified. By locking the Group object, you are locking its member attribute. Hence its membership cannot be modified. 4 Before you can set up ADAM auditing or protection, you must enable the File and Printer Sharing feature under the Windows Firewall. 5 If you have Quest GPOADmin integrated with your Change Auditor deployment, the GPOADmin service account is exempt from protection. 6 A protected GPO can only be changed by override accounts that are excluded from protection.

Active Directory object protection

When configured, Change Auditor prevents changes from occurring to a protected object regardless of who attempts to change the object and the tool or method used. Attempts to change or delete a protected object fail and an event is generated. These ‘failed’ events are identified in the client by displaying ‘Protected’ in the Result column on the Search Results page and Result field in an event’s detail pane.

NOTE: By default, Change Auditor captures events regardless of the result of the operation mentioned in the event. However, you can specify which events to capture based on an event’s result: • All Results (default) • Success Only • Success and Failed Only • Success and Protected Only See the Change Auditor User Guide for more information about defining the events to be captured based on result.

Active Directory protection page

This page displays when you select Active Directory from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Active Directory Protection wizard to define critical Active Directory objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Active Directory protection page contains an expandable view of all previously defined Active Directory protection templates. To add new template, use the Add button.

NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

Once added, the following information is provided for each template:

NOTE: This field is only displayed when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.

Click the expansion box to the left of the template name to expand this view and display the following details for each template:

NOTE: This field is not displayed when there are no override accounts specified in the Active Directory Protection wizard.

NOTE: This field is displayed only when there is at least one account specified on the last page of the protection wizard and your protection templates are being stored in SQL.

NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.