Chatee ahora con Soporte
Chat con el soporte

Change Auditor for Active Directory 7.4 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

Group Policy Protection wizard

The Group Policy Protection wizard opens when you click Add or Edit on the Group Policy Protection page. From here, you can define the Group Policy Objects to protect from unauthorized modifications.

The following table provides a description of the available fields and controls:

 

Create or modify a Group Policy Protection Template page: On the first page of the wizard, enter a name for the template and select the Group Policy objects to be protected.

Template Name

Enter a descriptive name for the template.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the group policy container to be protected.

Once you have selected a container, click Add to add it to the list.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

 

Search page

The Search page initially contains GroupPolicyContainer in the Find field and an * wildcard character in the Name field. Click Search to locate the Group Policy containers in your environment.

You can use the controls at the top of the page to search your environment for a group policy container to protect.

In the Find field, either enter or use the drop-down menu to select the type of object to locate. You can enter multiple classes, separated by either a comma or semicolon. When you type in an entry, either click the Enter key or use Search to display the objects.
In the Name field, specify a search expression to use to locate a particular object. Usually, this field contains an asterisk (*) indicating to search for all objects of the type specified in the Find field.
Select the ANR check box to use Ambiguous Name Resolution (ANR) as the search algorithm, which allows you to enter limited input (partial data) to find multiple objects in your network.
When the ANR check box is checked, use one of the following methods to enter your search expression:
When the ANR check box is not checked, the search expression entered will be used to search only the Display Name of directory objects to locate a particular object.

Once you have selected a container, click Add to add it to the list at the bottom of the page.

Options page

Use this page to modify the search options used to retrieve directory objects.

Policy list

The list box across the bottom of the page displays the group policy containers selected for protection. Use the buttons located above this list box to add and remove containers.

Add — Select a container in the Browse or Search page to add it to the Policy list.
Remove — Select an entry in the Policy list to remove it from the template.

Operations

By default, the create, modify attributes, and delete operations are selected. To change this use the drop-down arrow in the Operations cell and select and clear operations.

When the Link operation is selected, the GPO is protected from any attempts to link to or unlink from any Active Directory container in the forest. If Enterprise protection is selected, all GPOs in the forest are protected from linking and unlinking attempts.

When enabled, GPOADmin working copies selected for the protection template (or in the AD forest if Enterprise is selected), are ignored by the template.

Name-matching is used to identify GPOADmin temporary working copies based on a name prefix "[GPOADmin Working Copy] - ". The service account for the GPOADmin service should also be excluded from protection as an allowed account when the option to exclude GPOADmin working copies is selected.

(Optional) Select Accounts Allowed (Not Allowed) to Access Protected Objects page: By default all users and groups are prevented from changing the Group Policy containers selected for protection. However, you can use this page to specify individual users or groups that are allowed (not allowed) to change the protected objects.

Allow

Allow is selected by default indicating that the users and groups selected on this page will be the only accounts allowed to change the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select the Deny option if you want to allow all users and groups to change the protected objects except for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to change the protected objects.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

After you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Override Accounts list

The list box across the bottom of the page displays the user and group accounts allowed (not allowed) to make changes to the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.

Add - Select an account in the Browse or Search page to add it to the Override Accounts list.
Remove - Select an account in the Override Accounts list to remove it.
(Optional) Select Accounts Authorized to Manage This Protection Template page: By default members of the ChangeAuditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, once you enter a user or group account on this page you will be relinquishing your rights to modify the selected protection template to the users/groups specified on this page of the protection wizard.

Browse page

Displays the hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be authorized to manage this protection template.

Once you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be authorized to manage this protection template.

Once you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Administration Accounts list

The list box across the bottom of the page displays the user and group accounts authorized to manage this protection template.

Use the buttons located above this list box to add and remove accounts.

Add - Select an account in the Browse or Search page and add it to the Administration Accounts list.
Remove - Select an account in the Administration Accounts list to remove it.

ADAM (AD LDS) object protection

When configured, you can prevent changes to objects in specified ADAM (AD LDS) instances.

ADAM (AD LDS) protection page

The ADAM (AD LDS) protection page displays when you select ADAM (AD LDS) from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the ADAM (AD LDS) Protection wizard to define critical objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are not longer being used.

The ADAM (AD LDS) Protection page contains an expandable view of all previously defined ADAM (AD LDS) protection templates. To add new ADAM (AD LDS) protection template, use the Add button. Once added, the following information is provided for each template:

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.
Excluded from Protection - indicates you selected the Allow option to allow only the selected accounts to change the protected objects.
Included in Protection - indicates you selected the Deny option to allow all accounts to change the protected objects except for those selected.
For Protect Only and Protect Except, click the expansion box to the left of the field to display the individual attributes included in the protection template.

ADAM (AD LDS) protection templates

The ADAM (AD LDS) protection templates defined are global settings and apply to all ADAM instances associated with a Change Auditor agent.

NOTE: If you are planning to use multiple ADAM (AD LDS) Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
2
Click Protection.
3
Select ADAM (AD LDS) in the Protection task list to open the ADAM (AD LDS) protection page.
4
Click Add to open the ADAM (AD LDS) Protection wizard to specify the objects to protect.
Use the Browse or Search pages to locate and select the object to protect. Click Add to add the selected object to the list. Repeat this step to add additional objects.
By default, the scope of coverage is for This object only; however, you can change this by using the drop-down arrow in the Scope cell of the list box and selecting one of the other two options:
8
If you want to specify individual users or groups that are to be allowed to make changes to the protected object, click Next to display the Select Accounts Allowed (Not Allowed) to Access Protected Objects page.
9
Click Finish to save the protection template, close the wizard and return to the ADAM (AD LDS) Protection page.
NOTE: The Allow option is selected by default indicating that the selected users or groups will be allowed to change the protected objects. However, you can select the Deny option at the top of this page and select individual users or groups that are NOT allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.
2
Click Finish to save your changes and return to the ADAM (AD LDS) protection page.

Disabling a template allows you to temporarily stop protection for the specified objects without having to remove the protection template.

1
On the ADAM (AD LDS) protection page, place your cursor in the Status cell for the protection template, click the arrow control, and select Disabled.
The entry in the Status column for the template changes to ‘Disabled’.
2
To re-enable the protection template, use the Enable option in the Status cell.
1
On the ADAM (AD LDS) protection page, place your cursor in the Status cell for the object to be disabled, click the arrow control and select Disabled
The entry in the Status column for the object changes to ‘Disabled’.
2
To re-enable an object’s protection, use the Enable option in the Status cell.
2
Click Yes to confirm.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación