Chatee ahora con Soporte
Chat con el soporte

Change Auditor - For Advanced Users 7.3 - Technical Insight Guide

Change Auditor Services Change Auditor licensing processes Component Start-up Considerations Change Auditor network communications Coordinator internal tasks Registry Settings Change Auditor built-in fault tolerance Change Auditor protection Database Considerations Account exclusions best practices

Using multiple protection templates

Change Auditor protection

This section explains how access permissions are evaluated when multiple protection templates are assigned to an object which may contain conflicting rules. The evaluation process used is for all types of protection templates (Active Directory, ADAM (AD LDS), Group Policy, File System, and Exchange Mailbox). However, there are some special considerations to keep in mind when using the Exchange Mailbox Protection feature, see How access rules are evaluated.

Protection templates can be one of two types:
Classic (allow) templates which deny access by default, allowing access to the protected object by the override accounts explicitly specified in the protection template.
Reverse (deny) templates which allow access by default, denying access to the protected object by the override accounts explicitly specified in the protection template.

How access rules are evaluated

When a user attempts to access a protected object, each template is evaluated separately, and the ‘deny’ access rule takes precedence over any ‘allow’ access rule. This means, that if at least one protection template evaluates to ‘deny’, attempts to access the protected object is denied. The following table illustrates the overall results of conflicting access rules:

 
Table 18. How access rules are evaluated
Based on Settings in Template 1:
Based on Settings in Template 2:
Overall Result

User is allowed access

User is allowed access

User is allowed to access protected objects

User is allowed access

User is denied access

User is denied access to protected objects

User is denied access

User is allowed access

User is denied access to protected objects

User is denied access

User is denied access

User is denied access to protected objects

For Exchange Mailbox Protection templates, you can set the Mailbox owner can bypass protection option to allow the object’s owner to access their own mailbox, even if the protection template would normally deny access.

This override flag only affects the evaluation on a template where it is defined. It does not affect the evaluation of other protection templates.

* 
IMPORTANT: Care should be taken when defining multiple Exchange Mailbox Protection templates. For example, even though you cannot create a duplicate Exchange Mailbox protection template for the same object name, you could be including the same mailbox in multiple templates. That is, if you define templates for the Enterprise object, the top-level domain object, an OU container and several groups, this same mailbox could be a child or member of all these objects. The access to this mailbox is evaluated for each of the templates to which it belongs.
* 
NOTE: Exchange Mailbox protection is designed to provide protection coverage for a few high-value mailboxes. After monitoring has been enabled or changed, it may take several minutes to complete the configuration process necessary to enable the protection feature on the agent. Protecting a large number of mailboxes slows down the configuration process.
* 
NOTE: To control memory utilization, each Exchange Mailbox Protection template can have up to 20 users selected as ‘override accounts’ that can bypass the protection feature. This number applies to both allowed and denied user accounts and includes members of groups in the list.

How scheduling and location works with denied access

You can select to have the protection to always run or have it run only during specific times and control when the protection is enabled based on the location.

This section explains how the scheduling and location options affect the user and group accounts that have been denied access to protected objects.

Scheduling option

If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups are denied access only during this time. Anytime outside of when the schedule is set to enabled, these denied accounts will be able to access the protected object.

When the schedule is turned off, all options are turned off with it, including any denied access to the specified users.

The scheduling options override all other protection settings.

Location option

If you have denied specific users or groups access to protected objects, but you have specified locations that can access the protected object, the denied user or group can access the protected objects from these locations.

The location options override all other protection settings.

 

 

Database Considerations
How to move the Change Auditor database and coordinator to another server
How to estimate the required SQL server disk space
How SQL Server Autogrow affects Change Auditor
How to query an archive database
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación