Chatee ahora con Soporte
Chat con el soporte

Change Auditor for Active Directory 7.4 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

Active Directory Database Protection wizard

The Active Directory Database Protection wizard opens when you click Add or Edit on the Active Directory Database Protection page. Using this wizard you can define the Active Directory Database processes to protect from unauthorized modifications.

Select Active Directory Database processes to protect: On the first page of the wizard, enter a name for the template and select the Active Directory database processes that are exempt from protection.

Template Name

Enter a descriptive name for the protection template.

(Optional) Select processes exempt from protection: Select processes to exclude from protection (for example, changes made by the processes specified on this page will be excluded from protection).

Add

Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be audited.

You can also view processes on a different server or enter a process not listed in the process list.

Remove

The list box across the bottom of the page displays the objects that are exempt from auditing. Click Remove to remove a process from the exemption list.

Setting extra security on protected objects

By default, Change Auditor settings are accessible by all domain administrators. In some environments, there are many individuals assigned domain administrator privileges. You can use the Security feature to provide an extra layer of security for your protected objects. You can delegate the right to manage protected objects to trusted administrators, limiting the number of administrators that can change settings.

When you change the security settings on a protected object through the Active Directory Protection page (or Group Policy Protection page) in Change Auditor, you are not changing the permissions assigned to the object. You are changing the access rights on who can change the Change Auditor settings.

If you do not want to use the default global catalog to apply the ACLs to the protected object, click Connect To and enter the domain controller to use.

Each entry for the objects listed in the Protection template has it's individual security settings.

 

Event Details Pane

This section describes the Event Details pane for Active Directory and Group Policy events and the Restore Value feature that is available for some Active Directory events. It also describes the additional details added to this pane for Group Policy events.

The following table provides a description of the ‘What’ details that are provided on the Events Details pane for an Active Directory event.

 

What

Provides a brief description of the change that occurred.

Subsystem

Displays ‘Active Directory’.

Action

Displays the action that was taken against the Active Directory object, such as Add Attribute, Add Object, Delete Attribute, Delete Object, Modify Attribute, Move Object.

Facility

Displays the event class facility to which the event belongs.

Class

Displays the object class that was modified, such as group, user, computer, nTDSConnection, crossRefContainer.

Attr

If an attribute has been added, deleted, or modified, this field displays the name of the attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that was modified, such as Global (Security), Domain Local (Security).

Object

Displays the name of the object that was modified.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

Port

Indicates the port used for authentication.

From | To

Displays the old value that was assigned to the object and the new value that is now assigned.

Changes

For permission type changes, the Changes table replaces the To | From information. This table provides details about the changes made, such as operation, type, account, permission, scope, and condition.

For simple Active Directory attribute changes (such as Add Attribute, Modify Attribute, Delete Attribute), the Event Details pane features an option to restore changed values. When applicable, Restore Value is displayed at the top of the Event Details pane, allowing you to restore a changed value without needing to leave the client or use additional tools.

Additional notes

The Restore Value feature cannot be used to restore deleted objects.

The following table provides a description of the ‘What’ details that are provided on the Events Details pane for a Group Policy event.

 

What

Provides a brief description of the change that occurred.

Subsystem

Displays ‘Group Policy’.

Action

Displays the action that was taken against the Group Policy object or item, such as Add Attribute, Delete Attribute, Modify Attribute.

Facility

Displays the event class facility to which the event belongs:

Policy

Displays the name of the group policy that was modified.

Section

Displays what section of the group policy was modified.

Item

For events associated with Group Policy items, displays the group policy item that was modified.

From | To

Displays the old value that was assigned to the group policy object and the new value that is now assigned.

 

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación