Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Active Administrator 8.6 - Installation Guide

Installation Considerations for Active Administrator Installing and configuring Active Administrator Appendix: Active Administrator Server Manager

Setting up auditing on domain controllers

To gather the proper information from the security event logs, the information must first be audited. You need to modify the Default Domain Controllers Policy to enable auditing.

* 
NOTE: If you have not installed the Active Administrator® console, you also can use the Active Directory® Users and Computers MMC snap-in.
To set up auditing on a domain controller
1
Start Active Administrator Console.
2
Select Group Policy | Group Policy Objects.
3
Select Default Domain Controllers Policy, and click Edit.
4
Expand Computer Configuration | Windows Settings | Security Settings | Local Policies, and select Audit Policy.
5
Verify that the following polices are defined. If not, double-click the following policies to edit their Success and Failure settings.
Audit logon events

[Success, Failure]
Audit account logon

[Success]
Audit account management

[Success]
Audit directory service access

[Success]
Audit policy change

[Success]
Audit system events

[Success]

6
Close the Group Policy window.
7
At the command prompt, type gpupdate /force.
* 
NOTE: Auditing policy changes may take a long time to take effect.

Installing audit agents

To collect data on a computer, you must install and activate the audit agent. A wizard guides you through installing the audit agent.

* 
IMPORTANT: Please review the minimum and port requirements for installing the audit agent before you begin the wizard. See Audit agents requirements and Port requirements.
To install an audit agent
1
Select Auditing & Alerting | Agents.
2
Click Install.
3
Click Next.
4
Type the domain name, or browse to locate a domain.
5
If necessary, click Find Domain Controllers.
To select all listed domain controllers, click Select all.
To clear all the check boxes, click Clear all.
6
Select the domain controllers from which you want to audit activity.
7
Click Next.
8
Select the options for the install process.
You can install the audit agent on the selected domain controllers themselves or on another computer in the current domain. A single audit agent should be able to monitor activity on up to five domain controllers, depending on the type and frequency of activities being audited.
* 
IMPORTANT: When installing the audit agent on a member server instead of a domain controller, the following inbound firewall exceptions for Windows® Management Instrumentation must be enabled:
ASync-In
DCOM-In
WMI-In
 
Table 2. Install options for the audit agent
Option
Description

Install on target Domain Controller(s)

By default, the audit agent is installed on the domain controllers you selected on the previous page.

Audit from an agent on the following computer

Select to install the audit agent on a computer in the domain. Type a computer's fully qualified domain name in the box, or browse to locate a computer.

NOTE: If you choose to do remote monitoring, the Advanced Agent is not installed on the selected domain controllers.

Start collecting events immediately after installation of the agent

By default, the audit agent is activated and collection begins immediately upon completion of the installation process. Clear the check box if you want to activate the audit agents manually.

Enable agent monitoring and recovery

By default, Active Administrator monitors the status of the audit agent.

9
Click Next.
10
In the Run as box, type an account with domain administrator rights, or browse to locate an account, and enter the password.
* 
NOTE: The Active Administrator Agent service can also run under a domain user account provided it is either a local administrator account, which gives it the rights to log on as a service and log on locally, or these two privileges can be granted individually. This user or service account should also be a member of the AA_Admin group, which by default is located in the local groups of the server where the ActiveAdministrator database is located. If the group is not found in this location, the settings during the initially database creation were modified and it can be found under the Users container object of Active Directory®.
11
To verify the account, click Test Audit Agent Account.
12
Click Next.
13
Review the summary.
14
Click Next.
15
Click Finish.
The Audit Agent page lists the domain controllers you selected, the time and date of the last event collected, the status of the audit agent and the advanced audit agent, the name of the server on which Active Administrator is installed, and the version number of the audit agent installed on the domain controller.
* 
NOTE: By default, the audit agent is activated upon installation. To change the default setting, select Configuration | Agent Installation Settings.

You can view details about the install in the AuditAgentInstall*.log file, which is located here: Program Files\Quest\Active Administrator\Server\Logging.

Creating alerts

A wizard guides you through creating a new Active Administrator® alert. Alerts provide you the opportunity to combine different conditions into one alert that is sent to specified email recipients. You also can add a filter to the alert to further isolate audit events for the recipient.

To create a new alert
1
Select Auditing & Alerting | Alerts.
2
Click New.
3
On the Welcome page, click Next.
4
Type a name and optional description for the alert.
5
Select the priority of the alert: normal, low, or high.
6
Click Next.
7
Set up the email list of the recipients of the alert notification.
To manage the email list
To add a new email address, click Add and type the email address.
To edit a selected email address, click Edit.
To remove a selected email address from the list, click Remove.
8
Click Next.
9
Select the Event Definitions to include in the alert.
To filter the list, type text in the Filter box. The list changes as you type characters. The definitions displayed contain the characters you type. For example, if you type com, the definitions displayed may contain the words Completed or Computer.
To clear the filter and restore the list, click X.
To show only selected definitions, open the Show box, and choose Selected.
To show only unselected definitions, open the Show box, and choose Unselected.
10
Click Next.
11
Add alert filters.
Use this feature to help limit the number of emails sent to the specified email list. Alert filters are optional and applied to the details section of the event. Only the events that match the filter will be included in the notification email. For example, if the alert filter is Contains OU=Sales, only the events where OU=Sales appears in the details section are included in the notification email.
To define an alert filter
a
Click Add to add a new alert filter.
–OR-
Click Edit to edit a selected alert filter.
b
Select if the email Contains or Does not contain the condition text.
c
Type the text to find in the details section of the alert.
d
By default the filter conditions are combined using the OR operator. If you want to connect with the AND operator, select AND all conditions.
12
Click Next.
13
Define the quiet time during which no notifications are sent. Alerts that are triggered during the quiet time are still logged to the Alert History. Setting an Alert Quiet Time is optional.
* 
NOTE: There is also a global quiet time that you can set. The quiet times set here are in addition to any global quiet times.
To define a quiet time
a
Click Add to add a new quiet time.
–OR-
Click Edit to edit a selected quiet time.
b
Select Enabled. To disable a quiet time, clear the check box.
c
Select All Days or specify a specific day.
d
Set the start and end time.
e
By default, actions associated with the alert are stopped during quiet time. To run actions during quiet time, select the check box.
14
Click Next.
15
Set the alert threshold. The alert threshold sets limits that must be met before alerts are sent out.
To add a new threshold
a
Click Add to add a new threshold.
–OR-
Click Edit to edit a selected threshold.
b
Select Enabled. To disable a threshold, clear the check box.
c
Select the event definition from the list.
d
Select the number of events and minutes to define the threshold.
19
Click Next.
19
Define the action that this alert runs when the alert condition is met.
The action is run using the Notification service account. Please make sure the Notification Service account has sufficient rights to all of the resources needed by the action.
To define the action the alert runs
a
Select Enabled. To disable an action, clear the check box.
b
Type the full path to the .EXE file for the program or script or browse to locate the .EXE file.
* 
NOTE: The script must reside in a share on the Active Administrator server. That share must be accessible to the Active Administrator Foundation Server (AFS) service and the operator of the remote Active Administrator console. The path to the script must be entered using Uniform Naming Convention (UNC).
c
For the argument, browse to open the list of Alert Action Variables.
d
Select a variable in the top box, and then click Insert.
e
Click OK.
f
Optionally, type the path to a folder that contains the .EXE file or browse to locate the folder.
16
Click Next.
17
Review the summary.
18
Click Finish.

Setting up workstation logon auditing

With workstation logon auditing, you can audit user logon and logoff events including lock and unlock. Enabling the default port adds these workstation events to the event definitions:
User Locked Workstation
User Logoff
User Logon (interactive)
User Logon (Remote Desktop)
User Unlocked Workstation

See also:
Deploying the workstation logon audit agent
Enabling the default port
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation