The Active Directory protection templates are global settings and apply to all agents.
|
2 |
Click Protection. |
3 |
Select Active Directory in the Protection task list. |
4 |
Click Add to open the Active Directory Protection wizard to specify the Active Directory objects to protect. |
6 |
Use the Browse or Search pages to locate and select the object to protect. Click Add to add the object. Repeat this step to add more objects. |
7 |
By default, the create, modify attributes, and delete operations are selected; however, you can change this by using the drop-down arrow in the Operations cell in the list box and selecting or clearing the different operations. |
8 |
By default, the scope of coverage is for This object only; however, you can change this by using the drop-down arrow in the Scope cell in the list box and selecting one of the other two options: |
9 |
By default, all attributes for the object will be protected. However, if you want to protect individual attributes instead, click Next and select one of the following options to activate the attributes list: |
11 |
NOTE: Allow is selected by default indicating that the selected users or groups can change the protected objects. However, you can select the Deny option and select individual users or groups that are not allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page. |
12 |
On the next page of the wizard, you can schedule when to enforce the protection. You can either select to always run the protection or run only during specific times. To enable the protection only during specific times, select Protection is scheduled, and define when it should be enabled (hour blocks on a weekly basis). The times selected are the local agent time where the template is applied. |
• |
Protect access from all locations: Protection is always enabled regardless of the location. |
• |
Protect access only from select locations: Protection is only enabled for the specified locations. |
• |
Disable protection only for select locations: Protection is disabled for the selected locations. Enabled everywhere else. |
• |
Protect access from all unknown locations: All Active Directory requests from locations that cannot be determined by the Change Auditor agent will be protected. |
14 |
Click Finish to save the protection template, close the wizard and return to the Active Directory Protection page. |
2 |
Click Finish to save your changes and return to the Active Directory Protection page. |
• |
Place your cursor in the Status cell for the protection template to disable, click the arrow control, and select Disabled |
2 |
• |
Place your cursor in the Status cell for the required object, click the arrow control, and select Disabled. |
• |
Right-click the object and click Disable. |
2 |
1 |
On the Active Directory Protection page, select the required template and click Delete | Delete Template. |
2 |
Click Yes to confirm. |
1 |
On the Active Directory Protection page, select the required object and click Delete | Delete Object. |
2 |
Click Yes to confirm. |
1 |
On the Active Directory Protection page, select the required account and click Delete | Delete Override Account. |
2 |
Click Yes to confirm. |
1 |
On the Active Directory Protection page, select the required account and click Delete | Delete Administration Account. |
2 |
Click Yes to confirm. |
The Active Directory Protection wizard opens when you click Add or Edit on the Active Directory Protection page. Using this wizard you can define the Active Directory objects and attributes to protect from unauthorized modifications.
Select Active Directory objects to protect page: On the first page of the wizard, enter a name for the template and select the Active Directory objects to protect. | |||||||||
After you have selected an object, click Add to add it to the list. After you have the file created, select Import, browse to the file, and click Open. The file must follow this format: Valid protection scope values include: Valid protected operations include:
The import supports the list separator defined for the locale of the operating system. | |||||||||
After you have selected an object, click Add to add it to the list. | |||||||||
Use the Options page to modify the search options used to retrieve directory objects. | |||||||||
| |||||||||
By default, the create, modify attributes and delete operations are selected. To change this use the drop-down arrow in the Operations cell and select/clear operations.
| |||||||||
By default, the scope of coverage is set to This object only. To change this setting, use the drop-down menu in the Scope cell to select a different scope. | |||||||||
(Optional) Select Attributes to Protect page: By default all attributes for the selected objects are protected. However, you can protect individual attributes or to exclude individual attributes from protection. | |||||||||
Select this option to protect all attributes for the selected object. | |||||||||
Use the Add button to move the attributes selected in the Attributes list over to the Selected Attributes list. | |||||||||
Use the Remove button to move the attributes selected in the Selected Attributes list back over to the Attributes list. | |||||||||
The list box to the right displays the attributes to be included in the protection template. | |||||||||
(Optional) Select Attribute Flags to Protect page: If you have selected to protect the userAccountControl attribute, you can select to protect specific attribute flags on this page. By default, all flags are selected. Clear the ALL checkbox to select specific flags and click Next. | |||||||||
(Optional) Select Accounts Allowed (NOT Allowed) to Access Protected Objects page: By default all users and groups are prevented from changing the Active Directory objects selected for protection. However, you can specify users or groups that are allowed (not allowed) to change the protected objects.
| |||||||||
The Allow option is selected by default indicating that the users and groups selected on this page will be the only accounts allowed to change the protected objects. Use the Browse or Search page to select the user or group accounts. | |||||||||
Select the Deny option if you would like to allow all users and groups to change the protected objects EXCEPT for those selected on this page. Use the Browse or Search page to select the user or group accounts. | |||||||||
After you have selected an account, click Add to add it to the list. | |||||||||
After you have selected an account, click Add to add it to the list. | |||||||||
Use the Options page to modify the search options used to retrieve directory objects. | |||||||||
| |||||||||
You can either select to always run the protection or run it only during specific times. The scheduling options override all other protection settings. | |||||||||
NOTE: Protect access from all unknown locations: All requests from locations that cannot be determined by the Change Auditor agent will be protected. If you have denied specific users or groups access to protected objects, but you have specified locations that can access the protected object, the denied user or group will be able to access the protected objects from these locations. The location options override all other protection settings. | |||||||||
After you have selected an account, click Add to add it to the list. | |||||||||
After you have selected an account, click Add to add it to the list. | |||||||||
Use the Options page to modify the search options used to retrieve directory objects. | |||||||||
Use the buttons located above this list box to add and remove accounts.
|
The Group Policy protection page displays when you select Group Policy from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Group Policy Protection wizard to define critical group policy objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.
The Group Policy Protection page contains an expandable view of all previously defined Group Policy Protection templates. To add a Group Policy container to the protection list, use the Add button. Once added, the following information is provided for each template:
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access. |
• |
Excluded from Protection — indicates that you selected the Allow option to allow only the selected accounts to change the protected objects. |
• |
Included in Protection - indicates that you selected the Deny option to allow all accounts to change the protected objects except for those selected. |
• |
• |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center