Change Auditor for Active Directory 7.2

The Active Directory Protection wizard opens when you click Add or Edit on the Active Directory Protection page. Using this wizard you can define the Active Directory objects and attributes to protect from unauthorized modifications.


	NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.


	NOTE: Agents should be installed on all Domain Controllers to ensure that protection is fully covered. For example, if a user is restricted from making changes and accesses a Domain Controller that does not have an agent installed, they are allowed to make changes.

The following table provides a description of the available fields and controls:


	NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.

Table 7. Active Directory Protection wizard

Select Active Directory objects to protect page: On the first page of the wizard, enter a name for the template and select the Active Directory objects to protect.

Template Name

Enter a descriptive name for the protection template.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the Active Directory objects to protect. If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

After you have selected an object, click Add to add it to the list.

NOTE: If you have many objects that you want to protect, you can create a .csv file containing the object and protection details, then import them into the template.

After you have the file created, select Import, browse to the file, and click Open.

If any objects cannot be found, you can copy the results (ctrl+c) from the list into the clipboard so that you can use the information to locate any issues and make the necessary adjustments.

CSV File Details

The file must follow this format:

Valid protection scope values include:

•

This object only

•

This object and child objects only

•

This object and all child objects

Valid protected operations include:

•

•

•

•

The import supports the list separator defined for the locale of the operating system.

Search page

Use the controls at the top of the Search page to search your environment to locate an Active Directory object to protect.

After you have selected an object, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Object list

NOTE: You can select a root domain object to prevent users from linking GPOs. However, if you do so, the gPLink attribute will be added by default and you will not be able to add other Active Directory objects or additional attributes to protect.

The list box across the bottom of the page displays the object(s) selected for protection. Use the buttons located above this list box to add and remove objects.

•

Add - Select an object in the Browse or Search page and add it to the Object list.

•

Remove - Select an entry in the Object list and remove it from the template.

Operations

By default, the create, modify attributes and delete operations are selected. To change this use the drop-down arrow in the Operations cell and select/clear operations.

•

•

•

•

By default, the scope of coverage is set to This object only. To change this setting, use the drop-down menu in the Scope cell to select a different scope.

•

This object only

•

This object and child objects only

•

This object and all child objects

For example, if you protect an OU and set an option with child objects, then all objects under the OU are also protected. If you protect a group, nested groups are not protected.

(Optional) Select Attributes to Protect page: By default all attributes for the selected objects are protected. However, you can protect individual attributes or to exclude individual attributes from protection.

All Attributes

Select this option to protect all attributes for the selected object.

Only Selected

Select this option to protect individual attributes. Selecting this option will activate the list boxes on this page allowing you to select the individual attributes to be protected.

All EXCEPT Selected

Select this option to protect all attributes EXCEPT those selected. Selecting this option will activate the list boxes on this page allowing you to select the individual attributes that are not to be protected.

Attributes list

The list box to the left displays all the available attributes which may be selected for inclusion in the protection template.

NOTE: This list box is not enabled when All Attributes is selected.

Add

Use the Add button to move the attributes selected in the Attributes list over to the Selected Attributes list.

Remove

Use the Remove button to move the attributes selected in the Selected Attributes list back over to the Attributes list.

Selected Attributes list

The list box to the right displays the attributes to be included in the protection template.

NOTE: This list box is not enabled when the All Attributes option is selected.

(Optional) Select Attribute Flags to Protect page: If you have selected to protect the userAccountControl attribute, you can select to protect specific attribute flags on this page. By default, all flags are selected. Clear the ALL checkbox to select specific flags and click Next.

Attributes Flags list

The list displays all the available attributes flags which may be selected for inclusion in the protection template.

NOTE: This list box is not enabled when ALL is selected.

(Optional) Select Accounts Allowed (NOT Allowed) to Access Protected Objects page: By default all users and groups are prevented from changing the Active Directory objects selected for protection. However, you can specify users or groups that are allowed (not allowed) to change the protected objects.

NOTE: Management actions performed by excluded accounts are audited but not prevented.

Allow

The Allow option is selected by default indicating that the users and groups selected on this page will be the only accounts allowed to change the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select the Deny option if you would like to allow all users and groups to change the protected objects EXCEPT for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that are allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that are allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Override Accounts list

The list box across the bottom of the page displays the user and group accounts that are allowed (not allowed) to change the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.

•

Add — Select an account in the Browse or Search page and add it to the Override Accounts list.

•

Remove — Select an account in the Override Accounts list and remove it.

(Optional) Schedule when protection is enabled

You can either select to always run the protection or run it only during specific times.

To enable the protection only during specific times, select the Protection scheduled option, and define when it should be enabled (hour blocks on a weekly basis). The times selected are the local agent time where the template is applied.

NOTE: If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups are denied access only during this time. Anytime outside of when the schedule is set to enabled, these denied accounts are able to access the protected object.

When the schedule is disabled, all options are disabled with it, including any denied access to the specified users.

The scheduling options override all other protection settings.

(Optional) Enable or disable protection for specific location

Control when the protection is enabled based on the location. Location refers to the computer that is attempting to access the resource that is protected. Select from the following options:

•

Protect access from all locations: Protection is always enabled regardless of the location.

•

Protect access only from select locations: Protection is only enabled for the locations specified in the list box.

•

Allow access only from select locations: Protection is disabled for the select locations. Enabled everywhere else.

NOTE: Protect access from all unknown locations: All requests from locations that cannot be determined by the Change Auditor agent will be protected. If you have denied specific users or groups access to protected objects, but you have specified locations that can access the protected object, the denied user or group will be able to access the protected objects from these locations.

The location options override all other protection settings.

(Optional) Select Accounts Authorized to Manage This Protection Template page

By default members of the Change Auditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, after you enter a user or group account here you are relinquishing your rights to modify the selected protection template to the users or groups specified on this page of the protection wizard.

NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.

Browse page

Displays the hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be authorized to manage this protection template.

After you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be authorized to manage this protection template.

After you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Administration Accounts list

The list box across the bottom of the page displays the user and group accounts authorized to manage this protection template.

NOTE: By adding accounts to this list, you are relinquishing your rights to modify this protection template. Only those accounts specified on this page have access to modify this protection template.

Use the buttons located above this list box to add and remove accounts.

•

Add — Select an account in the Browse or Search page and add it to the list.

•

Remove — Select an account in the Administration Accounts list and remove it.

Group Policy Object protection

You can prevent all changes to Group Policy Objects, regardless of the tool that is used to make the change. Protection includes both portions of the Group Policy data: the Group Policy Object (GPO) in Active Directory and the actual configuration data stored in the SYSVOL share on domain controllers.


	IMPORTANT: A protected GPO can only be changed by override accounts that are excluded from protection.


	NOTE: When an attempt is made to use the Windows Group Policy Editor to change a protected GPO, an access-denied error displays indicating that the change was not saved. However, when the error is dismissed the unsaved change will still be shown in the Editor as if it had been saved because the Group Policy Editor will not automatically refresh. To show the true (unchanged) state of the GPO, you must close and re-open the editor.

Group Policy protection page

The Group Policy protection page displays when you select Group Policy from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Group Policy Protection wizard to define critical group policy objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Group Policy Protection page contains an expandable view of all previously defined Group Policy Protection templates. To add a Group Policy container to the protection list, use the Add button. Once added, the following information is provided for each template:


	NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

Template

Displays the name assigned to the template when it was created.

Objects

This cell is used for filtering data.

Status

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Override Accounts

Indicates whether the override accounts listed are excluded from protection or included in protection. This setting corresponds to the option used at the top of the last page of the Group Policy Protection wizard:

•

Excluded from Protection — indicates that you selected the Allow option to allow only the selected accounts to change the protected objects.

•

Included in Protection - indicates that you selected the Deny option to allow all accounts to change the protected objects except for those selected.

Override Account Filter

This field is used for filtering data.

Click the expansion box to the left of the template name to expand this view and display the following details for each template:

Policy Name


	NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client redisplays the templates that meet the search criteria (that is, comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

Displays the name of the group policy being protected.

Group Policy Object

Displays the group policy object being protected.

Status

Indicates whether protection for the object is enabled or disabled.

Operations

Displays the type of operations to protect:

•

•

•

If applicable, this section displays the user and group accounts that are allowed (or not allowed) to change the protected objects.


	NOTE: This field is not displayed when there are no override accounts specified in the protection wizard.

Administration Account

If applicable, this section displays the user or group accounts that have been selected on the last page of the wizard to manage this protection template.


	NOTE: This field is displayed only when there is at least one account specified on the last page of the protection wizard and your protection templates are being stored in SQL.

Group Policy protection templates

The Group Policy protection templates are global settings and apply to all agents.


	NOTE: If you are planning to use multiple Group Policy Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.


	NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

To create a Group Policy Protection template:

Open the Administration Tasks tab.

Click Protection.

Select Group Policy in the Protection task list.

Click Add to open the Group Policy Protection wizard and specify the GPOs to protect.

Enter a name for the template.

Use the Browse or Search pages to locate and select the group policy container to protect.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Click Add to add the selected container to the list. Repeat this step to add additional group policy containers.


	NOTE: The Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Name field. Click Search to locate the Group Policy containers in your environment.

By default, the create, modify attributes, and delete operations are selected; however, you can change this by using the drop-down arrow in the Operations cell in the list box and selecting or clearing the different operations.

If you have trusted administrators whose accounts must be permitted to change the protected group policy object, click Next.

Use the Browse or Search pages to locate and select the user or group accounts to exclude from this protection template.

Use Add to add the accounts to the list at the bottom of the page.


	NOTE: The Allow option is selected by default indicating that the selected users or groups will be allowed to change the protected objects. However, you can select the Deny option at the top of this page and select individual users or groups that are NOT allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.

On the last page of the wizard, you can specify users or groups who are authorized to manage this protection template.


	NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.


	IMPORTANT: By default members of the ChangeAuditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, after you enter a user or group account on this page you are relinquishing your rights to modify the selected protection template to the users and groups specified on the last page of this protection wizard.


	NOTE: If the users and groups specified on this page are NOT members of the ChangeAuditor Administrators group, you need to add them to the AD Protection Role in order for them to view the Administration Tasks tab to access Active Directory and Group Policy protection templates. For more information about adding members to the AD Protection role using the Application User Interface Authorization page (in the Configuration task list of the Administration Tasks tab), see the Change Auditor User Guide.

Click Finish to save the template, close the wizard and return to the Group Policy Protection page.


	IMPORTANT: If the current user who is creating the protection template is not in the authorized accounts list, a warning message is displayed prompting the user to continue or stop with the creation of the protection template. If you are in the authorized accounts list at template creation time, you may find yourself locked out later if someone else in the authorized accounts list decides to edit the template and remove you.

To modify a protection template:

On the Group Policy protection page, select the template to modify and click Edit to open the Group Policy Protection wizard where you can modify the current list of objects and the authorized accounts.

Click Finish to save your changes and return to the Group Policy protection page.

To disable a protection template:

Disabling a template allows you to temporarily stop protection for the specified objects without having to remove the protection template.

On the Group Policy protection page, place your cursor in the Status cell of the template and click the arrow control and select Disabled.

The entry in the Status column for the template changes to ‘Disabled’.

To re-enable the protection template, use the Enable option in the Status cell.

To disable an object’s protection within a protection template:

On the Group Policy Protection page, place your cursor in the Status cell for the object, click the arrow control, and select Disabled.

The entry in the Status column for the object changes to ‘Disabled’.

To re-enable an object’s protection, use the Enable option in the Status cell.


	NOTE: If you disable all the objects in a protection template, the template itself becomes disabled. Similarly, when you re-enable an object in the protection template, the template will automatically be re-enabled.

To delete a protection template:

On the Group Policy Protection page, select the template and click Delete | Delete Template.

Click Yes to confirm.

To delete an object from a protection template:

On the Group Policy Protection page, select the object to delete and click Delete | Delete Object.

Click Yes to confirm.

To delete an override account from a protection template: