Change Auditor for Active Directory 7.0.2 - User Guide

•

•

If applicable, this section of the grid displays the user and group accounts that are allowed (or not allowed) to change the protected objects.

Override Account


	NOTE: This field is not displayed when there are no override accounts specified in the Active Directory Protection wizard.

Attribute Protection

Displays the attribute setting specified in the wizard:

•

Protect All

•

Protect Only

•

Protect Except

For Protect Only and Protect Except, click the expansion box to the left of the field to display the individual attributes included in the protection template.

Administration Account

If applicable, this section displays the user or group accounts that have been selected on the last page of the wizard to manage this protection template.


	NOTE: This field is displayed only when there is at least one account specified on the last page of the protection wizard and your protection templates are being stored in SQL.


	NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

Active Directory protection templates

The Active Directory protection templates are global settings and apply to all agents.

NOTE:

•

If you are planning to use multiple Active Directory Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.

•

Agents should be installed on all Domain Controllers to ensure that protection is fully covered.
For example, if a user is restricted from making changes and accesses a Domain Controller that does not have an agent installed, they are allowed to make changes.

•

To use protection templates, you must be logged in to Change Auditor with an account with Enterprise Admin privileges.

•

You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

To create an Active Directory Protection template:

Open the Administration Tasks tab.

Click Protection.

Select Active Directory in the Protection task list.

Click Add to open the Active Directory Protection wizard to specify the Active Directory objects to protect.

Enter a name for the protection template.

Use the Browse or Search pages to locate and select the object to protect. Click Add to add the object. Repeat this step to add more objects.

If you have many objects to protect, you can create a .csv file containing the object and protection details, then import them into the template.

NOTE: CSV File Details

The file must follow this format:

Valid protection scope values include:

•

•

•

Valid protected operations include:

•

•

•

•

The import supports the list separator defined for the locale of the operating system.

After you have the file created, select Import, browse to the file, and click Open.

If any objects cannot be found, you can copy the results (ctrl+c) from the list into the clipboard so that you can use the information to locate any issues and make the necessary adjustments.

By default, the create, modify attributes, and delete operations are selected; however, you can change this by using the drop-down arrow in the Operations cell in the list box and selecting or clearing the different operations.

By default, the scope of coverage is for This object only; however, you can change this by using the drop-down arrow in the Scope cell in the list box and selecting one of the other two options:

•

•

To specify users or groups that can change the protected object, click Next.

By default, all attributes for the object will be protected. However, if you want to protect individual attributes instead, click Next and select one of the following options to activate the attributes list:

•

Only Selected

•

All EXCEPT Selected

From the attributes list box on the left, select the individual attributes to include in this protection template, click Add, and click Next.

If you have selected to protect the userAccountControl attribute, you can select to protect specific attribute flags on the (Optional) Select Attribute Flags to Protect of the wizard. By default, all flags are selected. Clear the ALL checkbox to select specific flags and click Next.

Use the Browse or Search pages to locate and select the user or group accounts to exclude from protection. Click Add to add the required accounts.

On the next page of the wizard, you can specify users or groups to manage this protection template.


	NOTE: Allow is selected by default indicating that the selected users or groups can change the protected objects. However, you can select the Deny option and select individual users or groups that are not allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.


	NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.


	IMPORTANT: By default members of the Change Auditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, after you enter a user or group account on this page you are relinquishing your rights to modify the selected protection template to the users or groups specified on the last page of this protection wizard.


	NOTE: If the users or groups specified are not members of the Change Auditor Administrators group, you must add them to the AD Protection Role for them to view the Administration Tasks tab to access Active Directory and Group Policy protection templates. For more information about adding members to the AD Protection role using the Application User Interface Authorization page (in the Configuration task list of the Administration Tasks tab), see the Change Auditor User Guide.

On the next page of the wizard, you can schedule when to enforce the protection. You can either select to always run the protection or run only during specific times. To enable the protection only during specific times, select Protection is scheduled, and define when it should be enabled (hour blocks on a weekly basis). The times selected are the local agent time where the template is applied.


	NOTE: If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups are denied access only during this time. Anytime outside of when the schedule is set to enabled, these denied accounts can access the protected object. When the schedule is disabled, all options are disabled with it, including any denied access to the specified users. The scheduling options override all other protection settings.

On the next page of the wizard, you can control when the protection is enabled based on the location. Location refers to the computer that is attempting to access the protected resource.

•

Protect access from all locations: Protection is always enabled regardless of the location.

•

Protect access only from select locations: Protection is only enabled for the specified locations.

•

Disable protection only for select locations: Protection is disabled for the selected locations. Enabled everywhere else.

•

Protect access from all unknown locations: All Active Directory requests from locations that cannot be determined by the Change Auditor agent will be protected.


	NOTE: If you have denied specific users or groups access to protected objects, but you have specified locations that can access the protected object, the denied user or group will be able to access the protected objects from these locations. The location options override all other protection settings.

Click Finish to save the protection template, close the wizard and return to the Active Directory Protection page.

To modify a protection template:


	IMPORTANT: If the current user who is creating the protection template is not in the authorized accounts list, a warning message displays prompting the user to continue or stop with the creation of the protection template. If you are in the authorized accounts list at template creation time, you may find yourself locked out later if someone else in the authorized accounts list decides to edit the template and remove you.

On the Active Directory Protection page, select the required template and click Edit.

This opens the Active Directory Protection wizard where you can modify the current list of objects, and the attribute selection, the override accounts selected, and the administration accounts authorized to manage this protection template.

Click Finish to save your changes and return to the Active Directory Protection page.

To disable a protection template:

Disabling a template temporarily stops protection for the specified objects without having to remove the protection template.

On the Active Directory protection page, either:

•

Place your cursor in the Status cell for the protection template to disable, click the arrow control, and select Disabled

•

Right-click the template to disable and select Disable

The entry in the Status column for the template changes to ‘Disabled’.

To re-enable the protection template, select Enable in the Status cell.

To disable an object’s protection within a protection template:

On the Active Directory Protection page, either:

•

Place your cursor in the Status cell for the required object, click the arrow control, and select Disabled.

•

Right-click the object and click Disable.

The entry in the Status column for the object changes to ‘Disabled’.

To re-enable an object’s protection, select Enable in the Status cell.


	NOTE: If you disable all the objects in a protection template, the template itself becomes disabled. Similarly, when you re-enable an object in the protection template, the template is automatically re-enabled.

To delete a protection template:

On the Active Directory Protection page, select the required template and click Delete | Delete Template.

Click Yes to confirm.

To delete an object from a protection template:

On the Active Directory Protection page, select the required object and click Delete | Delete Object.

Click Yes to confirm.

To delete an override account from a protection template:


	NOTE: When you delete the last object in a protect template, the entire protection template is deleted.

On the Active Directory Protection page, select the required account and click Delete | Delete Override Account.

Click Yes to confirm.

To delete an administration account from a protection template:

On the Active Directory Protection page, select the required account and click Delete | Delete Administration Account.

Click Yes to confirm.

Active Directory Protection wizard

The Active Directory Protection wizard opens when you click Add or Edit on the Active Directory Protection page. Using this wizard you can define the Active Directory objects and attributes to protect from unauthorized modifications.


	NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.


	NOTE: Agents should be installed on all Domain Controllers to ensure that protection is fully covered. For example, if a user is restricted from making changes and accesses a Domain Controller that does not have an agent installed, they are allowed to make changes.

The following table provides a description of the available fields and controls:


	NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.

Table 5. Active Directory Protection wizard

Select Active Directory objects to protect page: On the first page of the wizard, enter a name for the template and select the Active Directory objects to protect.

Template Name

Enter a descriptive name for the protection template.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the Active Directory objects to protect.

After you have selected an object, click Add to add it to the list.

NOTE: If you have many objects that you want to protect, you can create a .csv file containing the object and protection details, then import them into the template.

After you have the file created, select Import, browse to the file, and click Open.

If any objects cannot be found, you can copy the results (ctrl+c) from the list into the clipboard so that you can use the information to locate any issues and make the necessary adjustments.

CSV File Details

The file must follow this format:

Valid protection scope values include:

•

•

•

Valid protected operations include:

•

•

•

•

The import supports the list separator defined for the locale of the operating system.

Search page

Use the controls at the top of the Search page to search your environment to locate an Active Directory object to protect.

After you have selected an object, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Object list

The list box across the bottom of the page displays the object(s) selected for protection. Use the buttons located above this list box to add and remove objects.

•

Add - Select an object in the Browse or Search page and add it to the Object list.

•

Remove - Select an entry in the Object list and remove it from the template.

Operations

By default, the create, modify attributes and delete operations are selected. To change this use the drop-down arrow in the Operations cell and select/clear operations.

•

•

•

•

By default, the scope of coverage is set to This object only. To change this setting, use the drop-down menu in the Scope cell to select a different scope.

•

•

•