Chat now with support
Chat with Support

Change Auditor 7.0.3 - Web Client User Guide

Install Change Auditor Web Client Web Client Overview Overview Page Shared Overviews Administration Page Searches Page Search Results Page Administration Tasks Page Configuration Tasks (Administration Tasks Page) Auditing Tasks (Administration Tasks Page) Protection Tasks (Administration Tasks Page) Change Auditor Client Comparison

ADAM (AD LDS) object protection

When configured, Change Auditor for Active Directory prevents changes to objects in specified ADAM (AD LDS) instances.

The ADAM (AD LDS) Protection page is displayed when ADAM (AD LDS) is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the ADAM (AD LDS) Protection templates that have been previously defined. From this page, you can open the ADAM (AD LDS) Protection wizard to define critical objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer required.

The ADAM (AD LDS) protection templates defined on this page are global settings and apply to all ADAM instances associated with a Change Auditor agent.

NOTE: If you are planning to use multiple ADAM (AD LDS) Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
2
Click Protection.
3
Select ADAM (AD LDS) in the Protection task list to open the ADAM (AD LDS) Protection page.
4
Click Add to open the ADAM (AD LDS) Protection wizard which allows you to specify the objects to be protected.

ADAM (AD LDS) Instance

Select the ADAM (AD LDS) instance from which to choose protected objects.

The list displays the ADAM (AD LDS) instances discovered in your environment. Only instances running on computers with a Change Auditor agent installed are available.

3
Click Test to verify the credentials and enable the Next button. If the credentials were incorrect, an error message is displayed.
4
Click Next.

Welcome

Name your template.

2
Click Next.

Object Selection

Use the Browse or Search page to locate and select the objects to protect.

See Directory object picker for a detailed description of this wizard page.

2
To change the default operations, click the entry in the Operations cell and select or clear operations.
3
To change the default scope, click the entry in the Scope cell and select a different scope.
4
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Attribute Protection

(Optional) Specify the attributes to include and exclude.

By default, all attributes for the selected objects are protected.

2
From the attribute list on the left, select the individual attributes to include and click Add to move them to the Selected Attributes list on the right.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Account Access

(Optional) Specify the accounts that are allowed to change the protected objects.

By default, all users and groups are prevented from changing the objects selected for protection.

1
Select whether to Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object except for those selected on this page.
2
From the Browse or Search page, select an object and click Add to add it to the selection list at the bottom of the page.
3
Click Finish to save the template and close the wizard.

Group Policy object protection

When configured, Change Auditor prevents all changes to GPOs, regardless of the tool that is used to make the change. Protection includes both portions of the Group Policy data: the Group Policy objects in Active Directory and the actual configuration data stored in the SYSVOL share on domain controllers.

The Group Policy Protection page is displayed when Group Policy is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Group Policy Protection templates that have been previously defined. From this page, you can open the Group Policy Protection wizard to define critical group policy objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Group Policy protection templates defined on this page are global settings and apply to all Change Auditor agents.

NOTE: If you are planning to use multiple Group Policy Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
2
Click Protection.
3
Select Group Policy in the Protection task list to open the Group Policy Protection page.
4
Click Add to open the Group Policy Protection wizard which allows you to specify the group policy objects to be protected.

Welcome

Name your template.

2
Click Next.

Object Selection

Use the Browse or Search page to locate and select a group policy container to protect.

See Directory object picker for a detailed description of this wizard page.

2
To change the default operations, click the entry in the Operations cell and select or clear operations.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Account Access

(Optional) Specify the accounts that are allowed to change the protected group policy object.

By default all users and groups are prevented from changing the Group Policy containers selected for protection.

1
Select whether to Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object EXCEPT for those selected on this page.
2
From the Browse or Search page, select an object and click Add to add it to the selection list at the bottom of the page.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Template Management

(Optional) Specify individual users or groups who are authorized to manage this protection template.

1
From the Browse or Search page, select an account and click Add to add it to the selection list at the bottom of the page.
2
Click Finish to save the protection template and close the wizard.

If you are in the authorized accounts list at template creation time, you may be f locked out later if someone else in the authorized accounts list edits the template and remove you.

Application

When licensed, Change Auditor for Exchange can provide extra protection over important mailboxes. The Exchange Mailbox protection prevents unwanted access to Exchange mailboxes, making it much more difficult for rogue administrators to access critical mailboxes.

Protection prevents users from accessing a mailbox through Outlook client; it does not prevent accessing a protected mailbox using OWA, ActiveSync, and EWS or changing permission on the mailbox through the Exchange Administration tools

See the Exchange Mailbox protection description for more information.

Exchange Mailbox protection

To enable Exchange Mailbox protection, you must first create one or more Exchange Mailbox Protection templates which specify whose mailboxes to lock down. Once Exchange Mailbox Protection templates are defined, they apply to all Exchange servers that host a Change Auditor agent.

NOTE: If you are planning to use multiple Exchange Mailbox Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
The Exchange Mailbox Protection page opens when Exchange Mailbox is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Exchange Mailbox Protection templates that have been previously defined. From this page, you can open the Exchange Mailbox Protection wizard to define whose mailboxes to protect from unauthorized access. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.
2
Click Protection.
3
Select Exchange Mailbox in the Protection task list to open the Exchange Mailbox Protection page.
4
Click Add to open the Exchange Protection wizard which steps you through the process of defining the mailboxes to protect.

Welcome

Name your template.

2
Click Next.

Mailboxes

Use the Browse or Search page to locate and select the directory objects whose mailbox is to be protected.

See Directory object picker for a detailed description of this wizard page.

2
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Account Access

(Optional) Specify the accounts that are allowed access to the selected protected mailboxes.

By default, all users and groups are prevented from changing the objects selected for protection and mailbox owners can bypass protection to access their mailbox.

1
Select to either Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object EXCEPT for those selected on this page.
2
From the Browse or Search page, select a user or group account and click Add to add it to the selection list at the bottom of the page.
3
4
Click Finish to save the template and close the wizard.
Related Documents