Chat now with support
Chat with Support

Change Auditor for Active Directory 7.0.4 - User Guide

ADAM (AD LDS) Auditing wizard

The ADAM (AD LDS) Auditing wizard opens when you click Add on the ADAM (AD LDS) Auditing page. This wizard steps you through the process of defining the ADAM (AD LDS) instance, directory objects or containers, and object classes to audit.

The following table provides a description of the available fields and controls:

 
Table 4. ADAM (AD LDS) Auditing wizard
Select an ADAM instance page: The first page of the wizard displays a list of available ADAM (AD LDS) instances found in your environment. This list only includes instances found on computers that are running a Change Auditor agent.

ADAM (AD LDS) Instances

This list includes the following information about each ADAM (AD LDS) instance discovered in your environment:
Agent - displays the name of the agent where each of the ADAM (AD LDS) instances reside.
Instance Name - displays the name of the ADAM (AD LDS) instances displayed.
Instance Port - displays the port number assigned to each of the ADAM (AD LDS) instances displayed.

From this list, select the ADAM (AD LDS) instance to be audited.

NOTE: If you have multiple ADAM (AD LDS) instances with replicating application partitions, there is no need to configure an auditing template for each instance. Change Auditor will automatically send the auditing configuration to each machine that is hosting an instance. You must have an agent installed on each instance host.
Select directory object or container page: On this page select where to conduct the audit (such as enterprise or individual objects) and what to audit (such as directory object or container).

Scope

Select the scope of coverage from the following options (This Object and All Child Objects is selected by default):
Enterprise - to audit the entire enterprise
This Object - to audit an individual object
This Object and Child Objects Only - to audit an object and its direct child objects
This Object and All Child Objects - to audit an object and all of its subordinate objects (all levels)

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the directory objects or containers to audit.

Search page

Use the controls at the top of the Search page to search your environment to locate the directory objects or containers to audit.

Options page

Use the Options page to modify the search options or ADAM instance to use to retrieve directory objects.

Select object class to audit page: On this page, select at least one object class to audit.

UnAudited Object Class list

The list box on the left contains a list of all the unaudited object classes available for auditing. Select one or more unaudited object classes and click Add to move them to the Audited Object Class list box.

At least one object class must be selected to continue.

Audited Object Class list

The list box to the right contains a list of all the object classes selected for auditing. Select one or more audited object classes and click Remove to remove them from auditing.

Add

Select one or more object classes from the UnAudited Object Class list to select them for auditing.

NOTE: You can also double-click an object class to move it into the Audited Object Class list or ‘drag and drop’ it into the Audited Object Class list.

Remove

Select one or more object classes from the Audited Object Class list to remove them from auditing. The selected object classes will then be moved back to the UnAudited Object Class list.

NOTE: You can also double-click an object class to move it back into the UnAudited Object Class list or ‘drag and drop’ it into the UnAudited Object Class list.

ADAM (AD LDS) event logging

In addition to real-time event auditing, you can enable event logging to capture ADAM (AD LDS) events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

For ADAM (AD LDS) events, event logging is disabled by default. When enabled, all ADAM activity is sent to the InTrust for ADAM event log. See the Change Auditor for Active Directory Event Reference Guide for a list of the events that can be sent to this event log.

To enable ADAM (AD LDS) event logging:
1
Open the Administration Tasks tab.
2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Event Logging.
5
On the Event Logging dialog, select ADAM (AD LDS).
6
Click OK to save your selection and close the dialog.
 

Active Directory Protection
Introduction
Active Directory object protection
Group Policy Object protection
ADAM (AD LDS) object protection
Setting extra security on protected objects

Introduction

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions. This allows you to protect the environment from harmful changes that could open security holes or cause resources to become unavailable. Once enabled, if an unauthorized user attempts to modify or delete a protected object, Change Auditor prevents the operation and captures an event.

Protection can be defined for any Active Directory, Group Policy, or ADAM (AD LDS) object that you consider critical such as Organizational Units, Group Policy Object, and service accounts.

 

 
* 
NOTE: Protection Notes and Recommendations:
1
Reserve protection for locking only critical objects.
2
Do not protect regular user accounts as it could prevent users from actions such as changing their passwords.
3
Certain applications and services need to make harmless changes to the Configuration and Schema NCs through the LocalSystem account. Therefore, Quest recommends that you do not protect the following applications and services:
Active Directory Knowledge Consistency Checker (KCC)
Quest Directory Analyzer
Microsoft Operations Manager (MOM)
Microsoft Licensing Computer
Microsoft Message Queuing Service (MSMQ)
Terminal Services Licensing Computer
HP OpenView’s Active Directory SPI
Microsoft Exchange
If you protect a User object and prevent it from being deleted or modified, you are protecting all the user attributes and the forward links. You are not protecting any back linked attributes as back links are maintained by the system to ensure referential integrity only.
If you modify the user’s memberOf attribute and add the user to a group, although you get an error or warning message, the user gets added to any group that is not protected.
To prevent anyone from being added to a Group, you would protect the Group object and prevent it from being modified. By locking the Group object, you are locking its member attribute. Hence its membership cannot be modified.
4
Before you can set up ADAM auditing or protection, you must enable the File and Printer Sharing feature under the Windows Firewall.
5
If you have Quest GPOADmin integrated with your Change Auditor deployment, the GPOADmin service account is exempt from protection.
6
A protected GPO can only be changed by override accounts that are excluded from protection.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating