InTrust 11.4.2 - Preparing for Auditing and Monitoring Active Roles

Archiving Data

InTrust is a complete auditing and reporting solution.

The Knowledge Pack enables you to efficiently store and archive data related to Active Roles. By gathering the data to InTrust repositories, you store data in a compact and flexible way, while keeping it available for further use.

You achieve this by using InTrust gathering jobs (which you can set up in InTrust Manager) or real-time event collection (which you can set up in InTrust Deployment Manager). For information about creating and modifying jobs and tasks, see the Auditing Guide. For information about real-time collection, see Getting Started with InTrust.

In addition to long-term archiving, you can use InTrust repositories to consolidate Active Roles audit trails from multiple departments of your enterprise if your Active Roles administration is decentralized. In this way, you centralize both the archiving and the reporting. Consolidation jobs in InTrust serve this purpose.

When you use InTrust to manage Active Roles audit data, there is no restriction on the number of separate Active Roles-managed portions of the environment.

Reporting

To get reports on administrative activity performed with Active Roles and outside it, use InTrust tasks to gather the necessary data and schedule reports. The most common use for reports is to focus on the activity of particular users or track who makes particular changes to Active Directory.

Using InTrust Tasks

The Knowledge Pack comes with tasks that address both auditing and reporting needs. Use the tasks as follows:

• The “Active Roles: Daily events collection” task collects the ARAdminService log from Active Roles servers. It stores the gathered data in the default repository. This task archives data. One of the reasons for it is compliance with regulations.
• The “Active Roles: Weekly reporting” task depends on the previous tasks for data. It uses all data from Active Roles logs and some data—related to account management—from the Security log. The task imports data for reports from the repository and creates those reports.

You do not necessarily have to work with these predefined tasks. You may want to use them as templates for your own tasks: copy them and make the necessary adjustments to the copies.

Complementing Audit Data

Even though Active Roles logging is very detailed, there are situations when additional data helps. Change Auditor for Active Directory complements Active Roles audit with events from its own log to more completely and accurately reflect what happens in the environment. It is recommended that you deploy Change Auditor for Active Directory for comprehensive audit and additional benefits such as prevention of unwanted changes.

The following are examples of cases where Active Roles data is not enough:

• A user logs on to a domain controller to perform some administrative action. Active Roles does not capture this logon event.
• A user directly accesses and modifies an Active Directory object without using Active Roles administrative templates. Active Roles is not aware of the change.
• An administrator uses the Active Directory Users and Computers MMC snap-in to directly grant permissions to certain users. The set of permissions for the users contradicts roles defined by Active Roles, but Active Roles has no way of disallowing the changes and keeping the roles consistent.

These actions are not allowed in environments administered using Active Roles. For more information, see the Tracking Administrative Activity Outside Active Roles topic.

In your particular environment, other situations may come up when you also need data from Change Auditor for Active Directory logs on domain controllers for detailed analysis. InTrust gathering jobs provide an easy way to get that data, and reporting jobs incorporate it in reports.

InTrust can also collect and consolidate data from other sources such as the Security log, Application log, Directory Service log and Exchange tracking log. This gives you more capabilities for implementing audit procedures and ensuring regulation compliance.