Chat now with support
Chat with Support

Change Auditor 7.1.1 - Web Client User Guide

Install Change Auditor Web Client Web Client Overview Overview Page Shared Overviews Administration Page Searches Page Search Results Page Administration Tasks Page Configuration Tasks (Administration Tasks Page) Auditing Tasks (Administration Tasks Page) Protection Tasks (Administration Tasks Page) Change Auditor Client Comparison

ADAM (AD LDS) object protection

When configured, Change Auditor for Active Directory prevents changes to objects in specified ADAM (AD LDS) instances.

ADAM (AD LDS) Protection page

The ADAM (AD LDS) Protection page is displayed when ADAM (AD LDS) is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the ADAM (AD LDS) Protection templates that have been previously defined. From this page, you can open the ADAM (AD LDS) Protection wizard to define critical objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer required.

The ADAM (AD LDS) protection templates defined on this page are global settings and apply to all ADAM instances associated with a Change Auditor agent.

* 
NOTE: If you are planning to use multiple ADAM (AD LDS) Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
To create an ADAM (AD LDS) Protection template:
1
Open the Administration Tasks page.
2
Click Protection.
3
Select ADAM (AD LDS) in the Protection task list to open the ADAM (AD LDS) Protection page.
4
Click Add to open the ADAM (AD LDS) Protection wizard which allows you to specify the objects to be protected.
 
Table 48. ADAM (AD LDS) Protection wizard
Page
Description
Procedure

ADAM (AD LDS) Instance

Select the ADAM (AD LDS) instance from which to choose protected objects.

The list displays the ADAM (AD LDS) instances discovered in your environment. Only instances running on computers with a Change Auditor agent installed are available.
1
Select the ADAM (AD LDS) instance from which to choose protected objects.
2
Enter the credentials for a Windows or ADAM/AD LDS account that can access the instance.
3
Click Test to verify the credentials and enable the Next button. If the credentials were incorrect, an error message is displayed.
4
Click Next.
NOTE: If you have multiple ADAM (AD LDS) instances with replicating application partitions, there is no need to configure an auditing template for each instance. Change Auditor sends the auditing configuration to each computer that is hosting an instance. You must have an agent installed on each instance host

Welcome

Name your template.
1
Enter a name for the template.
2
Click Next.

Object Selection

Use the Browse or Search page to locate and select the objects to protect.

See Directory object picker for a detailed description of this wizard page.
1
From the Browse or Search page, select an object to protect and click Add.
2
To change the default operations, click the entry in the Operations cell and select or clear operations.
3
To change the default scope, click the entry in the Scope cell and select a different scope.
4
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Attribute Protection

(Optional) Specify the attributes to include and exclude.

By default, all attributes for the selected objects are protected.
1
To protect individual attributes, select one of the following options:
Only Selected
All EXCEPT Selected
2
From the attribute list on the left, select the individual attributes to include and click Add to move them to the Selected Attributes list on the right.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Account Access

(Optional) Specify the accounts that are allowed to change the protected objects.

By default, all users and groups are prevented from changing the objects selected for protection.
1
Select whether to Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object except for those selected on this page.
2
From the Browse or Search page, select an object and click Add to add it to the selection list at the bottom of the page.
3
Click Finish to save the template and close the wizard.

Group Policy object protection

When configured, Change Auditor prevents all changes to GPOs, regardless of the tool that is used to make the change. Protection includes both portions of the Group Policy data: the Group Policy objects in Active Directory and the actual configuration data stored in the SYSVOL share on domain controllers.

* 
IMPORTANT: A protected Group Policy Object can only be changed by override accounts that are excluded from protection.
* 
NOTE: When an attempt is made to use the Windows Group Policy Editor to change a group policy object (that is protected by Change Auditor), an access-denied error is displayed indicating that the change was not saved. However, when the error is dismissed the unsaved change will still be shown in the Editor as if it had been saved because the Group Policy Editor will not automatically refresh. To show the true (unchanged) state of the group policy object, you must close and reopen the Editor.
Group Policy Protection page

The Group Policy Protection page is displayed when Group Policy is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Group Policy Protection templates that have been previously defined. From this page, you can open the Group Policy Protection wizard to define critical group policy objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Group Policy protection templates defined on this page are global settings and apply to all Change Auditor agents.

* 
NOTE: If you are planning to use multiple Group Policy Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
To create a Group Policy Protection template:
1
Open the Administration Tasks page.
2
Click Protection.
3
Select Group Policy in the Protection task list to open the Group Policy Protection page.
4
Click Add to open the Group Policy Protection wizard which allows you to specify the group policy objects to be protected.
 
Table 49. Group Policy Protection wizard
Page
Description
Procedure

Welcome

Name your template.
1
Enter a name for the template.
2
Click Next.

Object Selection

Use the Browse or Search page to locate and select a group policy container to protect.

See Directory object picker for a detailed description of this wizard page.
1
From the Browse or Search page, select a group policy container and click Add.
OR
To protect all group policy containers in the Enterprise, click the Enterprise button.
2
To change the default operations, click the entry in the Operations cell and select or clear operations.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Account Access

(Optional) Specify the accounts that are allowed to change the protected group policy object.

By default all users and groups are prevented from changing the Group Policy containers selected for protection.

NOTE: Management actions performed by excluded accounts are audited but not prevented.
1
Select whether to Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object EXCEPT for those selected on this page.
2
From the Browse or Search page, select an object and click Add to add it to the selection list at the bottom of the page.
3
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Template Management

(Optional) Specify individual users or groups who are authorized to manage this protection template.

NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.
IMPORTANT: Edits made on this page impact template access rights. For more information about this protection feature, see the Quest Change Auditor User Guide.
1
From the Browse or Search page, select an account and click Add to add it to the selection list at the bottom of the page.
2
Click Finish to save the protection template and close the wizard.
IMPORTANT: If the current user who is creating the protection template is not in the authorized accounts list, a warning message is displayed prompting the user to continue or stop with the creation of the protection template.

If you are in the authorized accounts list at template creation time, you may be f locked out later if someone else in the authorized accounts list edits the template and remove you.

Application

When licensed, Change Auditor for Exchange can provide extra protection over important mailboxes. The Exchange Mailbox protection prevents unwanted access to Exchange mailboxes, making it much more difficult for rogue administrators to access critical mailboxes.

Protection prevents users from accessing a mailbox through Outlook client; it does not prevent accessing a protected mailbox using OWA, ActiveSync, and EWS or changing permission on the mailbox through the Exchange Administration tools

See the Exchange Mailbox protection description for more information.

Exchange Mailbox protection

To enable Exchange Mailbox protection, you must first create one or more Exchange Mailbox Protection templates which specify whose mailboxes to lock down. Once Exchange Mailbox Protection templates are defined, they apply to all Exchange servers that host a Change Auditor agent.

* 
NOTE: If you are planning to use multiple Exchange Mailbox Protection templates, see the Quest Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
* 
NOTE: For more information, including tips for improving process speed and full descriptions of the following protection page, see the Quest Change Auditor for Exchange User Guide.
Exchange Mailbox Protection page
The Exchange Mailbox Protection page opens when Exchange Mailbox is selected from the Protection task list in the navigation pane of the Administration Tasks page, and contains an expandable view of all the Exchange Mailbox Protection templates that have been previously defined. From this page, you can open the Exchange Mailbox Protection wizard to define whose mailboxes to protect from unauthorized access. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.
To create an Exchange Mailbox Protection template:
1
Open the Administration Tasks page.
2
Click Protection.
3
Select Exchange Mailbox in the Protection task list to open the Exchange Mailbox Protection page.
4
Click Add to open the Exchange Protection wizard which steps you through the process of defining the mailboxes to protect.
 
Table 50. Exchange Protection wizard
Page
Description
Procedure

Welcome

Name your template.
1
Enter a name for the template.
2
Click Next.

Mailboxes

Use the Browse or Search page to locate and select the directory objects whose mailbox is to be protected.

See Directory object picker for a detailed description of this wizard page.
1
From the Browse or Search page, select a directory object to protect and click Add.
OR
To protect all mailboxes in the Enterprise from unauthorized access, click Enterprise.
2
Click Next.
NOTE: Clicking Finish saves the template and closes the wizard.

Account Access

(Optional) Specify the accounts that are allowed access to the selected protected mailboxes.

By default, all users and groups are prevented from changing the objects selected for protection and mailbox owners can bypass protection to access their mailbox.
1
Select to either Allow or Deny access for the selected users or groups. Keep in mind that by selecting Deny, you are allowing all users to change the protected object EXCEPT for those selected on this page.
2
From the Browse or Search page, select a user or group account and click Add to add it to the selection list at the bottom of the page.
3
If you do not want mailbox owners to bypass protection and be able to access their own mailboxes, clear the Mailbox owner can bypass protection check box at the top of this page.
4
Click Finish to save the template and close the wizard.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating