Chat now with support
Chat with Support

Change Auditor for Active Directory 7.3 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

ADAM Protection Wizard

The ADAM (AD LDS) Protection wizard displays when you click Add or Edit on the ADAM (AD LDS) protection page. From the wizard, you can define the ADAM objects and attributes to protect from unauthorized modifications.

The following table provides a description of the available fields and controls:

Select ADAM (AD LDS) instance page: The first page of the wizard displays a list of ADAM (AD LDS) instances running a Change Auditor agent in your environment.

ADAM (AD LDS) Instances

This list includes the following information about each ADAM (AD LDS) instance listed:

Agent - this column displays the name of the agent where each ADAM (AD LDS) instance resides.

Select an instance from this list. When prompted, enter the user credentials to be used to access the selected instance.

Select ADAM (AD LDS) Objects to Protect page: On this page, enter a name for the template and select the objects to be protected.

Template Name

Enter a descriptive name for the protection template.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the Active Directory object(s) to be protected.

After you have selected an object, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to search your environment to locate an Active Directory object to be protected.

After you have selected an object, click Add to add it to the list.

Options page

Use the Options page to modify the search options or ADAM instance used to retrieve directory objects.

Object list

The list box across the bottom of the page displays the objects selected for protection. Use the buttons located above this list box to add and remove objects.

Add - Select an object in the Browse or Search page and add it to the Object list.
Remove - Select an entry in the Object list and remove it from the template.

By default, the create, modify attributes and delete operations are selected. To change this setting, use the drop-down arrow in the Denied Operations cell and select or clear operations.

By default, the scope of coverage is set to This object only. To change this setting, use the drop-down menu in the Scope cell to select a different scope.

(Optional) Select Attributes to Protect page: By default all attributes for the selected objects will be protected. However, you can use this page to protect individual attributes or to exclude individual attributes from protection.

All Attributes

This option is selected by default indicating that all attributes will be protected from unauthorized access.

Only Selected

Select this option to protect individual attributes. Selecting this option will activate the list boxes on this page allowing you to select the individual attributes to be protected.

All EXCEPT Selected

Select this option to protect all attributes EXCEPT those selected. Selecting this option will activate the list boxes on this page allowing you to select the individual attributes that are not to be protected.

Attributes list

The list box to the left displays all of the available attributes which may be selected for inclusion in the protection template.

NOTE: This list box is not enabled when the All Attributes option is selected.

Add

Use to move the attributes selected in the Attributes list over to the Selected Attributes list.

Remove

Use to move the attributes selected in the Selected Attributes list back over to the Attributes list.

Selected Attributes list

The list box to the right displays the attributes to be included in the protection template.

NOTE: This list box is not enabled when All Attributes are selected.

By default all users and groups are prevented from changing the ADAM (AD LDS) objects selected for protection. However, you can specify individual users or groups that are allowed (not allowed) to change the protected objects.

Allow (Default)

Indicates that the users and groups selected on this page ate the only accounts allowed to change the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select this if you want to allow all users and groups to change the protected objects except for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to locate the users or groups that will be allowed (not allowed) to change the protected objects.

After you have selected an account, click Add to add it to the list.

Options page

Use to modify the search options used to retrieve directory objects.

Override Accounts list

The list box across the bottom of the page displays the user and group account(s) that will be allowed (not allowed) to make changes to the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.

Add - Select an account in the Browse or Search page to add it to the Override Accounts list.
Remove - Select an entry in the Override Accounts list to remove it.

Active Directory Database protection

When configured, Change Auditor prevents copying and other tampering attempts on the Active Directory database (NTDS.dit) file. Extraction of this file could lead to parsing of usernames and passwords resulting in a security breach.

This section includes a description of the Active Directory Database protection pages in the Administration Tasks tab, the procedure for creating an Active Directory Database protection template and description of the protection wizard used to define Active Directory Database protection template.

Active Directory Database protection page

This page displays when you select Active Directory Database from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Active Directory Database protection wizard to define your Active Directory Database protection template to protect your Active Directory database from unauthorized access. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Active Directory Database protection page contains an expandable view of all previously defined Active Directory Database protection templates. To add new template, use the Add button.

Once added, the following information is provided for each template:

Active Directory Database protection templates

1
Open the Administration Tasks tab.
2
Click Protection.
3
Select Active Directory Database in the Protection task list.
4
Click Add to open the Active Directory Database Protection wizard.
7
Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be protected from accessing the Active Directory database.
8
Click Finish or Finish and Assign to Agent Configuration to assign the template to an Agent Configuration immediately.
NOTE:  
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
1
On the Active Directory Database Protection page, select the required template and click Edit. This opens the Active Directory Database Protection wizard where you can modify the current settings.
2
Click Finish to save your changes and return to the Active Directory Database Protection page.

Disabling a template temporarily stops protection without having to remove the protection template.

2
2
Click Yes to confirm.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating