Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.
NOTE: You cannot perform forest-level recovery from IT Security Search. |
To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up connection to Recovery Manager for Active Directory, configure the following:
For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.
To make sure that you have specified valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.
Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.
Active Roles brings information about the following:
To start configuring the Active Roles data link, select the Connector enabled option. To set up connection to the Active Roles server, configure the following settings:
To verify that your Active Roles server access works, click the Test Connection link.
Finally, click Apply.
Caution: For the connection to the Active Roles server to work, make sure that port 15172 is opened for both inbound and outbound traffic on that server. |
Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.
To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.
A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted. By default, the number of results returned is limited to 100,000. For Recovery Manager for Active Directory items, the limit is fixed at 5,000.
IT Security Search groups the discovered data by object type:
These items can be selected at the top. The object type is also switched when you use links in the context of some object's details, such as Activity initiated by this user or Who granted permissions to this file.
To display events from only a specific time period, use the time range filter. For that, click the clock icon in the search box. If you choose not to specify a time range, the search will involve all available data.
The event timeline is a bar graph representation of search results, where you can quickly spot event patterns. For example, it helps you find out the peak hours for the events you are interested in or easily track activity outside business hours.
When you select an item from the result list, the right pane shows brief details about the item. To go to the full details view for this item, click View Details.
The details view also suggests links to related data which you might be interested in and which you might be trying to find in the first place. Clicking such a link starts a search in an automatically supplied context. For example, when you are viewing the details of a folder in a network share, the following links are ready for you:
Information about users, groups, computers and organizational units can come from more than one source. At this time, the following systems provide data about them: Enterprise Reporter, Recovery Manager for Active Directory and Active Roles. When multiple sources have information about the same object, IT Security Search shows data from the source that submitted it first, so that the results can be displayed sooner. A warning is shown about additional data that may be available. If you want these results, click the run a full scan link in the warning text. This will cause IT Security Search to retrieve the data from the remaining sources and correlate it.
As you work with the search results, your search path is saved as a breadcrumb sequence. This helps you go back to any previous step in your session without retracing the steps.
Facets are quick view filters by property value. When you apply a facet, IT Security Search shows only matching items. You can apply multiple facets at once, progressively limiting the number of results; you can also remove any of the facets you have applied.
Facets are shown to the left of the result pane. To apply a facet, click an available value link. For example, if you are viewing the details of a deleted user account (where the value of State is Deleted) and want to focus on other deleted users, click the Deleted link.
Alternatively, you can use the item's properties to work with facets. The properties that support this have funnel icons next to them in the details pane. To apply a facet, click such a property.
Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches less broad and more relevant, you can use hints—for example, by prefixing the field names to look in. For details, see Search Term Syntax.
Use the following syntax for search terms in the search box. Searches are case-insensitive.
|
Notes:
|
For details about the fields that you can use in your search queries, see Data Field Reference.
This is known as full-text search. The search involves all available fields and uses the Contains operator.
Meaning | Syntax | Details |
---|---|---|
Look for a single-word term in any attribute | Word without spaces Example: john |
john matches John or john in any attribute, but does not match stjohn in any attribute |
Look for a single-word term with the specified beginning in any attribute | Word ending in an asterisk (*) without spaces Example: john* |
john* matches John or Johnson in any attribute |
Find attributes where a specific single-word term is not contained in any attributes | Word without spaces with a leading hyphen Example: -john |
-john may match entries that contain stjohn, but does not match entries that contain john in any attribute |
Find entries where a specific single-word term with the specified beginning is not contained in any attributes | Word ending in an asterisk (*) without spaces with a leading hyphen Example: -john* |
-john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute |
Meaning | Syntax | Details |
---|---|---|
Look for entries with specific single-word terms in any attributes | Words separated by spaces Example: john glen* |
john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found |
Look for entries that do not contain specific single-word terms in any attribute | Word without spaces Examples:
|
|
Look for entries with a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: "Account Logon" |
"Account Logon" matches entries that contain the exact phrase Account Logon in any attribute |
Look for entries that do not contain a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: logon server01 -"Account Logon" |
logon server01 -"Account Logon" matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute |
Meet one of the specified terms (or sets of terms) | Terms (single words or phrases) separated by the OR operator; this operator has the following specifics:
Examples:
|
|
Explicitly mark an AND operation for visual clarity | Terms (single words or phrases) separated by the AND operator; this operator has the following specifics:
Examples:
|
paul AND john and paul john are identical in meaning: look for entries where both paul and john occur. |
Group and nest terms for logical operations on them | Parentheses enclosing the terms you want to group Example: (homer marge) OR (peter lois) |
(homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge. |
To apply your search term only to a particular attribute, prepend the name of the attribute with a colon (:) or equals sign (=) to your search term, as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.
The following distinction is important:
For details about the meanings of labels in particular contexts, see Normalized Attributes below.
|
Note: When you look for permission information, you can use the Who, What and Owner attributes as follows:
|
Meaning | Syntax | Details |
---|---|---|
Attribute contains term | Examples:
|
|
Attribute does not contain term | Examples:
|
|
Attribute equals term | Examples:
|
|
Attribute does not equal term | Examples:
|
|
Select one of the operators (explained in the following table), and enter your filter terms.
Operator |
Syntax |
Example |
Meaning |
---|---|---|---|
Contains |
[FieldName]:<Value> |
Name:Paul |
The attribute contains all of the specified terms at once in any combination |
Does not contain |
-[FieldName]:<Value> |
-Name:John |
The attribute contains none of the specified terms anywhere |
Equals |
[FieldName]=<Value> |
Name="John Paul" | The attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
Does not equal |
-[FieldName]=<Value> |
-SamAccountName=jpaul |
The attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
The following search syntax rules described above also apply to filter terms:
|
Note: Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter. |
The following table shows what attributes are involved in searches that use the Who, What and Where labels. Active Directory attributes are bolded. Information about events is not included, because Who, What and Where are mapped directly to the same-name fields in InTrust and Change Auditor events.
Label → Context ↓ |
Who | What | Where |
---|---|---|---|
Users |
|
N/A | DomainName |
Groups |
|
N/A | DomainName |
Computers |
|
N/A |
|
Shares | User information | N/A | ComputerName |
Files | Permission information | Permission information | ComputerName |
Recovery Manager for Active Directory provides data about users, groups, computers and organizational units, including those that have been deleted. Searching within that data should be approached in special ways.
One drawback is that full-text search does not work in Recovery Manager for Active Directory. Generally, it is recommended that you complement this data with results from Enterprise Reporter, if possible.
In all attributes that contain distinguished names, such as distinguishedName or manager, only the "equals" operator is used, meaning that the value must match exactly. For example, if the manager attribute of a user is "CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp", then the following happens:
When Active Directory objects are deleted, they are really moved to the Deleted Objects container; some of their attributes are cleared and some are changed, including the name. These tips will help you compose queries that produce the expected results for deleted objects:
When you supply a search term without prefixing a field name, IT Security Search adds the field name for you, as follows:
Object Type |
Field |
Examples |
---|---|---|
User or group |
aNR |
"Alan Smithee" becomes aNR:"Alan Smithee" "Alan Smithee*" becomes aNR:"Alan Smithee" (wildcards are not supported by Recovery Manager for Active Directory) |
Computer or OU |
name |
primrose.domain.local becomes name:primrose.domain.local Directors* becomes name:Directors (wildcards are not supported by Recovery Manager for Active Directory) |
It is recommended that you specify the target fields explicitly and use the fields suggested in Searching for Deleted Objects above.
Data from Enterprise Reporter contains information about permission assignments, and you can get this information by using the Assignment field in your search queries. This field accepts the following values: Direct, Indirect and All. Example: Assignment=All. If the Assignment field is omitted, its value is assumed to be Direct.
If you use the Assignment field in a query, permissions are analyzed for the objects indicated by the Who field.
|
Caution: In queries about permission assignments, the value of the Who field must be in domain\user format, where the domain name is a NetBIOS name. |
Using the PermissionsForFile keyword also gives you permission assignment data from Enterprise Reporter. This keyword requires that you specify a nested search query enclosed in double quotes; the inner query must use single quotes. Example:
PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\'"
In the inner query, the What keyword helps specify the kind of permission to search for. Both of the following queries will return users with the Full Control permission:
PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\' AND what:full"
PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\' AND what:'full control'"
The PermissionsForFile keyword can be used in conjunction with other keywords and doesn't have to specify the entire query. The following will return all users called Administrator who have access permissions:
Who:Administrator PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\'"
You can query effective permissions by including What:Effective. For assignments, this option takes effect if you specify Assignment=All or Assignment=Indirect.
If What:Effective is omitted, the results include all files on which both Allow and Deny permissions are set. For example, if a user is a member of a group which is denied access to a particular file, then the file will be in the results, and Access Type will be recognized as Deny. If What:Effective is included, then the results will contain only Allow permissions.
Examples:
Who="ITSS\UserRead" AND Assignment=All AND What:Effective
Who="ITSS\UserRead" AND Assignment=All AND What:Effective AND What:modify
PermissionsForFile="Where='ITSER.LOCAL' AND Path='C:\ImportantShare\Folder1\' What:Effective"
PermissionsForFile="Where='ITSER.LOCAL' AND Path='C:\ImportantShare\Folder1\' What:Effective What:Modify"
Query | Meaning |
---|---|
Who:"John Smith" | Activity initiated by user John Smith |
What:"Group Member" AND "DL.RD" | Who was added to and deleted from group DL.RD |
Where:"primrose" | Access to computer primrose |
Workstation:"primrose" | Access from computer primrose |
Query | Meaning |
---|---|
Where:"primrose.mycorp.com" AND "D:\Private\assessment.pdf" | Who accessed the D:\Private\assessment.pdf file |
Where:"primrose.mycorp.com" AND "D:\Personal\assessment.pdf" AND What:"File Access Rights Changed" | Who granted permissions to the D:\Personal\assessment.pdf file |
Who:"John Smith" What:Owner | Files and folders owned by user John Smith |
Who:"John Smith" | Files and folders where user John Smith has permissions |
Where:"primrose.mycorp.com" AND "C:\_VIDEO" | Files and folders in the _VIDEO share |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center