The Knowledge Pack for Active Roles Server is a link between InTrust on the one hand and Active Roles Server on the other hand. The Knowledge Pack enables you to use the InTrust workflow to control the operation of Active Roles Server.
The Knowledge Pack is essentially a collection of InTrust objects such as rules, sites, policies, tasks and reports. These objects are interdependent, and they blend in with other predefined InTrust objects you may have installed.
After you have set up the Knowledge Pack, you can work with the following objects using InTrust:
Using objects included in the Knowledge Pack, you can work with events that Active Roles Server records to its log. This log provides extended information about security events compared with the Security log.
The Knowledge Pack works with data provided by Dell Active Roles Server 7.* and Quest Active Roles Server 6.*.
The Knowledge Pack adds significantly to the value of Active Roles Server. In an enterprise where both Active Roles Server and InTrust are deployed, each of these products plays a central part. Active Roles Server is designed to be the Active Directory administration center for the environment, whereas InTrust is the main facility for auditing and ensuring policy compliance. The Knowledge Pack brings these administrative functions closer together, making administration easier and more direct.
The related topics describe particular benefits that you get by deploying the Knowledge Pack:
Active Roles Server is meant to be the control center for Active Directory administration. Accordingly, once you have deployed Active Roles Server, you should pay attention to any administrative activity that circumvents it. The Knowledge Pack enables you to find out whether any administrative actions are performed or attempted with other tools, such as the Active Directory Users and Computers MMC snap-in.
Administrative actions taken outside Active Roles Server may have different implications. This depends on whether the account that was used is one of the accounts reserved for the Active Roles Server service.
In a typical environment with Active Roles Server deployed, Active Directory-native permissions cannot be granted directly. Here, the term permissions includes membership in certain groups whose members have permissions on Active Directory objects. Only Active Roles Server accounts can delegate these permissions, but they are supposed to do it on behalf of Active Roles Server administrators by applying administrative templates (or roles) rather than dealing with individual permissions. One way of delegating Active Directory-native permissions on an individual basis is by using the Active Directory Users and Computers MMC snap-in.
In such cases, other accounts do not get direct access to Active Directory administration. If an account is not reserved for use with Active Roles Server, then administrative actions by that account fail. In such cases, you should investigate to find out who tried to get unauthorized access.
If the account is an Active Roles Server account, this may mean someone with access to the account performed the administrative action using a tool other than Active Roles Server. This can be done in an attempt to conceal the action or keep Active Roles Server from preventing it. Look into the matter to find out whether it is a case of impersonation or privilege abuse.
In some non-typical situations certain special-purpose administrative accounts retain the privileges to perform management outside Active Roles Server. Actions by these accounts should also be tracked to ensure that administrative measures do not violate the corporate policy.