立即与支持人员聊天
与支持团队交流

Change Auditor for Active Directory 7.2 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

Introduction

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions. This allows you to protect the environment from harmful changes that could open security holes or cause resources to become unavailable. Once enabled, if an unauthorized user attempts to modify or delete a protected object, Change Auditor prevents the operation and captures an event.

Protection can be defined for any Active Directory, Group Policy, or ADAM (AD LDS) object that you consider critical such as Organizational Units, Group Policy Object, and service accounts.

 

Active Directory object protection

When configured, Change Auditor prevents changes from occurring to a protected object regardless of who attempts to change the object and the tool or method used. Attempts to change or delete a protected object fail and an event is generated. These ‘failed’ events are identified in the client by displaying ‘Protected’ in the Result column on the Search Results page and Result field in an event’s detail pane.

See the Change Auditor User Guide for more information about defining the events to be captured based on result.

Active Directory protection page

This page displays when you select Active Directory from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Active Directory Protection wizard to define critical Active Directory objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Active Directory protection page contains an expandable view of all previously defined Active Directory protection templates. To add new template, use the Add button.

Once added, the following information is provided for each template:

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.
Excluded from Protection - indicates that you selected the Allow option to allow only the selected accounts to change the protected objects.
Included in Protection - indicates that you selected the Deny option to allow all accounts to change the protected objects except for those selected.

Click the expansion box to the left of the template name to expand this view and display the following details for each template:

For Protect Only and Protect Except, click the expansion box to the left of the field to display the individual attributes included in the protection template.

Active Directory protection templates

The Active Directory protection templates are global settings and apply to all agents.

NOTE:  
If you are planning to use multiple Active Directory Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated.
2
Click Protection.
3
Select Active Directory in the Protection task list.
4
Click Add to open the Active Directory Protection wizard to specify the Active Directory objects to protect.
7
Click Add to add the object. Repeat this step as required to add more objects.

The file must follow this format:

<Canonical Name>, <Protection Scope>, <Protected Operation 1><Protected Operation 2>

<Protected Operation n>, <Foreign Agent Forest FQDN>

Valid protection scope values include:

Valid protected operations include:

Foreign Agent Forest FQDN is not required for objects in the local forest of the coordinator. If left blank, the local forest is assumed.

The import supports the list separator defined for the locale of the operating system.

 

Example of CSV file entry for local forest object: Forest1.com/users/TestUser1, This object only, Create Delete Modify

 

Example of CSV file entry for foreign forest object: Forest2.com/users/TestUser2, This object only, Create Delete Modify, Forest2.com

After you have the file created, select Import, browse to the file, and click Open.
9
By default, the scope of coverage is for This object only; however, you can change this by using the drop-down arrow in the Scope cell in the list box and selecting one of the other two options:
NOTE: Allow is selected by default indicating that the selected users or groups can change the protected objects. However, you can select the Deny option and select individual users or groups that are not allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.
13
On the next page of the wizard, you can schedule when to enforce the protection. You can either select to always run the protection or run only during specific times. To enable the protection only during specific times, select Protection is scheduled, and define when it should be enabled (hour blocks on a weekly basis). The times selected are the local agent time where the template is applied.
Protect access from all locations: Protection is always enabled regardless of the location.
Protect access only from select locations: Protection is only enabled for the specified locations.
Disable protection only for select locations: Protection is disabled for the selected locations. Enabled everywhere else.
Protect access from all unknown locations: All Active Directory requests from locations that cannot be determined by the Change Auditor agent will be protected.
15
Click Finish to save the protection template, close the wizard and return to the Active Directory Protection page.

If you are in the authorized accounts list at template creation time, you may find yourself locked out later if someone else in the authorized accounts list decides to edit the template and remove you.

2
Click Finish to save your changes and return to the Active Directory Protection page.

Disabling a template temporarily stops protection for the specified objects without having to remove the protection template.

Place your cursor in the Status cell for the protection template to disable, click the arrow control, and select Disabled
The entry in the Status column for the template changes to ‘Disabled’.
Place your cursor in the Status cell for the required object, click the arrow control, and select Disabled.
The entry in the Status column for the object changes to ‘Disabled’.
2
Click Yes to confirm.
2
Click Yes to confirm.
2
Click Yes to confirm.
2
Click Yes to confirm.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级