6.11 Configuring Your Active Directory Environment

After you install Change Guardian, you must configure your Active Directory environment to ensure that the operating system generates and retains Active Directory events until Change Guardian processes them. The following items must be configured by someone with domain administrator permissions for the Windows domains that Change Guardian monitors:

  • Security event log

  • Active Directory auditing

  • Active Directory security access control lists (SACLs)

NOTE: You must restart the Active Directory tools whenever you restart the Windows Agent.

For information about requirements and recommendations for computers running the Active Directory Domain Services, see the Technical Information page.

6.11.1 Configuring the Security Event Log

You must configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.

Set the maximum size of the Security Event Log to no less than 10 MB, and set the retention method to Overwrite events as needed.

To configure the security event log:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Making this change to the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer configuration > Policies > Windows Settings > Security Settings.

  6. Select Event Log and configure Maximum security log size to a size of no less than 10240 KB (10 MB).

  7. Configure Retention method for security log to Overwrite events as needed.

  8. Return to the command prompt, type gpUpdate, and then press Enter.

To verify this configuration and ensure Active Directory events are not discarded before processing:

  1. Open a command prompt as an administrator.

  2. At the command line, type eventvwr to start the Event Viewer.

  3. In Windows logs, right-click Security, and select Properties.

  4. Verify the settings reflect a maximum log size of no less than 10240 KB (10 MB), and the selection to Overwrite events as needed.
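The Event Viewer check above covers one computer at a time, but the Default Domain Controllers Policy applies to every domain controller, and a higher-order GPO can override it on some of them. The following PowerShell is an added example, not part of the Change Guardian documentation: it reads the effective Security log configuration of each domain controller and flags any that do not meet the 10 MB minimum or the Overwrite events as needed retention mode. It assumes the RSAT ActiveDirectory module is installed and that the event log of each domain controller can be read remotely; the function name Test-CgSecurityLog is this example's own.

```powershell
# Added example: not Change Guardian's own code. Assumes the RSAT ActiveDirectory
# module is installed and that the Security log of each domain controller can be
# read remotely (Get-WinEvent -ComputerName uses RPC, so the firewall must allow it).
Import-Module ActiveDirectory

function Test-CgSecurityLog {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [long]$MinimumBytes = 10MB            # the procedure's minimum of 10240 KB
    )
    # Effective configuration of the Security log on that computer (after gpupdate).
    $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName

    # LogMode 'Circular' is what the Event Viewer calls "Overwrite events as needed".
    # 'Retain' (do not overwrite) stops new events from being written once the log is
    # full, and 'AutoBackup' archives and clears it; neither is the required setting.
    [pscustomobject]@{
        Computer    = $ComputerName
        MaxSizeKB   = [int]($log.MaximumSizeInBytes / 1KB)
        LogMode     = $log.LogMode
        SizeOk      = $log.MaximumSizeInBytes -ge $MinimumBytes
        RetentionOk = $log.LogMode -eq 'Circular'
    }
}

# Report every domain controller in the current domain; a $false in either
# column means the GPO has not applied there yet or another GPO overrides it.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-CgSecurityLog -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

Run it from an elevated prompt with a domain administrator account after gpUpdate has completed on the domain controllers. A domain controller that reports SizeOk or RetentionOk as false is one where Active Directory events can be discarded before Change Guardian processes them.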

6.11.2 Configuring Active Directory Auditing

This configuration enables auditing of Active Directory events and logs the events in the security event log.

You should configure the Default Domain Controllers Policy GPO with Audit Directory Service Access set to monitor both success and failure events.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Making this change to the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer configuration > Policies > Windows Settings > Security Settings.

  6. Complete the following steps:

    1. In Security Settings, expand Advanced Audit Policy Configuration > Audit Policies.

    2. For CGAD (Change Guardian for Active Directory) and CGGP (Change Guardian for Group Policy), click DS Access.

    3. For each subcategory, configure or verify the following selections:

      • Configure the following audit events

      • Success

      • Failure

    4. For CGAD only, define the same configuration for all subcategories of Account Management and Policy Change.

  7. Complete the following steps:

    1. In Security Settings, expand Local Policies and click Audit Policy.

    2. For CGAD and CGGP, click Audit directory service access.

    3. Configure or verify the following selections:

      • Define these policy settings

      • Success

      • Failure

    4. For CGAD only, configure or verify the same selections for Audit account management and Audit policy change.

  8. Return to the command prompt, type gpUpdate and press Enter.

6.11.3 Configuring User and Group Auditing

This configuration enables auditing of user logons and logoffs (by both local users and Active Directory users) and local user and group settings.

You can configure user and group auditing manually.

To manually configure user and group auditing:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open the Microsoft Management Console, and then select File > Add/Remove Snap-in.

  3. Select Group Policy Management Editor, and then click Add.

  4. On the Select Group Policy Object window, click Browse.

  5. Select Domain Controllers.FQDN, where FQDN is the Fully Qualified Domain Name for the domain controller computer.

  6. Click Add.

  7. Select Default Domain Controllers Policy, and then click OK.

  8. Click Finish, and then click OK.

  9. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  10. Under Audit Account Logon Events, select Define these policy settings, and then select Success and Failure.

  11. Under Audit Logon Events, select Define these policy settings, and then select Success and Failure.

  12. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  13. Under Audit Logon, select Audit Logon, and then select Success and Failure.

  14. Under Audit Logoff, select Audit Logoff, and then select Success and Failure.

  15. To update Group Policy settings, open a command prompt and type gpupdate /force.
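Sections 6.11.2 and 6.11.3 both set audit policy through Group Policy, once in the legacy Audit Policy node and once in Advanced Audit Policy Configuration. The following PowerShell is an added example, not part of the Change Guardian documentation: it runs auditpol on a domain controller and reports whether the categories and subcategories those two procedures require are effectively set to Success and Failure. auditpol shows the policy actually in force, whichever of the two nodes it came from, so it checks the outcome of both halves of the procedure. The function name Get-CgAuditPolicy is this example's own; the category and subcategory names are Windows' own.

```powershell
# Added example: not Change Guardian's own code. Run it in an elevated prompt on a
# domain controller after gpupdate. auditpol reports the effective audit policy
# whether it was set through the legacy Audit Policy node or through Advanced
# Audit Policy Configuration.
function Get-CgAuditPolicy {
    param(
        [string[]]$Categories    = @(),   # whole categories, e.g. 'DS Access'
        [string[]]$Subcategories = @()    # single subcategories, e.g. 'Logon'
    )
    # /r makes auditpol print CSV with "Subcategory" and "Inclusion Setting" columns.
    $rows = @()
    foreach ($c in $Categories)    { $rows += auditpol /get /category:"$c" /r    | ConvertFrom-Csv }
    foreach ($s in $Subcategories) { $rows += auditpol /get /subcategory:"$s" /r | ConvertFrom-Csv }

    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Effective   = $row.'Inclusion Setting'     # e.g. 'Success and Failure', 'No Auditing'
            Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

# Change Guardian for Active Directory (CGAD): DS Access, Account Management and
# Policy Change from 6.11.2, plus the Logon and Logoff subcategories from 6.11.3.
# Change Guardian for Group Policy (CGGP) needs DS Access only.
$report = Get-CgAuditPolicy -Categories 'DS Access', 'Account Management', 'Policy Change' `
                            -Subcategories 'Logon', 'Logoff'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Some required subcategories are not set to Success and Failure.'
}
```

A subcategory reported as No Auditing or as Success only means the GPO has not applied, or a GPO with a higher link order on the Domain Controllers OU overrides it, which is the situation the note under step 4 warns about.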

6.11.4 Configuring Active Directory Security Access Control Lists

The Security Access Control List (SACL) describes the objects and operations to monitor. You must configure the SACL to generate events for operations that can result in, or are related to, changes in GPO data stored in Active Directory.

To monitor all changes of current and future objects inside Active Directory with Change Guardian for Active Directory, follow the steps in Configuring SACLs for Change Guardian for Active Directory. If you are running only Change Guardian for Group Policy in your environment, see Configuring SACLs for Change Guardian for Group Policy Only.

Configuring SACLs for Change Guardian for Active Directory

If you are running Change Guardian for Active Directory in your environment, complete the steps in this section. To monitor all changes of current and future objects inside Active Directory with Change Guardian, you must configure the domain node.

NOTE: To use adsiedit.msc in Windows Server 2003, you must install the Windows Support Tools. For more information about installing Windows Support Tools, see http://technet.microsoft.com/en-us/library/cc755948%28WS.10%29.aspx.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc and press Enter to start the ADSI Edit configuration tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection window, ensure that Name is set to Default naming context, and Path points to the domain to configure.

    NOTE: You must perform Step 5 through Step 13 three times, configuring the connection points for Default naming context, Schema, and Configuration.

  5. In Connection Point, select Select a well known Naming Context, and then select one of the following:

    • On the first time through this step, select Default naming context in the drop-down list.

    • On the second time through this step, select Schema.

    • On the third time through this step, select Configuration.

  6. Click OK, and then expand Default naming context or Schema or Configuration.

  7. Right-click the node under the connection point (begins with DC= or CN=), and select Properties.

  8. On the Security tab, click Advanced.

  9. On the Auditing tab, click Add.

  10. Configure auditing to monitor every user.

    • If you are using Windows Server 2012:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All.

      5. In the Permissions list, select the following:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

    • For all other versions of Windows:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Access list, select Successful and Failed for the following:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

  11. In the Applies to or Apply onto field, select This object and all descendant objects.

  12. Clear the setting to Apply these auditing entries to objects and/or containers within this container only.

  13. Click OK until you close all open windows.

  14. Repeat Step 5 through Step 13 two more times.

Configuring SACLs for Change Guardian for Group Policy Only

If you are running only the Change Guardian for Group Policy product in your environment, complete the steps in this section.

NOTE: To use adsiedit.msc in Windows Server 2003, you must install the Windows Support Tools. For more information about installing Windows Support Tools, see http://technet.microsoft.com/en-us/library/cc755948%28WS.10%29.aspx.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc and press Enter to start the ADSI Edit configuration tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection window, ensure Name is set to Default naming context, and Path points to the domain to configure.

  5. In Connection Point, select Select a well known Naming Context, and then select Default naming context in the drop-down box.

  6. Click OK, and then expand Default naming context.

  7. Right-click the node under the connection point (begins with DC=), and select Properties.

  8. Select the Security tab.

  9. Click Advanced > Auditing > Add.

  10. Configure auditing to monitor every user.

    • If you are using Windows Server 2012:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All.

      5. In the Permissions list, select the following:

        • Delete

        • Create Organizational Unit objects

      6. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

    • For all other versions of Windows:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permissions list, select the following:

        • Delete

        • Create Organizational Unit objects

      4. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

  11. In the Applies to or Apply onto field, select This object and all descendant objects.

  12. Clear the setting to Apply these auditing entries to objects and/or containers within this container only.

  13. Click OK until you close all open windows.

  14. In Connection Point, select Select a well known Naming Context, and then select Configuration in the drop-down list.

  15. Click OK, and then expand Configuration.

  16. Right-click the node under the connection point (begins with CN=), and select Properties.

  17. Select the Security tab.

  18. Click Advanced.

  19. Click Auditing.

  20. Click Add.

  21. Configure auditing to monitor every user.

    • If you are using Windows Server 2012:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All.

      5. In the Permissions list, select the following:

        • Delete

        • Create Sites Container objects

      6. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

    • For all other versions of Windows:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permissions list, select the following:

        • Delete

        • Create Sites Container objects

      4. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

  22. In the Applies to or Apply onto field, select This object and all descendant objects.

  23. Clear the setting to Apply these auditing entries to objects and/or containers within this container only.

  24. Click OK until you close all open windows.
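Both SACL procedures above end with auditing entries for Everyone applied to "This object and all descendant objects", but ADSI Edit gives no summary view to confirm them. The following PowerShell is an added example, not part of the Change Guardian documentation: it reads the SACL of each naming context through the AD: drive and lists every required right that is not covered by an explicit Success and Failure entry for Everyone, for the Change Guardian for Active Directory entries (all three naming contexts) and for the narrower Change Guardian for Group Policy Only entries (domain and Configuration nodes). It assumes the RSAT ActiveDirectory module and a domain administrator session on a domain-joined computer; the function names Test-CgSacl and Get-SchemaGuid are this example's own.

```powershell
# Added example: not Change Guardian's own code. Assumes the RSAT ActiveDirectory
# module and a domain-admin session on a domain-joined computer (reading a SACL
# requires SeSecurityPrivilege, which Get-Acl -Audit exercises).
Import-Module ActiveDirectory

$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$RootDse  = Get-ADRootDSE

# schemaIDGUID of an attribute or class: ADSI Edit stores "Write gPLink" as a
# WriteProperty entry whose ObjectType is the GUID of the gPLink attribute, and
# "Create Organizational Unit objects" as CreateChild with the class GUID.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# Returns one row per required right that is NOT covered by an explicit audit
# entry for Everyone with Success and Failure applied to this object and all
# descendants. No output means the node matches the procedure.
function Test-CgSacl {
    param(
        [string]$DistinguishedName,
        [hashtable[]]$Required      # each: @{ Right = '<ActiveDirectoryRights>'; ObjectType = <guid> }
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    # Explicit entries only ($true, $false); identities resolved to SIDs.
    $aces = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $Everyone -and
            $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
            $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Failure) -and
            $_.InheritanceType -eq 'All'   # "This object and all descendant objects", container-only box cleared
        }
    foreach ($req in $Required) {
        $right = [System.DirectoryServices.ActiveDirectoryRights]$req.Right
        $hit = $aces | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($right) -and $_.ObjectType -eq $req.ObjectType
        }
        if (-not $hit) {
            [pscustomobject]@{ Node = $DistinguishedName; MissingRight = $req.Right; ObjectType = $req.ObjectType }
        }
    }
}

# Change Guardian for Active Directory: the "all objects" entry on the domain,
# Schema and Configuration nodes. ObjectType Empty means "all properties" or
# "all child objects", matching the entries the procedure selects.
# WriteDacl is "Modify Permissions"; WriteOwner is "Modify Owner".
$AllObjects = 'WriteProperty', 'Delete', 'WriteDacl', 'WriteOwner', 'CreateChild', 'DeleteChild' |
    ForEach-Object { @{ Right = $_; ObjectType = [guid]::Empty } }
foreach ($dn in $RootDse.defaultNamingContext, $RootDse.schemaNamingContext, $RootDse.configurationNamingContext) {
    Test-CgSacl -DistinguishedName $dn -Required $AllObjects
}

# Change Guardian for Group Policy only: the narrower entries on the domain and
# Configuration nodes.
$GpoLink   = 'gPLink', 'gPOptions' | ForEach-Object { @{ Right = 'WriteProperty'; ObjectType = Get-SchemaGuid $_ } }
$DomainReq = @(@{ Right = 'Delete'; ObjectType = [guid]::Empty },
               @{ Right = 'CreateChild'; ObjectType = Get-SchemaGuid 'organizationalUnit' }) + $GpoLink
$ConfigReq = @(@{ Right = 'Delete'; ObjectType = [guid]::Empty },
               @{ Right = 'CreateChild'; ObjectType = Get-SchemaGuid 'sitesContainer' }) + $GpoLink
Test-CgSacl -DistinguishedName $RootDse.defaultNamingContext       -Required $DomainReq
Test-CgSacl -DistinguishedName $RootDse.configurationNamingContext -Required $ConfigReq
```

Run only the half that matches the products you deploy. Each row in the output names a naming context and a right for which no matching entry exists; an empty result means the node is configured as the procedure describes. The check deliberately ignores inherited entries, because the procedure defines the entry on the naming context itself and inherited entries from a parent cannot exist at that level.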

6.11.5 Synchronizing Active Directory User Accounts

Synchronizing Active Directory user accounts allows you to retrieve information about the user associated with a particular event, such as the user name, the user’s email address, and the user’s contact details. The user information comes from the Active Directory server in your environment. You can also view all the user’s recent activities.

Using the Change Guardian web console, you add one or more user containers and the user attributes that you want to synchronize.

To view and manage synchronized Active Directory accounts:

  1. In the Change Guardian web console, click Integration.

  2. Click AD Accounts.

Adding a User Container

Active Directory stores user accounts in containers. You can add one or more containers to Change Guardian to synchronize the user accounts they hold.

To add a user container to Change Guardian:

  1. In the Change Guardian web console, click Integration > AD Accounts > Add User Container.

  2. Provide the appropriate information for the user container you want to synchronize.

Mapping User Profile Fields

To synchronize Active Directory user accounts to Change Guardian, Change Guardian needs to map the user account field names in Active Directory to an attribute in your directory service. By default, Change Guardian maps the most commonly used field names, but you can add or remove mappings as necessary.

To modify user profile mapping, in the Change Guardian web console, click Integration > AD Accounts > User Profile Mapping.