Change Guardian provides enhanced monitoring fidelity for Microsoft Active Directory (AD) in conjunction with Directory and Resource Administrator (DRA) and includes use of the DRA Service Account and DRA Assistant Administrator (Impersonation Account).This provides better visibility into AD changes made through approved controls and processes.Together they provide an integrated solution to control, manage, and monitor AD environments. For example, when you use DRA to make changes to AD, and you use the Create User wizard to create a user in DRA, the Change Guardian server is notified and the web console displays the actual user name of the user logged into DRA to make AD changes.
By monitoring activities in AD, Change Guardian detects if users are bypassing DRA to making changes in AD that are not compliant with policies defined in DRA.Change Guardian displays the actual user name for the following specific set of actions performed using DRA in AD:
User account created
User account modified
User account unlocked
User account enabled
User account disabled
Active Directory (AD) object created
Active Directory (AD) object modified
Computer account created
Computer account modified
Computer account enabled
Computer account disabled
Contact created
Contact modified
Group created
Group modified
Organizational Unit (OU) added
Organizational Unit (OU) modified
Other Change Guardian benefits which reduce administration costs and assure enterprise security include:
Secure privilege delegation
Centralized audits and reports
Streamlined provisioning and de-provisioning
Repetitive task automation and enforcement of policies
Change Guardian also enriches configured additional information for AD events, when an event is initiated by DRA, and populates two additional fields in a Change Guardian event. This helps you retrieve and filter events generated by DRA. To use the DRA integration capability, you must use Directory Resource Administrator 9.0 and later.
NOTE:You must consider changes performed in DRA as managed events.
For more information, see Directory and Resource Administrator 9.2 documentation.