A.4 Configuring Active Directory System Access Control Lists

The System Access Control List (SACL) on an Active Directory object describes which principals, operations, and outcomes (successful, failed, or both) generate audit events for that object. You must configure the SACL so that operations that can result in, or are related to, changes in GPO data stored in Active Directory generate events. The SACL only selects what is audited: the events are written to the Security log of the domain controllers only if directory service auditing (the Audit Directory Service Access and Audit Directory Service Changes policies) is also enabled there.

To monitor all changes to current and future objects in Active Directory with Change Guardian for Active Directory, follow the steps in Section A.4.1, Configuring SACLs for Change Guardian for Active Directory. If you are running only Change Guardian for Group Policy in your environment, see Section A.4.2, Configuring SACLs for Change Guardian for Group Policy Only.

A.4.1 Configuring SACLs for Change Guardian for Active Directory

If you are running Change Guardian for Active Directory in your environment, complete the steps in this section. To monitor all changes to current and future objects in Active Directory with Change Guardian, you must configure an inheritable auditing entry at the root of each naming context: the domain node (Default naming context), Schema, and Configuration.

NOTE: To use adsiedit.msc in Windows Server 2003, you must install the Windows Support Tools. For more information about installing Windows Support Tools, see http://technet.microsoft.com/en-us/library/cc755948%28WS.10%29.aspx.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc and press Enter to start the ADSI Edit configuration tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection window, ensure that Name is set to Default naming context, and Path points to the domain to configure.

    NOTE: You must perform Step 5 through Step 13 three times, once for each of the following connection points: Default naming context, Schema, and Configuration.

  5. In Connection Point, select Select a well known Naming Context, and then select one of the following:

    • On the first time through this step, select Default naming context in the drop-down list.

    • On the second time through this step, select Schema.

    • On the third time through this step, select Configuration.

  6. Click OK, and then expand the naming context you connected to (Default naming context, Schema, or Configuration).

  7. Right-click the node directly under the connection point (its name begins with DC= for the Default naming context, or CN= for Schema and Configuration), and select Properties.

  8. On the Security tab, click Advanced.

  9. On the Auditing tab, click Add.

  10. Configure an auditing entry that applies to every user (the Everyone principal).

    • If you are using Windows Server 2012 or later:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All (both successful and failed attempts are audited).

      5. In the Permissions list, select the following:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The individual Create <class> objects entries are selected automatically.

        • Delete All Child Objects

          The individual Delete <class> objects entries are selected automatically.

    • For earlier versions of Windows Server:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Access list, select Successful and Failed for the following:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The individual Create <class> objects entries are selected automatically.

        • Delete All Child Objects

          The individual Delete <class> objects entries are selected automatically.

  11. In the Applies to or Apply onto field, select This object and all descendant objects.

  12. Clear the Apply these auditing entries to objects and/or containers within this container only check box, so that the entry is inherited by the entire tree and not only by the direct children.

  13. Click OK until you close all open windows.

  14. Repeat Step 5 through Step 13 for the Schema connection point, and then again for the Configuration connection point.

A.4.2 Configuring SACLs for Change Guardian for Group Policy Only

If you are running only the Change Guardian for Group Policy product in your environment, complete the steps in this section.

NOTE: To use adsiedit.msc in Windows Server 2003, you must install the Windows Support Tools. For more information about installing Windows Support Tools, see http://technet.microsoft.com/en-us/library/cc755948%28WS.10%29.aspx.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc and press Enter to start the ADSI Edit configuration tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection window, ensure Name is set to Default naming context, and Path points to the domain to configure.

  5. In Connection Point, select Select a well known Naming Context, and then select Default naming context in the drop-down box.

  6. Click OK, and then expand Default naming context.

  7. Right-click the node under the connection point (begins with DC=), and select Properties.

  8. Select the Security tab.

  9. Click Advanced > Auditing > Add.

  10. Configure an auditing entry that applies to every user (the Everyone principal).

    • If you are using Windows Server 2012 or later:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All (both successful and failed attempts are audited).

      5. In the Permissions list, select the following:

        • Delete

        • Create Organizational Unit objects

      6. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

    • For earlier versions of Windows Server:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permissions list, select the following:

        • Delete

        • Create Organizational Unit objects

      4. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

  11. In the Applies to or Apply onto field, select This object and all descendant objects.

  12. Clear the Apply these auditing entries to objects and/or containers within this container only check box, so that the entry is inherited by the entire tree and not only by the direct children.

  13. Click OK until you close all open windows.

  14. In Connection Point, select Select a well known Naming Context, and then select Configuration in the drop-down list.

  15. Click OK, and then expand Configuration.

  16. Right-click the node under the connection point (begins with CN=), and select Properties.

  17. Select the Security tab.

  18. Click Advanced.

  19. Click Auditing.

  20. Click Add.

  21. Configure an auditing entry that applies to every user (the Everyone principal).

    • If you are using Windows Server 2012 or later:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All (both successful and failed attempts are audited).

      5. In the Permissions list, select the following:

        • Delete

        • Create Sites Container objects

      6. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

    • For earlier versions of Windows Server:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permissions list, select the following:

        • Delete

        • Create Sites Container objects

      4. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

  22. In the Applies to or Apply onto field, select This object and all descendant objects.

  23. Clear the Apply these auditing entries to objects and/or containers within this container only check box, so that the entry is inherited by the entire tree and not only by the direct children.

  24. Click OK until you close all open windows.
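The following PowerShell script is an added example and is not part of the Change Guardian documentation or product. It applies the same auditing entries as Section A.4.1 (Set-FullAdAuditSacl) and Section A.4.2 (Set-GpoOnlyAuditSacl) without clicking through ADSI Edit, and reads the SACL back (Get-EveryoneAuditEntries) so that you can verify the result on each naming context. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it runs as a domain administrator on a domain-joined computer; the function names are the author's own. The object-class and attribute GUIDs needed for the Group Policy entries are looked up from the schema rather than hard-coded.

```powershell
# Added example, not part of the Change Guardian documentation.
# Assumes: ActiveDirectory module installed, run as a domain administrator.
Import-Module ActiveDirectory

$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # well-known SID of Everyone
$Both     = [System.Security.AccessControl.AuditFlags]'Success, Failure'       # "Type: All" in the 2012 dialog
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All # "This object and all descendant objects"
$RootDse  = Get-ADRootDSE                                                      # gives the three naming context DNs

# Resolve a class or attribute lDAPDisplayName to its schemaIDGUID from the live schema.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Read only the SACL of $Dn, append the given audit rules, and write only the SACL back.
function Add-AuditRules([string]$Dn, [System.DirectoryServices.ActiveDirectoryAuditRule[]]$Rules) {
    $entry = [ADSI]"LDAP://$Dn"
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    foreach ($rule in $Rules) { $entry.psbase.ObjectSecurity.AddAuditRule($rule) }
    $entry.psbase.CommitChanges()
}

# Verification: list the explicit (non-inherited) audit entries for Everyone on $Dn.
function Get-EveryoneAuditEntries([string]$Dn) {
    $entry = [ADSI]"LDAP://$Dn"
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $entry.psbase.ObjectSecurity.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Everyone } |
        Select-Object ActiveDirectoryRights, AuditFlags, ObjectType, InheritanceType
}

# Section A.4.1: one inheritable entry on the Default naming context, Schema and Configuration with
# Write All Properties, Delete, Modify Permissions, Modify Owner, Create/Delete All Child Objects.
function Set-FullAdAuditSacl {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($Everyone, $rights, $Both, $Inherit)
    foreach ($nc in @($RootDse.defaultNamingContext, $RootDse.schemaNamingContext, $RootDse.configurationNamingContext)) {
        Add-AuditRules -Dn $nc -Rules $rule
    }
}

# Section A.4.2: Delete, Create Organizational Unit objects (domain) or Create Sites Container
# objects (Configuration), plus Write gPLink and Write gPOptions, each scoped by its schema GUID.
function Set-GpoOnlyAuditSacl {
    $gpLink    = Get-SchemaGuid 'gPLink'
    $gpOptions = Get-SchemaGuid 'gPOptions'
    $targets = @(
        @{ Dn = $RootDse.defaultNamingContext;       CreateClass = Get-SchemaGuid 'organizationalUnit' },
        @{ Dn = $RootDse.configurationNamingContext; CreateClass = Get-SchemaGuid 'sitesContainer' }
    )
    foreach ($t in $targets) {
        $rules = @(
            New-Object System.DirectoryServices.ActiveDirectoryAuditRule($Everyone, $Rights::Delete,        $Both, $Inherit)
            New-Object System.DirectoryServices.ActiveDirectoryAuditRule($Everyone, $Rights::CreateChild,   $Both, $t.CreateClass, $Inherit)
            New-Object System.DirectoryServices.ActiveDirectoryAuditRule($Everyone, $Rights::WriteProperty, $Both, $gpLink, $Inherit)
            New-Object System.DirectoryServices.ActiveDirectoryAuditRule($Everyone, $Rights::WriteProperty, $Both, $gpOptions, $Inherit)
        )
        Add-AuditRules -Dn $t.Dn -Rules $rules
    }
}

# Usage: run the function that matches the product you have deployed, then verify.
#   Set-FullAdAuditSacl          # Change Guardian for Active Directory (Section A.4.1)
#   Set-GpoOnlyAuditSacl         # Change Guardian for Group Policy only (Section A.4.2)
#   Get-EveryoneAuditEntries $RootDse.defaultNamingContext
```

Writing a SACL requires the Manage auditing and security log privilege (SeSecurityPrivilege), which Administrators hold on domain controllers by default; a plain account with Full Control on the object is not enough. The entry is only the selector: confirm with `auditpol /get /category:"DS Access"` on the domain controllers that the Directory Service Changes and Directory Service Access subcategories are enabled, otherwise no events are written. Note also that an inherited Everyone entry for Write All Properties on the whole domain naming context audits every attribute write by every principal, so expect a substantial volume of directory service audit events (4662 and 5136) in the Security log once it is in place.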