Change Guardian provides enhanced user monitoring in conjunction with DRA. Together they provide a solution to control, manage, and monitor Active Directory environments.
The Change Guardian server captures the unmanaged changes made through DRA and displays the actual user name (the end user who logged in to DRA) in the event list. You can view events by clicking ADMINISTRATION in the web console. As an auditor, you can monitor the AD audit logs or events from DRA and view the corresponding actual user name in the Change Guardian event list.
Prerequisites:
Ensure that you have completed the following:
Install DRA
Install Change Guardian
To set up Change Guardian to receive DRA events, perform the following steps:
To set up DRA, perform the following steps:
To manage AD domains, see the Directory and Resource Administrator Administration Guide.
Event stamping allows Change Guardian to receive the DRA user details.
When AD Domain Services auditing is enabled, DRA events are logged as having been generated by either the DRA Service account or, if one is configured, the Domain Access account. Event Stamping takes this one step further by generating an additional AD DS event that identifies the assistant administrator who actually performed the operation.
For these events to be generated, you must configure AD DS auditing and enable Event Stamping on the DRA Administration Server. When Event Stamping is enabled, you can view the changes that assistant administrators make in Change Guardian event reports.
To configure AD DS auditing, see the Microsoft reference AD DS Auditing Step-by-Step Guide.
To configure Change Guardian integration, see Configuring Unified Change History Servers.
To enable Event Stamping, open the Delegation and Configuration console as DRA Administrator, and do the following:
Navigate to Configuration Management > Update Administration Server Options > Event Stamping.
Select an object type, and click Update.
Select an attribute to use for Event Stamping for that object type.
DRA currently supports Event Stamping for users, groups, contacts, computers, and organizational units.
DRA also requires that the selected attributes exist in the AD schema of each of your managed domains. Keep this in mind if you add managed domains after configuring Event Stamping: if you add a managed domain that does not contain a selected attribute, operations from that domain are not audited with the Event Stamping data.
DRA modifies these attributes, so select attributes that are not used by DRA or by any other application in your environment.
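The two requirements above (the attribute must exist in each managed domain's schema, and nothing else should be using it) are easy to check before enabling Event Stamping. The following PowerShell script is an added example, not part of the DRA or Change Guardian documentation; the domain names and the chosen attribute are placeholders, and it assumes the ActiveDirectory module and read access to each domain.

```powershell
# Added example: verify the Event Stamping attribute for every managed domain.
# $ManagedDomains and $StampAttribute are constructed placeholders; replace them.
Import-Module ActiveDirectory

$ManagedDomains = @('corp.example.com', 'child.corp.example.com')  # placeholders
$StampAttribute = 'extensionAttribute1'                            # hypothetical choice

foreach ($domain in $ManagedDomains) {
    try {
        $rootDse   = Get-ADRootDSE -Server $domain
        $schemaNC  = $rootDse.schemaNamingContext
        $defaultNC = $rootDse.defaultNamingContext

        # Check 1: the attribute must be defined in the schema seen by this domain.
        $schemaEntry = Get-ADObject -Server $domain -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$StampAttribute))" `
            -Properties lDAPDisplayName, isSingleValued

        if (-not $schemaEntry) {
            Write-Warning ("{0}: attribute '{1}' is not in the schema; operations from this " +
                           "domain would not carry Event Stamping data.") -f $domain, $StampAttribute
            continue
        }

        # Check 2: DRA overwrites the attribute, so any object that already has a value
        # indicates another application is using it. One hit is enough to flag it.
        $inUse = Get-ADObject -Server $domain -SearchBase $defaultNC `
            -LDAPFilter "($StampAttribute=*)" -ResultSetSize 1

        if ($inUse) {
            Write-Warning ("{0}: '{1}' is already populated (for example on {2}); " +
                           "choose an unused attribute.") -f $domain, $StampAttribute, $inUse.DistinguishedName
        }
        else {
            Write-Output ("{0}: '{1}' exists in the schema and is unused. OK." -f $domain, $StampAttribute)
        }
    }
    catch {
        Write-Warning ("{0}: could not query the domain: {1}" -f $domain, $_.Exception.Message)
    }
}
```

Run it again whenever you add a managed domain, since the schema check is per forest and the usage check is per domain.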
The Unified Change History Server feature enables you to generate reports for changes made outside of DRA.
To manage Unified Change History Server, assign the Unified Change History Server Administration role or the applicable powers below to assistant administrators:
Delete Unified Change History Server Configuration
Set Unified Change History Configuration Information
View Unified Change History Configuration Information
To delegate Unified Change History Server powers:
Click Powers in the Delegation Management node, and use the search objects feature to find and select the UCH powers that you want.
Right-click one of the selected UCH powers and select Delegate Roles and Powers.
Search for the specific user, group, or assistant administrator group that you want to delegate powers to.
Use the Object Selector to find and add the objects that you want, and then click Roles and Powers in the Wizard.
Click ActiveViews, and use the Object Selector to find and add the ActiveViews that you want.
Click Next and then Finish to complete the delegation process.
To configure Unified Change History Servers:
Log in to the Delegation and Configuration Console.
Expand Configuration Management > Integration Servers.
Right-click Unified Change History, and select New Unified Change History Server.
Specify the UCH server name or IP address, port number, server type, and access account details in the Unified Change History configuration.
Test the server connection and click Finish to save the configuration.
Add additional servers as required.
To view DRA events, see Events Dashboard. The Change Guardian event details display the application as DRA.
To view the Unified Change History reports on AD objects from Change Guardian, see Utilizing Unified Change History in the Directory and Resource Administrator User Guide.
Change Guardian events do not display the actual DRA user name in the following scenarios:
When you enable or disable a computer account, or apply user account unlock policies.
When you modify the group scope or group type.
When you change the remote access permission on the Dial In tab in DRA, two modification events are generated. The event shows User-Parameters in the delta.
When you make changes to Azure AD or Exchange using DRA.
When you make changes in the following tabs in DRA:
Account tab
Password tab
Member of tab
Terminal Services tab
Dial in tab
Call back tab