11.4 Configuring Change History Reporting

DRA enables delegation of managed changes in an enterprise organization and Change Guardian (CG) enables monitoring for managed and unmanaged changes occurring in Active Directory. Integrating DRA and CG provides:

  • Ability to see, in CG events for changes made through DRA, the DRA delegated Assistant Administrator who made the change to Active Directory.

  • Ability to see recent change history for an object in DRA of both changes made through DRA and changes captured by CG that originated outside of DRA.

  • Changes made through DRA are designated as “Managed” changes in CG.

To configure DRA change history reporting, complete the steps in the following sections in order:

Once you have completed those steps for installing Change Guardian and configuring DRA and CG integration, users can generate and view Unified Change History (UCH) reports in the Web Console.

For more information, see Generating Change History Reports in the Directory and Resource Administrator User Guide.

11.4.1 Install the Change Guardian Windows Agent

Before you begin DRA and CG integration, install the Change Guardian Windows Agent. For more information, see the Change Guardian Installation and Administration Guide.

11.4.2 Add an Active Directory License key

You must add licenses for both the Change Guardian server and applications or modules you plan to monitor. For more information, see the Change Guardian Installation and Administration Guide.

11.4.3 Configure Active Directory

To configure Active Directory for Change History, reference the following sections:

Configuring the Security Event Log

Configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.

To configure the security event log:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, enter the following at the command prompt: gpmc.msc

  3. Open Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  6. Select Event Log and set:

    • Maximum security log size to 10240 KB (10 MB) or more

    • Retention method for security log to Overwrite events as needed

  7. To update policy settings, run the gpUpdate command at the command prompt.

To verify the configuration is successful:

  1. Open a command prompt as an administrator on the computer.

  2. Start Event Viewer: eventvwr

  3. Under Windows logs, right-click Security, and select Properties.

  4. Ensure that the settings show maximum log size of 10240 KB (10 MB) or more and that Overwrite events as needed is selected.
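The following PowerShell script is an added example and is not part of the DRA or Change Guardian documentation. It performs the verification above on every domain controller in the domain at once, rather than opening Event Viewer on each one. It assumes the ActiveDirectory PowerShell module is installed and that the account running it can read event log settings remotely (Get-WinEvent -ComputerName). "Overwrite events as needed" is reported by the Windows event log API as LogMode Circular.

```powershell
# Added example (not from the DRA documentation): verify the Security event log
# settings the procedure above configures, on every domain controller in the domain.
# Assumes the ActiveDirectory module and remote event log access to each DC.
Import-Module ActiveDirectory

$minimumSizeKB = 10240   # value from the procedure: 10240 KB (10 MB) or more

function Test-SecurityLogSettings {
    param([string]$ComputerName)

    $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName -ErrorAction Stop
    $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)

    # "Overwrite events as needed" corresponds to LogMode 'Circular'. 'Retain'
    # (do not overwrite) would stop new audit events once the log is full, and
    # Change Guardian would then miss changes.
    [pscustomobject]@{
        ComputerName  = $ComputerName
        MaximumSizeKB = $sizeKB
        LogMode       = $log.LogMode
        SizeOk        = $sizeKB -ge $minimumSizeKB
        RetentionOk   = $log.LogMode -eq 'Circular'
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try { Test-SecurityLogSettings -ComputerName $dc.HostName }
    catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
}

$results | Format-Table -AutoSize

$failing = $results | Where-Object { -not ($_.SizeOk -and $_.RetentionOk) }
if ($failing) {
    Write-Warning ("Security log settings do not meet the Change Guardian requirements on: " +
        ($failing.ComputerName -join ', '))
}
```

Run the script after gpUpdate has applied the policy. A DC that still reports a smaller log or a LogMode other than Circular is usually one where a GPO with a higher link order overrides the Default Domain Controllers Policy, the situation the note in step 4 describes.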

Configuring AD Auditing

Configure AD auditing to enable logging of AD events in the security event log.

Configure the Default Domain Controllers Policy GPO with Audit directory service access set to monitor both success and failure events.

To configure AD auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, run gpmc.msc at the command prompt.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    1. To configure auditing for both AD and Group Policy, under Account Management and Policy Change, select the following for each subcategory: Configure the following audit events, Success, and Failure.

    2. To configure auditing for AD only, under DS Access, select the following for each subcategory: Configure the following audit events, Success, and Failure.

  6. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

    1. For each of the following policies, select Define these policy settings, Success, and Failure in the Security Policy Setting tab:

      • Audit account management

      • Audit directory service access

      • Audit policy change

  7. To update policy settings, run the gpUpdate command at the command prompt.

For more information, see Monitoring Active Directory for Signs of Compromise on the Microsoft Documentation site.

Configuring User and Group Auditing

Configure user and group auditing to audit the following activities:

  • Logon and logoff activities of local users and Active Directory users

  • Local user settings

  • Local group settings

To configure user and group auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. Open Microsoft Management Console, select File > Add/Remove Snap-in.

  3. Select Group Policy Management Editor and click Add.

  4. In the Select Group Policy Object window, click Browse.

  5. Select Domain Controllers.FQDN, where FQDN is the Fully Qualified Domain Name for the domain controller computer.

  6. Select Default Domain Controllers Policy.

  7. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  8. Under Audit Account Logon Events and Audit Logon Events, select Define these policy settings, Success, and Failure.

  9. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  10. Under Audit Logon, select Audit Logon, Success, and Failure.

  11. Under Audit Logoff, select Audit Logoff, Success, and Failure.

  12. To update policy settings, run the gpupdate /force command at the command prompt.
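The following PowerShell script is an added example, not code from the DRA or Change Guardian documentation. It verifies on a domain controller that the advanced audit policy subcategories enabled by both the AD auditing procedure (Account Management, DS Access, Policy Change) and the user and group auditing procedure (Logon and Logoff) are in effect after gpupdate. It reads the effective policy with auditpol.exe in its CSV report format (/r); the column names Subcategory and Inclusion Setting are the ones that format is assumed to produce.

```powershell
# Added example (not from the DRA documentation): check the effective advanced audit
# policy on this domain controller against the subcategories the two auditing
# procedures above enable. Run from an elevated prompt on the DC after gpupdate.
# Assumes auditpol /r emits CSV with "Subcategory" and "Inclusion Setting" columns.

$requiredCategories    = @('Account Management', 'DS Access', 'Policy Change')  # AD auditing procedure
$requiredSubcategories = @('Logon', 'Logoff')                                   # user/group auditing procedure
$expected = 'Success and Failure'

function Get-AuditSetting {
    param([string]$Category, [string]$Subcategory)

    if ($Category) { $csv = auditpol /get /category:"$Category" /r }
    else           { $csv = auditpol /get /subcategory:"$Subcategory" /r }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE); run from an elevated prompt"
    }
    # auditpol /r prints a CSV table; drop any blank leading line before parsing
    $csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

$rows = @()
foreach ($c in $requiredCategories)    { $rows += Get-AuditSetting -Category $c }
foreach ($s in $requiredSubcategories) { $rows += Get-AuditSetting -Subcategory $s }

$report = $rows | ForEach-Object {
    [pscustomobject]@{
        Subcategory = $_.Subcategory
        Setting     = $_.'Inclusion Setting'
        Ok          = $_.'Inclusion Setting' -eq $expected
    }
}
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Ok }
if ($missing) {
    Write-Warning ("Subcategories not auditing Success and Failure: " +
        ($missing.Subcategory -join ', '))
} else {
    Write-Host "All required subcategories audit $expected"
}
```

Checking the effective policy with auditpol, rather than the GPO contents, catches the case the notes above warn about: a competing GPO with a higher link order, or a later gpupdate, silently replacing the settings.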

Configuring Security Access Control Lists

To monitor all changes to current and future objects in Active Directory, configure auditing on the domain node.

To configure SACLs:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open ADSI Edit configuration tool, run adsiedit.msc at the command prompt.

  3. Right-click ADSI Edit, and select Connect to.

  4. In the Connection Settings window, specify the following:

    • Name as Default naming context.

    • Path as the domain to configure.

    • If you are performing this step for the first time, select Default naming context.

    • If you are performing this step for the second time, select Schema.

    • If you are performing this step for the third time, select Configuration.

    NOTE: You must perform Step 4 through Step 11 three times, to configure connection points for Default naming context, Schema, and Configuration.

  5. In Connection Point, set Select a well known Naming Context to Default naming context.

  6. In the ADSI Edit window, expand Default naming context.

  7. Right-click the node under the connection point (begins with DC= or CN=), and click Properties.

  8. On the Security tab, click Advanced > Auditing > Add.

  9. In Applies to or Apply onto, select This object and all descendant objects.

  10. Configure auditing to monitor every user:

    1. Click Select a principal, and type everyone in Enter the object name to select.

    2. Specify the following options:

      • Type as All

      • Select Permissions as:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

  11. Deselect the option Apply these auditing entries to objects and/or containers within this container only.

  12. Repeat Step 4 through Step 11 two more times.
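The following PowerShell script is an added example and is not part of the DRA or Change Guardian documentation. It reads the auditing entries (SACL) on the three naming contexts the procedure above configures and reports whether the Everyone entries carry the rights, audit types and inheritance the procedure asks for. It assumes the ActiveDirectory module (which provides the AD: drive) and an account allowed to read SACLs. The mapping from the dialog's labels to ActiveDirectoryRights flags and from "This object and all descendant objects" to InheritanceType All is the author's own assumption about how the UI stores the entries.

```powershell
# Added example (not from the DRA documentation): inspect the SACL on the three
# naming contexts configured in the procedure above and flag gaps in the
# "Everyone" auditing entries. Assumes the ActiveDirectory module and an account
# that may read SACLs (SeSecurityPrivilege, normally held by domain administrators).
Import-Module ActiveDirectory

# Rights selected in step 10, mapped (assumed) to ActiveDirectoryRights flags:
# Write All Properties -> WriteProperty, Delete -> Delete, Modify Permissions -> WriteDacl,
# Modify Owner -> WriteOwner, Create/Delete All Child Objects -> CreateChild/DeleteChild
$requiredRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'
$requiredFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'   # "Type: All"

$rootDse = Get-ADRootDSE
$namingContexts = [ordered]@{
    'Default naming context' = $rootDse.defaultNamingContext
    'Schema'                 = $rootDse.schemaNamingContext
    'Configuration'          = $rootDse.configurationNamingContext
}

function Test-AuditSacl {
    param([string]$Label, [string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $everyoneRules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' }

    # Take the union across all Everyone entries: the dialog may store one auditing
    # entry as several ACEs (for example the child-object rights it adds automatically).
    $rights = 0; $flags = 0; $inheritsToAll = $false
    foreach ($r in $everyoneRules) {
        $rights = $rights -bor [int]$r.ActiveDirectoryRights
        $flags  = $flags  -bor [int]$r.AuditFlags
        # "This object and all descendant objects" with the "within this container only"
        # option cleared (step 11) is assumed to appear as InheritanceType 'All';
        # 'SelfAndChildren' indicates step 11 was not completed.
        if ($r.InheritanceType -eq 'All') { $inheritsToAll = $true }
    }

    [pscustomobject]@{
        NamingContext = $Label
        Entries       = @($everyoneRules).Count
        RightsOk      = (($rights -band [int]$requiredRights) -eq [int]$requiredRights)
        FlagsOk       = (($flags  -band [int]$requiredFlags)  -eq [int]$requiredFlags)
        InheritanceOk = $inheritsToAll
    }
}

$results = foreach ($entry in $namingContexts.GetEnumerator()) {
    Test-AuditSacl -Label $entry.Key -DistinguishedName $entry.Value
}
$results | Format-Table -AutoSize

$bad = $results | Where-Object { -not ($_.RightsOk -and $_.FlagsOk -and $_.InheritanceOk) }
if ($bad) { Write-Warning "Auditing entries incomplete on: $($bad.NamingContext -join ', ')" }
```

Because the procedure has to be repeated three times, the most common omission is a naming context that was never configured or one where step 11 was skipped; the script reports each context separately so that the missing pass is obvious.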

11.4.4 Create and Assign an Active Directory Policy

You can create a fresh policy without preconfigured settings.

To create a policy:

  1. In Policy Editor, select one of the applications, such as Active Directory.

  2. Expand the list of policies and select the policy type you want to create. For example, select Active Directory Policies > AD Object.

  3. On the Configuration Policy screen, make the appropriate changes.

  4. (Conditional) If you want to enable the policy immediately, select Enable this policy revision now.

To assign:

  1. Click CONFIGURATION > Policies > Assign Policies.

  2. (Conditional) To assign to an agent group, click Agent Groups and Default Group or Custom Group, and click on the group name.

  3. (Conditional) To assign to an agent, click AGENTS and select the agent name.

  4. Click on the icon under ASSIGN UNASSIGN.

  5. Select the policies from either POLICY SETS, POLICIES, or both, and click APPLY.

NOTE: You cannot assign policies using agent groups for the following asset types: Azure AD, AWS for IAM, Dell EMC, Microsoft Exchange, Microsoft Office 365.

11.4.5 Manage Active Directory Domains

To configure a domain in DRA as a Managed domain, see Managing Active Directory Domains.

11.4.6 Enable Event Stamping in DRA

When AD Domain Services auditing is enabled, DRA events are logged as having been generated by either the DRA Service account or the Domain Access account if one is configured. Event Stamping takes this feature one step further by generating an additional AD DS event that identifies the assistant administrator who performed the operation.

For these events to be generated you must configure AD DS auditing and enable Event Stamping on the DRA Administration Server. When Event Stamping is enabled, you will be able to view the changes that assistant administrators make in Change Guardian Event reports.

  • To configure AD DS auditing, see the Microsoft documentation on AD DS Auditing Step-by-Step Guide.

  • To configure Change Guardian integration, see Configuring Unified Change History Servers.

  • To enable Event Stamping, open the Delegation and Configuration console as DRA Administrator, and do the following:

    1. Navigate to Configuration Management > Update Administration Server Options > Event Stamping.

    2. Select an object type, and click Update.

    3. Select an attribute to use for Event Stamping for that object type.

      DRA currently supports Event Stamping for users, groups, contacts, computers, and organizational units.

      DRA also requires that the attributes exist in the AD schema for each of your managed domains. You should be aware of this if you add managed domains after configuring Event Stamping. If you were to add a managed domain that does not contain a selected attribute, operations from that domain would not be audited with the Event Stamping data.

      DRA modifies these attributes, so select attributes that are not used by DRA or by any other application in your environment.

For more information about Event Stamping, see How Event Stamping Works.
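The following PowerShell script is an added example, not code from the DRA documentation. It checks the two requirements stated above before you select Event Stamping attributes: that each chosen attribute exists in the schema reachable from every managed domain, and whether any object in that domain already carries a value for it (a sign that another application uses it). It assumes the ActiveDirectory module; the domain names and the attribute name are placeholders to replace with your own managed domains and your chosen attributes.

```powershell
# Added example (not from the DRA documentation): confirm that the attributes chosen
# for Event Stamping exist in the schema of every managed domain, and report whether
# any object already uses them. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$managedDomains       = @('corp.example.com', 'child.corp.example.com')  # placeholders
$eventStampAttributes = @('extensionAttribute15')                        # placeholder choice

function Test-SchemaAttribute {
    param([string]$Domain, [string]$AttributeName)

    $rootDse = Get-ADRootDSE -Server $Domain
    $attr = Get-ADObject -Server $Domain -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties lDAPDisplayName, isSingleValued, attributeSyntax

    # Only if the attribute exists, look for any object in the domain that already
    # has a value: that points to another application using the attribute.
    $inUse = $false
    if ($attr) {
        $inUse = [bool](Get-ADObject -Server $Domain -SearchBase $rootDse.defaultNamingContext `
            -LDAPFilter "($AttributeName=*)" -ResultSetSize 1)
    }

    [pscustomobject]@{
        Domain    = $Domain
        Attribute = $AttributeName
        Present   = [bool]$attr
        Syntax    = if ($attr) { $attr.attributeSyntax } else { $null }
        InUse     = $inUse
    }
}

$results = foreach ($d in $managedDomains) {
    foreach ($a in $eventStampAttributes) {
        try { Test-SchemaAttribute -Domain $d -AttributeName $a }
        catch { Write-Warning "$d : $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

$absent = $results | Where-Object { -not $_.Present }
if ($absent) {
    Write-Warning ("Operations in these domains would not carry Event Stamping data: " +
        (($absent | ForEach-Object { "$($_.Domain)/$($_.Attribute)" }) -join ', '))
}
$shared = $results | Where-Object { $_.InUse }
if ($shared) {
    Write-Warning ("Attributes already populated by something else: " +
        (($shared | ForEach-Object { "$($_.Domain)/$($_.Attribute)" }) -join ', '))
}
```

Domains in the same forest share one schema, so the Present column will agree across them; the check matters most when managed domains span several forests, and it is worth re-running whenever a managed domain is added after Event Stamping was configured.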

11.4.7 Configure Unified Change History

The Unified Change History (UCH) Server feature enables you to generate reports for changes made outside of DRA.

Delegating the Unified Change History Server Configuration Powers

To manage Unified Change History Server, assign the Unified Change History Server Administration role or the applicable powers below to assistant administrators:

  • Delete Unified Change History Server Configuration

  • Set Unified Change History Configuration Information

  • View Unified Change History Configuration Information

To delegate Unified Change History Server powers:

  1. Click Powers in the Delegation Management node, and use the search objects feature to find and select the UCH powers that you want.

  2. Right-click one of the selected UCH powers and select Delegate Roles and Powers.

  3. Search for the specific user, group, or assistant administrator group that you want to delegate powers to.

  4. Use the Object Selector to find and add the objects that you want, and then click Roles and Powers in the Wizard.

  5. Click ActiveViews, and use the Object Selector to find and add the ActiveViews that you want.

  6. Click Next and then Finish to complete the delegation process.

Configuring Unified Change History Servers

To configure Unified Change History Servers:

  1. Log in to the Delegation and Configuration Console.

  2. Expand Configuration Management > Integration Servers.

  3. Right-click Unified Change History, and select New Unified Change History Server.

  4. Specify the UCH server name or IP address, port number, server type, and access account details in the Unified Change History configuration.

  5. Test the server connection and click Finish to save the configuration.

  6. Add additional servers as required.

11.4.8 Certificate Validation

To enhance security, DRA validates the communication between the DRA server and the CG server using the CG server certificate. To enable this, provide details of the certificate bound to the CG server by modifying the 'CGAuditDriver.dll' configuration file in C:\Program Files (x86)\NetIQ\DRA\X64, adding content as in the following example.

Example:

  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <CertificateValidation>
      <Certificate server="10.204.102.188" hash="0E982C1D4463590DF4FF1D9626724AE8CBED49B5"/>
    </CertificateValidation>
  </configuration>

To configure multiple CG servers, add one Certificate entry per server to the configuration file.

Where:

Certificate server: IP address or host name of the CG server.

Hash: hash of the certificate bound to the CG server.

By default, the audit configuration file is not present; operations then continue to work, but the CG server certificate is not validated.

Restart IIS and the DRA Audit Service after adding the configuration file.
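The following PowerShell script is an added example and is not part of the DRA documentation. It reads the Certificate entries from the validation file, connects to each listed CG server over TLS, and compares the SHA-1 thumbprint the server actually presents with the configured hash, so that a stale hash (for example after a certificate renewal) is found before DRA starts failing to talk to CG. The file name CGAuditDriver.dll.config, the TLS port, and the assumption that the hash attribute is the certificate's SHA-1 thumbprint without separators are the author's assumptions, not statements from the documentation.

```powershell
# Added example (not from the DRA documentation): compare the thumbprint presented by
# each Change Guardian server with the hash recorded in the DRA certificate validation
# file. File name and port are assumptions; adjust them to your installation.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\NetIQ\DRA\X64\CGAuditDriver.dll.config',  # assumed name
    [int]$Port = 8443                                                                       # placeholder port
)

function Get-RemoteCertThumbprint {
    param([string]$Server, [int]$Port)

    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept whatever certificate the server offers here: the purpose of this
        # connection is only to read the certificate; the comparison happens below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Thumbprint = $cert.GetCertHashString()   # SHA-1 hex, upper case, no separators
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
        }
    } finally { $client.Close() }
}

if (-not (Test-Path $ConfigPath)) {
    Write-Warning "No certificate validation file at $ConfigPath: DRA is communicating with CG without validating its certificate."
    return
}

[xml]$config = Get-Content -Path $ConfigPath -Raw
$entries = @($config.configuration.CertificateValidation.Certificate)
if ($entries.Count -eq 0) { Write-Warning 'The file contains no Certificate entries.'; return }

foreach ($entry in $entries) {
    try {
        $remote     = Get-RemoteCertThumbprint -Server $entry.server -Port $Port
        $configured = $entry.hash.ToUpperInvariant()
        $match      = $remote.Thumbprint -eq $configured
        [pscustomobject]@{
            Server     = $entry.server
            Configured = $configured
            Presented  = $remote.Thumbprint
            Match      = $match
            Expires    = $remote.NotAfter
        }
        if (-not $match) {
            Write-Warning "Thumbprint mismatch for $($entry.server): verify the certificate change with the CG administrator before updating $ConfigPath."
        }
    } catch {
        Write-Warning "$($entry.server):$Port - $($_.Exception.Message)"
    }
}
```

The script also reports when the file is absent, which is the default state in which DRA does not validate the CG certificate; treat that as a finding in a hardening review rather than as a configuration detail. The Expires column makes it easy to schedule the hash update before the CG certificate is renewed.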

11.4.9 Access Unified Change History Reports

To generate and view Unified Change History reports on Active Directory objects via Change Guardian, see Generating Change History Reports in the Directory and Resource Administrator User Guide.