Active Directory Connector Overview
Capabilities
This connector enables you to use File Access Manager to access and analyze data stored in Active Directory and do the following:
- Analyze the structure of your stored data.
- Monitor user activity in the resources.
- Classify the data being stored.
- Verify user permissions on the resources, and compare them against requirements.
- Manage access fulfillment - automated granting and revoking of access according to rules set in File Access Manager.
- Identity collector – collect IAM users, groups, roles, and the connections between them.
See the File Access Manager documentation for a full description.
Supported Versions
- Activity Monitor - The system supports auditing on domain controllers installed on Windows Server 2008 and above.
Note
The relevant factor is the operating system of the domain controller, not the domain functional level.
- Permissions Collection and Crawling - Supported for all domain versions, forest versions, and operating systems.
Active Directory Installation Flow Overview
To install the Active Directory connector:
- Configure all the prerequisites.
- Add a new Active Directory application in the Business Website.
- Install the relevant services:
- Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.
- Permissions Collector - If you are using EC2 login, the collector should be installed on the EC2 instance.
- Data Classification Collector
Important
Installing the Permissions Collector and Data Classification services is optional and should only be done by someone with a full understanding of the File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.
Activity Monitor
File Access Manager Activity Monitor for Active Directory (AD) is based on the native changes auditing capability in AD. AD writes these changes to the various domain controller event logs and the monitor collects them centrally so there is no need to install connectors on domain controllers.
The Activity Monitor service correlates the raw audit events and digests them into a form that people can read.
GPO Auditing
GPO auditing uses a proprietary method with no local connectors on the Domain Controller (DC). The method accesses all GPOs on all DCs through the SYSVOL share, and correlates GPO audit change events with the content of the GPOs.
Domain Controllers
To access the DCs, the Activity Monitor reads the list of all DCs from the domain every hour.
Crawling
Crawling and Permissions Collection work with standard LDAP queries to retrieve all the domain objects and analyze their respective permissions.
The Activity Monitor and Permissions Collector services can be installed on any server, including servers that are NOT members of the monitored domain. An application must be configured in File Access Manager for each monitored domain, with a separate set of Activity Monitor/Permissions Collection services, as described below.
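Because activity monitoring depends on the native change auditing that each DC writes to its own event log, a useful pre-installation check is to enumerate the domain's DCs (the same set the Activity Monitor refreshes hourly) and confirm on each one the operating-system requirement and that the Directory Service Changes audit subcategory is enabled. The PowerShell below is an added example, not code from the File Access Manager documentation; it assumes the RSAT ActiveDirectory module, WinRM access to each DC, and the function name Test-AdMonitoringPrereqs chosen here for illustration.

```powershell
# Added example, not part of the File Access Manager documentation.
# Lists every DC in a domain and checks the two prerequisites the page states
# for activity monitoring: a Windows Server 2008 or later operating system and
# the native "Directory Service Changes" audit subcategory enabled on the DC.
# Assumptions: RSAT ActiveDirectory module, WinRM access to each DC, and the
# function name Test-AdMonitoringPrereqs (chosen here, not a product name).
function Test-AdMonitoringPrereqs {
    param(
        [Parameter(Mandatory)] [string] $Domain   # e.g. corp.example.com (placeholder)
    )

    Import-Module ActiveDirectory

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        # OperatingSystemVersion looks like "6.0 (6002)" for Server 2008;
        # a major version of 6 or higher satisfies the page's requirement
        $major = [int] (($dc.OperatingSystemVersion -split '\.')[0])
        $osOk  = $major -ge 6

        # "auditpol /r" prints CSV; the "Inclusion Setting" column holds the
        # effective setting for the subcategory on that DC
        $setting = 'Unknown'
        try {
            $csv = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                auditpol /get /subcategory:"Directory Service Changes" /r
            } | Where-Object { $_ -ne '' } | ConvertFrom-Csv
            $setting = $csv.'Inclusion Setting'
        } catch {
            Write-Warning "Could not read audit policy on $($dc.HostName): $_"
        }
        # Change events are logged on success, so "Success" or
        # "Success and Failure" is required; "No Auditing" means nothing is written
        $auditOk = $setting -match 'Success'

        [pscustomobject]@{
            DomainController   = $dc.HostName
            OperatingSystem    = $dc.OperatingSystem
            OsSupported        = $osOk
            DsChangesAudit     = $setting
            AuditEnabled       = $auditOk
            ReadyForMonitoring = $osOk -and $auditOk
        }
    }
}

# Usage: Test-AdMonitoringPrereqs -Domain 'corp.example.com' | Format-Table -AutoSize
```

This covers only the directory change events; the account lockout, logon and policy change actions listed below come from other audit subcategories and are configured separately.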
Monitored Actions
| Action | Meaning |
|---|---|
| Create | An object was created in the domain. |
| Undelete | An object was restored in the domain. |
| Move | An object's location was changed in the domain. |
| Delete | An object was deleted in the domain. |
| FSMO Role Change | The owners of the domain FSMO roles were changed. |
| Audit Policy Change | The system audit policy was changed. |
| Domain Policy Change | The domain security policy was changed. |
| Account Lock | An account was locked, which includes the computer that originally caused the lock. |
| Account Logout | The account was logged out. |
| Reset Password | A user password was reset by another user. |
| Kerberos Pre-authentication failure | Kerberos pre-authentication failed. |
Note
The old value will be empty and will not display in the Administrative Client if it was empty before the change. This is also true for the New value, if the attribute’s value was deleted.
Note
The account logon is not monitored by default. Refer to Special Configurations for a description on how to configure the Activity Monitor to collect Account Logon events.