Active Directory Connector Overview

Capabilities

This connector enables you to use File Access Manager to access and analyze data stored in Active Directory and do the following:

Analyze the structure of your stored data.
Monitor user activity in the resources.
Classify the data being stored.
Verify user permissions on the resources, and compare them against requirements.
Manage access fulfillment - automated granting and revoking of access according to rules set in File Access Manager.
Identity collector – collect IAM users, groups, roles, and the connections between them.

See the File Access Manager documentation for a full description.

Supported Versions

Activity Monitor - The system supports auditing on domain controllers installed on Windows Server 2008 and above.

Note

The relevant factor is the operating system of the domain controller. Not the domain functionality level.
Permissions Collection and Crawling - Supported for all domain versions, forest versions, and operating systems.

Active Directory Installation Flow Overview

To install the Active Directory connector:

Configure all the prerequisites.
Add a new Active Directory application in the Business Website.
Install the relevant services:
- Activity Monitor- This is the activity collection engine, used by all connectors that support activity monitoring.
- Permissions Collector - If you are using EC2 login, the collector should be installed on the EC2 instance.
- Data Classification Collector

Important

Installing the permissions collector and data classification services is optional and should only be installed by someone with a full understanding of File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.

Activity Monitor

File Access Manager Activity Monitor for Active Directory (AD) is based on the native changes auditing capability in AD. AD writes these changes to the various domain controller event logs and the monitor collects them centrally so there is no need to install connectors on domain controllers.

The Activity Monitor service correlates the events and digests them, which makes events possible for people to read.

GPO Auditing

GPO auditing uses a proprietary method with no local connectors on the Domain Controller (DC). The method accesses all GPOs on all DCs through the SYSVOL share, and correlates GPO audit change events with the content of the GPOs.

Domain Controllers

To access the DCs, the Activity Monitor reads the list of all DCs from the domain every hour.

Crawling

Crawling and Permissions Collection work with standard LDAP queries to retrieve all the domain objects and analyze their respective permissions.

The Activity Monitor and Permissions Collector services can be installed on any server, including servers that are NOT members of the monitored domain. An application must be configured in File Access Manager for each monitored domain, with a separate set of Activity Monitor/Permissions Collection services, as described below.

Monitored Actions

Action	Meaning
Create	An object was created in the domain.
Undelete	An object was restored in the domain.
Move	An object’s location was changed in the domain.
Delete	An object was deleted in the domain.
FSMO Role Change	The owners of the domain FSMO roles were changed.
Audit Policy Change	The system audit policy was changed.
Domain Policy Change	The domain security policy was changed.
Account Lock	An account was locked, which includes the computer that originally caused the lock.
Account Logout	The account was logged out.
Reset Password	A user password was reset by another user.
Kerberos Pre-authentication failure	Kerberos pre-authentication failed.

Note

The old value will be empty and will not display in the Administrative Client if it was empty before the change. This is also true for the New value, if the attribute’s value was deleted.

Note

The account logon is not monitored by default. Refer to Special Configurations for a description on how to configure the Activity Monitor to collect Account Logon events.