PowerBroker Auditor for Active Directory User Guide Version 5.8 – August 2018


Revision/Update Information: August 2018
Software Version: PowerBroker Auditor for Active Directory 5.8
Revision Number: 0

CORPORATE HEADQUARTERS

5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE

Copyright © 2018 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.

No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.

Contents

Introduction
  Contacting Support
  Privileged Account Management Support
  Vulnerability Management Support
  All other Regions
  Online
  Support Page
  Support Page Options
  BeyondTrust Product Name Conventions

Product Overview
  Protector for AD
  Recovery for AD

The Active Directory Dashboard
  Agent Status
  Configuration
  Options
  Recovery for Active Directory

Configuring Active Directory Agents
  Agent Requirements
  Deploying Active Directory Agents
  Managing Agents
  Uninstalling and Upgrading the Agent
  Troubleshooting Agents
  Agent Status
  Configuring Agent Monitoring

Configuring Active Directory Options
  Configuring General Options
  Configuring Nested Group Audit Settings
  Configuring Event Archiving
  Viewing Archived Data
  Alerts

Configuring Access to Auditor Views
  Adding Auditor Accounts
  Configuring Open Permissions

About Audit Views
  Audit View Settings

Using Built-in Audit Views
  Active Directory
  GPO Auditing
  Compliance
  Exchange
  General

Creating an Audit View
  General Page
  Who Page
  What Page
  Where Page
  When Page
  Schedule Page

Creating a Real-time Policy from an Audit View

Password Expiration Alerts
  Expiry Notification Template
  Report Templates
  Configuring Password Expiration Alerts Rules

Working with Reports
  Deploying Reports
  Viewing Reports
  Built-In Reports
  Active Directory
  Compliance
  Exchange
  General
  Creating Custom Reports
  Setting the Layout
  Publishing the Report

Working with the Audit Viewer
  Opening Audit Views
  Using the Audit Viewer Window
  Customizing the Audit Viewer Window
  Using the Auditor Interface
  PowerBroker Menu
  Home Tab
  View Tab
  Changing the Properties for an Audit View
  Who Tab
  What Tab
  Where Tab
  When Tab
  Reviewing Event Details
  Using the Rollback Feature

Appendix A: Using RSAT Extensions
  Show Audit Trail
  Show Account Activity
  Show Group Membership Changes

Appendix B: Working with Schedules and Rules
  Creating a Schedule
  Disabling a Schedule
  Deleting a Schedule
  Creating a Rule for a Schedule
  Editing a Rule
  Deleting a Rule
  Linking a Rule to a Schedule
  Clearing Rules from Schedules

Appendix C: SIEM Configuration

Appendix D: Manual Deployment
  Agent Deployment Outside of the PowerBroker Management Console
  Manual Uninstall
  Manual Agent Upgrade

Introduction

This guide provides instructions for using PowerBroker Auditor for Active Directory and information about product features, benefits, functions, unique concepts, and basic procedures.

Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

[email protected]

Telephone

Privileged Account Management Support

Within Continental United States: 800.234.9072

Outside Continental United States: 818.575.4040

Vulnerability Management Support

North/South America: 866.529.2201 | 949.333.1997

+ enter access code

All other Regions

Standard Support: 949.333.1995

+ enter access code

Platinum Support: 949.333.1996

+ enter access code

Online

http://www.beyondtrust.com/Resources/Support/


Support Page

PowerBroker Management Console now contains a Support page. This can be found under the Configuration node. Select the Support node to view the options.

Support Page Options

Basic Help Tools - A link to the BeyondTrust Support Page.

Generate Support Package - Allows you to generate a support package which gathers logs for troubleshooting. This collects all relevant information quickly and compiles it into a .zip file which can be transferred to Technical Support when you require assistance.

BeyondTrust Product Name Conventions

This User Guide uses the following naming conventions for BeyondTrust products:

PowerBroker Auditing & Security Suite | PBAS Suite
PowerBroker Auditor for Active Directory | Auditor for AD
PowerBroker Auditor for File System | Auditor for FS
PowerBroker Event Vault for Windows | EV for Windows
PowerBroker Auditor for SQL | Auditor for SQL
PowerBroker Change Manager for Active Directory | Change Manager for AD
PowerBroker Privilege Explorer for Active Directory | Privilege Explorer for AD
PowerBroker Privilege Explorer for File System | Privilege Explorer for FS
PowerBroker Protector for Active Directory | Protector for AD
PowerBroker Recovery for Active Directory | Recovery for AD


Product Overview

REAL-TIME CHANGE TRACKING AND SECURITY COMPLIANCE FOR YOUR ACTIVE DIRECTORIES AND GROUP POLICIES

A single change to Active Directory (AD) and Group Policy configurations can endanger your entire organization; affecting productivity, risking security breaches, and threatening non-compliance. However, built-in Active Directory auditing tools are cumbersome and lack centralized auditing and reporting capabilities. Analysis of native security logs requires enormous resources and still fails to show the entire scope of AD activity. PowerBroker Auditor for Active Directory provides a new level of centralized control and ease to AD auditing and compliance. This powerful solution monitors AD and Group Policy in real time—tracking the “WHO, WHAT, WHERE, WHEN” for every change.

Features of Auditor for Active Directory:

• Real-time AD and GPO change monitoring

• A central audit database for reporting and alerting against all change activity

• An extensive library of security and compliance reports

• Intuitive wizards for custom views and reports

• Ability to track the who, what, when, and where for every change

• Ability to track before/after value for every change

• Provides the originating hostname/IP address for each change

• Intelligent auditing that displays a single entry for every event

• Plain English filtering, searching and reporting at the attribute level

• Audit event analytics for every object

Protector for AD

Protector provides real-time protection and automated policy enforcement for Active Directory. For more information regarding Protector, please refer to the Protector for AD User Guide.

Recovery for AD

Advanced Continuous Data Protection (CDP) makes Recovery for Active Directory the most advanced solution there is. All changes to the AD are stored in a centralized continuous change log, allowing administrators unparalleled visibility and change control. For more information regarding Recovery for Active Directory please refer to the Recovery for AD User Guide.


The Active Directory Dashboard

PowerBroker Auditor for AD allows you to keep up with the status of your Active Directory functions simply by selecting the Active Directory node. Various settings and options can be configured within the following four sections on the Auditor for Active Directory dashboard: Agent Status, Configuration, Options, and Recovery for Active Directory.

Agent Status

There are several states that the Agent Status will display:

– Red - <DC name> not updating OR <DC name> agent not found

– Yellow - <DC name> newer version available (should be upgraded?)

– Green - All PowerBroker Auditor for Active Directory Agents are running and up to date.

Agents categorized as Yellow can be resolved by right-clicking on the agent and selecting resolve. This will update the agent.

Configuration

The configuration section of the dashboard displays:

– The accounts configured to view collected audit data

– Link to configure Audit View default settings

– The accounts excluded from auditing

– Link to manage accounts lists and configure the general settings

– Link to configure Nested Group audit settings


Options

The Options section of the dashboard displays the current status of the SRS reports, if configured, as well as a quick link to launch the audit view creation wizard for critical groups.

Recovery for Active Directory

The Recovery for Active Directory section allows you to configure settings such as Object and GPO backups and purging of data and to retain password information when deleting objects.


Configuring Active Directory Agents

Agent Requirements

Overview

When you deploy an agent the following SQL server changes will be attempted by the Management Server service account during deployment:

• Create a server login for the Domain Controllers group by default or the credentials supplied by the user on the 'Database' page (db_securityadmin).

• Create user login on the PBAS Suite database for the DC group (db_owner).

• Add the user login to the PBAS Suite role (db_securityadmin or db_owner).

Agent Deployment Requirements

The account will need:

• Administrator access to the target host

• DBO access on the PBAS Suite database

• Remote registry services

• DNS name resolution

Agent Service Account

The agent runs as Local System.

Deploying Active Directory Agents

After the initial installation of PowerBroker Auditor for Active Directory, you must deploy an agent to every domain controller (DC) where you want to monitor selected Active Directory objects. The AD agent automatically collects all changes that occur in Active Directory. The events are tracked as they occur.

Note: We recommend deploying an agent to every DC in your network for full monitoring coverage. Otherwise, not all activity will be monitored. You can deploy an agent to any domain controller, regardless of what forest the domain controller exists in. RODCs should not have agents deployed to them. Any agents previously installed on RODCs should be removed.
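A pre-deployment check for the requirements and the RODC rule above, as an added example (not from the BeyondTrust guide or product). The domain name, SQL Server host and port are placeholders, and the script assumes the ActiveDirectory RSAT module and WinRM access to the domain controllers.

```powershell
#Requires -Version 5.1
#Requires -Modules ActiveDirectory

# Placeholders assumed for this example (not values from the guide).
$DomainName = 'corp.example.com'        # domain whose DCs will receive agents
$SqlServer  = 'sql01.corp.example.com'  # host of the PBAS Suite database
$SqlPort    = 1433                      # default instance port; change for named instances

function Test-AgentDeploymentTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $SqlServer,
        [int] $SqlPort = 1433
    )

    # Requirement: DNS name resolution for the target host.
    $dnsOk = [bool](Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue)

    # Requirement: administrator access to the target host.
    # Reading the ADMIN$ share normally succeeds only for an administrator.
    $adminOk = Test-Path -Path ('\\{0}\ADMIN$' -f $HostName) -ErrorAction SilentlyContinue

    # Requirement: Remote Registry service. Report its state and start mode.
    $remoteRegistry = 'query failed'
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $HostName `
                   -Filter "Name='RemoteRegistry'" -ErrorAction Stop
        if ($svc) { $remoteRegistry = '{0} ({1})' -f $svc.State, $svc.StartMode }
        else      { $remoteRegistry = 'not installed' }
    } catch { }

    # The agent writes to SQL Server from the DC itself, so test the TCP path
    # from the DC rather than from the console host. $null means "could not test".
    $sqlReachable = $null
    try {
        $sqlReachable = [bool](Invoke-Command -ComputerName $HostName -ErrorAction Stop -ScriptBlock {
            param($Server, $Port)
            (Test-NetConnection -ComputerName $Server -Port $Port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        } -ArgumentList $SqlServer, $SqlPort)
    } catch { }

    [pscustomobject]@{
        DomainController = $HostName
        DnsResolves      = $dnsOk
        AdminShare       = $adminOk
        RemoteRegistry   = $remoteRegistry
        SqlReachable     = $sqlReachable
    }
}

$allDcs   = Get-ADDomainController -Filter * -Server $DomainName
$rodcs    = @($allDcs | Where-Object { $_.IsReadOnly })
$writable = @($allDcs | Where-Object { -not $_.IsReadOnly })

# RODCs must not receive an agent; list them so they can be excluded from the
# deployment selection and checked for previously installed agents.
foreach ($rodc in $rodcs) {
    Write-Warning ("RODC, do not deploy an agent: {0}" -f $rodc.HostName)
}

# Every writable DC should pass all checks before deployment; a DC that is
# skipped or fails here is a gap in audit coverage.
$report = foreach ($dc in $writable) {
    Test-AgentDeploymentTarget -HostName $dc.HostName -SqlServer $SqlServer -SqlPort $SqlPort
}
$report | Format-Table -AutoSize

# DBO access on the PBAS Suite database is not tested here; verify it in SQL Server.
```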

1. Open PowerBroker Auditor for Active Directory.
2. Expand PowerBroker Auditing & Security Suite.
3. Expand Active Directory.
4. Right-click Domain Controllers and then select Deploy agent.
5. In the Deploy Active Directory Agent dialog box, under Domain Controller Selection, select the options as follows:
   a. Deploy to all domain controllers in the following domain:
      – Click the Browse button and then select the domain and then click OK.
   b. Deploy to the following domain controllers:
      – Click the Browse button and then select the domain and click OK.
      – Select the DC(s) from the Domain Controller list.
      – To deploy agents to DCs in an external forest, click Change Forest and then provide the server name or IP address for the DC, credentials that have read rights to connect to the external forest, and then click OK.
   c. Select the Install the TLS 1.2 check box to install the SQL Server Native Client driver.
6. In the Deploy Active Directory Agent dialog box, under Deployment Credentials, provide the logon credentials for the remote agent deployment. This account must have administrative rights on the destination server.
   – Select Use specified credentials and then provide the domain\user name for the account (or click the Browse button to search for the user account).
   – Enter the password and then click OK.
7. In the Deploy Active Directory Agent dialog box, select Database from the left pane to open the Database Access page.

   Verify authentication using either SQL or Windows authentication. If you choose Windows authentication, access to the database needs to be granted to the agents. If you choose SQL Server, no further authentication is required. Note that all database activity originating from the destination domain controller will be executed using the credentials provided on this page.

   The Management Server Service Account requires sufficient access on the SQL Server to create logins and users on the SQL Server. If the Service Account does not have these rights, the AD agents will not have access to the SQL server and will remain in the "Deployed" or "Starting" status in the Management Console, although the deployment will still be successful.

Managing Agents

From the Domain Controllers screen you can view the status of the agent and details of the DC such as OS & version, last update time, and the forest where the DC resides. You can also right-click a DC in the list and reload the settings, upgrade the agent, remove the agent, view the agent log file, restart, start, and stop the agent, and view its properties.

Uninstalling and Upgrading the Agent

Note that it is not required that you restart to upgrade or uninstall the agent. However, you must restart the server to ensure all files are removed after an uninstall.


Troubleshooting Agents

If the agent's status is not "Running" consider these questions:

• What is the agent's Last Update Time?

• Is the remote machine running and can you log on to it?

• Is the agent service running?

• Does the machine have connectivity to the database and does the service account have permissions to the database?

Generally, there are two reasons why an audit event wouldn't appear in our Audit Views: the agent is not running, or the agent cannot communicate with the database.

• If the agent is not running:

– What is the status of the agent in the console?

– ‘Offline’ means the agent hasn't updated its Last Update Time in the database in over 10 minutes.

– ‘Error’ status can indicate that an error condition occurred during a deployment or upgrade of an agent.

– A ‘Deployed’ status for an extended period of time might indicate that although the deployment of the agent was successful, the Agent itself was either unable to start/run, or it cannot communicate with the SQL Server (in order to update its status to ‘Running’).

– If an error status occurs during deployment or upgrade, check the deployment log file.

– Is the machine running?

– Is the service running? Try to start it. If the service account / password combination are incorrect, you will receive an error message. Fix the account and/or password and try again.

• Agent cannot communicate with the database:

– A ‘Deployed’ status for an extended period of time likely indicates that although the deployment of the agent was successful, the agent itself was either unable to start/run, or it cannot communicate with the SQL Server (in order to update its status to ‘Running’).

– Agents send a heartbeat (the ‘last update time’ column) to the database every 10 minutes. If the last heartbeat is longer than 10 minutes, this can indicate the agent is either offline or has lost connectivity with the database.

• Troubleshooting communication issues with the SQL Server can be potentially complicated, as there are multiple factors. High-level ones are:

– Does the agent machine have connectivity to the database server? (firewall issues, DNS, routing, etc.)

– Does the agent computer account have the correct permissions to the database?

Note: You can right-click on agents and choose the Restart option. This may be helpful if your agent doesn't appear to be running properly or if a change has been made to the SQL Server. Also note that the Update option will upgrade all systems with agents. The Update option can be done in groups by selecting multiple DCs.


Agent Status

• The Deploying status is written to the database by the PowerBroker server service. It is attempting to copy agent files to the Domain Controller and setup/start the service.

• The Deployed status is written to the database by the PowerBroker server service. Files were copied and service work has been done on the Domain Controller.

• The Updating status is written to the database by the PowerBroker server service. It is attempting to copy the new files to the Domain Controller and setup/start the service.

• The Updated status is written to the database during the upgrade by the PowerBroker server. The file copy and service changes were successful on the Domain Controller.

• The Running status is written to the database by the agent. The service has started properly and has successfully contacted the SQL database.

• The Offline status is written to the database by the PowerBroker server service. It has noticed the agent has not updated its heartbeat in 10-15 minutes.

• The Error status is written to the database by the PowerBroker server service. This status will appear if it cannot complete the task of deploying, updating or removing an agent. If you see a status of "Error", check both the event logs and the PBAS Suite logs on the PBAS Suite server and Domain Controller.

• The Running, with Queue status is written to the database by the PowerBroker server service. This status will appear if the agent is queueing events to disk due to SQL connectivity issues.

Configuring Agent Monitoring

You can configure options to control what happens if an agent goes offline.

1. Open PowerBroker Auditing & Security Suite.
2. Expand PowerBroker Auditing & Security Suite.
3. Select the Active Directory node.
4. Click the first quick link in the Configuration section.
5. On the Settings dialog box, under Agent Status select the Enable Agent monitoring check box.
6. Select the options for actions to take if an agent goes offline as follows:
   – Send an e-mail when an agent goes offline by checking the first box and entering an e-mail address.
   – Have an event recorded in the event log when an agent goes offline by checking the second box.
   – Send an SNMP message.
   – Set a maximum # of alerts per offline events by checking the box and entering the maximum number.
   – Set a maximum # of queued events by checking the box and entering the maximum number.
   – Turn off alerts by clicking Advanced and then selecting the DC and clicking Disable Monitoring.
7. Click OK in the Settings dialog once you have selected all of your options.


Configuring Active Directory Options

Configuring General Options

To change general options for Active Directory collection:

1. Open PowerBroker Auditing & Security Suite.
2. Expand PowerBroker Auditing & Security Suite.
3. Select the Active Directory node.
4. Click the first quick link in the Configuration section.
5. In the Settings dialog set the following options:
   – Ignore logon events for auditing.
   – Send an e-mail when an agent goes offline by checking the first box and entering an e-mail address.
   – Have an event recorded in the event log when an agent goes offline by checking the second box.
   – Send an SNMP message.
   – Set a maximum # of alerts per offline events by checking the box and entering the maximum number.
   – Set a maximum # of queued events by checking the box and entering the maximum number.
   – Turn off alerts by clicking Advanced and then selecting the DC and clicking Disable Monitoring.
   – Configure Event Archiving.
6. Click OK on the Settings dialog after selecting your options.

Configuring Nested Group Audit Settings

Nested group audit settings can be configured from the Dashboard. This option generates additional audit events for recursive group membership changes.


Enabling nested group auditing can potentially create a large number of audit events in organizations with frequent and complex group memberships.

If you enable the feature, by default nested group events are generated for all groups.

Alternatively, you can limit the scope of the nested group auditing to only specific groups (for example, critical groups such as Domain Admins and Enterprise Admins) by adding only the groups to audit to the list.

1. Open PowerBroker Auditing & Security Suite.
2. Expand PowerBroker Auditing & Security Suite node.
3. Select the Active Directory node.
4. In the Configuration section, click the link to configure nested groups.

5. Select the check box, and then click Add.

6. Click OK.


Configuring Event Archiving

PowerBroker Auditor for Active Directory allows you to archive or purge audit data after a specific period of time.

To configure archiving:

1. Open PowerBroker Auditing & Security Suite.
2. Expand the PowerBroker Auditing & Security Suite node.
3. Select the Active Directory node.
4. On the dashboard select the first quick link under Configuration.
5. Under Event Archiving:
   – Select the Archive events older than check box. The default value is 90 days.
   – Select the Purge events older than check box to purge events from the database. The default value is 90 days.

   Note: Your archiving events schedule should always be a shorter time frame than your purge events schedule. You may experience a delay in completion of a purge depending on the amount of data collected.

6. Click OK.

Viewing Archived Data

To see events in the Audit Viewer, the current user must be added to the Auditor Accounts list in the PowerBroker console.

There are two ways to view archived data:

• In the Audit Viewer:

• In the Report Manager:

Alerts

You can create custom email templates to send notifications to a list of recipients.

For information on configuring alerts, refer to PowerBroker Protector for Active Directory User Guide.


Configuring Access to Auditor Views

Adding Auditor Accounts

To see events in the Audit Viewer, the accounts must be configured in the Management console.

By default, no accounts are given audit permission. Therefore, if you try to open an audit view before adding auditor accounts, you will receive an error which states that you do not have access to view audit data.

To resolve this error, follow the steps below to add auditor accounts.

1. Open PowerBroker Auditing & Security Suite.
2. Expand PowerBroker Auditing & Security Suite.
3. Select the Active Directory node.
4. In the Configuration section of the dashboard click the link to manage the list for viewing collected audit data.
5. Click Add:

6. Enter the accounts to add and then click OK.


7. Click OK.

Note: A user must be a member of a group or explicitly defined in the Auditor Accounts section or they cannot run the Audit Viewer, even if they have the appropriate permissions to the view.

Configuring Open Permissions

You can delegate access to control who can open audit views. This is accessed from the Permissions dialog box for each audit view. By default, Domain Admins and Enterprise Admins have open rights for all views.

To modify who has open access for a particular view:

1. Open Auditor for AD.
2. Expand PowerBroker Auditing & Security Suite.
3. Expand Active Directory.
4. Expand Audit Views and find the view that you want to change permissions for.
5. Right-click a view and then select Permissions.
6. Use the Permissions dialog to deny Open access to existing accounts.
7. If needed, click Add to add accounts.
8. Select the users, computers, service accounts, or groups. Click OK.
9. Allow or deny Open access for those users.


About Audit Views

• An audit view is a query against the database that returns a collection of Active Directory events that you want to monitor.

• When you open an audit view, data is collected based on the search parameters chosen when the view was created.

Packages I Need to Use This Feature

Module | Description | License Required?
Server/Console | The Server/Console module provides fundamental setup features such as deploying agents; configuring e-mail accounts; and creating schedules to associate with collectors, policies, and auditing. | ✓
PowerBroker Auditor for Active Directory | The PowerBroker Auditor for Active Directory tracks changes to Active Directory and GPO objects. Each audit event includes the 4 W’s (Who, What, Where, When) for all changes. It also includes before and after values for all attributes. The Audit Viewer; built-in audits; and creating collector policies are key features provided by the auditor module. | ✓

Audit View Settings

You can configure your Audit View Defaults using a link on the Active Directory Dashboard. This allows you to change settings such as Sorting, Grouping, and the number of Events per Audit View for all new views created.

The Maximum number of events, set at 5000 by default, only applies to new views, while the other options apply to any existing Audit Views.

From the Active Directory Dashboard, you can also control who can view collected audit data and who is excluded from auditing.

Note: When accounts are added to the exclusion list, Active Directory activity that they perform will NOT be audited.


Using Built-in Audit Views

Under the Audit Views node you will see two folders: Built-in and My Audit Views. PowerBroker Auditor for Active Directory ships with a complete set of built-in audit views already created for you to use. The folder labeled My Audit Views is a private user account folder. Any views or sub-folders created under this folder are only accessible by the user who created them.

In the Built-in folder there are a variety of views to choose from to look for specific event changes that have happened without having built those views yourself. There are over 200 views in this folder. When you select the Audit Views node, a field is provided to search for a built-in view using keywords, for example: message texts, or account enabled.

When you select the Audit Views node, you can also search for an audit view by name using keywords in the Search box in the right pane.

Active Directory

The Active Directory audit views are divided into categories such as computer changes, container changes, GPO changes, Group Changes, OU changes, User changes, etc.

GPO Auditing

PowerBroker Management Console provides the ability to audit Group Policy changes. All data collected on GPO events are viewable in the Audit Viewer using built-in Audit Views.

The Details window includes all relevant information on the GPO change as well as readable setting values where possible, such as the User Interface Path of the option within GPEdit.

Settings Audited in AD

• Wired Network (IEEE 802.3) Policies

• Windows Firewall with Advanced Security

• Wireless Network (IEEE 802.11) Policies

• IP Security Policies on Active Directory (domain)

Settings Not Currently Audited

• Computer Configuration > Policies > Software Settings > Software installation

• Computer Configuration > Policies > Windows Settings > Scripts

• Computer Configuration > Preferences

• User Configuration > Policies > Software Settings > Software installation

• User Configuration > Policies > Windows Settings > Scripts

• User Configuration > Policies > Windows Settings > Folder Redirection

• User Configuration > Preferences


Compliance

The Compliance audit views provide auditing activity that supports various areas of compliance in today’s corporate environments, such as SOX, HIPAA, and FISMA.

Exchange

Auditor for AD provides audit views for Exchange on Administrative Group Changes, Organization Configuration, Server Configuration as well as System Policy Changes made in the last 14 days.

At any time you can choose to right-click on any view and Cut, Copy or Paste any audit view.

General

The audit views in the General folder provide auditing for activities such as all changes, creations, deletions, and GPO changes made in the last day or 7 days.


Creating an Audit View

If any of the available templates provided do not suit your requirements, you can customize Audit Views to meet your specific needs.

1. Open Auditor for AD.
2. Expand PowerBroker Auditing & Security Suite.
3. Expand Active Directory.
4. Right-click Audit Views and then select New > Audit View.
5. You will see the New Audit View dialog. Each of its options is outlined in the following pages.

– General Page

– Who Page

– What Page

– Where Page

– When Page

– Schedule Page

6. After you have entered your settings, click OK to close the dialog box and save your changes.

General Page

On the General page, provide a name and description for the audit view and then click OK.

Who Page

On the Who page, select the accounts, workstations, and domain controllers that you want to audit.

1. To select specific objects, click Add.
2. Select the items, and then click OK.


3. To set an exclusion for a particular account, click Add.

Use the Exclusions feature to exclude events for an account. You can add as many exclusions as you need.

If a user account is listed in the include and exclude list, then the exclusion takes precedence.

For example, you want to send an email alert any time a group is created by any user other than Domain Admins. On the Who page, set the Domain Users on the include list, and the Domain Admins on the exclude list.

Clicking Clear removes all the added objects in the respective list.

4. Click OK.


What Page

1. On the What page, choose which events to monitor. Choose Classic or Custom from the filter type.

2. Click Add to bring up the Filter Editor Dialog Box which allows you to search on attribute values within an audited event.

3. In the Actions field you can choose from the following options:

The Action you choose will change the highlighted fields to only those relevant to the selection. If you have chosen Modify you must complete the relevant fields. For all other Actions, only the Object type must be chosen.

4. In the Object type field make your selection from the drop down menu.
5. In the Attribute field make your selection from the drop down menu.


6. You can then choose the New value and the Old value from the drop down menus. You do not need to complete both fields.

Where Page

On the Where page you can select the objects that you want to filter.

1. Select one of the following options:

– Show events for all objects: Select this option to filter actions on every object detected by the domain controller. (Actions are selected on the What page.)

– Show events for the following object: Select this option to choose a particular container to narrow the scope of the filter.

– Match all objects except: Select this option to make exclusions to the criteria. This is useful when creating an audit view to alert when a new user is created that is NOT in a designated OU.

2. Click Add and select a Container or an Object from the local forest or an external forest. Multiple objects and containers can be added to the list.

3. Once your container or object has been added, select one of the following from the Inheritance list:

– Object only: Select this option to filter the object only.

– Child objects only: Select this option to filter only children of the selected object.

– This object and all child objects: Select this option to filter the object and all children.
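The Who and Where rules described above (exclusion precedence, the three Where options, and the Inheritance setting) can be checked against a small model. This is an added example, not the product's own code; the group membership, account names, and DNs are constructed, and it assumes that "child objects" means all descendants and that an empty list means no filtering on that criterion.

```python
import re
from dataclasses import dataclass, field

# Constructed group membership (assumption); the product resolves groups from AD.
GROUPS = {
    "Domain Users": {"alice", "bob", "svc-admin"},
    "Domain Admins": {"svc-admin"},
}


def expand(principals):
    """Expand group names to member accounts; plain account names pass through."""
    members = set()
    for name in principals:
        members |= GROUPS.get(name, {name})
    return {m.lower() for m in members}


def rdns(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def in_scope(target_dn, scope_dn, inheritance):
    """Apply one Where-page entry together with its Inheritance setting."""
    target, scope = rdns(target_dn), rdns(scope_dn)
    is_self = target == scope
    # A descendant has extra leading RDNs and the scope's RDNs as its suffix.
    is_child = len(target) > len(scope) and target[-len(scope):] == scope
    if inheritance == "object_only":
        return is_self
    if inheritance == "child_objects_only":
        return is_child
    if inheritance == "object_and_children":
        return is_self or is_child
    raise ValueError(f"unknown inheritance: {inheritance}")


@dataclass
class Event:
    who: str
    action: str
    object_type: str
    object_dn: str


@dataclass
class AuditView:
    include: set = field(default_factory=set)       # Who: include list
    exclude: set = field(default_factory=set)       # Who: exclusions
    actions: set = field(default_factory=set)       # What: actions
    object_types: set = field(default_factory=set)  # What: object types
    where_mode: str = "all"                         # "all" | "following" | "except"
    scopes: list = field(default_factory=list)      # Where: (dn, inheritance) pairs

    def matches(self, ev):
        who = ev.who.lower()
        # Exclusion is checked first: it wins even if the account is also included.
        if who in expand(self.exclude):
            return False
        if self.include and who not in expand(self.include):
            return False
        if self.actions and ev.action not in self.actions:
            return False
        if self.object_types and ev.object_type not in self.object_types:
            return False
        if self.where_mode == "all":
            return True
        hit = any(in_scope(ev.object_dn, dn, inh) for dn, inh in self.scopes)
        if self.where_mode == "following":
            return hit
        if self.where_mode == "except":
            return not hit
        raise ValueError(f"unknown where_mode: {self.where_mode}")


# Constructed sample events.
EVENTS = [
    Event("alice", "Create", "group", "CN=Helpdesk,OU=Groups,DC=example,DC=com"),
    Event("svc-admin", "Create", "group", "CN=Tier0,OU=Groups,DC=example,DC=com"),
    Event("bob", "Create", "user", "CN=New Hire,OU=Staff,DC=example,DC=com"),
    Event("bob", "Create", "user", "CN=Shadow,CN=Users,DC=example,DC=com"),
]

# "A group is created by any user other than Domain Admins."
GROUP_BY_NON_ADMIN = AuditView(
    include={"Domain Users"}, exclude={"Domain Admins"},
    actions={"Create"}, object_types={"group"},
)

# "A new user is created that is NOT in a designated OU."
USER_OUTSIDE_STAFF = AuditView(
    actions={"Create"}, object_types={"user"}, where_mode="except",
    scopes=[("OU=Staff,DC=example,DC=com", "object_and_children")],
)


def evaluate(view, events=EVENTS):
    """Return one match flag per event, in order."""
    return [view.matches(e) for e in events]


if __name__ == "__main__":
    print("group by non-admin:", evaluate(GROUP_BY_NON_ADMIN))
    print("user outside Staff:", evaluate(USER_OUTSIDE_STAFF))
```

Because the exclusion is evaluated before the include list, the svc-admin event never reaches the view or any alert built on it, so exclude entries deserve the same review as the exclusion list on the Active Directory Dashboard.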


When Page

On the When page, select a date range from the following options:

– Return all logged events: Select this option to display all logged events in the Audit Viewer window.

– Return events between: Select this option then select date ranges from the date lists. This filters the list of logged events in the Audit Viewer window by date.

– Return events that occurred in the last x days: Select this option and then enter a value in the box. This filters the logged events that occurred in that number of days, minutes, hours, weeks or months.


Schedule Page

Note: Scheduled Audit View reports run under the credentials of the Management Server service account. To ensure the audit view is generated, the Server service account must be added to the Auditor Accounts list and needs write access to the folder specified in File location.

1. On the Schedule page, there is an option to automatically generate the view as a report on a desired schedule.

2. Click the Browse button to open the Object Selector dialog box.
3. Choose the schedule in the Object Selector dialog box. (If you have not yet created a schedule, click the New Schedule button to create one.)

Note: There is a Clear link that allows you to remove the rule from this view.


4. Select Generate report. You can set the following options:

– File format: Choose PDF, XML, CSV, or HTML format.

– File location: Choose the local path or Windows file share to save the report. The PowerBroker Server service account will require full control to this location.

– Event limit: Set the maximum number of events to be included in the report.

– Do not generate report if no matching events found: If there is no change in the data collected a report is not sent.

5. Click OK to save your settings.


Creating a Real-time Policy from an Audit View

You can create a Real-time Protection Policy for any audit view by right-clicking the audit view and selecting Create a Real-time Policy from the menu. You will see the New Real-time Protection Policy dialog box. Provide all of the information for each page: General, Who, What, Where, and Action to create the policy. Refer to PowerBroker Protector for Active Directory User Guide for more information on creating and using real-time protection policies and alerts.

Note that applicable settings from the source Audit View will be automatically preset in the new Real-time Policy.


Password Expiration Alerts

Password Expiry Alerts allow administrators to create rules to configure password expiry notifications. These rules can specify who receives a password expiry notification, how often they receive the notification and whether or not an administrator is informed of the upcoming expiry. The information within the rule can also be configured to generate a report on password expiry.

Note: This feature does not configure password expiry, only notification alerts for when passwords will expire.

Note: You can access Password Expiry Alerts from the tree under PowerBroker Auditing & Security Suite > Active Directory > Audit Views and also from Configuration > Email Templates.

To utilize this feature, administrators must first create at least one Expiry Notification Template. Create an Expiry Report Template and a Schedule if you are planning to enable the reporting on password expiry.

Expiry Notification Template

The Expiry Notification Template allows you to customize the password expiry notification message sent to the Users by your Password Expiration Alert Rule.

To create an Expiry Notification Template:

1. Expand Configuration > Email Templates > Password Expiry Alerts.
2. Right-click Password Expiry Notifications and then select New > Email Template.
3. Give the template a name and description and then select Template Preview from the left pane.
4. Click Customize.
5. On the HTML tab, you can modify the text directly in the window or you can click the Source button to modify the HTML code. You can also import and export .html files if desired. The Import and Export buttons are enabled when you click on the Source button.

6. Once your changes are complete, click OK and then OK again in the New Email Template dialog to save changes and close the dialog.

Leave the Recipients page blank in the Notification Template. Recipients will be automatically specified by the rule.

Report Templates

Report Templates are configurable and customizable templates which provide a detailed report that can be emailed to a recipient for audit.

To create a Report Template:

1. Expand Configuration > Email Templates > Password Expiry Alerts.
2. Right-click Password Expiry Reports and then select New > Email Template.
3. Give the template a name and description.
4. Select Recipients from the left pane.
5. Enter the email address of the person(s) you wish to audit the report.
6. Select Template Preview from the left pane.
7. Click Customize.
8. On the HTML tab, you can modify the text directly in the window or you can click the Source button to modify the HTML code. You can also import and export .html files if desired. The Import and Export buttons are enabled when you click on the Source button.

9. Once your changes are complete, click OK and then OK again in the New Email Template dialog to save changes and close the dialog.


Configuring Password Expiration Alerts Rules

To configure a password expiration rule:

1. Expand the Active Directory node.
2. Right-click Password Expiry Alerts and then select New > Password Expiration Rule.
3. Provide a Name and Description for the rule.
4. Select Scope from the left pane.
5. Click Add and then select your container, group, or user.
6. Once your objects have been added, you can choose either Subtree or One Level under the Options column.
7. If necessary, select the Exclusions tab to add users you wish to omit from the rule.

8. Select Schedule from the left pane.
9. Click Add.
10. Configure your schedule settings and then click OK.

You can add multiple schedule rules. On each scheduled notification, the administrator can set a notification to be sent to a manager. This will CC Managers on the same notification being sent to the users.

11. Select Email Settings from the left pane.
12. By default the email attribute is set to mail. However, administrators can override and choose another Active Directory attribute as an advanced option. Click the browse button to select an AD attribute if required.
13. Click the browse button to select an email template.

This template is configured with the information which will be displayed to the notification recipients. Click Details to edit the existing template.

14. Select Report from the left pane.

The report page allows administrators to configure a summary report to be sent according to the schedule configured on this screen. It will send a report to the person who is specified in the Email template.

15. Check Send summary report to enable the settings on this page.


16. Select a schedule and an email template then click OK.

Click Details to edit the template if required.

The initial email of the report will display only the first 30 users. The full report is attached to the email in CSV format.


Working with Reports

Deploying Reports

PowerBroker Auditor for Active Directory reporting is provided through Microsoft SQL Server Reporting Services (SSRS). SSRS needs to be implemented and configured prior to use. (See Microsoft’s SSRS documentation for installation and configuration procedures.)

1. Open PowerBroker Auditing & Security Suite.
2. Expand PowerBroker Auditing & Security Suite.
3. Select the Active Directory node.
4. In the dashboard under Options click the first quick link to launch Reporting Services Configuration.

5. Enter the Web Service URL, Report Manager URL, and the Report Server Instance.

The Web Service and Report Manager URLs can be found in the SQL Reporting Services Configuration Manager console.

The Report Server Instance name is displayed on the dialog box when you open SQL Server.


6. Select the Deploy Default Reports check box to download SRS built-in reports included with Auditor for AD.

The reports are not required to use SRS reporting features.

7. Click Connect.
8. Click OK when a successful connection is made.

Now the version string will be visible.

9. The Folder field defines where the reports will be deployed on the server. Click the Browse button to change the location if desired.


10. Click Deploy to upload the reports.
11. Click OK in the Success dialog box.

Viewing Reports

1. Open the Auditor for AD Viewer.
2. Expand Active Directory.
3. Expand Audit Views.
4. Select an audit view.
5. In the Audit View window, click Open Reports on the Home tab.

6. The default browser will open and show the Report Manager URL.
7. Click a report.

Note: This is a static URL for all PowerBroker Auditor for Active Directory reports. Bookmark it for quick reference in the future.

8. If prompted, set the report parameters and click View Report.

9. The report will load.

Built-In Reports

There are over 200 SRS reports available for PowerBroker Auditor for Active Directory. They are divided into 4 parent folders, comprised of several child directories.

Active Directory

The Active Directory folder contains the following report topics:


• Computer Changes

• Container Changes

• FRS Changes

• GPO Changes

• Group Changes

• Infrastructure Changes

• OU Changes

• Printer Changes

• User Changes

Compliance

The Compliance folder contains the following report topics:

• FISMA

• HIPAA

• PCI

• SOX

Exchange

The Exchange folder contains the following report topics:

• Administrative Group

• Organization Configuration

• Server Configuration

General

The general folder contains six reports which you can filter through using the Audit Viewer.

• All Changes in last 1 day

• All Changes in last 7 days

• All Creations in last 7 days

• All Deletions in last 7 days

• All GPO changes in last 7 days

• All Modifications in last 7 days

Creating Custom Reports

The custom report is based on the settings from the audit view that you created.

Be sure your report server is already configured to use with the PBAS Suite. See Deploying Reports.


Setting the Layout

You can customize the look of your reports, choosing color palettes, report logo, and report output sizes.

To set up the layout for a report:

1. In the Audit Viewer click Themes Layouts.

2. On the Themes tab click the Create Theme link.

3. Enter a name and description for your theme and optionally set the theme as default.
4. Select Images in the left pane and then click Add Custom Image to add your report logo. The maximum image size is 255x65 pixels.


5. Select Colors in the left pane and then select the color palette for your report display.

Click Show Preview to see the changes in a demo report. You can have the Preview page open at the same time as you select colors from the palette to see the changes dynamically.

6. Click OK in the Theme Manager dialog to save your new theme.
7. Select the Layouts tab in the Manage Themes dialog and then click the Create Layout link.

8. Enter a name and description for your layout and optionally set the layout as default.
9. Select Report Size from the left pane and then click the Web Display tab to set online viewing properties:

– Select a screen size from the list.


– Alternatively, click the Show Advanced Options to set a custom size width and height for your display.

10. Select the Print Display tab to set print viewing properties.
11. Click Next to proceed to the Columns page or select Columns from the left pane.
12. Select the columns that you want to display in the report and then click OK.
13. In the Manage Themes dialog click Apply to save your new theme and layout.

Publishing the Report

1. In the Audit View select an audit view and then click Publish.

The Custom SSRS Report Publisher dialog box opens.


2. On the General page:

– Enter a report name and description.

– Select the Sync with Audit View check box to synchronize the audit view and the custom report to republish the report when the audit view data changes.

– Select a layout and theme if you created custom settings for the report properties. See Setting the Layout.

3. On the Analytics page, select the graph data that you want to see in the report.
4. On the Overview page, select the report server.

5. Click the Change Folder link to save the report to an alternate location.


6. Select the Publish print report check box to publish the report to SSRS using the print sizes selected on the Layout page. Click the Change Folder link to set another location in SSRS (if needed).

7. Click Publish.

A message is displayed indicating that the report is generated and available in SSRS.

8. After the report is generated, click Open to view the report results in SSRS.


Working with the Audit Viewer

Opening Audit Views

1. Open PowerBroker Auditing & Security Suite.
2. Expand PowerBroker Auditing & Security Suite.
3. Expand Active Directory.
4. Select Audit Views.
5. To open a default or user-created view, right-click it and click Open. Alternatively, double-click the Audit View.
6. To open a view in a folder (such as a built-in view), double-click the folder(s) in the main console window, or navigate through the tree on the left-hand side.
7. When you open a view, you will see the Audit Viewer window.

Using the Audit Viewer Window

The Audit Viewer window displays the following details:

• The data retrieved based on the specifications of the audit view you created.

• The Who, What, Where, and When filter information.

• You can change the filter information to display a refined set of results. However, note that groups are not supported for filtering on “Who” information.

To open the Audit Viewer with full menu, select Start Menu > All Programs > BeyondTrust > Audit Viewer or run the Program Files\Common Files\Blackbird\AuditViewer.exe file.

There are five main areas of information in the Audit Viewer:

1. Audit Events: Displays the associated audit events based on the view and any applied filter settings.


2. Activity Summary, Account Summary, Event Activity: Shows high level statistics about audit events in the environment. Configure the value and time range by selecting the day, hour, or minute link.

3. Details: Shows information for the selected audit event.

Customizing the Audit Viewer Window

The Audit Viewer can be customized to present the audit information as desired by dragging the windows by their title bars and docking them where desired.

In the example below, the Details pane is being placed at the bottom of the window.

The windows can then also be re-sized to the desired width and height and you can also right-click on the title bar to make the window floating or docking or hide it.


Using the Auditor Interface

The ribbon area below the title bar provides the following functionality:

PowerBroker Menu

• Export the current data

• Close the current view

• Exit Audit Viewer

Home Tab

– Refresh: Updates the audit events in the open audit view window.

– Export: Export audit event data to an XML or PDF file.

– Copy: Copy the contents of the highlighted audit event for pasting into a document or e-mail.

– View Filter: Provides a way to refine the returned events to create a subset based on the categories of information that make up an audit view.

– Display Options: Allows you to control how much detail is displayed in the audit event by selecting/deselecting attributes.

– Reset Filter: Undo any filter modifications back to the original properties of the opened audit view.

– Find: Search events for the specified string.

– Maximum Returned Events: Specify the maximum number of events to return.

– Select Data Source: Choose whether to view archived or current data.

– Open Reports: Allows you to view the audit data in a published report, if reporting has been configured with Microsoft SQL Server Reporting Services (SSRS).


– Publish: Allows you to generate a report for your audit data and publish to SSRS. Once published, it will then be available for viewing in SSRS.

– Themes Layouts: Allows you to customize your report themes and layouts (change report logo, report colors, select columns, etc.)

– Add to Queue: Add multiple events to the rollback queue and then rollback all events at once.

– Rollback Now: Rollback the changes related to a single event.

– Show Queue: Display the events that are currently in the rollback queue, pending rollback.

View Tab

• Sort by: Specify the column that the events will be sorted by

• Group by: Select the column to provide grouping of the events

• Show:

– Details: Check to display the Details window in the viewer

– Activity: Check to display the Activity window in the viewer

– Rollback: Check to display the Rollback Queue in the viewer

• Style: You can change the look of the Audit Viewer window using the Style menu on the far right-hand side.

Changing the Properties for an Audit View

You can change the properties for an audit view that you had created. When you change the properties on the Audit Viewer window, you can refresh the search results to display the values that now meet the newly selected criteria.


Note: Plan your auditing activities. To view relevant data, it is important to know the object types that you want to monitor and the appropriate attributes for the objects.

1. Open the Audit Viewer:

– In the console, right-click an audit view that you created earlier and select Open.

OR

– Launch the Audit Viewer from Start > All Programs > BeyondTrust > Audit Viewer and then right-click a view in the Audit Views pane and click Open.

The executable can be found at: Program Files\Common Files\Blackbird\AuditViewer.exe.

2. Click View Filter to open the Filter Details window and display the values that were configured on the Audit View dialog box.

3. You will see the Filter Details dialog. Each of its options is outlined in the following pages.

– Who Tab

– What Tab

– Where Tab

– When Tab


Note: For additional information, see the appropriate page in the Creating an Audit View section.

4. Change the filter values to refine the set of results that are displayed. Each page also has a Reset link that will return the view’s settings to what they were when you opened the Filter Details dialog.

5. After you have entered your settings, click OK to close the dialog box and save your changes. If you cannot see the OK and Cancel commands, resize and move the dialog.

The new results will be displayed in the Audit Viewer Window.

Who Tab

Allows you to select the accounts that change the objects, the workstation where the change was made, and the domain controller that handled the change.

You can add and remove items. If you select no item, then there will be no filtering based on these criteria.

Note: Remember, groups are not supported.

What Tab

1. Change the objects and attributes that you want to view. For modify changes, you can also select certain attributes. If there are no actions selected, then there is no filtering by event type.

2. Similar to the properties on the Audit View dialog box, you can select check boxes for Create, Modify, Move, Delete, and Rename actions. (By default, all object types are audited.)

3. Click the Browse button to open the Select Object Types dialog to choose specific object classes for the event type. Then, click OK in either dialog to return to the Filter Details window.

Where Tab

1. Select the containers to view.

2. You can filter by a folder in Active Directory or by all items.

3. You can also filter by object, only child objects, or by both.

When Tab

1. Filter on when a change occurs.

2. You can choose all, within a selected date range, or in the last x days.

Reviewing Event Details

When viewing an audit view in the Audit Viewer, double-click an event to open its details. The information is displayed in the Details pane as shown:

Note: You can review all the details about the event and choose to roll back the event now or add it to the rollback queue to roll back at another time, along with other events that are in the queue.

Note: In order to resolve the hostname or IP address of the workstation where the change occurred, native auditing for “Audit account logon events success” must be set. This is enabled by default, but if it has been disabled it can be configured through a group policy setting.

Using the Rollback Feature

Audit Viewer provides the ability to roll back certain changes made in Active Directory.

There are two options available:

• Rollback Now: Allows you to roll back the changes related to a single event.

• Add to Rollback Queue: Allows you to add multiple events to the rollback queue and then roll back all events at once.

Both options are available via the Event Details pane, the right-click context menu in the event list, and the Audit View ribbon buttons.

The Rollback Now option rolls the event back immediately. A confirmation message is displayed, then a progress bar and the results window.

The Add to Rollback Queue option will add the selected event(s) to the rollback queue. Multiselect is supported.

A confirmation message is displayed, then a progress bar and the results window.

The events added to the rollback queue are displayed in a new window that shows up under the main event list:

• Rollback All: Rolls back all the events in the queue.

• Remove: Removes the selected event from the queue.

• Run as: Allows you to specify alternative credentials to execute the rollback. By default, the credentials of the current logged on user are used to perform the rollback.

Selecting the Rollback All option will display a progress bar and the Results window:

You can save the rollback results in a csv file.

The events whose rollback failed will stay in the queue window.

Successfully rolled back events will be removed from the queue.

You can hide the rollback queue window by unchecking it on the View ribbon.

Appendix A: Using RSAT Extensions

You can deploy extensions that add PowerBroker Auditing & Security Suite features to the Active Directory Users and Computers MMC snap-in. Each feature is outlined below.

Show Audit Trail

Right-click a user, group, or object and click Show Audit Trail:

This will open the Audit Trail dialog box. Choose the date range to view and click OK:

Now, the Audit Trail window will open with the Audit Viewer:

You will see a list of audit entries made to the selected object. In this example, it is a user’s account and not changes made by the user. Click any entry to view more information about the activity.

Show Account Activity

To show changes made by the selected user, right-click the user and click Show account activity:

Now, select the date range and click OK:

The Audit View window opens with a list of audit entries. Click an entry to see more information about that activity.

Show Group Membership Changes

To open the Group Membership Changes window, right-click a user account and click “Show group membership changes”:

Specify the desired time range to look for changes and click Apply. (If a long period is selected it may take some time to return the results.) Click OK when you are ready. The results will be displayed in the window.

If you would like to export the data, click the Export command. You can then save the data to PDF or XML.

Appendix B: Working with Schedules and Rules

Schedules define the timing and frequency of sequenced actions, such as running collectors. A schedule must be associated with collector policies to control when and how often the collections automatically run.

You can create as many schedules as you like depending on when you want to gather data from your domain controllers.

Creating a Schedule

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Configuration node.

4. Right-click Schedules, click New, and click Schedule.

5. On the General page, provide a name and description for the schedule.

6. On the Details page, select a frequency from the Type list.

Each frequency has different options as outlined below.

– Hourly: Select a start date and time from the Starts on list. Then, enter a number in the Occurs every x hours. (The default value is 1.)

– Daily: Select a start date and time from the Starts on list. Then, enter a number in the Occurs every x days. (The default value is 1.)

– Weekly: Select a start date and time from the Starts on list. Then, enter a number in the Occurs every x days. (The default value is 1.) Next, select the check boxes for the days of the week that you want the schedule to run.

– Monthly: Select a start date and time from the Starts on list. Then, from the Months list, select the months that you want to run the collector. Finally, select the days of the week that you want the collector to run.

7. Click OK to close the dialog box and save your changes.

Disabling a Schedule

Note: It is recommended that you disable the schedules during a maintenance window.

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Configuration node.

4. Click the Schedules node.

5. Right-click the schedule to disable and click Properties.

6. Clear The schedule is enabled check box.

7. Click OK.

Note: To re-enable the schedule, re-open this dialog box and select The schedule is enabled check box.

Deleting a Schedule

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Configuration node.

4. Select the Schedules node.

5. Right-click the schedule and then select Delete.

6. Click Yes to remove the schedule permanently.

Creating a Rule for a Schedule

You can apply rules to schedules to help you manage them. For example, a rule can be created to send an approval form to a selected user before a schedule can be modified.

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Rules node.

4. Right-click Schedule Rules, click New, and click Rule.

5. On the Triggers page, select the activity that you want to manage:

– When a schedule is created

– When a schedule is modified

– When a schedule is deleted

Note: You can only select one trigger for each rule. The trigger that you select will be displayed in the bottom pane of the dialog box.

6. On the Actions page, select the action that you want to occur when the trigger is activated. The available options are:

– Prevent action from being committed

– Submit for approval

– Send an e-mail to recipients

– Stop processing rules

Note: You can select more than one action for each rule. The actions that you select will be displayed in the bottom pane of the dialog box.

Here is an overview of the available actions.

a. Prevent action from being committed: Selecting this option will stop the action in progress.

b. Submit for approval: Click the blue “approval” link to open the Approval Configuration dialog box.

Here you can set the following options:

– Number of approval stages: Use the arrows to select the number of stages in the approval process. Stage tabs are added to the dialog as you increase the number of stages. (You can select up to 5 stages. The default value is 1.)

– Stage tabs (maximum of 5):

a. Click the Add button to open the Select Users or Groups dialog box. The accounts that you select will be the approvers for the rule. Click OK when you have added the required accounts. (You can also select a user or group in the approvers list and click Remove when the account is no longer required.)

b. Approver must handle the request: Select the number of people that you want to approve the activity. The maximum number of approvers is 3.

c. Require comments when the approver: Select the check box and then choose when comments are required:

– Denies the request

– Approves the request

– Approves or denies the request

d. Commit: Set details on when to activate the request after it is approved (immediately or a specific time).

c. Send an e-mail to recipients: PowerBroker Auditing & Security Suite can send notifications when the rule is triggered.

a. Click the “recipients” link to open the E-mail Recipients dialog box.

b. Enter the e-mail accounts.

c. Click OK.

d. Stop processing rules: Selecting this option will stop any further rules from being processed.

7. On the Summary page of the Rule Actions dialog, provide a name and a description (optional) for the rule.

8. Click OK to commit your changes.

Editing a Rule

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Rules node.

4. Right-click the rule in question and then select Properties.

5. Make the necessary changes and then click OK to commit your changes or click Cancel to discard them.

Deleting a Rule

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Rules node.

4. Right-click the rule in question and then select Delete.

5. Click Yes to confirm your action.

Linking a Rule to a Schedule

After you create a rule you must then link the rule to a schedule. You can apply rules to selected or all schedules.

1. Start PowerBroker Auditing & Security Suite.

2. Expand the PowerBroker Auditing & Security Suite node.

3. Expand the Configuration node.

– To apply the rule to all schedules, right-click the Schedules node and then select Properties.

– To apply the rule to a particular schedule, right-click the schedule and then select Properties.

4. With either command, you will see a General Information dialog box. Select Rule Links in the left pane and then click Add.

5. Choose the rule in the Object Selector dialog box. (If you have not yet created a rule, click the New Rule button to create one. See Creating a Rule for a Schedule for more information.) Click OK.

6. Click OK in the General Information dialog to save your settings.

Clearing Rules from Schedules

If a rule is applied at a global level (that is, applied to all schedules), then it is displayed on the schedule’s Rule Links page but cannot be modified.

In the following image, the “Schedule Creation” rule applies to all schedules. This means that you cannot remove the rule here. Notice how the icon for a global schedule rule is gray, indicating it is inactive. The icon for a rule applied to this schedule only is colored, indicating it is active.

To explicitly apply a rule on a schedule or to remove the rule from a schedule:

1. Expand the Schedules node and then select Properties.

2. Right-click the Schedule and then select Properties.

3. The General Information dialog box will open. Select Rule Links in the left pane.

4. Clear the “Include inheritable rules from this object’s parent” check box and then click OK.

Appendix C: SIEM Configuration

You can configure syslog event forwarding to send events from Auditor for AD to external SIEM servers. Multiple SIEM receivers can be added to have the same event sent to multiple servers.

1. In the Management Console, expand Configuration and then click General Settings.

2. Click Add under SIEM Settings.

3. Provide a Connection Name, and enter the Destination Server and Port (UDP).

4. Click Test to send a test message to the 3rd party and then click Save once the test is complete.

Appendix D: Manual Deployment

Agent Deployment Outside of the PowerBroker Management Console

Ensure you have the PowerBroker Management Server installed before you deploy any agents. Once you have confirmed the Server is installed:

1. Define the database permissions in SQL. The Domain Controllers computer group must have the PBAS Suite database role on the PBAS Suite database.

2. Copy the following two files to a central distribution point such as a file share, for example: \\server\share\blackbird. Both files need to be copied out to all Domain Controllers.

For versions prior to 5.7 or upgrades to 5.7:

C:\Program Files\BeyondTrust\PowerBroker Management Suite\Server\BlackbirdServer.installdata
C:\Program Files\BeyondTrust\PowerBroker Management Suite\Server\DataHandler\x64\DataHandler.exe

For a new install of version 5.7 or later (not an upgrade):

C:\Program Files\BeyondTrust\PowerBroker Auditing & Security Suite\Server\BlackbirdServer.installdata
C:\Program Files\BeyondTrust\PowerBroker Auditing & Security Suite\Server\DataHandler\x64\DataHandler.exe

3. In the space chosen for distribution, rename the BlackbirdServer.installdata file to DataHandler.installdata.

4. Copy the files to each Domain Controller and then run the install and the following configuration steps from each Domain Controller:

md "c:\program files\common files\BlackBird"
copy \\server\share\blackbird\*.* "c:\program files\common files\BlackBird"
"c:\program files\common files\blackbird\datahandler.exe" /install
sc config datahandler start= auto
net start datahandler

Optionally, use PsExec to call the text file list of Domain Controllers and run the file on each of them. This will save the effort of running the above command on all individual Domain Controllers. Run command:

psexec @s:\dclist.txt -d -h -u "domain\username" -p "password" cmd /c "\\myserver\myshare\install-pba.bat"
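The PsExec line above runs install-pba.bat, but the guide does not show that file. The following is an added example of such a wrapper for the step 4 commands, not BeyondTrust's own script; the share path is the example value from step 2, and the log file location, the exit codes and the sc query checks are assumptions made for this illustration.

```batch
@echo off
rem install-pba.bat: added example wrapping the step 4 commands (not vendor code).
setlocal

rem Assumed values: SRC is the example distribution share from step 2,
rem LOG is a hypothetical local log file.
set "SRC=\\server\share\blackbird"
set "DST=c:\program files\common files\BlackBird"
set "LOG=%SystemRoot%\Temp\install-pba.log"

call :log "starting on %COMPUTERNAME%"

rem Steps 2-3: both files must be on the share before anything is changed.
if not exist "%SRC%\DataHandler.exe" (
    call :log "ERROR DataHandler.exe missing from %SRC%"
    exit /b 1
)
if not exist "%SRC%\DataHandler.installdata" (
    call :log "ERROR DataHandler.installdata missing - rename BlackbirdServer.installdata first"
    exit /b 1
)

rem Step 4, in the order the guide gives.
if not exist "%DST%" md "%DST%"
copy /y "%SRC%\*.*" "%DST%" >nul
if errorlevel 1 (
    call :log "ERROR copy from %SRC% failed"
    exit /b 2
)

"%DST%\datahandler.exe" /install
rem Do not rely on the installer's exit code: confirm the service now exists.
sc query datahandler >nul 2>&1
if errorlevel 1 (
    call :log "ERROR datahandler service not registered after /install"
    exit /b 3
)

sc config datahandler start= auto >nul
net start datahandler >nul 2>&1
rem Confirm the agent is actually running before reporting success.
sc query datahandler | find "RUNNING" >nul
if errorlevel 1 (
    call :log "ERROR datahandler service did not reach RUNNING"
    exit /b 4
)

call :log "OK datahandler installed and running"
exit /b 0

:log
rem Append one timestamped line to the log file.
>>"%LOG%" echo %DATE% %TIME% %~1
exit /b 0
```

Because the PsExec line uses -d, PsExec does not wait for the script to finish, so these exit codes are reported back only if -d is dropped; the log file records the outcome either way.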

Cross Forest Support

Agent deployment flag for cross forest:

/installex

It takes either the install GUID, which can be found in the BlackbirdServer.installdata file (location indicated in step 2 above):

/installid=<install guid>

OR the database settings can be specified with the following flags:

/sqlserver=

/sqldb=

/sqlauth=NT/SQL

/dbuser=

/dbpass=

/dbuser & /dbpass

(Can be either the SQL Authentication credentials, if /sqlauth=SQL, or Windows Domain credentials, if you leave /sqlauth out.)

Examples:

/sqlauth=SQL /dbuser=sa /dbpass=password

or

/dbuser=pbms\dbusername /dbpass=password

Then run the following commands:

sc config datahandler start= auto
net start datahandler

There is validation on invalid parameter combinations; however, this can't be done for some parameters, such as verifying if the correct SQL server/db/user/password was specified.

Manual Uninstall

To uninstall, enter the following two commands:

net stop datahandler
"c:\program files\common files\blackbird\datahandler.exe" /remove

Manual Agent Upgrade

To manually upgrade an agent to a newer version, simply replace the DataHandler.exe file with the newer one.

1. Enter the command: net stop datahandler

2. Replace the Datahandler.exe file with the upgraded one

3. Enter command: net start datahandler
