Quest® Access Manager 2.1 User Guide © 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc. Disclaimer: The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. 
If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

Patents
This product includes patent pending technology.

Trademarks
Quest, Quest Software, the Quest Software logo, and ActiveRoles are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered trademarks are property of their respective owners.

Access Manager User Guide
Updated - November 2011
Software Version - 2.1

Contents

Chapter 1: Quest Access Manager Overview and Deployment ... 9
  Quest Access Manager Overview ... 10
  Key Components and Concepts ... 11
  Planning your Deployment ... 23
  Configuring Access Manager ... 24
    Configuring the Management Server ... 24
    Connect to the Management Server ... 27
    Delegating Access to Access Manager ... 27
    Add Forests, Domains, Hosts and Agents ... 30
    License a Domain ... 41
    Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server ... 41
    Managed Host Properties ... 46
    Agent Properties ... 54
    Saving Customized Layouts ... 59
    Grouping Managed Hosts Using Keywords ... 60
    Configure and Report on a Group of Managed Hosts ... 60
    Identify and Fix Group Resolution Issues ... 61
    Change the Service Account Used to Access Information ... 62
    Remove Forests, Domains and Hosts from Management ... 64
  Access Manager Client Overview ... 64
  Removing Access Manager ... 83

Chapter 2: How To ... 85
  Investigate Resource Access ... 86
  Manage Network Access ... 89
    Manage Access for a User or Group ... 89
    Manage Resources ... 93
    View and Edit Trustee Properties ... 93
    Edit Security ... 94
    Clone, Replace, and Remove Access for a Group of Trustees ... 96
    Find and Secure a Share with No Access Control ... 97
    Add and Remove Rights ... 98
    Assign Business Ownership ... 99
    View Group Membership ... 100
  Manage Machine Local Groups ... 103

Chapter 3: Creating Reports ... 107
  Available Reports ... 108
    Owned Resources Report ... 108
    Perceived Owners Report ... 109
    Trustee Access Report ... 110
    Resource Activity Report ... 110
    Trustee Activity Report ... 111
    Group Members Report ... 111
    Group Members Comparison Report ... 112
    Member Of Comparison Report ... 112
    Member Of Report ... 113
    Resource Access Report ... 113
    Local Rights and Service Identities Report ... 114
  Creating Reports ... 115
  Scheduling Reports ... 125

Chapter 4: Understanding Access Manager through Scenarios ... 127
  Provision a User ... 128
  Deprovision a User ... 130
  Cleanup Resources ... 130
  Investigate User and Group Access ... 131
  Investigate a Specific Type of User Access ... 132
  Investigate Computer Access ... 133
  Assess Group Membership and Access ... 133

Chapter 5: Troubleshooting ... 135
  Where Are the Logs? ... 136
  Why Is the Managed Hosts Node Empty? ... 137
  Where Is My Activity Data? ... 137
  Where Are the Menus and Property Pages in Active Directory Users and Computers? ... 138
  Why Is an Agent Not Connecting to the Access Manager Server? ... 139
  Why Are Groups Missing from the Group Memberships Treeview? ... 140
  Why Are Agent Leases Expiring? ... 140
  Why Are My PowerShell Cmdlets Not Contacting the Access Manager Server? ... 141

Appendix A: Configuring EMC Celerra ... 143
  Configuring the CEPA Facility ... 144
  Configuring the Individual CEPA Pool Servers ... 145
  Configuring Access Manager to Watch the Data Mover ... 146
  Verifying the Status of the CEPA Facility ... 147

Appendix B: PowerShell Cmdlets ... 149
  What Is Microsoft Windows PowerShell? ... 150
  Windows PowerShell Cmdlets ... 150
  Registering the PowerShell Cmdlets ... 150
  Adding the Snap-in Automatically to New Sessions ... 151
  Quest Access Manager Cmdlets ... 151
    Set-QServiceConnection ... 152
    Change-QDBAccessAccount ... 152
    Export-QResourceAccess ... 153
    Get-QManagedHosts ... 153
    Get-QManagedDomains ... 154
    Get-QResourceAccess ... 154
    Get-QServiceAccounts ... 155
    Get-QTrusteesForHost ... 155
    Add-QManagedHostByAccountName ... 156
    Add-QManagedHostByAccountSid ... 157
    Add-QManagedDomain ... 158
    Add-QServiceAccount ... 158
    Get-QAccessibleHostsForTrustee ... 159
    Get-QTrusteeAccess ... 159
    Set-QAccountPassword ... 160

Glossary ... 161
Index ... 167
About Quest Software ... 175
  Contacting Quest Software ... 175
  Contacting Quest Support ... 175
  Third Party Contributions ... 176

1 Quest Access Manager Overview and Deployment

• Quest Access Manager Overview
• Key Components and Concepts
• Planning your Deployment
• Configuring Access Manager
• Access Manager Client Overview
• Removing Access Manager

Quest Access Manager Overview

This document has been prepared to assist you in becoming familiar with Quest Access Manager, a Quest Windows Management Suite product. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

The management of computer resources is a complex and time-consuming process. Numerous manual steps and disconnected management applications must be used before a resource can be safely deployed and made accessible to the appropriate users. Once a resource is deployed, there is the further concern that granted access is neither increased nor removed inadvertently. In many organizations this challenge is made worse because content owners have to rely on IT administrators, who manage resource access without knowing the business implications of their actions. Ultimately, this leaves an organization unable to maintain operational efficiency or sustain continuous compliance.

Quest's Solution

Quest Access Manager takes the following approach to meet the challenge:

• Unify resource management. Access Manager allows you to view and report on overall resource access, both directly applied access and access obtained through group membership. Without this information, visibility is limited, and access granted inadvertently can result in security breaches.

• Evaluate resource access. Access Manager provides a real-time view of network resource access, giving you an immediate and ongoing ability to modify access to resources. This helps enforce your corporate network access policy.

For an example of how to use Access Manager, see "Understanding Access Manager through Scenarios" on page 127.
Key Components and Concepts

Access Manager consists of the following components:

Figure 1: Access Manager Components

Registered Forest

To register a forest, add the forest to Access Manager, following the instructions in "Add a Forest to the Deployment" on page 31. When you add a forest, you must provide a service account with sufficient permissions to perform all QAM management tasks. If the application needs to resolve a SID or expand group membership from that forest, it uses the associated service account.

Once the forest is registered, you have the option of integrating with Active Directory. Adding directory integration points to the forest makes the Active Directory Users & Computers extensions and the extended rights for delegation available to all domains within the forest. To configure the Active Directory extensions, several objects are added to the forest's configuration partition during integration: Extended Rights in the Configuration | Extended Rights container and Display Specifiers in the Configuration | Display Specifiers container. Because these objects live in the forest-wide configuration partition, the account performing the integration needs rights to write there (by default, membership in Enterprise Admins), and the change replicates to every domain controller in the forest. Once integrated, the Access Manager context menu items and features such as the Group Membership tab are available within Active Directory Users and Computers.

When you add a Managed Domain and the associated Active Directory forest is not yet registered, the Management Server automatically adds the forest and uses the domain service account credentials as the forest credentials. You can change the service account credentials at a later time.

For more information, see the following:
• "Add a Forest to the Deployment" on page 31
• "Change the Service Account Used to Access Information" on page 62

Managed Domain

To ensure that the application can install agents successfully, the Management Server needs domain user credentials with sufficient access.
Access Manager uses the concept of a Managed Domain, which is an association of service accounts (user credentials) with Active Directory domains. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server. This Managed Domain service account is used to install the agents. Because it must be able to install a service on every computer you take under management in that domain, it is a high-value credential and should be protected accordingly. Local agents run as Local System, and remote agents run as the service account specified during their installation. Only domains that have a trust relationship with the Management Server's domain can be managed.

Once a domain is managed, the application creates a Service Connection Point (SCP) in the domain that provides server location information so that all agents and clients know where to connect. This is particularly useful if the Management Server is reinstalled on a new computer in that domain.

For more information, see the following:
• "Add a Domain to the Deployment" on page 31
• "View and Ignore Externally Trusted Domains" on page 32

Managed Host

A Managed Host is essentially any network object that can host resources. Currently supported host resources include Windows computers, Windows clusters, and certain network attached storage (NAS) devices. When a user takes a computer under control (adds a Managed Host), Quest Access Manager deploys an agent to scan that computer. The agent may be installed on the computer itself (local agent) or on another computer (remote agent). Detailed access information is maintained on the agent computer; only summary access information is sent to the central server. When adding a remote agent, ensure that a trust exists between the agent host's domain and the resource domains.
For more information, see the following:
• "Add a Managed Host to the Deployment" on page 34
• "Add a Cluster (Managed Host) to the Deployment" on page 40
• "Managed Host Properties" on page 46
• "Saving Customized Layouts" on page 59

Access Manager Agent

When a Managed Host is taken under control, an agent is assigned to that computer. The agent may reside on the computer itself or it may be a remote agent that resides elsewhere. The agent's primary task is to index all the direct access points throughout its assigned data roots for subsequent management. A direct access point is a location whose ACL carries explicit (non-inherited) entries. Only direct access points are indexed, for several reasons:

• It is the only point at which access control list (ACL) modifications can be made. (For example, you cannot modify an inherited entry where it is inherited; once you break inheritance, that location becomes a direct access point.)
• Indexing every access point would overwhelm the indexing system.
• Indexing every access point would overwhelm the user with information that could not be managed.

A Managed Host may be scanned by either a local agent or one or more remote agents. Only one local agent can be installed on a Managed Host, and a Managed Host with a local agent cannot be scanned by remote agents.

A local agent performs an immediate scan as soon as it is added. Remote agents scan only according to their schedule; if you want a remote agent to scan as soon as it is added, enable the Immediately scan on agent restart or data root change option. This option is cleared by default.

To reduce network usage and increase scalability, detailed access information is maintained on the agent computers. To optimize searches for access points, agents send small subsets of detailed access information to the server. This allows clients to quickly determine which hosts to direct detailed access queries to.
If you manually install an agent on a computer (that is, it has not been deployed through the Management Server with the Add Managed Host mechanism), the agent cannot connect to a server successfully until the Management Server adds the computer as a Managed Host. Once it has been added, all of the indexed information collected by the agent is available for use.

For more information, see the following:
• "Agent Properties" on page 54
• "Add a Managed Host to the Deployment" on page 34
• "Add an Additional Remote Agent to a Managed Host" on page 38
• "Restart Agents" on page 39
• "Update Agents" on page 40
• "Data Roots" on page 14

Data Roots

A data root is the root of a directory tree to be scanned by an agent. The data roots available for scanning differ for local and remote agents.

Local agents scan all local fixed volumes on their host computer. Limiting a local agent to a subset of these volumes is done through the Data Roots tab of the Managed Host Properties page. For more information, see "Locally Managed Host Properties" on page 49.

Remote agents may scan all shares accessible to the agent, including any user-created shares. The data roots scanned by a remote agent are chosen during the configuration of a new remote agent. The scanned roots may also be changed later through the Data Roots tab of the Agent Properties dialog box. For more information, see "Remotely Managed Host Properties" on page 51.

More than one remote agent may be configured to scan a Managed Host, provided each agent scans different data roots. A given data root can be scanned by only one agent.

If a selected data root inherits access rights from a parent folder, those rights are displayed as explicit rights at the data root when indexed. This ensures that these access points are not omitted from the index.
Normally, such rights would be displayed at the point where they were granted, but because that parent folder lies above the selected data root, the rights are displayed as explicit at the first point the agent encounters them. For inherited access rights, that first point is the data root itself (the child folder). You can easily identify these folders by selecting the Inheritance column from the Column Chooser and adding it to the view.

Management Server

The Management Server is the central authority that receives and indexes information from agents. It maintains only a subset of the information for the computers being indexed, essentially trustee access to specific resource types on managed computers. When a user requires detailed access information, the Management Server contacts the agent responsible for the host and returns the information stored in that agent's index.

Management Servers work independently; they cannot share information or work collectively with other Management Servers. For large, geographically separated Active Directory forests, we recommend that you install a Management Server and configure a separate deployment in each location. This way, the data being transferred to the server, and the queries and commands issued from it, do not have to cross high-latency network links. For details, see "Configuring the Management Server" on page 24 and "Connect to the Management Server" on page 27.

Access Manager Client

The Access Manager client is the application that users run to perform daily operations. The client can connect to different Management Servers. Once connected to a Management Server, you can perform functions on all of the associated Registered Forests, Managed Domains, and Managed Hosts, provided you have the appropriate rights to do so.
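The indexing rule described under Access Manager Agent and Data Roots above (below the root, only explicit ACEs are access points; at the root itself, inherited ACEs are kept too, because the parent they come from lies outside the data root) can be reproduced with a short script. The following is an added example, not code from this guide or from the product. It assumes a Windows host, PowerShell 3.0 or later, and read access to the tree; the data root path is a placeholder you supply.

```powershell
# Added example, not code from the Quest Access Manager guide or product.
# Indexes the "direct access points" under one data root: below the root only
# explicit (non-inherited) ACEs count; at the root, inherited ACEs are reported
# as well, flagged by the Inherited column (compare the client's Inheritance column).
# Assumptions: Windows, PowerShell 3.0 or later, read access to the tree.
# -DataRoot is a placeholder path you supply, e.g. -DataRoot 'D:\Shares\Finance'.
param(
    [Parameter(Mandatory = $true)]
    [string]$DataRoot
)

$DataRoot = (Resolve-Path -LiteralPath $DataRoot).ProviderPath
$index    = New-Object System.Collections.Generic.List[object]
$failed   = New-Object System.Collections.Generic.List[string]

function Add-AccessPoint {
    param([string]$Path, [bool]$IsDataRoot)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        $failed.Add($Path)     # unreadable folder: an agent could not index it either
        return
    }
    # Root: keep every ACE. Descendants: keep explicit ACEs only; a folder that
    # has any is a direct access point (the only place the ACL can be edited).
    $aces = if ($IsDataRoot) { @($acl.Access) } else { @($acl.Access | Where-Object { -not $_.IsInherited }) }
    foreach ($ace in $aces) {
        $index.Add([pscustomobject]@{
            Path              = $Path
            Trustee           = $ace.IdentityReference.Value
            Type              = $ace.AccessControlType
            Rights            = $ace.FileSystemRights
            Inherited         = $ace.IsInherited
            InheritanceBroken = $acl.AreAccessRulesProtected   # inheritance disabled here
        })
    }
}

Add-AccessPoint -Path $DataRoot -IsDataRoot $true
Get-ChildItem -LiteralPath $DataRoot -Recurse -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-AccessPoint -Path $_.FullName -IsDataRoot $false }

$index | Sort-Object Path, Trustee |
    Format-Table Path, Trustee, Type, Rights, Inherited, InheritanceBroken -AutoSize
$points = @($index | Select-Object -ExpandProperty Path -Unique)
"Direct access points under {0}: {1} folder(s); unreadable folders: {2}" -f $DataRoot, $points.Count, $failed.Count
$failed | ForEach-Object { "  could not read ACL: $_" }
```

Folders listed with InheritanceBroken set to True are the places where someone disabled inheritance; those are the entries worth reviewing first, because a "Deny" or an unexpected trustee there will not be visible from the parent folder's permissions.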
For more information, see the following:
• "Access Manager Client Overview" on page 64
• "Delegating Access to Access Manager" on page 27

Database

Management Servers store all data in the deployment in a SQL Server database, including the indexed data received from the agents. The Management Server is the only component in the system that accesses the database.

Service Account

A service account is a set of credentials provided by the user and used to perform certain deployment and query operations.

Managed Domain Service Account

When you take a domain under management, you must provide a service account for the domain. You can only take computers under management that belong to Managed Domains; the Managed Domain service account is what allows computers from that domain to be taken under control. Each Managed Domain can have only one associated service account at any time, but the same service account can be used for multiple Managed Domains. The service account can be changed through the Managed Domain properties page within the application. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

Active Directory Forest Service Account

Although Quest Access Manager does not manage the Active Directory forest, it does associate a service account with it. Active Directory forests are added to the application either explicitly, when the user adds the forest directly and provides service account credentials, or implicitly, when the user adds a Managed Domain. When you add a Managed Domain, the associated Active Directory forest is added with the same credentials as the Managed Domain. The Active Directory forest service account is initially used to enumerate the objects within the forest so that you can perform operations such as enumerating the domains within that forest.
The account is also used to enumerate group membership for the trustees you are managing and to resolve SIDs. You can change the service account for the forest later through the Active Directory forest properties page within the application.

Managed Host Service Account

When you deploy an agent to a computer for remote indexing, the agent requires a set of credentials to read information from the remote target computer. The credentials provided are referred to as the Managed Host service account and are used only to read information from the remotely targeted computer.

Default Service Account

The default service account is a set of credentials used to enumerate trusted forests that have not been explicitly added to the product with an associated service account. The default service account is used for group expansion and SID resolution for managed accounts and their group membership.

Account Usage

Various operations within Access Manager use different credentials. The following table details which account is used for each operation. Note that although certain actions are performed using the elevated privileges of a service account, the user must still be granted access to the application and the rights to perform the operation.
Action                                 | Managed Domain service account | Interactive user | Forest service account
---------------------------------------|--------------------------------|------------------|-----------------------
Agent Deployment and Removal (1)       | Yes                            |                  |
Restart Agent                          | Yes                            |                  |
Synchronize Agent Service Account      | Yes                            |                  |
Take Domain Under Management           | Yes                            |                  |
Modify Resource Security               |                                | Yes              |
Integrate with ActiveRoles Server      |                                | Yes              |
Integrate with Active Directory        |                                | Yes              |
View Trustee Properties                |                                |                  | Yes
Perform a Quick Search                 |                                |                  | Yes
Register a Forest and Enumerate        |                                |                  | Yes
Manage Trustee Access (2)              |                                | Yes              | Yes
Report on Trustee Access (2)           |                                | Yes              | Yes
Read a Trustee's Group Membership (2)  |                                | Yes              | Yes

1: The Managed Domain service account is used to install, upgrade, or remove the agent on the target computer. When the agent is deployed for local indexing, it runs as Local System. When the agent is deployed for remote indexing, the Managed Host service account is used to read and index the information from the remote computer.

2: For query operations, the Default service account may also be used in certain cases, as described in the Default Service Account section above.

Security of the Service Accounts

The service account credentials are maintained in the database in encrypted form. If someone gains access to the database, they cannot decrypt any of the stored credentials without the encryption key. Access Manager uses the Advanced Encryption Standard (AES) with a 256-bit key to protect secure data. The protection is therefore only as strong as the protection of that key, which is why access to the Management Server, and in particular to its local Administrators group, must be tightly controlled (see "Planning your Deployment").

Deployment

A deployment is the collective installation (grouping) of a single Management Server, its back-end SQL database, and the associated Registered Forests, Managed Domains, and Managed Hosts. Currently, Access Manager does not support multiple deployments sharing the same Managed Hosts or agents.
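Because the product grants the Managed Domain service account the Log On as a Service right automatically, it is worth verifying on the Management Server that the grant is still in place (a domain Group Policy that assigns user rights will silently overwrite the local assignment) and that nothing unexpected holds the same right. The following is an added example, not code from this guide or from the product. It assumes you run it elevated on the Management Server; "CORP\svc-qam" is a placeholder account name.

```powershell
# Added example, not code from the Quest Access Manager guide or product.
# Lists every principal holding "Log on as a service" (SeServiceLogonRight) on
# this computer and checks that a given Managed Domain service account is among
# them. Assumptions: run elevated on the Management Server; the default account
# name below is a placeholder.
param([string]$ServiceAccount = 'CORP\svc-qam')

function Get-ServiceLogonRightHolders {
    # secedit exports the effective local policy, including user-rights
    # assignments, to an INF file; entries are written as *SID or as names.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $inf /areas USER_RIGHTS
        $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }
        $entries = ($line -replace '^SeServiceLogonRight\s*=\s*', '') -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # unresolvable SID: usually a deleted account
            } else {
                $e
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-ServiceLogonRightHolders)
"Accounts with 'Log on as a service' on $($env:COMPUTERNAME):"
$holders | ForEach-Object { "  $_" }

if ($holders -contains $ServiceAccount) {
    "OK: $ServiceAccount holds SeServiceLogonRight."
} else {
    "WARNING: $ServiceAccount does not hold SeServiceLogonRight. The product grants it when the account is added, so it has been removed or overridden (check Group Policy user rights assignment)."
}

# Entries that did not resolve to a name are stale: a former service account was
# deleted without being removed from the policy. Clean them up.
$holders | Where-Object { $_ -match '^S-1-' } | ForEach-Object { "Stale entry: $_" }
```

The same export contains the other user-rights assignments, so the function is easily adapted to review, for example, who holds SeDebugPrivilege or SeBackupPrivilege on the server that stores the encryption key.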
You can use the same Managed Domain in multiple deployments, although from an organizational standpoint this is not recommended, as it may cause adverse effects. You can register a forest in multiple deployments with no adverse effects.

Deployment Key

During configuration, Access Manager creates a set of encryption keys that are used to secure sensitive information, such as the credentials used to access the database and the stored service account credentials. During configuration you are prompted to store a backup of this key information, encrypted with a passphrase. This backed-up key information is required for all upgrades as of version 2.0. The deployment key can also be used to connect another Access Manager server to the database in the event of server failure or another unplanned reconfiguration. It is very important that the backup deployment key file and its passphrase not be lost, because they are required during an upgrade. Store the backup file and its passphrase separately from each other and from the database, and with at least the care you give the service account passwords themselves: together with a copy of the database, they are sufficient to recover every stored credential.

As of version 1.6.1 of Access Manager, it is possible to connect a server to an existing database without a backup of the deployment key information and its passphrase. However, when this operation is performed, all service account password information held in the Access Manager database is lost and must be re-entered. After re-entering the service account passwords, you must restart the Quest Access Manager Service.

Group Membership and Group Expansion

When examining and managing the access settings of a user or group, it is necessary to know which groups they belong to. Access Manager provides a comprehensive group membership visualization and reporting system that supplies the information required to manage user or group access on the network. The Access Manager group membership tree is displayed as an integral part of the information gathered during access queries.
The membership tree lists all groups to which a trustee belongs, taking group nesting into account. It is similar to the Member Of information maintained in Active Directory for users and groups (which can be seen using the Active Directory Users and Computers MMC snap-in), but that tab shows only direct memberships, whereas the Access Manager group membership tree is much more complete. In addition to group nesting, it shows domain group membership, cross-forest group membership, and machine local group memberships on Managed Hosts.

Figure 2: Group Membership Treeview

When interrogating a group that is nested within itself, the circular nesting is clearly displayed in the membership tree and report. For instance, if group A is in group B, group B is in group C, and group C is in group A, then a report interrogating group A clearly shows that A is circularly nested within itself.

In Trustee Access reports, the groups to which the report's focused trustee belongs are presented in a flat list for easy viewing. Within each of these groups, the chain by which the root trustee gained membership in that group is shown. If group expansion fails on a report for a selected trustee, the report returns an error report indicating the reason for the failure. Either run the report selecting 'Direct Trustee Access Only' or resolve the indicated problem.

Detailed View of Group Members

Access Manager also provides a hierarchical view of group membership and the recursive list of who is contained in a group. This eliminates the need to navigate through group nesting to identify all group members that ultimately have access to specific shares, folders, and files. The Users and Groups node contains columns with the full range of information needed to find specific data.
You can use the Filter Editor in this node, and column grouping in the Layout Options, to create customized views of groups, group members, and the resources they have access to. You can also use reports to see group membership details and comparisons between groups, to help clean up redundant or erroneous membership. For information about reporting on group membership, see "Creating Reports" on page 107.

For more information, see the following:
• "Users and Groups Node" on page 73
• "View Group Membership" on page 100
• "Group Members Report" on page 111
• "Group Members Comparison Report" on page 112
• "Member Of Report" on page 113
• "Member Of Comparison Report" on page 112

Resource Security Editing

The native Security Editor provided for manipulating the permissions of files, folders, and shares can be confusing because of its split between simple and advanced property pages. Access Manager's Resource Security Editor allows easy navigation of share, file, and folder permissions by providing a viewing experience similar to the simple native view, but with the advanced ability to discern inheritance differences. You can quickly view the complete security settings and modify existing access, view a comprehensive membership display for all users and groups, and run comparison reports.

In the Resource View, you can open and select a resource and then right-click one or more users or groups in the Security Editor in the lower pane to run a Trustee Access, Trustee Activity, Member Of, Member Of Comparison, Group Members, or Group Members Comparison report, depending on what is selected. Reports are also available by right-clicking the resource itself and selecting Reporting.

In the Trustee View, you can open and select a resource, right-click it, and select Reporting to run the same set of reports, depending on what is selected.
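The recursive expansion and circular-nesting detection described under Group Membership and Group Expansion and Detailed View of Group Members above amount to a graph walk that remembers the path it took. The following is an added example of that walk, not code from this guide or from the product. The membership table is constructed in memory (domain groups plus one machine local group on a hypothetical host FS01) so that the script runs offline; to run it against a real directory, replace Get-DirectMembers with a lookup of the group's member attribute, for example through [adsisearcher]. It walks downward (Group Members); running the same walk over the inverted table gives the upward Member Of tree.

```powershell
# Added example, not code from the Quest Access Manager guide or product.
# Transitive group expansion with circular-nesting detection.
# $Directory is constructed sample data: group -> direct members. The group
# names, user names and the host FS01 are placeholders.
$Directory = @{
    'CORP\Finance-Readers' = @('CORP\Finance-Staff', 'CORP\alice')
    'CORP\Finance-Staff'   = @('CORP\Finance-Leads', 'CORP\bob')
    'CORP\Finance-Leads'   = @('CORP\Finance-Readers', 'CORP\carol')  # Readers -> Staff -> Leads -> Readers
    'CORP\All-Staff'       = @('CORP\Finance-Staff', 'CORP\dave')
    'FS01\Share-Users'     = @('CORP\All-Staff')                        # machine local group on a managed host
}

function Get-DirectMembers {
    # Replace the body with a directory query to run this against Active Directory.
    param([string]$Group)
    if ($Directory.ContainsKey($Group)) { $Directory[$Group] } else { @() }
}

function Expand-GroupMembers {
    # Returns every trustee that is ultimately a member of $Group, the nesting
    # chain through which it got there, and each circular nesting found.
    param([string]$Group)

    $seen   = New-Object 'System.Collections.Generic.HashSet[string]'
    $output = New-Object System.Collections.Generic.List[object]
    $cycles = New-Object System.Collections.Generic.List[string]

    function Walk {
        param([string]$Current, [string[]]$Chain)
        foreach ($m in Get-DirectMembers -Group $Current) {
            if ($Chain -contains $m) {
                # The member is already on the path from the root: circular nesting.
                $cycles.Add((($Chain + $m) -join ' -> '))
                continue
            }
            if (-not $seen.Add($m)) { continue }   # reached earlier by another path
            $output.Add([pscustomobject]@{
                Member  = $m
                IsGroup = $Directory.ContainsKey($m)
                Via     = (($Chain + $m) -join ' -> ')
            })
            if ($Directory.ContainsKey($m)) { Walk -Current $m -Chain ($Chain + $m) }
        }
    }

    Walk -Current $Group -Chain @($Group)
    [pscustomobject]@{ Group = $Group; Members = $output; Cycles = $cycles }
}

$r = Expand-GroupMembers -Group 'FS01\Share-Users'
"Effective members of $($r.Group):"
$r.Members | Format-Table Member, IsGroup, Via -AutoSize
if ($r.Cycles.Count -gt 0) {
    "Circular nesting detected:"
    $r.Cycles | ForEach-Object { "  $_" }
}
```

With the sample data, the walk lists all eight trustees that end up in FS01\Share-Users (four groups and four users) and reports the Finance-Readers loop once, rather than recursing forever, which is the failure mode a naive expansion hits on exactly the circular nesting the guide describes.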
For more information about reporting, see “Creating Reports” on page 115.

The new Security Editor enhances all instances of the native security editor on all Windows platforms supporting the Quest Access Manager client. It can be accessed through the Access Manager client, as well as through a Windows Explorer extension for files, folders, and shares.

To provide a number of enhanced functions, including auditing and very robust SID resolution capabilities, the Access Manager Security Editor reads and writes security information through the Access Manager server, leveraging the Managed Domain/service account structures defined by administrators. Because the Security Editor leverages the Access Manager server’s security manipulation functions, it automatically gains auditing capabilities. Whenever security information is manipulated by the server, difference calculations are performed, and the resulting change information is written to the Access Manager server’s audit logs. These audits can be used to trace security changes. For more information, see “Edit Security” on page 94.

Licensing

Licensing is based on the number of enabled users and InetOrgPerson accounts per licensed domain in the enterprise. Every Managed Domain is automatically licensed. If you want to turn off the licensing for a domain, you first have to remove the domain from management.

Licensing has three states:
• Managed — Licensed: You are managing computers and users in the domain.
• Unmanaged — Licensed: You want to run queries against accounts in a domain in which you are not managing any computers.
• Unmanaged — Unlicensed: You want to ensure group expansion enumerates groups in the domain, although you will not be running any access queries.

For more information, see “Remove Forests, Domains and Hosts from Management” on page 64.
Service Connection Point (SCP)

Service Connection Points are a standard Active Directory object used by applications to locate applicable services available on the network. Access Manager creates a Service Connection Point within each managed domain so that agents, clients, and third party applications can locate the Access Manager Management Server.

Access to the Application

After installation, the only users who have access to the Management Server are the members of the local Administrators group on the computer where the Management Server is installed. You can add other users or groups, or alter the access the Administrators group has to the server. For more information, see “Delegating Access to Access Manager” on page 27.

Planning your Deployment

To deploy Access Manager you must have the following in place:

Server Installation
• The server is the central hub for communication and therefore should be installed on a reliable and secured computer. It is important that the Administrators group on the Management Server be very secure to ensure the protection of the encryption key.

Server Configuration/Database Creation
• Be sure to install QAM using an account with SysAdmin rights across the network, including the domain controller and the SQL server. If you use an account without full SysAdmin rights on the key system components, you will not be able to successfully configure QAM.
• Before the server is operational, an SQL database must be created for its use.

Domain Identification and Service Account Credentials
• Before you can start managing resources, you must first identify the domains in which those resources reside (Managed Domains), and provide the credentials (service account) that can perform operations on those resources.
You will be prompted to register a domain and service account with Access Manager when you initially configure an Access Manager deployment during the installation. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

Computer Identification
• Before you can start managing resources, you must add computers (Managed Hosts) to the deployment. For details, see “Add a Managed Host to the Deployment” on page 34.

Client Installation

Once the Client and Server are installed and configured, domains have been added, computers have been added, and access has been delegated, users can start gathering security information on the enterprise resources. To use the Access Manager MMC client to access the application, the user must be delegated access through deployment security. For more information, see “Delegating Access to Access Manager” on page 27.

Configuring Access Manager

The key to getting the most from Quest Access Manager is in tailoring it to your particular needs. In this section, you will learn about the various parameters you can set and views you can establish to monitor your particular agents and processes.

Configuring the Management Server

You can accomplish all of your server configuration steps by using the Configuration Wizard.

Set Up a Management Server in a New Deployment

For large, geographically separate Active Directory forests, Quest recommends that you install a Management Server and configure a new deployment in each location so that data being transferred to the server, and the queries and commands being issued from it, do not have to deal with large network latency.

To set up a Management Server in a new deployment
1. From the Autorun, select the Quest Access Manager tab, click Quest Access Manager Server to open the install wizard, then follow the installation instructions.
2. Click Next.
3. Read and accept the license information and click Next.
4. Enter a location for the install and click Next.
5. Click Install.
6. Click Finish. The Quest Access Manager client opens.
7. Enter the name of the Management Server, confirm that the port number is 8722, and click Connect.
   The default port is 8722 and should not be changed. If you need to alter the port number, contact Quest Support for more information.
   A dialog box indicating that the Management Server is not configured opens.
8. Click Yes. The Configuration Wizard opens to guide you through the Management Server setup.
9. Specify a valid license and click Next.
10. Specify the database server and database name, enter the database access credentials, and click Next. These credentials are used both for database creation and subsequent access.
11. Enter the Deployment name and the required Deployment Key information and click Next.
12. Enter the initial Managed Domain (a domain that has an associated service account, in which you can manage resources), the service account credentials, and click Next.
    The service account information is used by the server to take actions within the domain. The service account credentials should have Administrative access to the Managed Domain. When you add this service account, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.
13. Review the Summary page, and click Finish.

Replace or Rejoin an Access Manager Server

While Access Manager uses only a single server per deployment, this server can be replaced or rejoined in the event of hardware failure or other unplanned reconfiguration. This functionality allows an existing server to be rejoined to a deployment, or a new server to connect to an existing Access Manager database and assume all of a decommissioned server’s functionality.

To replace or rejoin an Access Manager server
1. Ensure that the original server is not operational (if replacing). Only one server at a time is permitted to connect to an Access Manager database.
2. Install the Quest Access Manager server components on the new system (if replacing).
3. During the configuration of the server, enter the database server and name used for the deployment.
4. At the prompt for deployment key backup information, select the original deployment’s backup key information, as well as the passphrase associated with the backup. If you do not have the original deployment key backup information, specify a new backup location and passphrase.
   Upon completing the Configuration wizard, you must re-enter all service account password information.

Connect to the Management Server

Management Servers coordinate communication between clients and agents and perform management tasks on users’ behalf.

To connect to a server
1. From the Access Manager client, right-click the Quest Access Manager node and select Connect to Server.
2. Enter the server name.
   – OR –
   Click the Browse button to select a server, and enter the port information.
   The server will be validated to ensure that it has been configured. This port will be used by clients to connect to the Management Server, and should allow incoming connections. The default port is 8722 and should not be changed. If you need to alter the port number, contact Quest Support for more information.

Delegating Access to Access Manager

Quest Access Manager permissions are controlled through a combination of permissions over the Access Manager deployment and permissions applied to Active Directory objects. By default, Access Manager maintains a set of permissions over the Access Manager deployment itself. These control access to the application.
Additionally, when a forest is marked as integrated within the Access Manager console, a set of extended Active Directory rights are added to the forest that allow for fine delegation over individual objects within Active Directory. By default, the BUILTIN\Administrators group of the computer hosting the Management Server has full access to the Access Manager deployment.

Access Manager Deployment Permissions

Application Access
   This permission allows users basic read access to Access Manager. This is the base permission required to use Access Manager that all users must possess. With this permission, a user can connect to an Access Manager server with a client, view configuration information, perform queries, and run reports, provided they have either the QAM Query Trustee Access right over the appropriate target objects or the Bypass Active Directory Delegation permission.

Manage Configuration
   This permission allows users to modify the configuration of Access Manager. With this permission, a user can modify all elements of the configuration of Access Manager, including adding service accounts, Managed Hosts, Managed Domains, and delegated Access Manager permissions. This right should only be granted to highly trusted accounts.

Bypass Active Directory Delegation
   This permission allows users to bypass all delegation through Active Directory and grants full access to the application. This includes querying trustee access and local group management features. In cases where a domain cannot be integrated with Active Directory, this permission must be granted to all Access Manager users to allow them to use the query and local group management features.

Allow Directory Browsing
   This permission allows users to browse licensed domains for trustees to be added to machine local groups. Without this right, a user cannot browse for trustees to add to machine local groups through the Access Manager client.
Manage Resource Auditing Settings
   This permission is required for client users to make changes to the SACLs of resources. With this right, client users are permitted to make changes to object SACLs on any managed hosts, so long as they have the Change Permissions right on the target resources. Note that this is subtly different from what is enforced natively, where a client user would require the "Manage auditing and security log" right on the target computer.
   Note: With this Access Manager deployment permission, a client user will not require this native privilege, so care should be taken in delegating this deployment permission.

Self-Service Access
   This permission allows trustees to use Quest Access Manager Self-Service functionality.

Resource Security Query Access
   This permission allows the user to run resource security reports such as Resource Access and Local Rights and Service Identities. This right should only be granted to highly trusted accounts.

Active Directory Permissions

When a domain is marked as integrated, Access Manager adds extended right objects to the forest to which the domain belongs. This allows the delegation of rights over various Access Manager operations using native Active Directory delegation. If a user has the "Bypass Active Directory Delegation" permission, then they will not be subjected to any Active Directory access checks; any access delegations made in Active Directory are ignored.

The following rights are added to each domain in an integrated forest:

QAM Query Trustee Access
   This permission is available on users, InetOrgPerson objects, groups, and computers. If a user has this permission with respect to a user, group, or InetOrgPerson, they will be permitted to see the full access information related to that user or group. If a user does not have this permission, any access information for this user will be filtered from the results. If a user has this permission on a computer, then the user may see the access on that particular computer from any built-in account, local user or group, or well-known security principal.

QAM Manage Machine Local Groups
   This permission is available on computers. Access Manager users are permitted to manage the machine local groups of any computer over which they have been granted this permission. Users granted this permission do not need to be in any of the groups on the target computer that would generally allow them to manage machine local groups (Server Operators, Administrators, and others), provided changes to machine local groups are performed through Access Manager.

QAM Read Local Groups
   This permission is available on computers. Access Manager users are permitted to enumerate and view the memberships of computers over which they have been granted this right without being able to natively view those groups.

QAM Manage Machine Local Admins Group
   The QAM Manage Machine Local Groups permission allows management of all local groups on the computer except the Administrators group. To manage the Administrators group, the QAM Manage Machine Local Admins Group permission is required.

For ActiveRoles Server integration you must have Read access in Access Manager, and the running account must have the proper rights in ActiveRoles Server. No actual changes are made within Access Manager for the integration; all changes are made within ActiveRoles Server.

To set the level of access to the Access Manager deployment
1. Right-click the Quest Access Manager node and select Deployment Security.
2. Add and remove users and groups as required and click OK.

Add Forests, Domains, Hosts and Agents

Before you can gather security information on the resources in your enterprise, you must add the required forests, domains, and computers to the Access Manager deployment and provide credentials that can access those resources.
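Returning to the permission tables above: the way the deployment permissions and the QAM extended rights combine in an access decision is easier to review as code than as prose. The following is an added example and not Quest code. The permission names are the ones listed in the tables; the Principal record, the ad_rights mapping (AD object name to the QAM rights held on it), the Trustee Access rows and the sample accounts are assumptions made for the example.

```python
"""Model of the Access Manager access checks described in the permission tables.

Added example, not Quest code. The permission names are the ones listed in
the deployment and Active Directory permission tables; how they combine is
written from the table descriptions, and Principal/ad_rights are assumed
shapes for the example.
"""
from dataclasses import dataclass, field

APPLICATION_ACCESS = "Application Access"
BYPASS_AD = "Bypass Active Directory Delegation"
MANAGE_AUDITING = "Manage Resource Auditing Settings"
QUERY_TRUSTEE = "QAM Query Trustee Access"
MANAGE_LOCAL_GROUPS = "QAM Manage Machine Local Groups"
MANAGE_LOCAL_ADMINS = "QAM Manage Machine Local Admins Group"


@dataclass
class Principal:
    name: str
    deployment_perms: set                          # deployment permissions held
    ad_rights: dict = field(default_factory=dict)  # AD object -> QAM rights on it


def can_connect(p):
    """Application Access is the base permission every client user needs."""
    return APPLICATION_ACCESS in p.deployment_perms


def _local_to(trustee, computer):
    """A built-in account, local user or local group is named COMPUTER\\name."""
    return "\\" in trustee and trustee.split("\\", 1)[0].lower() == computer.lower()


def filter_trustee_access(p, rows):
    """Filter Trustee Access results for a caller.

    rows are constructed (trustee, computer, resource) tuples. A row survives if
    the caller holds QAM Query Trustee Access on the trustee, or on the computer
    when the trustee is local to that computer. Bypass skips all AD checks.
    """
    if not can_connect(p):
        raise PermissionError(f"{p.name} lacks {APPLICATION_ACCESS}")
    if BYPASS_AD in p.deployment_perms:
        return list(rows)
    kept = []
    for trustee, computer, resource in rows:
        if QUERY_TRUSTEE in p.ad_rights.get(trustee, set()):
            kept.append((trustee, computer, resource))
        elif _local_to(trustee, computer) and QUERY_TRUSTEE in p.ad_rights.get(computer, set()):
            kept.append((trustee, computer, resource))
    return kept


def can_manage_local_group(p, computer, group):
    """Machine local group management through Access Manager.

    The Administrators group needs QAM Manage Machine Local Admins Group on
    the computer; any other local group needs QAM Manage Machine Local Groups.
    """
    if not can_connect(p):
        return False
    if BYPASS_AD in p.deployment_perms:
        return True
    needed = MANAGE_LOCAL_ADMINS if group.lower() == "administrators" else MANAGE_LOCAL_GROUPS
    return needed in p.ad_rights.get(computer, set())


def can_edit_sacl(p, has_change_permissions):
    """SACL edits need the deployment permission plus Change Permissions on the
    resource; the native 'Manage auditing and security log' privilege is not
    consulted, which is why the deployment permission deserves care."""
    return can_connect(p) and MANAGE_AUDITING in p.deployment_perms and has_change_permissions


# Constructed principals and query rows for the usage below.
ROWS = [
    ("CORP\\bob", "SRV01", "D:\\Shares\\Finance"),
    ("CORP\\carol", "SRV01", "D:\\Shares\\Finance"),
    ("SRV01\\Administrator", "SRV01", "D:\\Shares\\Finance"),
    ("CORP\\bob", "SRV02", "E:\\Data"),
]
ANALYST = Principal("analyst", {APPLICATION_ACCESS}, {
    "CORP\\bob": {QUERY_TRUSTEE},
    "SRV01": {QUERY_TRUSTEE, MANAGE_LOCAL_GROUPS},
})
OPERATOR = Principal("operator", {APPLICATION_ACCESS, BYPASS_AD})
GUEST = Principal("guest", set())

if __name__ == "__main__":
    for row in filter_trustee_access(ANALYST, ROWS):
        print("analyst sees", row)
    print("analyst manages SRV01 Administrators:",
          can_manage_local_group(ANALYST, "SRV01", "Administrators"))
```

The analyst sees CORP\bob's access on both computers and SRV01\Administrator's access on SRV01 (the computer-level right), but CORP\carol's rows are filtered; the operator with Bypass Active Directory Delegation sees everything and may manage any local group, which is the reason the table reserves that permission for the case where a domain cannot be integrated.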
Add a Forest to the Deployment

When you add a Managed Domain and its forest is not already added, Access Manager will automatically register it using the service account provided for the domain. You also have the option of registering the forest and providing its own service account.

To add a forest
1. Expand Quest Access Manager, Configuration, and select Managed Domains.
2. Click in the right pane, right-click the Managed Domain node, and select Add Forest.
3. Enter the DNS Name, select a service account, and select Add.
   – OR –
   Click New to create a new service account.
4. Click Next.
   The service account must have sufficient access to query group membership within the forest. You can right-click a Managed Forest in the right pane to view its properties and change the associated service account.
5. Click Finish.

Add a Domain to the Deployment

Adding domains allows you to register Managed Hosts (computers that you want to query) from those domains. If a domain is not managed, it cannot have Managed Hosts.

When a domain is brought under management, an operation is performed to ensure Access Manager can function properly with resources from that domain. An Access Manager container is created in the domain’s System container. This container holds a set of Service Connection Point objects, which are used by the components of Access Manager to find one another. Agents and clients use this information to determine where the Management Server they should connect to exists.

Only domains that have a trust relationship with the Management Server’s domain can be managed.

To add a domain
1. Expand Quest Access Manager, Configuration, and select Managed Domains.
2. Click in the right pane, right-click the Managed Domain node, and select Add Managed Domain.
3. Enter the domain DNS name, select an existing service account to associate with the domain, and click Finish.
   – OR –
   Enter the domain DNS name, click New to create a new service account to associate with the domain, enter the account name and credential, and click Finish.
   When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

If required at a later date, you can easily associate a different service account. For information, see “Change the Service Account Used to Access Information” on page 62. You can right-click a managed domain in the right pane to view its properties and change the associated service account. When a managed domain service account is changed, remote agents in that domain will have their service accounts updated by the Management Server. The agents will be restarted.

View and Ignore Externally Trusted Domains

Access Manager determines group membership (member of) through all of the groups to which the user belongs in their home forest, any groups they are in by virtue of forest trusts, or any groups they are in by virtue of incoming external trusts with the domain in which they reside. Managed domains can have child trusts, forest trusts, and external outgoing one-way trusts that allow principals from other domains to have access to the managed domain. As such, the group resolution picture or security picture would not be complete without understanding the membership from these domains.

If you do not want to query a domain for group resolution purposes, you can mark the domain so that Access Manager will no longer contact it. The Group Resolution Status column indicates whether or not it is ignored. The possible values include:
• Unknown: Not yet contacted for group resolution
• OK: Available for group resolution
• Disabled: Disabled for group resolution

The External Trust Type column displays whether the trust is incoming, outgoing, or bi-directional.
You cannot select to ignore a managed domain.

To view external trusts and ignore a domain
1. Expand Quest Access Manager, Configuration, and select Managed Domains.
2. Right-click a Managed Domain, and select Properties.
3. Click the External Trusts tab.
   All externally trusted domains are displayed. From here, you can choose to ignore those that you are not interested in.
4. Right-click a trusted domain, and select Ignore Domain.
   If you select to ignore a domain, it will not be contacted and any principals from this domain will not be considered in queries.
   – OR –
   Right-click and select Resolve Domain.
   When you select to resolve the domain, it is no longer excluded from “Group Member Of” and “Group Member” operations. As such, users and groups from this domain will be included in query results. If the domain is down, however, due to network access or any other issue, the only artifacts will be log entries and issues within the issue list for the problem encountered.

To mark a child domain as ignored, right-click an unmanaged domain in the Managed Domains view and select Ignore Domain.

Add a Managed Host to the Deployment

When you add a managed host, you have the option of installing a local agent on the same computer or configuring a remote agent installed on another computer. If you install a locally managed host, you have the option of automatically installing the agent with the host, or manually installing the agent later.

Only computers in domains that are managed can be added as Managed Hosts. To add a domain other than the domain specified during installation, see “Add a Domain to the Deployment” on page 31.

If you choose to add a remote agent to a Managed Host, the first remote agent must be configured during the deployment of the Managed Host. You can add more remote agents later, if needed. More than one remote agent may be used to scan a Managed Host. This is particularly useful if the host has a large set of data roots. Multiple agents may not scan the same data root.

For more information about remote and local agents, see “Access Manager Agent” on page 13.

Network Attached Storage Devices

You can add Network Attached Storage (NAS) devices as managed hosts, with remote agents. You can enable both real-time file system updates and resource activity tracking on these devices. For details on compatible NAS devices, see the Quick Start Guide.

Enabling resource activity allows collection of usage information. For details, see “Tracking Resource Activity” on page 50.

When enabling resource activity for a NetApp filer, Access Manager creates and enables an FPolicy on the target host responsible for monitoring file activity for the specified data roots. The FPolicy is named after the agent instance, such as BW_30d83dc5882449f28d49059b948647c1. To view an FPolicy, establish a Telnet or SSH connection to the filer device, log in and type: “fpolicy”.

Do not use the computer hosting a remote agent watching a NetApp filer to perform actions on that NetApp filer (reads, writes, and so on). If you do, the agent will not record the activity data.

When you remove an agent, the FPolicy is deleted.

For information about configuring an EMC Celerra device, see “Appendix A: Configuring EMC Celerra” on page 143.

Agent Deployment

Agent Deployment Best Practice

When deploying Access Manager agents, local agents are generally preferable to remote agents. Local agents reduce network bandwidth and increase responsiveness. In cases where it is not possible to deploy local agents to a system (such as when using a network attached storage device, or a virtual cluster node), the following best practices should be considered:
• When deploying multiple remote agents to a hosting computer, limit the number of agents to 20. Too many agents, especially those for which remote real-time file system indexing is enabled, can use more resources than are available, causing intermittent failures in indexing operations.
• When deploying agents to remotely index, ensure that the agents are hosted on computers that have low latency, high bandwidth connections to their targets. This ensures that agents that have real-time remote file system indexing enabled will not suffer from periodic watch failures.
• Avoid deploying more than 5 agents to the computer hosting the Access Manager server itself. The Access Manager server requires significant network resources to perform its various operations. When agents are deployed to this system, they compete for these network resources. Leaving the server with as few agents as possible ensures that it will not suffer performance degradation due to resource scarcity.

Adding a Managed Host with a Local Agent

To add a managed host with a local agent
1. Expand Quest Access Manager, right-click the Managed Hosts node, and select Add Managed Host.
2. In the Select Management Method box, select Locally managed through a locally installed agent, and click Next.
   When you add a Managed Host, you can choose to automatically install an agent or choose manual installation to defer the agent installation to a later date.
3. In the Agent Deployment box, choose between Automatic installation from the Management Server or Manual installation, and click Next.
   An agent must be configured for the computer to communicate with the server and gather resource information. Until this is done, no resource access will be reported for this computer.
4. Select the domain in which the host resides, select the host, and click Add.
   Only computers with Windows 2000 Server operating systems or later, and certain NAS devices, will be displayed while adding computers to be managed by Quest Access Manager. For details on compatible NAS devices, see the Quick Start Guide.
5. If you have chosen the manual agent installation, the task of adding a managed host is now complete. If you are installing the agent automatically with the managed host, you must now decide if you want to enable resource activity tracking for the agent.
   Resource activity tracking is used to collect data on identities, reads, writes, creates, moves, renames and security changes on files and folders. This information is required for several report types, including the Resource Activity report. For more information, see “Creating Reports” on page 107.
   Resource activity tracking is not supported with MS SQL Express. You must use SQL Server Standard or Enterprise Edition with this feature.
6. In the Settings box, set the Granularity for the resource activity tracking.
   Granularity specifies how often resource activity data is aggregated. As an example, if the time is set to an hour, the aggregation for all activity for a given user on a given resource in that hour is 1. The time stamps for resource activity are based on the agent local time.
7. To limit network traffic, select Synchronize only between these times and set the From and To values. This setting specifies when the agent sends the resource activity data to the management server.
8. To change the identities, files, or folders that are excluded from tracking, click the Manage Exclusions button and select the objects to exclude.
   Certain administrative identities, file extensions, and folders are excluded by default. You can see the full list by clicking the Manage Exclusions button. If the list is empty, click Default to populate the exclusions with default values.
   Use the Export and Import buttons on their respective tabs to export and import a list of SIDs, file types, or folders to exclude. For information on the file syntaxes, see the parameter descriptions in “Add-QManagedHostByAccountName” on page 156. For folders, you can also drag and drop from Windows Explorer.
9. Click Finish.
10. Select Refresh to update the view.
    The agent will now be installed on the selected computers. It takes a few minutes for the agent to start collecting data for the new managed host. As the state changes, a regular refresh will allow you to see the changes.

For more information on Managed Host properties and changing the associated service account, see “Locally Managed Host Properties” on page 49.

You can remove computers from the deployment by selecting the Managed Host node, right-clicking the required computer, and selecting Remove.

Adding a Managed Host with a Remote Agent

To add a managed host with a remote agent
1. Expand Quest Access Manager, right-click the Managed Hosts node, and select Add Managed Host.
2. In the Select Management Method box, select Remotely managed through an agent on another computer, and click Next.
   For remotely managed hosts, the first remote agent must be added during the host’s initial deployment. You can manually add more remote agents later, if needed. For information about agents, see “Access Manager Agent” on page 13.
3. Select a Host Computer (on which to install the agent) from within the same forest as the target computer, and select a service account with sufficient permissions to access the target computer.
4. Define a schedule for the agent to scan the target computer, and select the required real-time file system updates setting. For information about the real-time file system updates settings, see “Remote Agent Settings” on page 57.
5. Select the data roots that will be indexed by this agent, and click Finish.
   Only one agent can scan a given data root.
   The agent will now be installed on the selected computer.
6. To view the users and groups associated with the new managed host, select the Refresh menu option.
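The three resource activity settings in the local-agent procedure above (Granularity, the synchronization window, and the identity, file type and folder exclusions) interact in a way that is worth seeing on concrete events. The following is an added example and not Quest agent code: the exclusion lists, the event records, the SIDs, paths and timestamps, and the aggregated record layout are all constructed for the example, and the page does not describe the agent's own storage format or exclusion file syntax.

```python
"""Resource activity aggregation by granularity, with exclusions and a sync window.

Added example, not Quest agent code. The exclusion lists, the event records and
the record layout are constructed for the example; the product's own file
syntaxes and storage format are not shown on this page.
"""
from datetime import datetime, time, timedelta

# Constructed exclusions in the three categories the Manage Exclusions dialog
# offers: identities (SIDs), file types and folders.
EXCLUDED_SIDS = {"S-1-5-18"}                      # LocalSystem
EXCLUDED_EXTENSIONS = {".tmp", ".lnk"}
EXCLUDED_FOLDERS = {"D:\\Shares\\Finance\\~scratch"}


def is_excluded(sid, path):
    """True when the identity, file type or folder is on an exclusion list."""
    p = path.lower()
    if sid in EXCLUDED_SIDS:
        return True
    if any(p.endswith(ext) for ext in EXCLUDED_EXTENSIONS):
        return True
    for folder in EXCLUDED_FOLDERS:
        f = folder.lower().rstrip("\\")
        if p == f or p.startswith(f + "\\"):
            return True
    return False


def bucket_start(ts, granularity):
    """Floor a timestamp (agent local time) to the start of its granularity window."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = (ts - midnight) // granularity
    return midnight + windows * granularity


def aggregate(events, granularity=timedelta(hours=1)):
    """Collapse raw events to one record per (user, resource, window).

    events are constructed (timestamp, sid, operation, path) tuples. With an
    hour granularity, all activity by one user on one resource within the hour
    becomes a single record; the operation set and raw count kept on the
    record are this example's addition.
    """
    records = {}
    for ts, sid, operation, path in events:
        if is_excluded(sid, path):
            continue
        key = (sid, path, bucket_start(ts, granularity))
        rec = records.setdefault(key, {"operations": set(), "events": 0, "first": ts, "last": ts})
        rec["operations"].add(operation)
        rec["events"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return records


def in_sync_window(now, start, end):
    """Whether the agent may send data now, given the Synchronize only between
    these times From/To values; a window such as 22:00 to 05:00 spans midnight."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


# Constructed raw events for one morning on a Managed Host.
USER_A = "S-1-5-21-1000-2000-3000-1001"
USER_B = "S-1-5-21-1000-2000-3000-1002"
REPORT = "D:\\Shares\\Finance\\Q3.xlsx"
EVENTS = [
    (datetime(2011, 11, 3, 9, 5), USER_A, "read", REPORT),
    (datetime(2011, 11, 3, 9, 40), USER_A, "write", REPORT),
    (datetime(2011, 11, 3, 10, 2), USER_A, "read", REPORT),
    (datetime(2011, 11, 3, 9, 15), "S-1-5-18", "read", REPORT),                                 # excluded SID
    (datetime(2011, 11, 3, 9, 20), USER_B, "create", "D:\\Shares\\Finance\\~scratch\\a.tmp"),  # excluded folder and type
    (datetime(2011, 11, 3, 9, 25), USER_B, "security", REPORT),
]

if __name__ == "__main__":
    for (sid, path, window), rec in sorted(aggregate(EVENTS).items()):
        print(window.strftime("%H:%M"), sid, path, sorted(rec["operations"]), rec["events"])
    print("send at 23:30?", in_sync_window(datetime(2011, 11, 3, 23, 30), time(22, 0), time(5, 0)))
```

With the one-hour granularity the six raw events collapse to three records (two excluded, and USER_A's 09:05 read and 09:40 write merged into one); a 15-minute granularity on the same events yields four. The sync window check is the detail that is easy to get wrong: a From of 22:00 and a To of 05:00 must be treated as crossing midnight rather than as an empty interval.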
For more information, see the following:
• “Remotely Managed Host Properties” on page 51
• “Agent Properties” on page 54
• “Change the Service Account Used to Access Information” on page 62

Add an Additional Remote Agent to a Managed Host

If you added a remote agent when deploying a Managed Host, you can manually add more remote agents to that host. When adding a remote agent, ensure a trust exists between the host and the resource domains.

To add an additional remote agent
1. Expand Quest Access Manager and select Managed Hosts.
2. Right-click the Managed Host to which you want to add the remote agent and select Add Agent.
3. Select a host cluster, NetApp filer, or Windows host from within the same forest as the target host.
4. Select a service account with sufficient permissions to access the target host.
5. Define a schedule for the agent to scan the target computer, select the required real-time file system updates settings, and click Next. For information about the real-time file system updates settings, see “Remote Agent Settings” on page 57.
6. Select the data roots that will be indexed by this agent and click Finish.
   The agent cannot scan a data root that is already being scanned by another agent.
   The agent will now be installed on the selected computer. To view the users and groups associated with the Managed Host, select the Refresh menu option.

Automatic Agent Safety Check

If the volume hosting an agent store has fewer than 2 GB of available space, the agent service will automatically shut down. This is a safeguard to prevent disruption of other services hosted on the computer, allowing you time to add a volume or reallocate space.

This is just one of the reasons why an agent might have stopped. To determine if low space on the host volume was the cause, check the Events tab in the agent properties. For more information, see “Agent Properties” on page 54.
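The agent placement rules scattered across this section (one agent per data root, a remote agent host in the target's forest, at most 20 remote agents per hosting computer, at most 5 agents on the Management Server, local agents preferred where the target can run one, and the 2 GB agent store safety check) can be checked against a planned deployment before any wizard is run. The following is an added example and not Quest tooling: the Agent record, the forest and host-kind maps, the host names and the plan are constructed; the limits are the ones stated in the text.

```python
"""Check an agent deployment plan against the constraints in this section.

Added example, not Quest tooling. The Agent record, the forest and host-kind
maps and the plan below are constructed; the limits come from the text
(20 remote agents per hosting computer, 5 agents on the Management Server,
one agent per data root, 2 GB of free space on the agent store volume).
"""
from collections import Counter
from dataclasses import dataclass

MAX_REMOTE_AGENTS_PER_HOST = 20
MAX_AGENTS_ON_SERVER = 5
MIN_STORE_FREE_BYTES = 2 * 1024 ** 3


@dataclass(frozen=True)
class Agent:
    target: str                # Managed Host whose data roots are scanned
    host: str                  # computer running the agent; equals target for a local agent
    data_roots: tuple
    store_free_bytes: int = 10 * 1024 ** 3

    @property
    def remote(self):
        return self.host.lower() != self.target.lower()


def validate_plan(agents, forest_of, kind_of, management_server):
    """Return (errors, warnings) for a list of Agent records.

    errors are conditions the product refuses or that stop an agent; warnings
    are the best-practice limits and the local-agent preference.
    """
    errors, warnings = [], []

    # Only one agent may scan a given data root of a Managed Host.
    owners = {}
    for a in agents:
        for root in a.data_roots:
            key = (a.target.lower(), root.lower())
            if key in owners:
                errors.append(f"{a.target}:{root} scanned by both {owners[key]} and {a.host}")
            else:
                owners[key] = a.host

    for a in agents:
        # A remote agent's host must be in the same forest as its target.
        if a.remote and forest_of.get(a.host) != forest_of.get(a.target):
            errors.append(f"{a.host} is not in the forest of {a.target}")
        # Below 2 GB free the agent service shuts itself down.
        if a.store_free_bytes < MIN_STORE_FREE_BYTES:
            errors.append(f"agent store for {a.target} on {a.host} has under 2 GB free")
        # Local agents are preferred where the target can run one.
        if a.remote and kind_of.get(a.target, "windows") == "windows":
            warnings.append(f"{a.target} is a Windows host; prefer a local agent")

    for host, n in Counter(a.host for a in agents if a.remote).items():
        if n > MAX_REMOTE_AGENTS_PER_HOST:
            warnings.append(f"{host} hosts {n} remote agents (limit {MAX_REMOTE_AGENTS_PER_HOST})")
    on_server = sum(1 for a in agents if a.host.lower() == management_server.lower())
    if on_server > MAX_AGENTS_ON_SERVER:
        warnings.append(f"{on_server} agents on the Management Server (limit {MAX_AGENTS_ON_SERVER})")

    return errors, warnings


# Constructed environment and plan.
FOREST_OF = {"QAM-SRV": "corp.local", "FS01": "corp.local", "FS02": "corp.local",
             "AGENTHOST1": "corp.local", "FILER1": "corp.local",
             "CLUSTER1": "corp.local", "PARTNERAGENT": "partner.local"}
KIND_OF = {"FILER1": "nas", "CLUSTER1": "cluster"}   # everything else is a Windows host
GOOD_PLAN = [
    Agent("FS01", "FS01", ("D:\\Shares",)),                                # local agent
    Agent("FILER1", "AGENTHOST1", ("/vol/vol1", "/vol/vol2")),             # remote agent for a NAS
]
BAD_PLAN = GOOD_PLAN + [
    Agent("FILER1", "AGENTHOST1", ("/vol/vol2",)),                         # duplicate data root
    Agent("CLUSTER1", "PARTNERAGENT", ("E:\\Data",)),                      # host in another forest
    Agent("FS02", "QAM-SRV", ("D:\\Data",), store_free_bytes=1024 ** 3),   # remote for Windows, low space
]

if __name__ == "__main__":
    errs, warns = validate_plan(BAD_PLAN, FOREST_OF, KIND_OF, "QAM-SRV")
    print("\n".join(["errors:"] + errs + ["warnings:"] + warns))
```

The duplicate-root and cross-forest cases are reported as errors because the wizards will not accept them, and the low-space case because the safety check would stop the agent shortly after installation; the over-20 and over-5 counts and the remote-for-a-Windows-host case are warnings because the text presents them as best practice rather than enforced limits.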
Agent List View You can view the remote agents on a given Managed Host by selecting the host in the right window and right-clicking to bring up the Properties panel. Clicking the Agent tab lists all remote agents for that host. Restart Agents You must restart an agent when: • A new storage volume is added to the system. • The agent computer’s network or firewall configuration renders it unable to contact the server. When an Access Manager agent is restarted, it re-creates all information within its local index. The server index is updated when the full scan completes. A full scan occurs with a restart if you have enabled this option in the agent’s Properties. To determine whether data in the client is the most current from the agent, ensure that the data state of the managed host being examined is marked as “Data Available.” To restart an Agent 1. Expand the Managed Host node and select the required Managed Host. 2. Right-click and select Restart Agent. You can select the number of Agents you want to restart, either by using Ctrl + click to select multiple items, or Shift + click at the top and bottom of a contiguous series of items to select them all. You can also restart the Agent through Managed Host properties. 39 Quest Access Manager Update Agents If the agent version that you are running is older than the current installed Management Server, you can update the agent from the Access Manager console. When an upgrade is available for an agent, the status of the Managed Host will display as Agent Update Required. To update an agent • Right-click the Managed Host, and select Upgrade Agent. When you upgrade a Remotely Managed Host, the agent settings for real-time file system updates will be disabled by default. You can select the number of Agents you want to update, either by using Ctrl + click to select multiple items, or Shift + click at the top and bottom of a contiguous series of items to select them all. 
You can also update the Agent through Managed Host Properties.

Add a Cluster (Managed Host) to the Deployment

Once installed, a managed cluster is functionally identical to a remotely Managed Host. However, the nature of clusters requires that they only be managed remotely. Additionally, the remote agent must be configured after the cluster has been added to the deployment as a Managed Host. Only Windows failover cluster configurations are supported.

To add a cluster
1. Expand Quest Access Manager and select Managed Hosts.
2. Right-click and select Add Cluster Host.
3. Select the Managed Domain containing the cluster from the list. Once the domain has been selected, the wizard enumerates the clusters available in the domain.
4. Select the cluster to be added to the Managed Domain and click Finish.

The managed cluster has been added to the Managed Domain. However, no agents have been deployed to the managed cluster. To add an agent to the managed cluster, see “Add an Additional Remote Agent to a Managed Host” on page 38.

License a Domain

Once a domain is added to the deployment it is automatically licensed for use, and only users, groups, and computers within these domains are available to manage. When a forest is added, all domains in the forest are automatically licensed.

When the number of enabled users in registered domains exceeds the number of licensed users, you will be notified of the license violation. To correct this violation, contact Quest Sales and purchase additional licenses, or remove domains from being licensed. Because the license agreement is calculated on the number of licensed users, you can remove the license on those domains that you do not want to query for access information. Only domains that are not managed (for example, external domains that do not have agents deployed or Managed Hosts) can be unlicensed.

To remove the license for a specific domain
1. Expand Quest Access Manager, Configuration, and select the Managed Domains node.
2. Right-click the domain, and select Remove License.

To license a domain
• Expand the Managed Domain node, select an unlicensed domain, right-click and select License.

Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server

You can manage resources from the Access Manager console, from Active Directory Users and Computers, and from Quest ActiveRoles Server once they have been integrated. Users or groups with Read access can integrate with ActiveRoles Server. However, to integrate with Active Directory, users must be delegated Write access. For more information, see “Delegating Access to Access Manager” on page 27.

Active Directory Users and Computers

To use Access Manager functionality from Active Directory Users and Computers, you must have the Client installed on the computer and register the computer’s Active Directory forest within Quest Access Manager. Only forests that are added to the deployment can be registered for Active Directory integration. For more information, see “Add a Forest to the Deployment” on page 31.

When integrating with Active Directory, Access Manager uses the credentials of the user running the Client. The user must have the required permission to modify the contents of the Display Specifiers container in the forest’s configuration partition. This is usually limited to users in the Enterprise Administrators group.

To integrate with Active Directory Users and Computers
1. Expand Quest Access Manager, Configuration and select the Managed Domains node.
2. Right-click the forest where the Access Manager extensions will be registered, select Integrate with Active Directory, and click Finish.

Quest ActiveRoles Server

Once you have integrated with ActiveRoles Server, you can easily manage resources with Access Manager.
ActiveRoles Server Web Integration

The web integration allows you to use Access Manager and detailed resource security information directly from ActiveRoles Server. You can view access on selected resources from both the ActiveRoles Server MMC Client and from the Web client. When extending the ActiveRoles Server Web Interface, you must install the Access Manager Web Integration package, ARSWebIntegration.msi, on all IIS servers hosting the ActiveRoles Server Web Interface. Once the web integration has been installed and configured, you can view user and group access to files, folders, and shares.

To integrate Access Manager with ActiveRoles Server MMC Console and Web Client

For ActiveRoles Server integration you must have Read access in Access Manager and the running account must have the proper rights in ActiveRoles Server. No actual changes are made within Access Manager for the integration; all changes are made within ActiveRoles Server. For more information, see “Delegating Access to Access Manager” on page 27.

1. Expand Quest Access Manager, and select the Applications node.
2. Right-click ActiveRoles Server, and select ActiveRoles Server Integration. You have the option of integrating Access Manager capabilities with both the ActiveRoles Server MMC Console and the Web Client.
3. Select the appropriate options and click Apply.

For the Access Manager management options to display in the MMC Console, you must have the Access Manager client installed and you will need to restart the Quest ActiveRoles Server service. For the Access Manager options to display in the Web Client, you will need to select Customization | Reload from within the Web Client. Once you have finished the integration, you will be able to view access either through the MMC Console or the Web Client by selecting a user or group and choosing to Show Access.
After upgrading your ActiveRoles Server web components, you must uninstall and re-install the Quest Access Manager Web Integration Pack on all upgraded web servers.

To view user and group access through the ActiveRoles Server Web Client
1. Select the Directory Management option in the ActiveRoles Server web client.
2. Select the Menu tab, and the required user or group.
3. Select Show Access. You will see the resources to which the selected user or group has access. As you browse through the access, you will see all the specifics such as whether the access is obtained directly through the ACL or indirectly through group membership, the resource and trustee name, the rights over the resource, and how inheritance has been applied.
4. Right-click to filter the results to remove common built-ins (built-in Administrators and Users groups) and those resources where access is obtained indirectly through group membership. You have the option of customizing the way that the web client displays and sorts the information. Specifically, you can change the order in which the information is displayed, select the columns to display, and group the information by the column that suits your needs.
5. You can also:
a) Click the column header and sort in ascending/descending order.
b) Group the results by a specific column by dragging the column header to the group by option.
c) Select the drop-down arrow to filter the results based on the column contents.
d) Select the key icon to filter the results based on the following: Begins with, Contains, Ends with, Equals, Doesn’t equal, Is less than, Is less than or equal to, Is greater than, Is greater than or equal to.
e) Right-click the columns and Show Customization Window to select the fields to display.

Access Manager Self-Service Request Client

The Access Manager Self-Service Request client allows users to request access to resources while maintaining the approval process included in ActiveRoles Server.
To allow users to use the Self-Service Access Request client, the Access Manager Self-Service package (QuestAccessManager_SelfServiceClient_x86.msi or QuestAccessManager_SelfServiceClient_x64.msi) must be deployed. You must also configure its options, and delegate the Self-Service Access right. For details, see “Delegating Access to Access Manager” on page 27.

For a user to make use of the Access Manager Self-Service functionality, the user must be from a forest that is registered in the Managed Domains view, in addition to being granted the right to access self-service on the deployment.

To configure the Self-Service Client
1. Expand Quest Access Manager, and select the Applications node.
2. Right-click ActiveRoles Server, and select Access Manager Self-Service Configuration.
3. Select to allow users to request access to resources, and enter the ActiveRoles server that will be used to satisfy self-service requests.
4. Select to allow groups that have not been published on the ActiveRoles server.

Allowing non-published groups

If this option is selected, groups that have not been marked as published within ActiveRoles Server can be included in the list of groups to which a user can request access. When these groups are encountered, the requesting user’s rights are checked, and the group is only included in their list of available selections if one of the following two criteria is met:
• The requesting user has the ability to modify the membership of the group.
• The requesting user has the right to add themselves to the membership of the group granted through ActiveRoles Server.

If either of these two rights is held by the user, the group will be presented as a valid option for requesting access.
For groups meeting these criteria, if the user has the right through ActiveRoles Server to add themselves to the group, the operation will be attempted, and subjected to any membership modification workflows specified by ActiveRoles Server. If no workflows have been defined, and the user is permitted to modify the membership of the group, they will be automatically added to its membership list.

5. Enter the Help Desk Information that will be displayed to the users (Help message, Help Desk phone number and email address, email subject, and email body).
6. Click Apply.

To use the Self-Service feature
1. A user right-clicks a folder and selects Request Access.
2. They select either Read or Contribute access. A list of groups that will grant the user the requested access to the resource will be displayed. Quest Access Manager uses a variety of criteria to determine suitability for group selection, based on Microsoft’s best practices for setting file and folder security in a distributed environment. Under certain conditions, a security group that would give users their requested access may be deemed to be inappropriate and therefore the group will not be displayed as an available option. Please consult Microsoft’s documentation for more information.
3. The user simply clicks the required group, enters a reason to join the group, and clicks OK to send a request to join the group.

Should any questions or issues arise, users have the ability to contact the Help Desk for support if an email application has been configured on the client.

Explicit Exclusion of Groups

You may want to mark certain groups as being ineligible for self-service requests, especially when Access Manager is configured to allow for non-published groups to be presented. In this case, it is possible to mark either specific groups, or all groups within a particular Active Directory container, as being ineligible for access requests.
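The registry-based exclusion described in this section (string values under the ExclusionByDN key, named by group DN, with an asterisk prefix for a whole container) can be scripted and reviewed before it is applied; the PowerShell below is an added example and is not the product's own tooling. It takes the key path from this section, leaves the value data empty because the guide specifies only the value name, and reads an asterisk entry as matching groups whose parent container is exactly the given DN (whether Access Manager also matches nested containers is not stated here); Add-SelfServiceExclusion, Get-SelfServiceExclusion and Test-GroupExcluded are names chosen for this example.

```powershell
# Added example, not from the Quest guide: scripts the ExclusionByDN registry
# entries that the "Explicit Exclusion of Groups" procedure describes, and
# evaluates a group DN against those entries with the same rule.
# Assumptions (not stated by the guide): value data is left empty because the
# guide only specifies the value NAME; an asterisk entry is read here as
# "groups whose parent container is exactly this DN".

$ExclusionKey = 'HKLM:\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN'

function Add-SelfServiceExclusion {
    # Creates only the documented subkeys if they are missing and adds one string value.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [switch] $EntireContainer   # prefix the DN with "*" to exclude every group in the container
    )
    $valueName = if ($EntireContainer) { "*$DistinguishedName" } else { $DistinguishedName }
    if ($PSCmdlet.ShouldProcess($ExclusionKey, "create string value '$valueName'")) {
        if (-not (Test-Path -LiteralPath $ExclusionKey)) {
            # -Force creates the missing DeploymentData \ SelfServe \ ExclusionByDN chain
            New-Item -Path $ExclusionKey -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $ExclusionKey -Name $valueName -Value '' `
            -PropertyType String -Force | Out-Null
    }
}

function Get-SelfServiceExclusion {
    # Reads back the value names; GetValueNames() avoids wildcard expansion of "*" names.
    if (-not (Test-Path -LiteralPath $ExclusionKey)) { return @() }
    return @((Get-Item -LiteralPath $ExclusionKey).GetValueNames())
}

function Test-GroupExcluded {
    # Applies the documented rule offline, e.g. to review a proposed exclusion list
    # before touching the server, or to see why a group is absent from self-service.
    param(
        [Parameter(Mandatory = $true)] [string]   $GroupDN,
        [Parameter(Mandatory = $true)] [string[]] $Exclusions
    )
    # Parent container = the DN with its first RDN removed; an escaped "\," inside the RDN is kept.
    $parentDN = $GroupDN -replace '^(?:[^,\\]|\\.)+,', ''
    foreach ($entry in $Exclusions) {
        if ($entry.StartsWith('*')) {
            if ($parentDN -eq $entry.Substring(1)) { return $true }   # -eq ignores case
        } elseif ($GroupDN -eq $entry) {
            return $true
        }
    }
    return $false
}

# Constructed sample list: one explicit group plus the guide's container example.
$sampleExclusions = @(
    'CN=Finance Approvers,OU=Finance,DC=example,DC=com',
    '*CN=Users,DC=example,DC=com'
)
# Direct child of the excluded container; explicit entry matched case-insensitively;
# unrelated group; group one level deeper than the container (not matched under this reading).
Test-GroupExcluded 'CN=Domain Users,CN=Users,DC=example,DC=com'        $sampleExclusions
Test-GroupExcluded 'CN=finance approvers,OU=Finance,DC=example,DC=com' $sampleExclusions
Test-GroupExcluded 'CN=Sales,OU=Sales,DC=example,DC=com'               $sampleExclusions
Test-GroupExcluded 'CN=Nested,OU=Sub,CN=Users,DC=example,DC=com'       $sampleExclusions

# On the Access Manager server, dry-run first with -WhatIf, then apply without it:
# Add-SelfServiceExclusion -DistinguishedName 'CN=Users,DC=example,DC=com' -EntireContainer -WhatIf
```

Run the Add function under an account that can write HKLM on the Access Manager server, and compare Get-SelfServiceExclusion against your reviewed list afterwards so that nothing beyond the described keys was changed.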
To exclude groups

Modifying the registry can cause serious issues. Ensure that when making these changes, only the described keys are modified.

1. On the Access Manager server, navigate to the following registry key using regedit.exe:
HKEY_LOCAL_MACHINE\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN
The “DeploymentData” and “ExclusionByDN” subkeys may not exist. If these keys are not present, they should be created.
2. Beneath the ExclusionByDN key, create string values whose names match the Distinguished Name of the groups that are to be excluded. If you want to exclude an entire container of groups, specify the Distinguished Name of the container with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".

Managed Host Properties

When you select the Managed Hosts node, you get a series of columns in the right pane, giving details about all hosts managed by Access Manager.

Agent Events

During normal operation, Access Manager agents sometimes encounter issues that cause normal indexing operations to be interrupted. When these events, along with any other events of significant importance, occur, they are written to the Agent Events list. This list is viewable through the Access Manager MMC console, and can help diagnose problems.

For managed hosts that host local agents, the Agent Events tab can be found on the Managed Host Properties dialog box. For more information on how to access the properties dialog box, see “Specific Managed Hosts” on page 80. For managed hosts being remotely managed, the properties dialog box for each agent has its own Events tab.

Managed Host Data State Descriptions

DATA STATE: DESCRIPTION
• A scanner error has occurred: A scanner error has occurred with one or more of the agent scanners for this host.
• Data Available: Agents deployed to this host have completed their initial scans and returned their data.
• Performing an initial scan: Agents deployed to this host report that the scanners have begun their initial scans.
• Waiting for scanner status: Agents have been deployed for this host but they have not yet reported their scanner status to the server.
• Waiting for scanners to start: Agents for this host have reported back to the server but not all of the scanners have started up.

Managed Host Status Descriptions

STATUS: DESCRIPTION
• Agent Issue: One or more agents for this Managed Host are in an error state. View the Agent tab in Managed Host properties for detailed information.
• Agent Registration Failed: An error occurred while the agent was attempting to register with the server.
• Agent Unregistered: The agent for this Managed Host has unregistered.
• Deleting: The Managed Host is being deleted.
• Deleting And Uninstalling: The Managed Host is being deleted and the agent is being removed.
• Deploying Agent: An agent for this Managed Host is being installed.
• Incompatible Agent Version: An unsupported agent version has attempted to register with the server.
• Install Failed: An automatic agent install has failed. The Configuration Message property will contain detailed information regarding the failure.
• Install In Progress: An automatic agent installation is in progress.
• Lease Expired: The lease for the agent on this Managed Host has expired. A communications issue has occurred between the agent and the server, or the agent is no longer running. Ensure that the agent is capable of communicating with the server. If an agent stays in this state for too long, the data state will be switched to suspect, and ultimately to stale, due to the absence of updates.
• No Agent for host: There are no agents associated with this managed host.
• OK: The agent is communicating with the server.
• Resolved: The Managed Host’s information has been resolved, but it has not yet been configured for management. This is a temporary state.
• Resolving Agent: The server is resolving the agent computer for this Managed Host.
• Undeploying Agent: The agent for this Managed Host is being uninstalled.
• Uninstall In Progress: An automatic uninstall of the agent is in progress.
• Uninstalling Agents Failed: An automatic uninstall of the agent failed. The Configuration Message property will contain more detailed information regarding the failure.
• Unresolvable: A Managed Host was added, but the computer information could not be verified. Managed Hosts in this state are not functional.
• Unresolved: The agent computer has not yet been resolved.
• Waiting for Agent First Connect: The Managed Host has been configured, and is waiting for an agent to register. Note: If a Managed Host stays in this state for a long period of time, it could indicate a communications issue between the agent and the server.

Locally Managed Host Properties

The locally managed host properties present the following:

General

This read-only tab displays the name of the computer being managed, the management method (local), and any keywords added for the host. Keywords can be used to configure several hosts together by using one or more keywords to group them. For more information, see the following:
• “Saving Customized Layouts” on page 59
• “Configure and Report on a Group of Managed Hosts” on page 60

Data Roots

This tab presents the folder structures scanned by the agent. The agent will default to a full scan of the computer.

To scan specific data roots
1. Right-click the required Managed Host and select Managed Host Properties.
2. Select the Data Roots tab.
3. Select the data roots to be scanned, and click OK.

For more information, see “Data Roots” on page 14.
Agent Details

This read-only tab displays agent status and configuration data for the local agent. For more information, see the following:
• “Agent Properties” on page 54
• “Access Manager Agent” on page 13
• “Add a Managed Host to the Deployment” on page 34
• “Restart Agents” on page 39
• “Update Agents” on page 40

Tracking Resource Activity

With Resource Activity Tracking, you can track actions, such as file access, performed on the target computer. Several report types make use of this information, including the Resource Activity report. All resource activity time settings reflect local agent time. For information about reports, see “Creating Reports” on page 107.

This setting is available for agents on locally managed hosts (Windows computers), and on supported NAS devices (remotely managed). For a complete list of supported platforms, see the Quick Start Guide. You cannot use resource activity tracking with MS SQL Express; you must use SQL Server Standard or Enterprise Edition. For more information about NAS devices, see “Network Attached Storage Devices” on page 34.

In some cases, Access Manager breaks actions down. For example, a rename may be represented as a delete and a create. There may be variations in how actions are represented depending on the system or the application that has modified the resources.

To enable resource activity tracking
1. Right-click the required Managed Host and select Managed Host Properties.
2. Select the Resource Activity tab.
3. Select the Enable resource activity tracking check box.
4. Select the Granularity for the resource activity tracking. Granularity specifies how often resource activity data is captured. The time stamps for resource activity are based on the agent local time.
5. To limit network traffic, select Synchronize only between these times and set the From and To time values, bearing in mind that all resource activity time settings reflect local agent time.
6. To change the identities and objects that are excluded from tracking, click the Manage Exclusions button and select the objects, file extensions and folders to exclude.
7. To return the exclusions list to the standard list, click Default.
8. To group excluded file extensions, enter a Category name in the exclusions list.
9. To import or export a list of SIDs, file types, or folders to exclude, use the Export and Import buttons on their respective tabs.
10. Click OK to close the Exclusions dialog box.
11. Click OK to close the Properties dialog box.

For information on the file syntaxes, see the parameter descriptions in “Add-QManagedHostByAccountName” on page 156. For folders, you can also drag and drop from Windows Explorer.

Local Groups

This tab presents the list of local groups found on the Managed Host. The list is subdivided into Built-in Groups and other groups created by users or software. From here, you can right-click and select to:
• View the group properties
• Create or delete the group
• Manage the group access
• View trustee properties
• View the group members and manage their access
• Run a group members or trustee access report

Remotely Managed Host Properties

The Remotely Managed Host Properties dialog box presents three tabs:
• General
• Agents
• Local Groups

General

This read-only tab displays the name of the computer being managed, the management method (remote), and any keywords added for the host. Keywords can be used to configure and report on several hosts at once by using a keyword to group them. For more information, see the following:
• “Saving Customized Layouts” on page 59
• “Configure and Report on a Group of Managed Hosts” on page 60

Agents

This tab presents the list of remote agents configured to scan this host.
From the context menu you can also:

MENU: DESCRIPTION
• Add Agent: Allows you to add another remote agent to scan another part of the target computer.
• Remove Agent: Allows you to remove the remote agent. Note that the information will no longer be indexed and all stored access information collected by that agent is removed as well.
• Restart an Agent: Allows you to remotely restart the agent.
• Synchronize with Service Account: Updates the credentials used by the selected agent to match those maintained by Quest Access Manager. This is useful in the event of a password change for an account being used on a remote agent, or if someone has inadvertently changed the account on an agent directly through Microsoft Windows Service Control Manager.
• Agent Properties: Displays detailed information in 4 tabs as described in the table below.
• Show Layout Options: Shows the layout menu bar that you can use to save layouts.
• Show Group By Box: Shows the group by menu box that you can use to drag a column into and group the layout by that column.
• Column Chooser: Opens the Customization box that you can use to add, remove, and rearrange columns in the layout.

AGENT PROPERTIES: DESCRIPTION
• Settings: Displays the computer name hosting the agent and the agent’s credentials. It also presents the schedule used to index the target computer and real-time file system update settings. Note: When selecting to "Run On An Interval," it is possible to choose a frequency such that the agent is still busy completing the last scan when the next scan should start. In this case, the scan that could not start on time will be skipped and the next scan will be started as normal. For information about using the File System Scanning Schedule and the Real-time File System Updates settings, see “Agent Status Descriptions” on page 56.
• Data Roots: This tab presents the folder structures being scanned. To change the selected data roots: 1. Click Edit. 2. Select the data roots to be scanned and remove those that should not be scanned. 3. Click OK.
• Agent Details: This read-only tab displays agent status and configuration information.
• Refresh: Refreshes the information presented in the user interface.

Remember that it is not possible to have multiple agents scan the same data root on a target computer. It is also not possible to have multiple agents on a host computer scan the same target computer.

For more information, see the following:
• “Access Manager Agent” on page 13
• “Agent Properties” on page 54
• “Add a Managed Host to the Deployment” on page 34
• “Restart Agents” on page 39
• “Update Agents” on page 40

Local Groups

This tab presents the list of local groups found on the Managed Host. The list is subdivided into Built-in Groups and Custom Local Groups created by users or software. From here, you can right-click and:
• View the group properties
• Create or delete the group
• Manage the group access
• Run a trustee access report
• View trustee properties
• View the group members and manage their access

Agent Properties

Both remote and local agents share attributes presented in the Details tab of the Properties dialog box.

To view Agent Properties for a local agent
1. Right-click a host and select Managed Host Properties.
2. Select the Agent Metrics or the Agent Details tab.

To view Agent Properties for a remote agent
1. Right-click a host and select Managed Host Properties.
2. Select the Agents tab.
3. Right-click the Agent Computer and select Agent Properties.

Resource Activity Tracking

Resource activity tracking is used to collect data on identities, reads, writes, creates, and other actions performed on the target computer. This information is required for several report types, including the Resource Activity report. For more information, see “Creating Reports” on page 107.
This setting is available for agents on locally managed hosts (Windows computers), and on supported NAS devices (remotely managed). For a complete list of supported platforms, see the Quick Start Guide. For more information about using resource activity tracking, see “Tracking Resource Activity” on page 50. You cannot use resource activity tracking with MS SQL Express; you must use SQL Server Standard or Enterprise Edition.

Properties Common to all Agents

Data Roots

The Data Roots tab displays the data roots scanned by the agent. Clicking Edit allows the addition and deletion of data root targets for this agent. For more information, see “Data Roots” on page 14.

Events

The Events tab displays errors that have occurred related to an agent. Errors such as those generated during file system scans, remote file system monitoring, and service account synchronizations are displayed in this list. This list is periodically truncated as new items are added.

Agent Details

The Agent Details tab is a read-only display of the configuration settings of the selected agent. This tab displays the following information:
• Status
• Mode
• Agent Port
• Agent Version
• Whether an upgrade for the agent is available
• The last recorded activity from this agent
• The ID, Display Name, and service name of the Agent Service

Agent Status Descriptions

The following table details the possible entries in the Status field:

AGENT STATES: DESCRIPTION
• Agent Unregistered: Agent has unregistered.
• Configuration Failed: An error has occurred while creating the agent service on the agent host computer.
• Configuration in Progress: Agent service is being configured.
• Deconfiguration Failed: An error occurred while removing the agent from the agent host computer.
• Deconfiguration in Progress: The agent service is being removed.
• Deleting: The agent is being deleted.
• Deleting and Uninstalling: The agent software is being uninstalled.
• Expired Lease: The agent has failed to renew its lease. This is often an indication of an error on the agent computer. Ensure that the agent is capable of communicating with the server.
• Incompatible Agent Version: An unsupported agent version has attempted to register with the server.
• Install Failed: An error occurred while installing the agent.
• Install in Progress: The agent installation is in progress.
• OK: The agent is in a good state and not experiencing any problems.
• Registration Failed: An error occurred while the agent was attempting to register with the server.
• Resolved: The agent computer has been resolved. This is a temporary state.
• Uninstall in Progress: The agent is being uninstalled.
• Uninstalled: The uninstall has finished. This is a temporary state.
• Unresolvable: The agent computer has not yet been resolved.
• Upgrading Agents: The agents for this host are being upgraded to a newer software version.
• Waiting for Agent First Connection: The management server is waiting for the agent to register with the server for the first time.

Properties Specific to Remote Agents

Remote agents have additional properties that are not in common with local agents, shown on the Settings tab.

Remote Agent Settings

Agents managing computers remotely can be configured to watch for changes to the structure and security of file systems. However, there is a chance of errors occurring during the watch due to the introduction of the network. For example, network connections can be severed, watch roots can be deleted, or permissions can deny the ability to watch for change. Because of this, two things are required of the user: a scan schedule must be specified, and the rescan immediately if changes are missed option must be configured.

File System Scanning Schedule

The Settings tab allows you to set the time and frequency with which the agent scans the target computer. This tab also displays the host computer where the agent resides and the service account that the agent uses to access the target computer.

When selecting to "Run On An Interval," it is possible to choose a frequency such that the agent is still busy completing the last scan when the next scan should start. In this case, the scan that could not start on time will be skipped and the next scan will be started as normal.

For remote agents, you must enable the Immediately scan on agent restart or data root change option if you want the agent to scan immediately when it is added. This option is cleared by default.

Real-time File System Updates

Selecting the Enable remote real-time file system updates option causes the agent to watch for file or access changes, including change of ownership, on the file system of the target managed host. When this setting changes, the agent starts watching for the change during and following the next scheduled full scan. You can also restart the agent to force a full scan, if the Immediately scan on agent restart or data root change option is enabled. The time stamps for real-time file system updates are based on the agent local time.

If network errors occur, the system will need to perform a full scan. If the rescan immediately if changes are missed option is enabled, the agent will immediately attempt to fully rescan the configured root objects. If it is not set, the agent will wait until the next scheduled scan time to perform a full scan, leaving the index in a stale state until that time.

Some NAS devices may not provide reliable remote change detection. Enabling the remote change detection feature on these agents may lead to frequent complete scans.

Grouping, Sorting and Filtering Views

Any time you see a view with column headers, such as the properties of your server, or a list of rules or risks, you can work with it to present the information in a useful way.
Adding and Removing Columns

To add a column to the display
1. Right-click any column header.
2. Select Column Chooser.
3. Drag the field to the desired location on the column header. Some lists have more columns available than shown in the default view.
4. Close the Customization dialog box by clicking the X in the top right-hand corner.

To change the order of the columns
1. Click and drag the column header to its new location.

To remove a column from the display
1. Click and drag the column header until an X appears.

Grouping Information

To group the information to suit your needs
1. Select the Group Panel option and drag and drop the column headers in the required order.

To filter the information
1. Hover over the column header on which you want to filter.
2. Click the filter icon that appears.
3. Select a value.

To filter risks and verifications by severity
1. From the Severity Filter option, select the minimum level that you want to show in the report. You can choose between Information, Low, Medium, High, or Critical. The default severity filter is set to Information, which shows all levels of risk.

To sort the information
1. Click the column header to sort on that field. If you want to sort in the opposite order, click the column header again.

Saving Customized Layouts

Once you have the results displayed in a manner that suits your needs, you can save the layout for future use.

To use layout options
1. Right-click the list view for the Managed Hosts or Users and Groups node, and select Show Layout Options. This option is also available from the Quick Search node.
2. Select from the list of layouts provided to change the view.
– OR –
Create your own layout by dragging the required column headers above the list view. Select Save Layout As, enter a name for the layout, and click OK.
Grouping Managed Hosts Using Keywords

You can use the Keywords box in the Managed Host Properties (General tab) to filter and group hosts that share the same keyword. This enables you to organize computers into groupings to set the configuration options and run reports for a group of managed hosts all at once.

To add keywords to managed hosts
1. Expand Quest Access Manager, and select the Managed Hosts node.
2. Select all the hosts to which you want to add a keyword. You can use the Filter Editor to search for hosts with specific attributes, for example by name, ID, or status. For information, see “Grouping, Sorting and Filtering Views” on page 58.
3. Right-click and select Managed Host Properties.
4. In the Keywords box, enter one or more meaningful keywords you can use to filter, sort, and group managed hosts. For example, to group by function or region, you might enter the keywords "Sales Canada."
5. Once you have added keywords to a group of hosts, you can make the hosts easily accessible by doing the following:
a) Filter and Sort Information - from the Managed Hosts node, group and sort using the Keywords column and use the Filter Editor to search for hosts based on one or more keyword strings. For example, filter on either "Sales" or "Canada." You can also use sub-grouping to further sort the layout.
b) Save Customized Layouts - once you have filtered and grouped hosts by keyword, save the layout. For information, see “Saving Customized Layouts” on page 59.

Configure and Report on a Group of Managed Hosts

After you have grouped some managed hosts using column grouping, filtering, or keywords, you can easily perform several configuration and reporting actions for the whole group at once:
• Set the Managed Host Properties. For information, see “Managed Host Properties” on page 46.
• Remove the hosts. For information, see “Remove Forests, Domains and Hosts from Management” on page 64.
• Reinstall agents. For information, see “Access Manager Agent” on page 13.
• Run reports. For information, see “Creating Reports” on page 107.

To configure and report on a group of managed hosts
1. Expand Quest Access Manager, and select the Managed Hosts node. You can customize your view to get the information you need. For more information, see “Grouping, Sorting and Filtering Views” on page 58.
2. If your layout has been saved, select the layout that displays your grouped managed hosts. For information, see “Saving Customized Layouts” on page 59.
3. After you have selected the group of managed hosts, right-click and select the action you want to perform. For reports, you can run the Trustee Access and Resource Activity reports for a group of managed hosts. For more information, see “Creating Reports” on page 107.

There are several ways you can group your managed hosts. For information, see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Saving Customized Layouts” on page 59

Identify and Fix Group Resolution Issues

If there are any issues with group membership query operations in the domain, the data may not present a complete representation of access for a specified trustee type.

To view issues
1. If you have integrated Access Manager with Active Directory, you can right-click a user or group from within Active Directory Users and Computers, and select Manage Access.
– OR –
From the Access Manager console, use the Quick Search to find the required user or group, right-click, and select Manage Access.
The Access Manager console displays the computers and resource types where the user or group explicitly has access. If there have been any issues with the retrieval of group membership information, you will be able to review a list of issues and take the required corrective actions.
2. Click the Click to see a list of issues link. The group resolution issues will be displayed along with guidance on how to resolve the specific issue. Once you have expanded the list, you can right-click and select to hide the details pane.

Change the Service Account Used to Access Information

At any time, you can change the account being used to access the information from Managed Domains and computers.

To select a new service account
1. Expand Quest Access Manager, Configuration, and select the Managed Domains node.
2. Right-click a forest, and select Properties. When the application needs to resolve a SID from this forest or expand group membership, it will use the associated service account.
– OR –
Right-click a domain, and select Properties.
3. Select an existing service account.
– OR –
Click New to enter the credentials for a new service account. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

The Managed Domain service account is used to install the agents on the Managed Hosts and not for the ongoing running of the agents.

Manage Service Account Properties

From the service account properties you can view the account name, change the password and description, view the status, and see whether the account can be used to manage domains. You can also change the default service account by checking the box on the property page for an account that is not already set as the default. The default service account is the single account that will be tried when enumerating a domain that is not managed. The service account must have Administrative rights to the domain that you want to access.

STATUS  DESCRIPTION
Account Not Found
    The Active Directory account represented by the service account has been deleted or moved.
    To resolve this, change the name information of the service account to match the new name of the Active Directory account.
Account Not Resolvable
    The Active Directory could not be contacted to determine whether the service account information is valid. To resolve this, ensure that the user name and password are correct.
Network Issue
    The Active Directory domain containing the service account could not be contacted, and the account could not be logged on.
OK
    The service account is functioning properly.

Remove Forests, Domains and Hosts from Management

To remove a forest
• From the Managed Domains node, select the required forest, right-click, and select Remove. To remove forests, you must first remove all Managed Domains.

To remove Managed Domains
• From the Managed Domains node, select the required domain, right-click, and select Remove from Management. To remove Managed Domains, you must first remove all Managed Hosts.

To remove Managed Hosts
• From the Managed Hosts node, select the required computer, right-click, and select Remove.

Access Manager Client Overview

The Access Manager client quickly provides resource security information.

Quest Access Manager Node

The specific actions that you can perform within Access Manager are determined by how the administrator has delegated responsibilities. For more information, see “Delegating Access to Access Manager” on page 27.

From the Quest Access Manager node you can view the status of current Access Manager deployments within your organization. From here you can also:
• Quickly locate users, groups, and computers on the network by entering the user, group, or computer and selecting Start Search.
• Add computers to the Access Manager deployment so that you can manage their resources by selecting Add Managed Host. Only computers in domains that are managed can be added as Managed Hosts and have their security information gathered.
• View currently Managed Domains and add new domains to the Access Manager deployment by selecting Add Managed Domain.
• View the deployment information and connect to a new Management Server by opening the Deployment item and selecting Change Server.
• View the license information and update the license by selecting Update License.
• Set the access to Access Manager by right-clicking and selecting Deployment Security.

Configuration Node

From this node you can access and configure the service account used to manage agent deployments, group expansion queries, and SID resolution. From this node you can also access the Managed Domains node, which is used to configure licensing, service accounts, and Active Directory Integration for Managed Domains and Managed Forests. For more detailed information, see “Service Account Node” on page 65 and “Managed Domains Node” on page 68.

Service Account Node

A service account is associated with Managed Domains and represents the credentials used to access and manage resources. You can specify these credentials for an entire forest or on a per-domain basis.

From the Service Account node, you can:
• Add a new service account
• Access the service account properties

From the Service Account node, you can access the following information:

COLUMN  DESCRIPTION
User Name
    The account being used to access the information on the Managed Domain.
Description
    The description provided when the service account was created.
UPN
    The User Principal Name of the user in Active Directory.
Default
    Indicates whether the service account is the default account Access Manager uses when contacting forests and domains without a defined service account. Note: Only one service account can be marked as the default.
Can Manage Domains
    Indicates whether the service account can be used when configuring a Managed Domain. The service account must meet the following criteria:
    • It must have valid credentials specified.
    • It must have the right to log on locally to the Management Server. This right is configured automatically when you add a new service account to a domain.
    If these criteria are met, this column will have a value of “True,” and the service account will be available for association with a Managed Domain from its Property page. If the service account cannot log onto the Management Server, this value will be “False.” Note: Service accounts that cannot log onto the Management Server are still available for use in domains and forests that are not managed, but are not contacted for group membership information.
Status
    Account Not Found: The Active Directory account represented by the service account has been deleted or moved. To resolve this, change the name information of the service account to match the new name of the Active Directory account.
    Account Not Resolvable: The Active Directory could not be contacted to determine whether the service account information is valid. To resolve this, ensure that the user name and password are correct.
    Network Issue: The Active Directory domain containing the service account could not be contacted, and the account could not be logged on.
    OK: The service account is functioning properly.
Service accounts are capable of the following tasks:

SERVICE ACCOUNT  TASK
Interactive Client
    • Perform a quick search
    • View Trustee Properties
    • Integrate with Active Directory
    • Integrate with ActiveRoles Server
    • Modify Resource Security
Default Service Account
    • Manage Trustee Access (*)
    • Report on Trustee Access (*)
    • Read Trustee’s Group Membership Information (*)
Forest Service Account
    • Manage Trustee Access (*)
    • Report on Trustee Access (*)
    • Register a Forest
    • Read Trustee’s Group Membership Information (*)
    • Browse for Machine Local Groups (**)
Managed Domain Service Account
    • Manage Trustee Access
    • Report on Trustee Access
    • Manage a Domain
    • Read Trustee’s Group Membership Information (*)
    • Deploy an Agent
    • Remove an Agent
    • Synchronize Agent Service Accounts
    • Restart an Agent
    • Manage Machine Local Groups
    • Browse for Machine Local Groups (**)
Agent Service Account
    • Remotely Index Security Information

* These accounts are used only to read the membership information of groups to which the target trustee belongs.
** Because high-access service accounts are used to browse for members to add to machine local groups, users must be delegated Browse Active Directory permissions on the Access Manager deployment.

For more information, see “Change the Service Account Used to Access Information” on page 62 and “Manage Service Account Properties” on page 63.

Managed Domains Node

From the Managed Domains node, you can see a forest-based representation of the entire enterprise and the status of the various domains within it (all the forests and domains that have been registered with Access Manager). From here you can also:
• Add and remove forests and domains from management. For information, see “Add a Forest to the Deployment” on page 31 and “Add a Domain to the Deployment” on page 31.
• Register additional forests to manage their resources with Active Directory Users and Computers. For more information, see “Active Directory Users and Computers” on page 42.
• Change the service account credentials for the Management Server for an entire forest or on a per-domain basis through its Properties page. For details, see “Change the Service Account Used to Access Information” on page 62.

You can also quickly assess the following information:

COLUMN  DESCRIPTION
Managed State
    If the domain has been registered with Access Manager, the state will display as Managed. If this column is empty, the domain is not managed, and computers in it cannot be added as Managed Hosts.
    Note: Only computers in domains that are managed can be added as Managed Hosts and have their security information gathered. To register a domain with Access Manager, see “Add a Domain to the Deployment” on page 31. From here you can also remove a domain by right-clicking and selecting Remove from Management.
Service Account
    For Managed Domains, this account is used to read Active Directory information and perform agent maintenance tasks.
    Note: If the domain is managed, then the service account must be able to log onto the Management Server. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Access Manager Management Server. If the domain is not managed, then this account is only used for reading information from Active Directory.
Group Resolution Status
    Identifies if there are any problems with group membership query operations in the domain.
    OK: There are no known issues with connecting to and reading information from the domain.
    Network Issue: There is a network connectivity issue that is preventing Access Manager from performing group membership queries.
Management Status
    The status indicates whether Access Manager has encountered any issues with management operations in the domain.
    OK: There are no known issues with connecting to and managing resources in the domain.
    Network Issue: There is a network connectivity issue that is preventing the Access Manager server from contacting any domain controllers in the domain.
    Access Denied: The service account registered does not have sufficient rights to read required information from Active Directory. A Managed Domain’s service account should at least have Read access to both the domain and configuration partitions of the domain.
    Service Account Logon\Impersonation Failure: The service account registered for the domain cannot log onto the Management Server. This can be caused by a number of circumstances:
    • The service account does not have Log on Locally rights to the computer hosting the Management Server. To fix this, ensure that the identified service account has this right.
    • The service account’s name has been changed. To fix this, create a new service account with the new name, and change the service account being used to it.
    • The service account is locked out or disabled. To fix this, unlock or re-enable the service account.
    • The service account’s password has changed. To fix this, update the service account in Access Manager with the new password from the Service Accounts node.
Directory Integration
    Forests and associated domains registered with Active Directory Users and Computers will have a Yes status. If the status is No, and you want to have the Access Manager functionality available from within Active Directory Users and Computers, right-click the forest and select "Integrate with Active Directory".
Applications Node

From the Applications node, you can register resources with the Quest ActiveRoles Server MMC console and Web Client and configure the Access Manager Self-service Request client. For more information, see “Quest ActiveRoles Server” on page 42.

Quick Search Node

From the Quick Search node, you can quickly locate resources within the entire enterprise or a specific forest for computers, users, or groups and manage the resource access. You can search based on a number of parameters, as follows:
• Asterisk characters (*) to specify wildcards to support partial searches
• First Name, Last Name, SAM Account Name, and Display Name attributes
• Description — Searches the description attribute
• First Name — Searches the First Name field
• Last Name — Searches the Last Name field
• Custom LDAP Query — Allows the specification of a custom LDAP query to use for searches.

LDAP Query Notes

Only attributes that are included in the global catalog can be searched. In the Custom LDAP query string, do not include the objectClass clause, because Quest Access Manager already searches classes based on your selection in the user interface (Users, Groups, or Computers). For information, see http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx

After you have located the required user or group, you can right-click to begin to manage their access. You can also right-click a trustee or resource and select a reporting option to create a report. For more information, see “Creating Reports” on page 115.

Columns Available in Quick Search

COLUMN TITLE  INFORMATION PROVIDED
Name
    The name of the object returned by Quick Search.
Type
    The type of item it is. This could be Computer, Builtin Group, Domain Local Group, Global Group, Universal Group, or User.
Location
    The UNC location of the object.

Right-click in the right pane and select Column Chooser to select extra columns to display.
To include them in the view, simply drag and drop onto the Title Menu Bar. For more information on customizing your view, see “Grouping, Sorting and Filtering Views” on page 58.

EXTRA COLUMN TITLE  INFORMATION PROVIDED
Class
    Whether the item is a user, group, or computer.
Description
    A verbose explanation of the item. For instance, the Print Operators group might have "Members can administer domain printers".
Distinguished Name
    This is a unique identifier created by QAM to ensure a one-and-only-one relationship to the item.
Managed
    This is either set to Yes or No and details whether the object is managed by QAM.
Operating System
    The type of platform the system is running (such as Windows Server 2008).
Pre Windows 2000 Name
    The pre-Windows 2000 logon identifier.
Sid
    The security identifier (SID) of the object.

For more information see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Understanding Access Manager through Scenarios” on page 127
• “Saving Customized Layouts” on page 59

To search the enterprise for a specific resource
1. From the Access Manager console, select Quick Search.
2. From the Search In drop-down list, select a scope for your search, and select the check box beside the types of objects you want to search (Users, Groups, and/or Computers).
3. From the Search For drop-down list, select the criteria by which you want to search: Names, Description, First Name, Last Name, or Custom LDAP Query.
4. Enter a search string in the edit box and click Search to run your query. Remember to use an asterisk for partial searches.
5. Right-click a user or group and select to manage resource access, view their group memberships, run a report, or view their properties.
– OR –
Right-click a computer to restart an agent, remove the computer from management, or view the computer properties.
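The Quick Search rules above (the object-type check boxes supplying the class clause, the Search For choices, the asterisk wildcard, and the "no objectClass clause in a custom query" note) can be modelled as filter composition. The following is an added example, not Access Manager's own code; the attribute names (givenName, sn, sAMAccountName, displayName, description) and the objectCategory/objectClass clauses are assumptions drawn from the standard Active Directory schema, not something the guide states.

```python
"""Compose an LDAP filter the way the Quick Search node describes it.

Added example; the attribute and class mappings below are assumptions
based on the default Active Directory schema, not Access Manager's code.
"""
import re

# Assumed class clause the tool adds for each object-type check box.
# This is why the guide says a custom query must not carry objectClass.
OBJECT_CLASS_CLAUSE = {
    "Users": "(&(objectCategory=person)(objectClass=user))",
    "Groups": "(objectClass=group)",
    "Computers": "(objectClass=computer)",
}

# Attributes behind each "Search For" choice. "Names" covers the four
# attributes the guide lists; all are global-catalog attributes by default.
SEARCH_FOR = {
    "Names": ["givenName", "sn", "sAMAccountName", "displayName"],
    "Description": ["description"],
    "First Name": ["givenName"],
    "Last Name": ["sn"],
}

# RFC 4515 escaping for assertion values. '*' is deliberately left alone
# so it keeps the wildcard meaning the guide gives it.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a user-typed search string for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _or_join(clauses):
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def build_filter(object_types, search_for, value):
    """Return the complete filter for one Quick Search.

    object_types: the checked boxes ("Users", "Groups", "Computers")
    search_for:   a SEARCH_FOR key or "Custom LDAP Query"
    value:        the text typed in the edit box
    Raises ValueError when no object type is checked, when a custom query
    contains an objectClass clause (the guide's rule), or when the custom
    query is not a parenthesised filter.
    """
    classes = [OBJECT_CLASS_CLAUSE[t] for t in object_types]
    if not classes:
        raise ValueError("select at least one object type")
    class_clause = _or_join(classes)

    if search_for == "Custom LDAP Query":
        custom = value.strip()
        if re.search(r"\(\s*objectClass\s*=", custom, re.IGNORECASE):
            raise ValueError("custom query must not contain an objectClass clause")
        if not (custom.startswith("(") and custom.endswith(")")):
            raise ValueError("custom query must be a parenthesised LDAP filter")
        term = custom
    else:
        escaped = escape_value(value)
        term = _or_join(["(%s=%s)" % (a, escaped) for a in SEARCH_FOR[search_for]])
    return "(&" + class_clause + term + ")"


if __name__ == "__main__":
    print(build_filter(["Users"], "Names", "jsm*"))
    print(build_filter(["Groups", "Computers"], "Description", "Sales (Canada)"))
```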
Users and Groups Node

From the Users and Groups node, you can see all trustees with resource access on computers being managed by Access Manager, as well as users and groups who are members of machine local groups, and unknown SIDs. From this view, you can edit the user or group security and quickly perform network investigation and cleanup by removing (if appropriate) the unknown SIDs. For more information, see “Manage Access for a User or Group” on page 89.

Reporting

You can run reports from the Users and Groups node for one or more trustees.

To run a report
1. Select one or more trustees, right-click, and select Reporting.
2. Choose from one of the available reports: Trustee Access, Trustee Activity, Member Of, Member Of Comparison, Group Members, Group Members Comparison. The type of report you can choose depends on the number and type of users or groups you have selected.
– OR –
Alternatively, you can right-click a trustee and select Manage Access, open a resource, and then run a report. For more information, see “Creating Reports” on page 107.

Layouts, Filtering, Grouping, and Sorting

You can use Layout Options in the Users and Groups node. There are several pre-defined layouts you can choose from to view your security index in different ways. The Default layout is grouped by Resource Type and shows the Trustee Name, Host Name, Trustee Type, and Keyword columns by default. Other pre-defined layouts include:
• Domain-level Trustees Only
• Exclude Built-in, Well Known, and Special Trustees
• Grouped by Host
• Grouped by Resource Type
• Grouped by Trustee

Create your own filters, group and sort the data, and then save your custom layouts to have instant access to the views you need to understand and manage your security data. For example, add a filter such as [Service Identities][=][Unknown] to clean up old unused SIDs.
For more information see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Understanding Access Manager through Scenarios” on page 127
• “Saving Customized Layouts” on page 59

Special Trustee Types

In a Windows environment, sometimes file, folder, and share security is configured without actually referencing users or groups. Shares on Windows 2000, for example, use a null security descriptor to grant everyone full control by default. Some applications will define empty discretionary access control lists on files or folders to ensure no access except by backup and restore operators.

Access Manager reports these cases by using special alias trustees. The following cases are treated as special trustee types:

TRUSTEE TYPE  DESCRIPTION
Null Security Descriptor
    Resources configured with this value are treated as Everyone having Full Control.
Null Discretionary Access Control List
    Resources configured with this value are treated as Everyone having Full Control.
Empty Discretionary Access Control List
    Resources configured with this value are treated as having no users with any access.
Administrative Share
    When an Administrative Share is encountered by Access Manager, it is reported as the alias “Administrative Share Security Descriptor Alias.” Generally, only administrators of the hosting computer have access to administrative shares.

Managed Hosts Node

When you select the Managed Hosts node, you will be able to see at a glance all the hosts registered with Access Manager. At the Managed Hosts node level, you can choose between Managed Hosts View and Agents View. The Managed Hosts View is the default view. From here you can add or remove computers for management. The Agents View provides useful information about the performance and activity of the agents. For details, see “Add a Managed Host to the Deployment” on page 34 and “Add a Cluster (Managed Host) to the Deployment” on page 40.
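The three descriptor cases tabulated under Special Trustee Types above (null security descriptor, null DACL, empty DACL) are easy to confuse when reviewing SDDL by hand, since a null DACL and an empty DACL have opposite effects. The following added example, not Access Manager's own code, classifies SDDL text into those cases; the share paths and SDDL strings are constructed sample data.

```python
"""Classify a resource's security descriptor into the guide's special
trustee types. Added example, not Access Manager code. Input is SDDL text
(None stands for a missing descriptor). Only the plain
"(type;flags;rights;object;inherit_object;sid)" ACE form is parsed, which
is enough to separate the null/empty DACL cases from ordinary ACLs.
"""
import re

NULL_SD = "Null Security Descriptor"
NULL_DACL = "Null Discretionary Access Control List"
EMPTY_DACL = "Empty Discretionary Access Control List"
EXPLICIT = "Explicit ACEs"

_COMPONENT = re.compile(r"(O|G|D|S):")
_ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def dacl_component(sddl):
    """Return the text after 'D:' (possibly empty), or None if no DACL."""
    parts = {}
    matches = list(_COMPONENT.finditer(sddl))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts.get("D")


def classify(sddl):
    """Map a descriptor to the guide's trustee type, or EXPLICIT.

    Returns (trustee_type, aces); aces is a list of (ace_type, rights, sid)
    tuples and is empty for the three special cases.
    """
    if sddl is None:
        return NULL_SD, []                       # no descriptor at all
    dacl = dacl_component(sddl)
    if dacl is None:
        return NULL_DACL, []                     # no D: component at all
    aces = [(t, rights, sid)
            for t, _flags, rights, _obj, _inh, sid in _ACE.findall(dacl)]
    if not aces:
        return EMPTY_DACL, []                    # D: (maybe with flags) but no ACEs
    return EXPLICIT, aces


def everyone_full_control(sddl):
    """True when the guide says the resource is reported as Everyone: Full Control."""
    return classify(sddl)[0] in (NULL_SD, NULL_DACL)


# Constructed sample resources, one per row of the table (not real data).
SAMPLE_RESOURCES = {
    r"\\srv01\legacyshare": None,                   # share with no descriptor
    r"\\srv01\data": "O:BAG:BA",                    # owner and group only: null DACL
    r"\\srv01\locked": "O:BAG:BAD:",                # empty DACL: nobody has access
    r"\\srv01\sales": "O:BAG:BAD:(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1-2-3-1105)",
}


def report(resources):
    """Return {path: trustee_type} so each special case can be reviewed."""
    return {path: classify(sddl)[0] for path, sddl in resources.items()}


if __name__ == "__main__":
    for path, kind in report(SAMPLE_RESOURCES).items():
        print(path, "->", kind)
```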
Managed Hosts View

When you select the node labelled "Managed Hosts", you are already at the Managed Hosts view.

To display Managed Hosts View
1. In the treeview, select Managed Hosts.
2. Right-click and select Managed Hosts View. The columns in the right pane will now reflect the default view.

Columns Available in Managed Hosts View

COLUMN TITLE  INFORMATION PROVIDED
Host Name
    The host on which data is being collected.
Keywords
    Any keywords that have been entered in the Managed Host’s properties.
Status
    What the Managed Host is doing at the moment. For details of Status, see “Managed Host Status Descriptions” on page 48.
Management Method
    Indicates whether the host is managed using a local or remote agent.
Domain
    The domain to which the host belongs.
Data State
    The current state of the data from this host. For details of Data State, see “Managed Host Data State Descriptions” on page 47.

Right-click in the right pane and select Column Chooser to select extra columns to display. To include them in the view, simply drag and drop onto the Title Menu Bar. For more information on customizing your view, see “Grouping, Sorting and Filtering Views” on page 58.

EXTRA COLUMN TITLE  INFORMATION PROVIDED
Forest DNS Name
    Domain name of the forest containing the Managed Host node.
Host DNS Name
    Domain name of the Managed Host.
Managed Host Type
    The physical configuration of the host (such as Windows Computer).
Managed Host ID
    Displays a unique ID assigned to this host and stored in the database.
Most Recent Activity
    Displays the date and time of the last communication received from the agent, in UTC.
Starts With
    Displays the first letter of the host name.

Agents View

To display Agents View
1. In the treeview, select Managed Hosts.
2. Right-click and select Agents View. The columns in the right pane will now reflect the Agents View.
Columns Available in Agents View

COLUMN TITLE  INFORMATION PROVIDED
Agent Host
    The name of the host running the agent software.
Managed Host
    The name of the computer being managed. It is the same as the Agent Host for locally managed hosts, but different for remotely managed hosts.
Agent Store Size
    The total size of all files related to an agent instance on its hosting system.
Items Scanned
    The number of file system items scanned by the agent during its last full file system scan.
Indexing Performance (Items/sec)
    The average rate of file system items indexed during the last full file system scan. An average performance of less than 1000 items/second can be indicative of a poor network connection between the agent and its target managed host.
Total File System Operations
    The total number of file system operations encountered by the agent since change watching started.
File System Scan Time
    The duration of the last full file system scan. Note that this value will not be filled in until at least one full scan has been completed.
Agent Status
    The current status of the agent. For details on Agent Status, see “Agent Status Descriptions” on page 56.
Agent Version
    The version of the Access Manager agent software on its hosting computer.
Agent Host Type
    Indicates whether the agent is local (indexing the local computer) or remote (indexing a remotely managed host).
Items Stored
    The total number of items stored for this agent since the last full scan.

Right-click in the right pane and select Column Chooser to select extra columns to display. To include them in the view, simply drag and drop onto the Title Menu Bar. For more information on customizing your view, see “Grouping, Sorting and Filtering Views” on page 58.

EXTRA COLUMN TITLE  INFORMATION PROVIDED
Activity Enabled
    Indicates whether resource activity tracking has been enabled on the agent.
Activity File Size
    The total size of all resource activity store files (those with a .qamrudb extension) on the agent. These files are deleted upon successful synchronization with the server.
Activity Files
    The total number of resource activity store files (those with a .qamrudb extension) currently on the agent. These files are deleted upon successful synchronization with the server.
Agent ID
    A unique code generated by QAM to identify this agent.
Agent Uptime
    Indicates how much time has passed since the agent’s last restart. Agents can restart for a number of reasons, including restarts of their host systems, restarts of the agent service itself, or install/upgrade operations on other agents hosted on the same system.
Aggregated Activities
    The number of activities that have been recorded by Access Manager after duplicate events have been removed. Aggregated Activities is based on the granularity you have set on the Resource Activity tab in Agent Properties. The less granular the setting, the lower this number will be.
Average Activities / Store
    The average number of activity records recorded per activity store. The higher the value, the more unique activities are being encountered by the Access Manager agent.
Average Changes (Changes/Flush)
    The average number of changes that are being made each time the system updates.
Changes Synchronized
    The total number of resource activity records synchronized with the server.
Failed Synchronizations
    The number of times the agent has attempted to synchronize resource activity information with the server, but has failed.
Keywords
    Any keywords that have been entered in the Managed Host’s properties.
Managed Host Type
    The physical configuration of the host (such as Windows Computer).
Queue Flushes
    The number of times the Access Manager agent has flushed its internal change monitor’s queue.
    This value is generally used only for diagnostic purposes.
Service Display Name
    The display name of the Access Manager agent service as displayed by the Service Control Manager.
Successful Synchronizations
    The number of times the Access Manager agent has successfully synchronized activity information with the server.
Usage Stores Synchronized
    The total number of resource activity store files (those with a .qamrudb extension) which have been sent from the agent to the server. These files are deleted upon successful synchronization with the server.

Reporting

You can run reports from both the Resource View and Trustee View of the Managed Hosts node.

To run a report
1. Select one or more resources or trustees (depending on the view), right-click, and select Reporting.
2. Choose from one of the available reports: Resource Activity, Perceived Owners (Resource View), Resource Access, Trustee Access, Trustee Activity, Member Of, Member Of Comparison, Group Members (Trustee View). The type of report you can choose depends on the number and type of users or groups you have selected.
– OR –
Right-click a resource or trustee and select Manage Access, open a resource, and then run a report. For more information, see “Creating Reports” on page 107.

Layouts, Filtering, Grouping, and Sorting

From the Managed Hosts node, you can quickly assess the information contained in the table below. Right-clicking in the right pane provides display options such as grouping on a specified column (Group by Box); saving, deleting and retrieving custom layouts (Layout Options); and choosing the columns displayed (Column Chooser). You can also use the Keywords column to group managed hosts and then configure and run reports on a group of hosts all at once. For information, see “Saving Customized Layouts” on page 59 and “Configure and Report on a Group of Managed Hosts” on page 60.
The Default layout shows the Host Name, Keywords, Status, Management Method, Domain, and Data State columns. Other pre-defined layouts include:
• Group by Data State
• Group by Domain
• Group by Keywords
• Group by Status
Create your own filters, group and sort the data, and then save your custom layouts to have instant access to the views you prefer. For more information see the following:
• “Saving Customized Layouts” on page 59
• “Grouping, Sorting and Filtering Views” on page 58
• “Configure and Report on a Group of Managed Hosts” on page 60
The host may be managed by a local agent or by a remote agent residing on a different computer. For details, see “Access Manager Agent” on page 13.

Specific Managed Hosts

Select a specific managed host icon, then right-click and select to view that host individually. By selecting a specific Managed Host, you can:
• Right-click and select to view the access either through the Trustee View or the Resource View. The Trustee View allows you to view users and groups who have access to resources on the selected computer and modify their access. The Resource View allows you to view the file system and shares on the selected host and modify their security.
• Right-click and add a Managed Host. For details, see “Add a Managed Host to the Deployment” on page 34.
• Right-click and add a Cluster Host. For details, see “Add a Cluster (Managed Host) to the Deployment” on page 40.
• Right-click and select to view the Managed Host properties. For more information, see “Managed Host Properties” on page 46.
• Right-click and select to restart agents on a locally Managed Host. For more information, see “Restart Agents” on page 39.
• Right-click and select to add an agent for a remotely Managed Host. For more information, see “Add an Additional Remote Agent to a Managed Host” on page 38.
• Right-click a remotely Managed Domain and synchronize with service account. This updates the credentials used by the selected agent to match those maintained by Quest Access Manager. This is useful in the event of a password change for an account being used on a remote agent, or if someone has inadvertently changed the account on an agent directly through the Microsoft Windows Service Control Manager.
• Right-click and select to remove a computer from control. For more information, see “Remove Forests, Domains and Hosts from Management” on page 64.
• Right-click and select to export the agent log. These logs are used for troubleshooting and when talking to customer support. For more information, see “Where are the Logs?” on page 136.
• Right-click and select Reporting to run reports. For more information, see “Creating Reports” on page 107.
• Right-click and select to review the scanning activity on the selected computer through the Properties page. For more information, see “Grouping, Sorting and Filtering Views” on page 58.
• Double-click a computer to view and manage:
  a) users and groups who have access to specific resource types
  b) resources with access (files, folders, shares)
  c) rights (Local user rights, Operating System rights)
  d) Windows service identities (view only)

Reports Node

You can view and run the available report types in this node. When you select a report type, the Configure New Report button appears. Select this button to start creating a report.
When you save a report template, the template is saved under its report type node. When you execute the template again, the report runs based on the saved configuration but with the current data.
You can right-click a report template to:
• Execute report
• Schedule report
• Delete report template
• Rename report template
• Add to ’My Reports’
When you Export a report, a copy of the report output is saved in the format and location you choose. This is a snapshot of the data at the time that it was run. To see the most current data in a report, execute the report template.
For more information, see the following:
• “Creating Reports” on page 115
• “Scheduling Reports” on page 125

Background Operations Node

Certain operations within Access Manager occur in the background. You can view the progress of these operations by selecting the Background Operations node in the Access Manager client. Background operations include:
• Cloning, replacing, or removing access for a group of trustees
• Changes for SACL, DACL, or owner security
• Securing a share with no access control
• Agent log file exports
If you close the client, any operations that have not yet started will be deleted.
For more information, see the following:
• “Clone, Replace, and Remove Access for a Group of Trustees” on page 96
• “Edit Security” on page 94
• “Find and Secure a Share with No Access Control” on page 97
• “Where are the Logs?” on page 136

Removing Access Manager

Access Manager can be removed either as part of:
• An upgrade. If you select this option, the deployment components will be maintained. When you install Access Manager again, you can use the Configuration Wizard to point to this existing configuration. As of version 2.0, you must provide the deployment key when performing a server upgrade.
• A full deployment removal. If you select this option, all deployment components are removed. This permanently removes the deployment from your environment.

To remove Access Manager as part of an upgrade
1. Select Start | Programs | Add/Remove Programs.
2. Select Quest Access Manager | Remove.
3. In the Deployment Removal dialog box, select I am upgrading and want to leave my deployment intact, and click OK.

To perform a full deployment removal
• The Management Server must be running during the uninstall.
• Many of the uninstall operations are performed under the credentials of the user running the tool; therefore, those operations will fail if the user does not have the required permissions.
1. Select Start | Programs | Add/Remove Programs.
2. Select Quest Access Manager | Remove.
3. In the Deployment Removal dialog box, select I am uninstalling the application and want to remove all components. (Includes the database, Managed Hosts, and Management Server configuration), and click OK. The Deployment Removal dialog box opens.
4. Click Run. As the removal proceeds, the actions and state are updated.

   ACTION                      PERFORMED BY
   Remove Managed Hosts        Server
   Remove Display Specifiers   User
   Remove Managed Domains      Server
   Unregister Forests          Server
   Remove SCP Objects          User
   Stop Services               User
   Delete Server Keys          User
   Delete Database             User

   Errors and warnings are reported in the listview. You can double-click on an item to get more details. A log file, teardown_log.txt, is created for all of the removal steps. The file location is: <install root>\Quest Software\AccessManager\ManagementServer\Teardown. This file will remain after the uninstall.
5. Click Finish.

2 How To . . .

• Investigate Resource Access
• Manage Network Access
• Manage Machine Local Groups

Investigate Resource Access

To ensure network resources are secured in a manner that meets your business needs, you must be able to easily identify who has been given access to those resources and manage that access appropriately. Using Access Manager you can quickly see who has been given access to specific resources, identify and manage the permissions associated with shares, folders, and files, and run reports to save the information. You can also see where a user is running as a Windows service on Managed Hosts.
To view and manage access from Access Manager

FOR A USER OR GROUP
• Search for the required user or group, right-click the trustee, and select Manage Access, or Reporting to run a report.
– OR –
Select the required user or group from the Users and Groups node, right-click, and select Manage Access, or Reporting to run a report.

FOR A MANAGED HOST
• Select a Managed Host with the Trustee View selected, browse through the resources and locate the user or group with access, right-click, and select Manage Access, or Reporting to run a report.
– OR –
Select a Managed Host with the Resource View selected, browse through the file system, and modify the permissions associated with shares, folders, and files, or select a specific user or group and select Manage Access, or Reporting to run a report.
– OR –
Search for a computer through Quick Search, right-click and select Manage Resources, browse through the file system, and modify the permissions associated with shares, folders, and files, or select a specific user or group and manage their access.
– OR –
Search for a computer through Quick Search, right-click and select Manage Access, browse through the resources and locate the user or group with access, right-click, and select Manage Access, or Reporting to run a report.
For details on managing access, see “Manage Network Access” on page 89; for modifying security, see “Edit Security” on page 94. For information about running reports, see “Creating Reports” on page 107.
You can also view and modify access from Active Directory Users and Computers or Quest ActiveRoles Server: right-click a user, group, or computer and select Manage Access. You must have integrated with Active Directory Users and Computers or Quest ActiveRoles Server to access this option. For more information, see “Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server” on page 41.

Search for a Specific User, Group, or Computer

From the Quick Search node, you can quickly locate users, groups, or computers within the entire enterprise or a specific forest.

To search the enterprise for a specific user, group, or computer
1. From the Access Manager console, select Quick Search.
2. Select the search scope and the type of object for which you are going to search. Provide the search text, and click Search.
– OR –
Select a specific domain from the list to narrow your search for a specific user or group, and click Search.
3. Right-click a user or group and select to view and manage resource access, view group membership information (group members and the groups to which the trustee belongs), run an access or group membership report, or view their properties.
– OR –
Right-click a computer and select to manage its access (Trustee View), manage resources (Resource View), manage a local group, view the computer and Managed Host properties, run a report, add an agent, remove the computer from Access Manager control, or synchronize with a service account.
For more information, see the following:
• “Quick Search Node” on page 71
• “Creating Reports” on page 107

Manage Network Access

Administrators must answer the following questions daily to ensure network compliance:
• Where do users and groups have access, and is the access correct?
• Through which groups do users have access?
• Has access to resources been granted through group membership or directly through the resource Access Control List?
The answers to these questions are easily attained through Access Manager.
More specifically, you can:
• Manage Access for a User or Group
• Manage Resources
• View and Edit Trustee Properties
• Edit Security
• Clone, Replace, and Remove Access for a Group of Trustees
• Find and Secure a Share with No Access Control
• Add and Remove Rights
• Assign Business Ownership
• View Group Membership
• Manage Machine Local Groups
• Run a Trustee Access Report
• Run a Group Members Report

Manage Access for a User or Group

When you right-click on a specific user or group and select Manage Access, you are presented with the Trustee Access view, which shows:
• Group Membership information in the left pane
• Resource Access information in the top right pane
• Detailed resource Access information in the bottom right pane (based on the selection in the left and top right panes)
You can right-click a trustee or a resource in any of the panes to run a report. For more information, see “Creating Reports” on page 107.

User and Group Membership

The User and Group membership view displays a treeview with the selected trustee at the root. The first level beneath the root will be all the groups of which the trustee is a direct member. Beneath each of those groups are the groups from which the trustee has gained access indirectly through the first-level groups, and so on. For more information, see “Group Membership and Group Expansion” on page 19.
Figure 3: (screenshot not reproduced)
This view allows you to select any group to see the resource access granted by being a member of that particular group. If there have been any issues with the retrieval of group membership information, you can click the link in the lower-left to review details. Once you have expanded the list, you can right-click and select to hide the details pane.

Resources

This Trustee Access view shows all Managed Hosts (computers) where the selected user or group has access.
Figure 4: (screenshot not reproduced)
This view displays the type of resource where the user or group has access and whether this access has been granted explicitly (Directly held: the account is in the ACL) or through group membership (Indirectly held: the account belongs to a group that is in the ACL). To get this view, select a user or group, right-click and select Manage Access.
This view is highly configurable and can be grouped according to Managed Host, Resource Type, Account Name, and so on. Therefore, your view may be organized differently than the one described here.

Detailed Resource Information

When a resource is selected in the upper-right pane of the Trustee Access view, the lower-right pane shows the individually accessible resources for the selected computer and resource type.
Figure 5: (screenshot not reproduced)
From here, you can modify the security of a resource by right-clicking and selecting Edit Security. For details, see “Edit Security” on page 94.

Manage Resources

When you select to view a Managed Host with the Resource View enabled, you will quickly be able to see its shares and file system. Double-click through the file system to locate the required resource. Once located, you can edit the permissions or select to manage a trustee’s access.
Figure 6: Select the Resource View from the Managed Host node
For more information, see “Edit Security” on page 94 and “Manage Access for a User or Group” on page 89.

View and Edit Trustee Properties

Before editing access to specific resources, you can view the user or group properties.

To view trustee properties
1. Use the Quick Search option to locate the required user or group.
– OR –
Select the required trustee from the Users and Groups node.
2. Right-click and select Trustee Properties.
3. View the properties and edit as required.

Edit Security

Access Manager's Resource Security Editor allows you to edit the ACL, the SACL (Auditing), the Owner, and Share Permissions. The editor also provides an entry point to manage trustee access, view group membership information (Group Members and Group Member Of), run reports such as the Trustee Access Report, and add and remove rights.
Figure 7: Access Manager’s Resource Security Editor
All changes are performed by the Access Manager server, using the service account appropriate for the target computer. To ensure that unauthorized access does not occur, Access Manager checks the client’s native rights to ensure they are permitted to perform the requested operations. Additionally, clients must have the Access Application right to the Access Manager deployment.
The following is a summary of the native rights required to perform various security operations within the Access Manager client:

OPERATION                             REQUIRED RIGHTS
View shares                           No special rights required
View Administrative shares\volumes    Membership in the Administrators group of the computer
View or modify share security         Membership in the Administrators, Power Users, or Server Operators group of the computer
View folder or file security          Read Permissions on the folder or file; Read on the share from which the folder or file is accessed
Modify folder or file security        Write Permissions on the folder or file; Read on the share from which the folder or file is accessed
Navigate through a share or folder    Read on the share from which the folder or file is accessed; List Contents on the folder

All changes made within Access Manager from the Resource Security Editor are logged in the Quest Access Manager Audit event log. For more information, see “Where are the Logs?” on page 136.

To edit security from the Trustee View
1. Right-click a user or group and select Manage Access. For details on the various methods of locating trustees, see “Investigate Resource Access” on page 86.
2. Browse through the resource types, and select the required computer. A detailed list of all the resources with access will display.
3. Right-click the resource and select Edit Security.
4. Alter the security as required.
You can also right-click the user or group to manage the trustee access, view group members, run a Trustee Access or other report, add rights, or remove permissions. You can run one of the following reports, depending on the number and type of trustees you have selected: Trustee Access, Trustee Activity, Member Of, Member Of Comparison, and Group Members reports.

To edit security from the Resource View
1. Select a Managed Host, browse through the shares and file system, and select the required resource. The Security Editor displays in the lower pane.
2. Alter the security as required.
You can also right-click the user or group to manage the trustee access, view group members, run a Resource Activity or Perceived Owners report, add rights, or remove permissions. For more information about reporting, see “Creating Reports” on page 107.

Clone, Replace, and Remove Access for a Group of Trustees

To quickly make changes to a group of trustees and resources, you can select to clone, replace, or remove access all at once. You can view the progress of the operations by selecting the Background Operations node in the Access Manager client. You will not be prompted to accept the removal; the operation will run automatically once the option is selected.

To clone, replace, or remove access for a group of trustees
1. Right-click a user or group and select Manage Access. For details on the various methods of locating trustees, see “Investigate Resource Access” on page 86.
2. Browse through the resource types, and select the required computer. A detailed list of all the resources with access will display.
3. Right-click the resource and select Clone Trustee. Select the object type, location, and name and click OK.
– OR –
4. Right-click the resource and select Replace Trustee. Select the object type, location, and name and click OK.
– OR –
5. Right-click the resource and select Remove Trustee.

Find and Secure a Share with No Access Control

This is a security measure to ensure all shares have access control. A share without access control, whether through a null security descriptor (SD) or a null discretionary access control list (DACL), is a potential security risk. Quest Access Manager helps you find these resources and secure them by specifying a trustee with Full Control.

To add a trustee to a null SD
1. In the Treeview, select the Users and Groups node.
2. Double-click Share to expand the view.
3. Select Null Security Descriptor Alias. If you do not see Null Security Descriptor Alias in the view, then you have no null SDs.
4. Right-click and select Manage Access.
5. Expand the Share node in the Direct Trustee Access dialog box and select the host you wish to secure. This will open a bottom pane with the available resources on that trustee.
6. Select the desired resource or resources (using Shift + Click) in the bottom pane.
7. Right-click and select Add a Trustee to Null SD.
8. A pop-up dialog box will appear stating that a Background Operation is in Progress. Click Close to remove this dialog box.
To see results, you can click the Background Operations node in the treeview while the client session still exists. Alternately, you can see a log of successful operations in the Quest Access Manager audit log on the Management Server. Each computer must be secured individually, using this process.

To add a trustee to a null DACL
1. In the Treeview, select the Users and Groups node.
2. Double-click Share to expand the view.
3. Select Null Discretionary Access Control List Alias. If you do not see Null Discretionary Access Control List Alias in the view, then you have no null DACLs.
4. Right-click and select Manage Access.
5. Expand the Share node in the Direct Trustee Access dialog box and select the host you wish to secure. This will open a bottom pane with the available resources on that trustee.
6. Select the desired resource or resources (using Shift + Click) in the bottom pane.
7. Right-click and select Add a Trustee to Null DACL.
8. A pop-up dialog box will appear stating that a Background Operation is in Progress. Click Close to remove this dialog box.
To see results, you can click the Background Operations node in the treeview while the client session still exists. Alternately, you can see a log of successful operations in the Quest Access Manager audit log on the Management Server. Each computer must be secured individually, using this process.

Add and Remove Rights

Through the Resource Security Editor you can easily give users and groups access to a selected resource or remove access as required.

To add or remove resource access from the Trustee View
1. Right-click a user or group and select Manage Access. For details on the various methods of locating trustees, see “Investigate Resource Access” on page 86.
2. Browse through the resource types, and select the required computer. A detailed list of all the resources with access will display.
3. Right-click the resource and select Edit Security.
4. Right-click, select Add Rights, select the object type, location, and name and click OK.
– OR –
Right-click a user or group and select Remove Selected Permissions. You will be prompted to accept or ignore the removal.

To add or remove resource access from the Resource View
1. Select a Managed Host, browse through the shares and file system, and select the required resource. The Security Editor displays in the lower pane.
2. Right-click, select Add Rights, select the object type, location, and name and click OK.
– OR –
Right-click a user or group and select Remove Selected Permissions. You will be prompted to accept or ignore the removal.

Assign Business Ownership

Access Manager now enables you to manually set the business owner of a resource.
Business Ownership is not the same as resource ownership, which is an Active Directory security property. Business Ownership can be used to help your organization clearly identify who owns folders and shares to meet security and privacy compliance requirements. For information on resource security ownership, see “Edit Security” on page 94.

To assign ownership
1. In the Resource View of a managed host, select the resource for which you want to assign ownership. You may have to open a higher-level object to see the resource list.
2. In the bottom pane, select the Business Ownership tab. You can also open the tab through the Edit Resource Security dialog box.
3. Right-click and select Grant ownership.
4. In the Grant New Ownership dialog box, select the trustees that you want to assign to the resource and click Next.
5. Enter a justification for the resource ownership change and click Finish. The owners you have selected now appear in the list.
6. Click Save.
You can also report on Business Ownership. For more information, see “Owned Resources Report” on page 108.

To revoke ownership
• On the Business Ownership tab, select the trustees you want to remove, right-click and select Revoke ownership. The trustees are removed from the list of owners for that resource.

View Group Membership

Enterprise group membership information allows you to identify all the groups to which a user belongs and all the members of a particular group. This allows you to quickly see network access to resources and alter it where required. Any issues related to the network, specific access, or improper credentials for the domain will be highlighted.

To view group membership for a specific trustee
1. From the Access Manager console, find the required group, right-click, and select Group Members. You will see a hierarchical view of group membership and the recursive list of who is contained in the group. This eliminates the need to navigate through group nesting to identify all group members that ultimately have access to specific shares, folders, and files.
– OR –
From the Access Manager console, find the required user or group, right-click, and select Manage Access. You will see all the groups of which the selected user or group is a member (both explicitly and indirectly) and the associated access obtained through this group membership.
– OR –
From the Access Manager console, find the required group, right-click, and select Group Member Of. You will see all the groups of which the selected user or group is a member (both explicitly and indirectly).
2. You can now choose to manage the access where required or run reports that detail the access and membership for the selected group or trustee. For details, see “Manage Access for a User or Group” on page 89 and “Creating Reports” on page 115.

Group Member Information

Details of group membership are available in the Group Membership display, accessed by right-clicking on a group and selecting Group Members.

The Members Tree

The left pane displays all group members for the selected group, both direct and indirect. The columns contain the following information:

COLUMN       CONTENT
Name         The common name (CN) of the group.
Location     The location in Active Directory where the group resides.
Members      This column depicts two values: the first is the number of directly included users and groups; the second, bracketed value is the total number of members, both direct and indirect.
Group Type   The group type can be: Machine Local Group, Universal, Global or Domain Local.

The Members List

The right pane displays all members of the group selected in the left pane (“Members Tree”). The columns contain the following information:

COLUMN        CONTENT
Member Name   The common name (CN) for the member.
Location      The location in Active Directory where the member resides.
Via           An indication as to whether this member is a “Direct” or “Indirect” member of the selected group.
Status        • Empty: This member is a group but the group does not have any members.
              • Populated: The member is a group and the group has at least one member.
              • Non Group: This member is not a group and could be a user, computer, contact or any other entity allowed through normal Active Directory group membership rules.

To identify all empty groups
• Right-click an empty group in the Status column, and select Group By This Column.

To determine if a particular user is a member of a group
1. Select a group in the left-hand pane. The right-hand pane contains a list of all members of the selected group and all members of all the nested groups. By filtering on the username, you can easily determine if a given user is a member of a group.
2. Right-click on the column you wish to filter by and select Filter Editor.
3. Enter the user’s name and click OK.

View Group Membership from Active Directory Users and Computers

You need to have the Active Directory integration enabled for this tab to be present in Active Directory Users and Computers. For more information, see “Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server” on page 41.

To view group membership
1. From Active Directory Users and Computers, right-click the required user or group and select to view their properties.
2. Select the Group Membership tab.
If there have been any issues with the retrieval of group membership information, you can click a link to see the list of issues. From here, you can see the issue details and take the required corrective actions.
You can also run reports to view group membership information and comparisons. For information, see “Creating Reports” on page 115.

Manage Machine Local Groups

Access Manager allows you to view the local groups present on any given server within a Managed Domain. This allows for full machine local group management including creation, deletion, and membership modification. Access Manager uses the same delegation model as Managed Domains for machine local groups and includes a granular set of Active Directory extended rights to control their management on a per-server basis.

View Local Machine Groups

You can view machine local groups through:
• the Access Manager client
• Active Directory Users and Computers
• Quest ActiveRoles Server
A computer must be a member of a domain managed by Quest Access Manager in order to view and manipulate its Local Machine Groups.
If there have been any issues with the retrieval of group membership information, you can click a link in the lower-left corner to see the list of errors. From here, you can see the error details and take the required corrective actions.

Delegated Access and Machine Local Groups

It is necessary to ensure that Access Manager has sufficient rights to properly manage machine local groups. Below is a list of the extended rights that need to be delegated to the user of the Access Manager client.
• Application Access: Required by all users.
• Bypass Active Directory Delegation: Allows full access to Access Manager and is required for queries and local group management.
• Allow Directory Browsing: Allows users to browse licensed domains for trustees to be added to machine local groups.
• QAM Manage Machine Local Groups: Allows users to manage the machine local groups of any computer over which they have been granted this permission. Users granted this permission do not need to be in any of the groups on the target computer that would generally allow them to manage machine local groups (Server Operators, Administrators, and others), provided changes to machine local group membership are performed through Access Manager.
• QAM Manage Machine Local Admins Group: Allows users to manage the machine local Administrators group.
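The Group Members, Member Of and Manage Access views described above, and the machine local groups just discussed, all rest on one operation: expanding nested groups. The Members column summarises it as a direct count with the bracketed total, the Via column as Direct or Indirect, the Status column as Empty, Populated or Non Group, and the Resources view as Directly held versus Indirectly held access. The Python below is an added example, not Access Manager code. It works over a constructed directory that deliberately contains a circular nesting (which Active Directory permits and any expander must survive) and a machine local Administrators group that contains a domain group, so that a user’s path to local administrator rights is visible. Every group, user, share and rights name in it is made up.

```python
"""Nested group expansion, the Members / Via / Status columns, and the
Directly held vs Indirectly held classification of resource access.
Added example, not Access Manager code; all names below are constructed.
"""

# group -> its direct members (users or groups). The two Finance groups
# contain each other, and the server FS01's local Administrators group nests
# the domain group CORP\Domain Admins.
DIRECTORY = {
    r"CORP\Finance-All":      [r"CORP\Finance-Analysts", r"CORP\alice"],
    r"CORP\Finance-Analysts": [r"CORP\bob", r"CORP\Finance-All"],      # circular nesting
    r"CORP\HR":               [r"CORP\carol"],
    r"CORP\Empty-Group":      [],
    r"FS01\Administrators":   [r"CORP\Domain Admins", r"FS01\Administrator"],  # machine local
    r"CORP\Domain Admins":    [r"CORP\dave"],
}

# resource -> ACL entries (trustee, rights), i.e. what an Edit Security pane lists.
SAMPLE_ACL = {
    r"\\fs01\finance": [(r"CORP\Finance-All", "Modify"), (r"CORP\alice", "Read")],
    r"\\fs01\hr":      [(r"CORP\HR", "Modify"), (r"FS01\Administrators", "Full Control")],
}


def is_group(name):
    return name in DIRECTORY


def expand(group):
    """Return (direct_count, all_members): every user and group reachable
    from `group` through nesting. A visited set stops cycles, and the root
    group is never listed as its own member."""
    seen, stack = set(), list(DIRECTORY[group])
    while stack:
        member = stack.pop()
        if member in seen or member == group:
            continue
        seen.add(member)
        if is_group(member):
            stack.extend(DIRECTORY[member])
    return len(DIRECTORY[group]), seen


def members_column(group):
    """The Members column: direct count, then bracketed direct + indirect total."""
    direct, everything = expand(group)
    return "%d (%d)" % (direct, len(everything))


def via(group, member):
    """The Via column for a row of the Members List."""
    if member in DIRECTORY[group]:
        return "Direct"
    return "Indirect" if member in expand(group)[1] else None


def status(name):
    """The Status column: Empty / Populated for groups, Non Group otherwise."""
    if not is_group(name):
        return "Non Group"
    return "Populated" if DIRECTORY[name] else "Empty"


def member_of(trustee):
    """The Member Of view: every group the trustee is in, explicitly or through nesting."""
    return {g for g in DIRECTORY if trustee in expand(g)[1]}


def access_for(trustee):
    """The Resources view: each ACL entry that grants the trustee access, marked
    Directly held (its own entry) or Indirectly held (via a group in the ACL)."""
    found = []
    for resource, entries in SAMPLE_ACL.items():
        for ace_trustee, rights in entries:
            if ace_trustee == trustee:
                found.append((resource, rights, "Directly held", None))
            elif is_group(ace_trustee) and trustee in expand(ace_trustee)[1]:
                found.append((resource, rights, "Indirectly held", ace_trustee))
    return found


if __name__ == "__main__":
    for g in DIRECTORY:
        print("%-24s members=%s status=%s" % (g, members_column(g), status(g)))
    for user in (r"CORP\alice", r"CORP\bob", r"CORP\dave"):
        print(user, sorted(member_of(user)), access_for(user))
```

Two details matter for a reviewer reading the output. First, CORP\dave never appears in any share ACL and holds Full Control on \\fs01\hr purely through the FS01\Administrators chain, which is why the page’s QAM Manage Machine Local Admins Group right is delegated separately. Second, the circular Finance groups expand cleanly to three members each instead of looping, so a report built on this walk terminates on a real directory that has accumulated such cycles.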
To view local groups from Access Manager 1. Expand the Managed Hosts node, right-click the computer to be examined, and select Properties. 2. Select the Local Groups tab to view the local groups property sheet. 3. Double-click any group to view its properties. To view and manage local group membership from either Active Directory Users and Computers and Quest Active Roles Server, you first need to integrate with Access Manager. For more information, see “Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server” on page 41. To view local groups using Quest Active Roles Server 1. 104 Select the Active Directory node in the treeview. 2. Right-click the required computer and select Manage Local Groups. 3. Double-click any group to view its properties. How To . . . To view local groups using Active Directory Users and Computers 1. Open Active Directory Users and Computers. 2. Right-click the required computer and select Properties. 3. Select the Local Groups tab with the Quest logo to view the local groups. 4. Double-click any group to view its properties. To view local groups using the Quest Access Manager client Quick Search 1. Select the Quick Search node from the treeview of the Access Manager client. 2. Use the Search bar to find the group to be managed. 3. Right-click on the group and select Properties. 4. Select the Local Groups tab with the Quest logo to view the local groups. The Local Groups dialog box displays all of the local groups that exist on the selected computer. The groups are divided into Built-in groups defined by the operating system and Custom Local groups that are defined by the administrator. This dialog box allows you to create or delete local groups, and view the properties of local groups. Right-click any group in the list to access these features. Create or Delete Machine Local Groups To manage machine local groups, users must have the QAM Manage Local Administrator Group privilege enabled. 
For more information, see “Delegating Access to Access Manager” on page 27.

To create a new Machine Local Group
1. Follow one of the procedures to view local groups (see “View Local Machine Groups” on page 103).
2. Right-click inside the dialog box and select Create.
3. Provide a group name and description.
4. Add members to the group by clicking Add. Click Advanced to enable advanced search options.
5. When all the required members have been added to the group, click Create.

To delete existing Machine Local Groups
1. Follow one of the procedures to view local groups (see “View Local Machine Groups” on page 103).
2. Select the group that you wish to delete.
3. Right-click a highlighted group and select Delete.
4. Click OK. If you find groups listed in the confirmation dialog box that you do not want to delete, select them in the confirmation dialog box and remove them using the Delete key.

Adding Users or Groups to a Machine Local Group

To add users or groups to a machine local group
1. Follow one of the procedures to view local groups (see “View Local Machine Groups” on page 103).
2. Select the group to which you would like to add users, right-click the group, and select Properties.
3. Click Add.
4. Enter the object name to be added to this group and click OK.
   – OR –
   Click Advanced to launch the advanced search dialog box and continue with step 5.
5. When you have selected all of the users and groups to add to this group, click OK.

3 Creating Reports
• Available Reports
• Creating Reports
• Scheduling Reports

Available Reports

Reports are a powerful tool to help you summarize and analyze resource and trustee access and activity. Any user who has been granted the Application Access right can create reports in Access Manager. For information on delegating access, see “Delegating Access to Access Manager” on page 27.
The following reports are available:
• Owned Resources Report
• Perceived Owners Report
• Trustee Access Report
• Resource Activity Report
• Trustee Activity Report
• Group Members Report
• Group Members Comparison Report
• Member Of Comparison Report
• Member Of Report
• Resource Access Report
• Local Rights and Service Identities Report

Owned Resources Report

Through ongoing data governance activities, the assignment of ownership to unstructured data will, over time, improve the overall health of your network. The Owned Resources Report lists all the resources located on Windows File Servers and NAS devices that have been assigned business ownership through the Access Manager interface. You can limit the scope of the report to one or more trustees, in which case the report returns all the resources for which the selected trustees are set as the business owner. To see if the current business owner matches the activity patterns on the resource, you can click a resource link to run a Perceived Owner report on that resource.

You can run this report from the Reports node. For more information, see “Assign Business Ownership” on page 99.

Perceived Owners Report

Unstructured data can be quite substantial across an enterprise, so it is important to have a grasp of who is responsible for managing that data. Access Manager uses historical resource activity to provide guidance on who should own a particular resource. With this information, business ownership can be assessed and then set directly on the resource through the Access Manager application. You can also select a trustee name in the report output to immediately set that trustee as business owner for the resource in question. This report offers two options for assessing perceived ownership.
You can Find Folders with High Activity, which looks at the activity on all sub-folders in the selected resource and makes a recommendation based on the trustees with the highest percentage of weighted activity. Actions such as writes and creates are weighted more heavily than reads. This query excludes resources that have a Business Owner already assigned.

If you choose the Calculate Perceived Owner option, it uses historical resource activity data on the selected folder (not sub-folders) to recommend which trustees should be assigned ownership. This query includes resources that have a Business Owner already assigned, and the owners are indicated in the report output.

This report requires that Resource Activity Tracking be enabled on the locally managed host (Windows computers) or remote agent (NAS device). Resource activity tracking is not available for remotely managed Windows computers. For more information, see “Locally Managed Host Properties” on page 49.

You can run this report directly from a resource in the Managed Hosts node by right-clicking the resource and selecting Reporting and then Perceived Owners. You can run this report from the Reports node, Managed Hosts node, and the Security Editor. If you are not running the report in context (you do not have resources already selected), you can drag and drop from Windows Explorer to select the resources to report on during report configuration.

For more information, see the following:
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Trustee Access Report

Using Access Manager you can view a report of a trustee’s resource access across all Managed Hosts within the enterprise. The report provides a detailed view of trustee group membership and specific resource access.
You can run this report from the Reports node, as well as from any node in which you can select one or more trustees: the Users and Groups node, Managed Hosts, Quick Search, and the Security Editor. For a Trustee Access report on multiple trustees, a separate file is created for each trustee. If you have grouped the view by computer, the report creates a result for each trustee for the selected computer. Otherwise, it returns results for all resources each trustee has access to.

For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Resource Activity Report

Network resources can be accessed frequently by many users over time. Recording and reporting on this activity can help administrators determine patterns of usage (who uses which resources regularly) and help to spot atypical behavior (for example, someone who is reading documents they should not have access to). The Resource Activity Report provides a granular list of activities recorded over a period of time that can then be used to verify proper resource usage and make decisions on removing access for particular trustees. When running the report, you can drag and drop from Windows Explorer to select the resources to report on and also exclude trustees for whom you do not want to see activity.

This report requires that Resource Activity Tracking be enabled on the locally managed host (Windows computers) or remote agent (NAS device). Resource activity tracking is not available for remotely managed Windows computers. For more information, see “Locally Managed Host Properties” on page 49.

You can run this report from the Reports node, or by selecting a resource and using the right-click Reporting menu in the Managed Hosts node (Resource View), Quick Search, and the Security Editor.
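The Perceived Owners report above weights historical activity per trustee, and the Resource Activity report narrows the same activity records by time range and excluded trustees. The following is an added Python example of those two calculations; it is not Quest's code, and the record layout, the action weights (the page says only that writes and creates count more than reads) and the sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed weights: the guide states only that writes and creates outweigh reads.
ACTION_WEIGHTS = {"read": 1, "write": 3, "create": 3}


@dataclass(frozen=True)
class Activity:
    """One tracked access, in an assumed layout for Resource Activity Tracking data."""
    folder: str      # admin path of the folder in which the access happened
    trustee: str     # DOMAIN\user
    action: str      # key of ACTION_WEIGHTS
    when: datetime


def filter_activity(records, start, end, excluded=()):
    """Resource Activity report narrowing: keep records inside the time range
    whose trustee was not excluded from the report (case-insensitive)."""
    excl = {t.lower() for t in excluded}
    return [r for r in records
            if start <= r.when <= end and r.trustee.lower() not in excl]


def _share_by_trustee(records):
    """Weighted activity per trustee as a percentage of the folder total, highest first."""
    totals = defaultdict(int)
    for r in records:
        totals[r.trustee] += ACTION_WEIGHTS[r.action]
    grand = sum(totals.values())
    if grand == 0:
        return []
    return sorted(((t, round(100 * w / grand, 1)) for t, w in totals.items()),
                  key=lambda tw: (-tw[1], tw[0]))


def _owner_of(folder, owners):
    """Business owner already assigned to the folder, if any (case-insensitive lookup)."""
    return next((o for f, o in owners.items() if f.lower() == folder.lower()), None)


def calculate_perceived_owner(records, folder, owners):
    """Calculate Perceived Owner: activity on the selected folder only (not its
    sub-folders); a folder with a Business Owner is included and the owner reported."""
    here = [r for r in records if r.folder.lower() == folder.lower()]
    return {"folder": folder,
            "current_owner": _owner_of(folder, owners),
            "ranking": _share_by_trustee(here)}


def find_folders_with_high_activity(records, root, owners, per_root):
    """Find Folders with High Activity: rank the sub-folders of root by total
    weighted activity, skip folders that already have a Business Owner, keep the
    busiest `per_root` of them (Number of resources per data root) and recommend
    each one's top trustee."""
    prefix = root.rstrip("\\").lower() + "\\"
    by_folder = defaultdict(list)
    for r in records:
        if r.folder.lower().startswith(prefix) and _owner_of(r.folder, owners) is None:
            by_folder[r.folder].append(r)
    ranked = sorted(by_folder.items(),
                    key=lambda kv: (-sum(ACTION_WEIGHTS[r.action] for r in kv[1]), kv[0]))
    results = []
    for folder, recs in ranked[:per_root]:
        ranking = _share_by_trustee(recs)
        results.append({"folder": folder, "recommended": ranking[0][0], "ranking": ranking})
    return results


# Constructed sample: one data root with three sub-folders, one already owned.
SAMPLE = [
    Activity(r"\\FS1\c$\Finance\Budgets", r"CORP\alice", "create", datetime(2011, 10, 3, 9)),
    Activity(r"\\FS1\c$\Finance\Budgets", r"CORP\alice", "write", datetime(2011, 10, 4, 9)),
    Activity(r"\\FS1\c$\Finance\Budgets", r"CORP\bob", "read", datetime(2011, 10, 4, 10)),
    Activity(r"\\FS1\c$\Finance\Budgets", r"CORP\bob", "read", datetime(2011, 10, 5, 10)),
    Activity(r"\\FS1\c$\Finance\Budgets", r"CORP\bob", "read", datetime(2011, 10, 6, 10)),
    Activity(r"\\FS1\c$\Finance\Payroll", r"CORP\carol", "write", datetime(2011, 10, 5, 11)),
    Activity(r"\\FS1\c$\Finance\Payroll", r"CORP\svc_backup", "read", datetime(2011, 10, 5, 23)),
    Activity(r"\\FS1\c$\Finance\Archive", r"CORP\dave", "read", datetime(2011, 10, 7, 8)),
    Activity(r"\\FS1\c$\Finance", r"CORP\dave", "read", datetime(2011, 9, 1, 8)),
]
OWNERS = {r"\\FS1\c$\Finance\Payroll": r"CORP\carol"}   # constructed assignment
REPORT_START, REPORT_END = datetime(2011, 10, 1), datetime(2011, 10, 31, 23, 59)

if __name__ == "__main__":
    for hit in find_folders_with_high_activity(SAMPLE, r"\\FS1\c$\Finance", OWNERS, 5):
        print(hit["folder"], "->", hit["recommended"], hit["ranking"])
    print(calculate_perceived_owner(SAMPLE, r"\\FS1\c$\Finance\Payroll", OWNERS))
```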
For more information, see the following:
• “Quick Search Node” on page 71
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Trustee Activity Report

Constant provisioning and de-provisioning activities can leave your organization open to security breaches and data leakage. Identifying the resource activity of trustees is essential to determining where access should be removed. The Trustee Activity Report shows you all the activity for a particular trustee (for example file reads, writes, and creates) against specific managed hosts. With this information, you can identify activities that are outside the scope of a trustee’s roles, and take steps to secure your resources through the security editing capabilities of Access Manager.

This report requires that Resource Activity Tracking be enabled on the locally managed host (Windows computers) or remote agent (NAS device). Resource activity tracking is not available for remotely managed Windows computers. For more information, see “Locally Managed Host Properties” on page 49.

You can run this report from the Reports node, as well as from any node in which you can select one or more trustees: the Users and Groups node, Managed Hosts node (Trustee View), Quick Search, and the Security Editor.

For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Group Members Report

Active Directory security groups can become bloated over time due to unrestricted provisioning and de-provisioning activities. This report displays a group’s complete direct and indirect membership list. The report can help you identify trustees that should be removed from a group membership list to ensure least privilege within your network.
You can run this report from the Reports node, as well as from any node in which you can select one or more trustees: the Users and Groups node, Managed Hosts node (Trustee View), Quick Search, and the Security Editor.

For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Group Members Comparison Report

Administrators are often responsible for managing groups that have similar membership requirements. A quick glance may not easily distinguish one group from another. The Group Members Comparison report highlights where group membership differs between two or more groups.

You can run this report from the Reports node, as well as from any node in which you can select one or more trustees: the Users and Groups node, Managed Hosts node (Trustee View), Quick Search, and the Security Editor.

For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Member Of Comparison Report

Two users who have been provisioned for similar roles may find that they have different levels of access due to differences in group membership. The Member Of Comparison report helps identify these differences so they can be corrected.

You can run this report from the Reports node, as well as from any node in which you can select one or more trustees: the Users and Groups node, Managed Hosts node (Trustee View), Quick Search, and the Security Editor.

For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Member Of Report

In the native environment, it can be difficult to get an accurate representation of nested group membership.
Users can be a member of a group through many levels of nesting, including local groups. This report shows a clear picture of a trustee’s full membership in Access Manager’s indexed security groups.

You can run this report from the Reports node, as well as from any node in which you can select one or more trustees: the Users and Groups node, Managed Hosts node (Trustee View), Quick Search, and the Security Editor.

For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Resource Access Report

You can use this report to determine who has access to the resources in which you are interested. The data usage information in the report can help you meet your compliance and audit goals. When you run the report, you can set the parameters to report on the folders or shares of interest to you. You can also isolate specific types of permission, such as modify, full control, read, and execute. The report includes subfolders and files of the identified resources if the security differs from the parent, such as when inheritance of security is overridden or blocked.

You can run this report from the Reports node, the Quick Search View (right-click the context menu on computers added as a managed host only), the Access Query View (right-click the context menu on your chosen resources), or from the Managed Hosts Resource View (right-click the context menu on your chosen resources).

You must run this report using the same roots by which your host is scanned. On a locally managed host, use the admin path. On a remotely managed host, you have the option of the remote shares or the admin paths. When dragging paths into the Resource Access and Security report parameters, the paths must point to indexed objects. Dragging non-scanned folders or other objects into the window for reporting will result in a report error.
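The four membership reports described above (Group Members, Group Members Comparison, Member Of and Member Of Comparison) all rest on resolving nested membership, including machine local groups that contain domain groups. The following added Python example, which is not Quest's code, shows that resolution over a constructed membership table standing in for the security index; the table, the names in it and the nesting cycle it contains are assumptions.

```python
from collections import defaultdict, deque


def group_members(members_of, group):
    """Group Members report: every direct and indirect member of `group`.
    Returns {member: (kind, chain)}; chain lists the groups, starting at `group`,
    through which the membership is granted. Nesting cycles are tolerated."""
    found = {}
    queue = deque([(group, [group])])
    expanded = {group}
    while queue:
        g, chain = queue.popleft()
        for m in sorted(members_of.get(g, ())):
            if m == group:               # cycle back to the group being reported on
                continue
            if m not in found:           # BFS: a direct membership is seen before an indirect one
                found[m] = ("direct" if g == group else "indirect", chain)
            if m in members_of and m not in expanded:   # m is itself an indexed group
                expanded.add(m)
                queue.append((m, chain + [m]))
    return found


def member_of(members_of, trustee):
    """Member Of report: every group the trustee belongs to through any level of
    nesting, AD or machine local. Returns {group: chain from the trustee upward}."""
    parents = defaultdict(set)
    for g, members in members_of.items():
        for m in members:
            parents[m].add(g)
    found = {}
    stack = [(trustee, [])]
    while stack:
        t, chain = stack.pop()
        for g in sorted(parents[t]):
            if g not in found and g != trustee:
                found[g] = chain + [g]
                stack.append((g, chain + [g]))
    return found


def compare(named_sets):
    """Comparison reports: for each name, the entries not shared by all compared
    sets. Empty lists everywhere mean the memberships are identical."""
    common = set.intersection(*named_sets.values())
    return {name: sorted(s - common) for name, s in named_sets.items()}


def group_members_comparison(members_of, groups):
    """Group Members Comparison: where the full membership of the groups differs."""
    return compare({g: set(group_members(members_of, g)) for g in groups})


def member_of_comparison(members_of, trustees):
    """Member Of Comparison: where the trustees' resolved group memberships differ."""
    return compare({t: set(member_of(members_of, t)) for t in trustees})


# Constructed sample: group -> set of direct members (users or groups); the
# machine local Administrators group on host FS1 contains two domain groups.
MEMBERSHIP = {
    r"CORP\Finance-All": {r"CORP\Finance-Analysts", r"CORP\Finance-Managers"},
    r"CORP\Finance-Analysts": {r"CORP\alice", r"CORP\bob"},
    r"CORP\Finance-Managers": {r"CORP\carol", r"CORP\Finance-All"},   # nesting cycle
    r"CORP\Domain Admins": {r"CORP\dave"},
    r"FS1\Administrators": {r"CORP\Domain Admins", r"CORP\Finance-Managers", r"FS1\Administrator"},
}

if __name__ == "__main__":
    for m, (kind, chain) in sorted(group_members(MEMBERSHIP, r"CORP\Finance-All").items()):
        print(f"{m}: {kind} via {' > '.join(chain)}")
    print(member_of(MEMBERSHIP, r"CORP\alice"))
    print(member_of_comparison(MEMBERSHIP, [r"CORP\alice", r"CORP\carol"]))
```

The Member Of output for CORP\alice ends at FS1\Administrators, which is the kind of local-group nesting the native tools make hard to see.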
For more information, see the following:
• “Quick Search Node” on page 71
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94

Local Rights and Service Identities Report

This report helps you understand who has local rights on a managed host and which identities are being used to run Windows services. It is organized into three key sections.
• Service Identities - Lists the identities used to run services on the selected Managed Host. An example would be the "BroadwayAgentService".
• Local User Rights - Lists the particular rights that a trustee has on a given Managed Host. An example would be the "Allow Logon Locally" right.
• Admin Rights - Lists trustees with Operating System Administrative rights on a given Managed Host.

You can run this report from the Reports node, the Managed Hosts node, or the Quick Search node.

For more information, see the following:
• “Quick Search Node” on page 71
• “Managed Hosts Node” on page 75

Creating Reports

The options you have to configure a report depend on the type of report you are running. You may also be able to run reports from some or all of the following nodes:
• Quick Search — For information, see “Quick Search Node” on page 71.
• Users and Groups — For information, see “Users and Groups Node” on page 73.
• Managed Hosts — For information, see “Managed Hosts Node” on page 75.
• Security Editor — For information, see “Edit Security” on page 94.

You must explicitly save or export the report to save the template or the data. When you save a report, the report definition is saved under the node for the type of report you have selected. To see the data, run the report again. When you export a report, a copy of the report output is saved in the format and location you choose. To see the data, open the report. After you save a report, you can also schedule it to run. For information, see “Scheduling Reports” on page 125.

To run a report
1. Click the Reports node in the left pane.
This opens the treeview, showing all available reports.
2. Select a report from the list, then click Configure New Report.

IF YOU SELECT...    PROCEDURE

Owned Resources
1. Select one or more trustees to limit the report scope to resources owned by the selected trustees, if applicable, and click Finish. If you have not limited the scope of the report by selecting trustees, the report returns all the resources in the Security Index that have a Business Owner defined.
2. In the report output, you can click a resource link to run a Perceived Owner report on that resource.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Perceived Owners
1. Click Add to enter the fully qualified URIs for the resources on which you want to report, and click Next. For example, \\Server\c$\Folder. You can also drag and drop from Windows Explorer.
   – OR –
   Click Import to import a text file with a list of URIs on which to report.
   Note: To import successfully, use a plain text file, with a separate URI on each line and a hard return at the end of each line. Do not include any commas or headers.
2. On the Resources page, select one of the following options, depending on how you want to find perceived owners, and click Next.
   • Find Folders with High Activity - this option uses historical resource activity data on the sub-folders of the selected folder, and returns a business owner recommendation based on the trustees with the highest percentage of weighted activity. Actions such as writes and creates are weighted more heavily than reads. This query excludes resources that have a Business Owner already assigned.
   Set a value for the Number of resources per data root. This setting applies only to the Find Folders with High Activity option. For example, if you choose five, the results display the five busiest folders.
   • Calculate Perceived Owner - this option uses historical resource activity data on the selected folder (not sub-folders) to recommend which trustees should be assigned business ownership. This query includes resources that have a Business Owner already assigned, and the owners are indicated in the report output.
3. Select a time range to report on and click Next.
4. Select the trustees to be excluded from the report, if applicable, and click Finish.
You can click a resource name at the top of the report output to go to the page for that resource.
Note: You can select a trustee name in the report output to add the trustee as a business owner for the resource in question. You are prompted to specify a justification.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Trustee Access
1. Select the object types by clicking the Object Types button and selecting items to include, then click OK.
2. You can modify the host by clicking Location, selecting a specific host and clicking OK.
3. To select a trustee, you can enter some or all of the letters in the name and click Check Names, then select the trustee you want from the results list and click OK.
   – OR –
   Click Advanced and use the query dialog to find a particular name or description that Starts With, Ends With, Is Exactly or Contains the string you type.
   Use the dropdown list to select the best search type, then click Find Now. Select the trustee from the results list and click OK.
4. Click Next.
5. Clear the check box next to any resource type you want to exclude from your report and click Next.
6. If you only want to report on specific hosts, select Specific hosts and then select the host names on which you want to report, and click Next.
7. Select the Group Expansion Options you want to use when generating the report. You have the option to select direct access only or include the Trustees Group expansion. Further, you can exclude specific groups to simplify the report results. Make your selections and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Resource Activity
1. Click Add to enter the fully qualified URIs for the resources you want to report on and click Next. For example, \\Server\c$\Folder. You can also drag and drop from Windows Explorer.
   – OR –
   Click Import to import a text file with a list of URIs to report on.
   Note: To import successfully, use a plain text file, with a separate URI on each line and a hard return at the end of each line. Do not include any commas or headers.
2. Select a Time Range to report on and click Next.
3. Select the Trustees to be excluded from the report, if applicable, and click Next.
4. Select the Display Options and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description.
A new report appears in the treeview. You can now run the report with your selected settings at any time.

Trustee Activity
1. Enter the name of a trustee to report on and click Next.
2. Select the Host computers to report on and click Next.
3. Select a Time Range to report on and click Next.
4. Select the Display Options you want and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Group Members
1. Enter the name of one or more groups to report on and click Next.
2. Select the Display Options for the report and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Group Members Comparison
• Enter the name of two or more groups to report on and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Member Of Comparison
• Enter the name of two or more trustees to report on and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Member Of
1. Enter the name of one or more trustees on which you want to report and click Next.
2. Select the Display Options for the report and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Resource Access
1. Click Add to enter the fully qualified URIs for the folders and shares you want to report on and click Next. For example, \\Server\c$\Folder. You can also drag and drop from Windows Explorer.
   – OR –
   Click Import to import a text file with a list of URIs to report on.
   Note: To import successfully, use a plain text file, with a separate URI on each line and a hard return at the end of each line. Do not include any commas or headers.
2. Select the Permission types to report on and click Next.
3. Select the types of trustee to include in the report and click Next.
4. Select the display options for the report and click Next. A summary of all the trustees found is displayed, grouped by type.
Note: Child objects are reported by default only if their security differs from the parent, for example a file that has different security settings from the parent folder.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Local Rights and Service Identities Report
1. Select either All accessible hosts and click Next.
   – OR –
   Select Specific hosts, click on each host you want to include and click Next.
2. Select the Permission types to report on and click Next.
3. Filter out any trustees you do not want in your report by searching in the top pane. Type the first few letters of the trustee and press Search. Select any trustees you wish to exclude and click Exclude. You will see your list of excluded trustees in the accumulator pane below the search window.
4. Click Finish. The Local Rights and Service IDs and Admin rights are displayed, grouped by Managed host and then by Trustee.
Once you have generated your report, you can:
• Right-click anywhere in the report, select export and save it to an Excel, Word or PDF file.
• Save the settings of your report for future use by clicking Save Template as… and providing a name and description. A new report appears in the treeview. You can now run the report with your selected settings at any time.

Scheduling Reports

You can schedule a report to run after you have run that report at least once and saved it. You must have the following permissions to schedule reports:
• Application Access in the Access Manager deployment permissions. For information, see “Access Manager Deployment Permissions” on page 28.
• "Logon as a batch job" privilege in the User Rights Assignments of the Local Policies on the client to schedule a task in Task Manager
• Write access to the folder where you will save reports

To schedule a report
1. Open the Reports folder in the left pane and locate the saved report you want to schedule.
You must run and save a report first before you can schedule it. After you have saved the report, you can find it in the Reports item under the type of report, for example, Group Members Report.
2. Select the report name and click Schedule Report.
3. In the Schedule Settings dialog box, choose a date and time, period (weekly, monthly, and so on) as well as the start and finish, as required, and click Next.
4. Select a Format and Location for the report output, and click Next.
5. Enter your password to save the scheduled task, and click Next.
6. Review the Description and Report Summary to ensure they are what you want, and click Finish.

To view, edit, or delete scheduled tasks
1. Open the Windows Administrative Tools group and select Task Scheduler.
2. Expand the Task Scheduler Library | Microsoft | Quest Software | Access Manager | Scheduled Reports and find the scheduled item by name. If you are using an Access Manager client on Windows XP or Windows 2003, all scheduled tasks are kept in a single list within the Task Scheduler.
3. To edit the schedule, right-click the item name and select Properties.
4. Open the Triggers tab and click Edit.
   – OR –
   Click New for a new Schedule item on the same report template.
You may be prompted for your password again to save any settings. For more information about the Windows Task Scheduler, see the Task Scheduler section of the Microsoft Management Console Help.
4 Understanding Access Manager through Scenarios
• Provision a User
• Deprovision a User
• Cleanup Resources
• Investigate User and Group Access
• Investigate a Specific Type of User Access
• Investigate Computer Access
• Assess Group Membership and Access

Provision a User

Scenario: Your organization has acquired a small company and, as the administrator, you need to ensure that all new employees in the various departments have the required access to all of the applications, configuration settings, and material to begin work effectively within your organization.

Administration Tasks:
• Determine the required access and groups to which the new user account should belong
• Use Access Manager to ensure that the proper access has been granted and make any alterations where necessary

To provision a user
1. From the Access Manager console, use the Quick Search to find the required group, right-click, and select Manage Access.
   – OR –
   From your Active Directory Users and Computers or Quest ActiveRoles Server, right-click the required group, and select Manage Access.
2. Expand the resource type and select a Managed Host. The Access Manager console displays the computers and resource types where the group has access.
3. Right-click the required resource in the lower-right pane, and select Edit Security.
4. Add access to the specific resource by right-clicking in the Resource Security Editor and selecting Add Rights.
5. In the Add Permission Wizard, select a user or group, specify the required permissions, and click Finish.

Using Access Manager’s Clone Trustee feature, you can quickly and easily copy and apply the required permissions to a new user or group.

To clone access
1. Locate the user or group whose access you would like to copy, and select Manage Access.
2. From within the Resource Security Editor, right-click the required resource, and select Clone Trustee.
3. Select the required user or group, and click OK. The access to the resource will be cloned to the new user or group.
To view the success of the operation, view the Background Operations node.

Deprovision a User

Scenario: A contract employee, who has been given access to various financial resources located on several servers throughout your network, is no longer required. As the work progressed, so did their access to various files. The access was incremental and not always granted by the same administrator. As a result, access has been granted both through groups and by placing the account directly in the Access Control List (ACL) of the resource.

Administration Task:
• Ensure the account access is effectively removed from all resources.

To remove a user’s access from a resource
1. From the Access Manager console, use the Quick Search to find the required user or group, right-click, and select Manage Access.
   – OR –
   From your Active Directory Users and Computers or Quest ActiveRoles Server, right-click the required group, and select Manage Access.
   The Access Manager console displays the computers and resource types where the user or group has access.
2. Expand the resource type and select a Managed Host.
3. Right-click the required resource, and select Edit Security.
4. Right-click the user in the Resource Security Editor, select Remove Selected Permissions, and click Save.
You can also remove the user's access quickly from multiple resources by selecting all the required resources within the Resource Security Editor, right-clicking, and selecting Remove Trustee. To view the success of the operation, view the Background Operations node.

Cleanup Resources

Scenario: Access Manager facilitates the removal of SIDs that appear directly in ACLs. The scenario presented below demonstrates this capability.
Administration Tasks:
• Remove unresolved SIDs to improve performance

To remove unresolved SIDs
1. From the Access Manager console, select the Users and Groups node and expand the trustee type Unknown.
2. Right-click the unresolved SID and select Manage Access.
3. Right-click the required resource and select Edit Security.
4. Right-click the unresolved SID in the Resource Security Editor, select Remove Selected Permissions, and click Save.
You can also remove the access quickly for an unresolved SID by right-clicking it within the Resource Security Editor, and selecting Remove Trustee. To view the success of the operation, view the Background Operations node.

Investigate User and Group Access

Scenario: Where Do Users and Groups have Access on the Network?
As people join, depart, and shuffle throughout your organization, you will need to change their access to resources. With Access Manager, you can validate that users and groups have been granted access to all the resources they need, ensure they do not have access to excess resources, and manage their access when problems arise.

Administration Tasks:
• Investigate access for a user in a particular role within your organization to help grant the same access to a new hire. For details, see “Clone, Replace, and Remove Access for a Group of Trustees” on page 96.
• Investigate where users have access and modify it if required. For details, see “Manage Network Access” on page 89, and “Creating Reports” on page 107.
• Perform a spot check on a particular user or group to ensure they have the correct access to resources. For details, see “Manage Machine Local Groups” on page 103.
• Evaluate a group’s access before deleting it. For details, see “Investigate Resource Access” on page 86, “View Group Membership” on page 100, and “Creating Reports” on page 107.
Investigate a Specific Type of User Access

Scenario: Where are Domain-level Users Being Run as Service Identities?
In the Users and Groups node, you can filter, group, and sort data from any angle to zero in on very specific questions you need to answer. In this scenario, you want to find Domain-level users that are being used as service identities on a specific set of servers whose names all start with the same prefix.

Administration Tasks:
1. In the Users and Groups node, open the layout panel and select the pre-defined layout called Domain-level Trustees Only. If the layout panel is not open, select Show Layout Options from the Action menu. For information, see “Saving Customized Layouts” on page 59.
2. Use the Group By Box in the Layout Options to group the columns by Resource Type and then by Host Name.
3. In the Filter Editor, add an item for [Host Name] [Begins with] [your filter criteria]. For example, filter for Host Names that begin with CAN. For more information, see “Grouping, Sorting and Filtering Views” on page 58.
Because you have grouped by Resource Type, you can clearly see in the Windows Service Identity node all the Managed Hosts where Domain-level users are being run as Service Identities.

For more information, see the following:
• “Users and Groups Node” on page 73
• “Saving Customized Layouts” on page 59

Investigate Computer Access

Scenario: Who has Access to a Specific Resource?
To ensure a computer is secured in a way that meets your business requirements, it is essential that you can easily and quickly see who has been given access to resources (specifically users and groups who have explicit access to a specific computer), and correct any issues identified.

Administration Tasks:
• Investigate who appears in the security settings on a specific computer to ensure that corporate policy is being followed.
• Look for non-authorized users on a specific computer.
For detailed procedures, see “Investigate Resource Access” on page 86, “Manage Resources” on page 93, and “Creating Reports” on page 107.

Assess Group Membership and Access

Scenario: Where Does the Access Originate?
Because user and group access may be the result of several layers of nested groups, it may be difficult to assess. Using Access Manager, you can easily see group membership, computers, and resource types where the user or group has both direct access and indirect access by means of group membership.

Administration Task:
• Ensure group access is properly assigned.

For more information, see the following:
• “Investigate Resource Access” on page 86
• “View Group Membership” on page 100
• “Creating Reports” on page 115

5 Troubleshooting

• Where are the Logs?
• Why is the Managed Hosts Node Empty?
• Where is My Activity Data?
• Where are the Menus and Property Pages in Active Directory Users and Computers?
• Why is an Agent not Connecting to the Access Manager Server?
• Why are Groups Missing from the Group Memberships Treeview?
• Why are Agent Leases Expiring?
• Why are My PowerShell Cmdlets not Contacting the Access Manager Server?

Where are the Logs?

Server Logs
The Access Manager server log files are located in the program directory, which is by default:
c:\Program Files\Quest Software\Access Manager\ManagementServer
At any given point, you will see the following files:
• QAM Service Log.txt
• QAM Group Resolution Log.txt
• QAM Lease Manager Log.txt
• QAM Machine Local Group Log.txt
There may be two files of each because the Access Manager server maintains rolling logs, in an effort to save space on the hosting computer. The first log file is the active log, and is constantly being maintained by the server. When this file reaches its threshold (20 MB), it is renamed with the current year, and a new one is started. This second log file is overwritten each time the server starts a new log.
Both files are generally necessary when troubleshooting issues.

Agent Logs
Local agent log files are stored on the agent host computer in a subdirectory of the agent installation folder named \BroadwayAgentService. Remote agent instance logs are in subdirectories of the agent installation folder, named after the agent ID on the host computers. The agent ID for a specific managed host can be found on the Agent Details tab in the Agent Service section of the Agent Properties page. Note that the identity being used by each agent must be capable of creating sub-folders and files beneath the agent's installation directory.
Agent log files are maintained as a binary file with the file extension .bwalog. To view their contents, Quest has provided a command line tool, BWAgentLogReader.exe. To convert an Agent log file into readable text, enter the following from the command prompt:
bwagentlogreader /f <path to logfile> /full >> outputFile
You can also export the agent log as a text file by using the context menu on a managed host and selecting Export Agent Log.

Why is the Managed Hosts Node Empty?
There may not be any Managed Hosts configured in your deployment. To gather information, Access Manager must be told which computers to index. For more information, see “Managed Host” on page 13 and “Add an Additional Remote Agent to a Managed Host” on page 38.

Resolution
Navigate to Access Manager, right-click the Managed Hosts node, and select Add Managed Host. Select a management method. (Decide if you want to manage the host using a remote agent on another computer or using a locally installed agent.) Select the domain in which the host resides, select the host, and click Add. If the agent is hosted locally, the addition of the Managed Host is complete. If a remote agent has been selected, you need to configure the remote agent. Select a host computer from within the same forest as the target computer.
Select a service account with sufficient permissions to access the target computer. Define a schedule for the agent to scan the target computer and click Next. Select the data roots that will be indexed by this agent and click Finish.
Adding a Managed Host will deploy the Access Manager Agent to the computer. The agent will index security information, and pass on requested information to the Access Manager server. Most information is kept on the Agent, and retrieved only when requested by a client, to ensure a minimal impact on the network.

Where is My Activity Data?
When you run a Resource Activity, Trustee Activity, or Perceived Owner report, you may not immediately see activity in the report that you know you have performed.

Probable Cause:
• There is some lag time between when an action occurs, such as a file read or write, and when the data is sent from the agent to the server. This delay is dependent upon the granularity setting, the update schedule, and various internal processes.
• It is possible you did not have resource activity tracking enabled for that data root during the time span covered in the report.
• If you have enabled resource activity tracking, it is possible you have excluded some trustees, files, or folders where the activity occurred.

Resolution:
• For a locally managed Windows computer, open the Managed Host Properties, select the Resource Activity tab, and enable the activity tracking.
• To verify which trustees, files, or folders are being tracked, click Manage Exclusions and check each tab.
• For a remotely managed NAS device, open the Managed Host Properties, and select the Agents tab. Then right-click to open the Agent Properties, select the Resource Activity tab, and enable the activity tracking or check the settings.
For information on all the resource activity settings, see “Locally Managed Host Properties” on page 49.

Where are the Menus and Property Pages in Active Directory Users and Computers?
For Access Manager to place extension menus in Active Directory Users and Computers, it must modify the DisplaySpecifiers container in all of the Active Directory forests containing users and groups that you want to query. The Access Manager client must also be installed on the computer from which the user is trying to use Active Directory Users and Computers.

Resolution
Register all forests containing users that you want to query in the Access Manager. When a forest is registered, Access Manager will extend the DisplaySpecifiers of the forest with the required keys. This change will cause no negative effects in the enterprise. For details, see “Grouping, Sorting and Filtering Views” on page 58.

Why is an Agent not Connecting to the Access Manager Server?
Probable Cause:
• The Agent has not been able to find a Service Connection Point that points to a valid server.
• A firewall is active on the agent hosting computer, which is preventing the Agent from connecting to the server.
• The proxy settings on the agent computer are preventing it from connecting to the server.

Resolution:
• Ensure that the Service Connection Points of the agent computer's Managed Domain are OK. (You can find this information by right-clicking a Managed Domain, and selecting to view its Properties. If the Service Connection Points are listed as Not Found, select Create.)
• Ensure that the following registry value contains the same Deployment ID value present on the Access Manager snap-in’s home page:
Registry Key: HKEY_LOCAL_MACHINE\Software\Quest Software\Broadway\Agent\Services\communication
Registry Value: deploymentId (REG_SZ)
• Configure the firewall on the Agent to allow outgoing traffic on TCP port 8721, as well as incoming traffic on TCP port 18530. Also, ensure that the Management Server firewall has the following exceptions configured: incoming TCP 8721 and 8722, and outgoing TCP 18530.
• Configure the proxy settings on the Agent computer to either store credentials for accessing your corporate HTTP proxy, or allow bypassing of the proxy for local addresses.

Why are Groups Missing from the Group Memberships Treeview?
To examine group membership in your enterprise, Access Manager requires credentials that allow it to read group memberships in the domains that make up your enterprise trust structure. These credentials are provided through service accounts, and by adding domains. If Access Manager is having trouble resolving group memberships, you will see a link in the lower-left pane (after having selected Manage Access from the client) that you can click to see a list of issues detailing any problems encountered during group expansion.

Resolution
Ensure that all domains that contain relevant groups have a service account specified in Managed Domains. This grants the ability to read all group membership information in their associated forests. For more information, see “Add a Domain to the Deployment” on page 31.

Why are Agent Leases Expiring?
Probable Cause:
• The computer on which the Agent is running has rebooted.
• The Agent service on the hosting computer has been stopped or disabled.
• The Server service has been restarted.

Resolution
• Ensure the Quest Access Manager Agent service is running on the hosting computer.

Why are My PowerShell Cmdlets not Contacting the Access Manager Server?
You must provide the PowerShell session with the location of the Access Manager server. This setting is preserved, so it need only be set once per user, per client computer.
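The following script is an added example and not part of the Quest guide. It checks, from a PowerShell prompt on the agent host, the conditions that the agent-connection and cmdlet-connection questions in this chapter point at: the deploymentId registry value, whether the agent service is running and listening on TCP 18530, and whether TCP 8721 (agent traffic) and TCP 8722 (cmdlet traffic) on the management server can be reached. The server name and Deployment ID are parameters you supply; matching the agent service by the display name "Quest Access Manager Agent" with a wildcard, and parsing netstat output for the listener, are assumptions of this script rather than anything the guide documents.

```powershell
# Added diagnostic script (not Quest's code) for the agent-connection and
# cmdlet-connection questions. Run it on the agent host as an administrator.
# Assumptions: -ServerName is your Access Manager server; -ExpectedDeploymentId
# is the Deployment ID shown on the snap-in's home page; the agent service is
# matched by the display name this chapter uses ("Quest Access Manager Agent").
param(
    [Parameter(Mandatory = $true)] [string] $ServerName,
    [Parameter(Mandatory = $true)] [string] $ExpectedDeploymentId
)

# Registry location from the "Why is an Agent not Connecting" entry
$regKey = 'HKLM:\Software\Quest Software\Broadway\Agent\Services\communication'

function Test-DeploymentId {
    param([string] $Expected)
    # deploymentId (REG_SZ) must equal the Deployment ID on the snap-in home page
    $item = Get-ItemProperty -Path $regKey -Name deploymentId -ErrorAction SilentlyContinue
    if ($item -eq $null -or -not $item.deploymentId) {
        Write-Warning "deploymentId not found under $regKey (agent not installed, or wrong key?)"
        return $false
    }
    if ($item.deploymentId -ne $Expected) {
        Write-Warning ("deploymentId mismatch: registry '{0}', expected '{1}'" -f $item.deploymentId, $Expected)
        return $false
    }
    return $true
}

function Test-AgentService {
    # Display name from the "Why are Agent Leases Expiring?" entry; the wildcard
    # is an assumption in case the display name carries a suffix.
    $svc = Get-Service -DisplayName 'Quest Access Manager Agent*' -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Warning 'Agent service not found'; return $false }
    if ($svc.Status -ne 'Running') { Write-Warning ("Agent service is {0}" -f $svc.Status); return $false }
    return $true
}

function Test-LocalListener {
    param([int] $Port)
    # The agent must accept incoming TCP 18530. netstat is parsed because
    # Get-NetTCPConnection does not exist on the Windows versions this guide targets.
    $lines = netstat -a -n -p tcp | Select-String -SimpleMatch (":{0} " -f $Port)
    foreach ($l in $lines) { if ($l.Line -match 'LISTENING') { return $true } }
    Write-Warning ("Nothing is listening on TCP {0}; check the agent service and the inbound firewall exception" -f $Port)
    return $false
}

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    # A plain socket connect works on PowerShell 2.0 (Test-NetConnection is newer).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            Write-Warning ("Timed out connecting to {0}:{1}; check the SCP, proxy settings and firewall" -f $ComputerName, $Port)
            return $false
        }
        $client.EndConnect($ar)
        return $true
    } catch {
        Write-Warning ("Cannot connect to {0}:{1}: {2}" -f $ComputerName, $Port, $_.Exception.Message)
        return $false
    } finally {
        $client.Close()
    }
}

$checks = @(
    @{ Name = 'deploymentId matches snap-in home page';             Ok = (Test-DeploymentId $ExpectedDeploymentId) },
    @{ Name = 'Quest Access Manager Agent service running';         Ok = (Test-AgentService) },
    @{ Name = 'agent listening on TCP 18530';                       Ok = (Test-LocalListener 18530) },
    @{ Name = "server $ServerName reachable on TCP 8721 (agent)";   Ok = (Test-TcpPort $ServerName 8721) },
    @{ Name = "server $ServerName reachable on TCP 8722 (cmdlets)"; Ok = (Test-TcpPort $ServerName 8722) }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $c.Name)
}
```

A failed deploymentId check means the agent was installed against a different deployment and will never find the right server, whatever the network looks like; a failed 8721 or 8722 check with a passing deploymentId points at the Service Connection Point, proxy or firewall items in the resolution list above.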
Resolution
After opening PowerShell and loading the cmdlets, execute the following statement to allow the cmdlets to find the Access Manager server:
Set-QServiceConnection [-ServerName] <string> [-Port] <string>

Appendix A: Configuring EMC Celerra

• Configuring the CEPA Facility
• Configuring the Individual CEPA Pool Servers
• Configuring Access Manager to Watch the Data Mover
• Verifying the Status of the CEPA Facility

Configuring the CEPA Facility
For EMC Celerra Network Attached Storage (NAS) devices, Quest Access Manager Agents support connectivity to the Celerra Event Publishing Agent (CEPA). With this support, the agent can read real-time file system events on Common Internet File System (CIFS)-based Data Movers for the purpose of real-time security indexing and activity (read/write) monitoring. Configuring this support enables you to track both real-time security index updates and activities on the device, and provides access to several reports in Access Manager. For more information, see “Creating Reports” on page 107.
Due to the EMC architecture, you must complete the following procedure to enable CEPA connectivity, as well as the procedures listed in these topics:
• Configuring the Individual CEPA Pool Servers
• Configuring Access Manager to Watch the Data Mover
• Verifying the Status of the CEPA Facility
If you have upgraded your agents, you must restart the agent after you configure the EMC Celerra device.

To configure the CEPA Facility on the EMC Data Mover
1. Connect to the Celerra Control Station using telnet, logging in as the NAS Admin user.
2. Copy the current configuration file from the Data Mover:
$ server_file [movername] -get cepp.conf cepp.conf
Where: [movername] = name of the Data Mover where the configuration file resides.
3.
Edit the cepp.conf file to ensure the postevents flag incorporates all events:
postevents=*
If the CEPA Facility is not configured and you receive an error in step 2 above, create a cepp.conf file using vi or another preferred text editor and populate the file with the following configuration:
pool name=[poolname] servers=[server1]|[server2]|[…] postevents=*
Where:
[poolname] = The CEPA pool name (alphanumeric), e.g., MyCepaPool.
[serverX] = The full DNS name or IP address of the Windows computer hosting the Celerra Event Enabler software from EMC and the QCEE connector software from Quest Software.
4. Stop the CEPA facility on the Data Mover:
$ server_cepp [movername] -service -stop
Where: [movername] = name of the Data Mover where the configuration file resides.
5. Publish the cepp.conf file to the Data Mover:
$ server_file [movername] -put cepp.conf cepp.conf
Where: [movername] = name of the Data Mover where the configuration file resides.
6. Start the CEPA facility on the Data Mover:
$ server_cepp [movername] -service -start
Where: [movername] = name of the Data Mover where the configuration file resides.
7. Verify the CEPA status using the following command:
$ server_cepp [movername] -service -status
Where: [movername] = name of the Data Mover where the configuration file resides.

Configuring the Individual CEPA Pool Servers
For CEPA pool servers, only 64-bit platforms are supported at this time.

To configure the pool servers
1. Download the EMC Celerra Event Enabler software from the EMC Web site. You have the option to run the Complete or the Custom install. It is recommended that you install the Complete package.
2. Install the software on each server found in the servers attribute, as defined in the cepp.conf file above.
3. From the Quest Access Manager installation CD, find and install the QCEE_x64 Quest connector software.
Configuring Access Manager to Watch the Data Mover

To configure the Access Manager server to watch the data mover
1. In the Access Manager console, select the Managed Hosts node, right-click, and select Add Managed Host.
2. In the Select Management Method box, select Remotely managed through an agent on another computer, and click Next.
For remotely managed hosts, the first remote agent must be added during the host’s initial deployment. You can manually add more remote agents later, if needed. For information about agents, see “Access Manager Agent” on page 13.
3. Select the EMC Celerra file server and click Add to select it as the target of the scan, and click Next.
4. Select the Enable resource activity tracking option.
Resource activity tracking is used to collect data on identities, reads, writes, creates, and other actions performed on the target computer. This information is required for several report types, including the Resource Activity report. For more information, see “Creating Reports” on page 107.
5. In the Settings box, set the Granularity for the resource activity tracking. Granularity specifies how often resource activity data is captured.
6. To limit network traffic, select Synchronize only between these times and set the From and To values. This setting specifies when the agent sends the resource activity data to the management server.
7. To change the identities, files, or folders that are excluded from tracking, click the Manage Exclusions button and select the objects to exclude. This box also includes tabs to exclude file extensions and folders.
Certain administrative identities, file extensions, and folders are excluded by default. You can see the full list by clicking the Manage Exclusions button. If the list is empty, click Default to populate the exclusions with default values. For file extensions, you can enter a Category name to group any extensions you add to the exclusions list.
Use the Export and Import buttons on their respective tabs to export and import a list of SIDs, file types, or folders to exclude. For information on the file syntaxes, see the parameter descriptions in “Add-QManagedHostByAccountName” on page 156. For folders, you can also drag and drop from Windows Explorer.
8. Click Next.
9. Select a Host Computer (on which to install the agent) from within the same forest as the target computer, and select a service account with sufficient permissions to access the target device.
10. Define a schedule for the agent to scan the target computer, and select the required real-time file system updates settings. For information about the real-time file system updates settings, see “Agent Status Descriptions” on page 56.
Some NAS devices may not provide reliable remote change detection. Enabling the remote change detection feature on these agents may lead to frequent complete scans.
11. Select the data roots that will be indexed by this agent, and click Next. Only one agent can scan a given data root. The agent will now be installed on the selected computer.
12. Enter the CEPA pool servers that were placed in the cepp.conf file above, one per line.
13. Click Finish.
To view the users and groups associated with the new managed host, select the Refresh menu option.

Verifying the Status of the CEPA Facility
After the Quest Access Manager Agent completes the installation and the status shows OK, return to the telnet session for the control station and enter the following command to determine the status of the CEPA pool servers:
$ server_cepp [movername] -pool -info
Where: [movername] = name of the Data Mover where the configuration file resides.
The output should contain an entry for each server in the CEPA pool showing a status of ONLINE.

Appendix B: PowerShell Cmdlets

• What is Microsoft Windows PowerShell?
• Windows PowerShell Cmdlets
• Registering the PowerShell Cmdlets
• Adding the Snap-in Automatically to New Sessions
• Quest Access Manager Cmdlets

What is Microsoft Windows PowerShell?
Microsoft® Windows PowerShell™ is a Windows command-line shell and scripting language designed specifically for system administrators and built on top of the Microsoft .NET Framework. Windows PowerShell can be installed on Windows XP, Windows Vista™, and Windows Server® 2003, and is included with Windows Server® 2008.

Windows PowerShell Cmdlets
Windows PowerShell has the concept of cmdlets. A cmdlet is a simple, single-function command that manipulates objects and is designed to be used in combination with other cmdlets.
If you already had Windows PowerShell installed on your computer before you installed Quest Access Manager, then the Access Manager Windows PowerShell cmdlets were automatically installed and registered with Windows PowerShell when you installed Access Manager. This means that you are ready to start using the Quest Access Manager cmdlets in Windows PowerShell.

Registering the PowerShell Cmdlets
If you installed Windows PowerShell on your computer after you installed Quest Access Manager, you must register the cmdlets before you can start using them in Windows PowerShell.

To register the Quest Access Manager cmdlets
1. Open a Windows PowerShell window and type the following at the Windows PowerShell command prompt:
Add-PSSnapin Quest.AccessManager
2. Type the following at the Windows PowerShell command prompt to verify that the snap-in was added:
Get-PSSnapin
All registered PowerShell snap-ins are listed.

Adding the Snap-in Automatically to New Sessions
If you do not want to manually add the Quest Access Manager PowerShell snap-in each time you start a new Windows PowerShell session, you can modify the Windows PowerShell profile file so that it is added automatically for you.
To add the Quest Access Manager PowerShell snap-in automatically when you start a new Windows PowerShell session
• Add the following line to the Windows PowerShell profile file (profile.ps1):
Add-PSSnapin Quest.AccessManager
The location of the Windows PowerShell profile file is as follows:
WINDOWS\system32\windowspowershell\v1.0
If you get the error message "...profile.ps1 cannot be loaded because the execution of scripts is disabled" the next time you start a new Windows PowerShell session, type the following at the Windows PowerShell command prompt:
Set-ExecutionPolicy RemoteSigned
Then, type the following at the Windows PowerShell command prompt to confirm that the execution policy has been changed:
Get-ExecutionPolicy
The command should return RemoteSigned.

Quest Access Manager Cmdlets
Before you can run any cmdlets, you must first call the Set-QServiceConnection cmdlet. Quest Access Manager includes the following cmdlets:
• Set-QServiceConnection
• Change-QDBAccessAccount
• Export-QResourceAccess
• Get-QManagedHosts
• Get-QManagedDomains
• Get-QResourceAccess
• Get-QServiceAccounts
• Get-QTrusteesForHost
• Add-QManagedHostByAccountName
• Add-QManagedHostByAccountSid
• Add-QManagedDomain
• Add-QServiceAccount
• Get-QAccessibleHostsForTrustee
• Set-QAccountPassword
• Get-QTrusteeAccess

Set-QServiceConnection
Sets the server name and port information used by the Access Manager cmdlets to connect to the Access Manager server.
Parameters
• ServerName (Quest Access Manager Server Computer Name)
• Port (Port information used by Quest Access Manager cmdlets to connect to the Quest Access Manager server.) This value is optional, and should not be changed from 8722.
Syntax
Set-QServiceConnection [-ServerName] <String> [-Port] <String> [-WarningAction] <ActionPreference> [-WarningVariable] <String>

Change-QDBAccessAccount
Changes the account used by the Access Manager server to communicate with the SQL Server database.
Parameters
• DomainName
• AccountName
• Password
Syntax
Change-QDBAccessAccount [-DomainName] <String> [-AccountName] <String> [-Password] <String> [-WarningAction] <ActionPreference> [-WarningVariable] <String>

Export-QResourceAccess
This cmdlet is used to export the security information retrieved using Get-QResourceAccess into a CSV file.
Parameters
• ResourceAccessQueryResults - Resource security information retrieved using the Get-QResourceAccess cmdlet
• OutputPath - The output path of the dumped CSV file
• DisplayInheritedSecurity (*) - Flag. The presence of this flag indicates that you want the full security information returned for all child objects of the selected root. The default behavior when the flag is not present is to show only security that differs from parent objects.
Syntax
Export-QResourceAccess [-ResourceAccessQueryResults] <ResourceAccessQueryResults> [-OutputPath] <String> [-DisplayInheritedSecurity]
Parameters marked with an (*) are optional.
Example 1
$resourceAccess | Export-QResourceAccess -OutputPath "C:\Test1\ResourceAccess.CSV" -DisplayInheritedSecurity
Example 2
Export-QResourceAccess $resourceAccess "C:\Test1\ResourceAccess.CSV" -DisplayInheritedSecurity

Get-QManagedHosts
Returns a list of all the registered Managed Hosts.
No Parameters

Get-QManagedDomains
Returns a list of all the registered Managed Domains.
No Parameters

Get-QResourceAccess
This cmdlet is used to retrieve the security information of the selected resources from a specific managed host, as well as child objects whose security differs from the parent (inheritance is overridden or blocked).
Parameters
• ManagedHostId
• ResourceType - Valid values: File, Folder, Share, AdminRight, LocalOSRight, ServiceIdentity
• Resources - Valid values: Comma-separated path list
• ExcludeSubObjectDeviations (*) - Flag. The presence of this parameter means the cmdlet only returns the security data for the root objects specified.
If not present, the cmdlet returns security information for children below the roots whose security differs from the parent.
Syntax
Get-QResourceAccess [-ManagedHostId] <String> [-ResourceType] <ResourceAccessQueryResourceType> [-Resources] <String> [-ExcludeSubObjectDeviations]
Parameters marked with an (*) are optional.
Example 1
$resourceAccess = Get-QResourceAccess $managedHostId Folder "C:\Test1","C:\Test2" -ExcludeSubObjectDeviations
Example 2
This example explains a three-stage process for using this cmdlet along with the Get-QManagedHosts and Export-QResourceAccess cmdlets for inputs and outputs.

To use the cmdlet
1. Run the Get-QManagedHosts cmdlet to identify the managed host you want to target. Next, you must determine if the managed host is local or remote.
$managedHosts = Get-QManagedHosts
2. Run the Get-QResourceAccess cmdlet, specifying the managed host ID (use the array index of the managed hosts or directly enter the managed host ID), the resource type (File, Folder, Share, LocalOSRight, AdminRight, or ServiceIdentity), and the local path list if the managed host is local or the remote path list if the managed host is a remote host.
Get-QResourceAccess $managedHosts[0].ManagedHostId Folder "C:\Test1","C:\Test2"
3. The result of the Get-QResourceAccess cmdlet can be stored in a variable for later use, such as exporting it into a CSV file.
$resourceAccessInfo = Get-QResourceAccess $managedHosts[0].ManagedHostId Folder "C:\Test1","C:\Test2"
$resourceAccessInfo | Export-QResourceAccess -OutputPath "C:\ResourceAccessInfo.csv"

Get-QServiceAccounts
Returns a list of all the service accounts.
No Parameters

Get-QTrusteesForHost
Retrieves a list of the trustees with access on the specified Managed Host.
Parameters
• ManagedHostId - ID of the Managed Host to retrieve trustees for
Syntax
Get-QTrusteesForHost [-ManagedHostId] <string>

Add-QManagedHostByAccountName
Creates a Managed Host entry for a computer specified by AD account name and sets the options for the agent.
Parameters
• AccountName (Computer Account Name)
• DeploymentType (*) - Valid values: External, ManagementServerInstall. Default value: External
• Keyword (*) - Add a keyword string if needed for grouping managed hosts in the layout.
• ResourceActivityEnabled (*) - Flag; no value required
• Granularity (*) - Option for the Resource Activity Setting. Valid values: A number (read as minutes, for example, 1, 5, 60, and so on)
• ExcludedTrusteesImportFile (*) - Option for the Resource Activity Setting. Valid value: Path to a trustee list import file. Valid file values: Comma-separated SID values
• ExcludedFileTypesImportFile (*) - Option for the Resource Activity Setting. Valid value: Path to a file types import file. Valid file values: [file type name]:[semi-colon-delimited extension list][cr]
Example:
Database files: lck;ldb
Temp files: tmp;temp
• ExcludedFoldersImportFile (*) - Option for the Resource Activity Setting. Valid value: Path to a folders import file. Valid file values: [%Folder name%][cr]
Example:
%SystemRoot%
%Program Files%
%c:\temp%
Syntax
Add-QManagedHostByAccountName [-AccountName] <string> [-DeploymentType] <string> [-Keyword] <string> [-ResourceActivityEnabled] [-Granularity] <integer> [-ExcludedTrusteesImportFile] <string> [-ExcludedFileTypesImportFile] <string> [-ExcludedFoldersImportFile] <string>
Parameters marked with an (*) are optional.

Add-QManagedHostByAccountSid
Creates a Managed Host entry for a computer specified by SID and sets the options for the agent.
Parameters
• AccountSid (Computer Account SID)
• DeploymentType (*) - Valid values: External, ManagementServerInstall. Default value: External
• Keyword (*) - Add a keyword string if needed for grouping managed hosts in the layout.
• ResourceActivityEnabled (*) - Flag; no value required
• Granularity (*) - Valid values: A number (read as minutes, for example, 1, 5, 60, and so on)
• ExcludedTrusteesImportFile (*) - Option for the Resource Activity Setting. Valid value: Path to a trustee list import file. Valid file values: Comma-separated SID values
• ExcludedFileTypesImportFile (*) - Option for the Resource Activity Setting. Valid value: Path to a file types import file. Valid file values: [file type name]:[semi-colon-delimited extension list][cr]
Example:
Database files: lck;ldb
Temp files: tmp;temp
• ExcludedFoldersImportFile (*) - Option for the Resource Activity Setting. Valid value: Path to a folders import file. Valid file values: [%Folder name%][cr]
Example:
%SystemRoot%
%Program Files%
Syntax
Add-QManagedHostByAccountSid [-AccountSid] <string> [-DeploymentType] <string> [-Keyword] <string> [-ResourceActivityEnabled] [-Granularity] <integer> [-ExcludedTrusteesImportFile] <string> [-ExcludedFileTypesImportFile] <string> [-ExcludedFoldersImportFile] <string>
Parameters marked with an (*) are optional.

Add-QManagedDomain
Creates a new Managed Domain entry and links a service account to it.
Parameters
• DomainName
• ServiceAccountId
Syntax
Add-QManagedDomain [-DomainName] <string> [-ServiceAccountId] <string>

Add-QServiceAccount
Creates a new service account for use in group expansion and computer management.
Parameters
• AccountDomain
• AccountName
• Password
• IsDefaultObjectResolution (*) - Valid values: true, false. Default value: false
Syntax
Add-QServiceAccount [-AccountDomain] <string> [-AccountName] <string> [-Password] <string> [-IsDefaultObjectResolution] <boolean>
Parameters marked with an (*) are optional.
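The script below is an added example, not code from the Quest guide. It extends the three-stage Get-QManagedHosts, Get-QResourceAccess and Export-QResourceAccess procedure given under Get-QResourceAccess above to every registered Managed Host, writing one timestamped CSV per host and isolating failures so that one unreachable agent does not stop the run. The server name, folder roots, output directory and the ManagedHostId-keyed override table are constructed values; only ManagedHostId, the cmdlet names and their documented parameters come from this appendix.

```powershell
# Added example (not Quest's code): bulk export of folder security for all
# Managed Hosts. Assumes the snap-in is installed and that 'qamserver.corp.example'
# is your Access Manager server (8722 is the documented cmdlet port).
if (-not (Get-PSSnapin -Name Quest.AccessManager -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.AccessManager
}
Set-QServiceConnection -ServerName 'qamserver.corp.example' -Port '8722'

# Roots to query. Step 2 of the procedure says to use local paths for locally
# managed hosts and remote paths for remotely managed hosts; the defaults here
# are constructed local roots, and $rootsByHost lets you override them per host.
$defaultRoots = 'D:\Finance', 'D:\HR'
$rootsByHost  = @{}     # e.g. $rootsByHost['<managed host id>'] = '\\nas01\finance'

$outDir = Join-Path $env:TEMP 'qam-access-export'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

function Export-HostAccess {
    param([string] $ManagedHostId, [string[]] $Roots)
    # Root folders plus every child whose security deviates from its parent
    # (the default when -ExcludeSubObjectDeviations is absent). The root list
    # is passed as an array, as in the appendix's own example. -ErrorAction Stop
    # turns a cmdlet error into an exception the caller can catch.
    $access = Get-QResourceAccess $ManagedHostId Folder $Roots -ErrorAction Stop
    if (-not $access) { return $null }
    $csv = Join-Path $outDir ('{0}-{1}.csv' -f $ManagedHostId, $stamp)
    # -DisplayInheritedSecurity writes the full ACL of each child, not only
    # the entries that differ from the parent.
    $access | Export-QResourceAccess -OutputPath $csv -DisplayInheritedSecurity
    return $csv
}

$summary = @()
foreach ($mh in Get-QManagedHosts) {      # $host is reserved in PowerShell, hence $mh
    $id = $mh.ManagedHostId
    $roots = if ($rootsByHost.ContainsKey($id)) { $rootsByHost[$id] } else { $defaultRoots }
    try {
        $csv = Export-HostAccess -ManagedHostId $id -Roots $roots
        if ($csv) {
            $summary += New-Object PSObject -Property @{ ManagedHostId = $id; Status = 'exported'; File = $csv }
        } else {
            $summary += New-Object PSObject -Property @{ ManagedHostId = $id; Status = 'no data (roots missing or not yet indexed)'; File = '' }
        }
    } catch {
        # Agent offline, lease expired, bad path: record it and continue with the next host
        $summary += New-Object PSObject -Property @{ ManagedHostId = $id; Status = $_.Exception.Message; File = '' }
    }
}
$summary | Format-Table ManagedHostId, Status, File -AutoSize
```

Run it from a session in which the profile or the snippet at the top has loaded the snap-in; the summary table tells you which hosts produced a CSV and which need attention before the export is treated as complete.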
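The following script is an added example and not the guide's own code. It builds the three exclusion import files in the formats documented for Add-QManagedHostByAccountName above, registers a service account with Add-QServiceAccount, links it to a domain with Add-QManagedDomain, adds a host with Add-QManagedHostByAccountName, and finally rotates the service account password with Set-QAccountPassword (described in the next entry) passing a SecureString as that entry requires. The server name, domain, account and computer names, SIDs, paths and keyword are constructed placeholders; the AccountName and ServiceAccountId property names read from the Get-QServiceAccounts output are assumptions, since the appendix does not document that cmdlet's output.

```powershell
# Added example (not Quest's code): onboarding a host with exclusion import
# files, then rotating the service account password. All names, SIDs and paths
# are constructed; 8722 is the documented cmdlet port.
if (-not (Get-PSSnapin -Name Quest.AccessManager -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.AccessManager            # same line the profile.ps1 entry uses
}
Set-QServiceConnection -ServerName 'qamserver.corp.example' -Port '8722'

$workDir = Join-Path $env:TEMP 'qam-onboarding'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# ExcludedTrusteesImportFile: comma-separated SIDs on one line
# (constructed: LOCAL SYSTEM plus a fictional domain backup account).
$trusteeFile = Join-Path $workDir 'excluded-trustees.txt'
Set-Content -Path $trusteeFile -Encoding ASCII -Value 'S-1-5-18,S-1-5-21-1111111111-2222222222-3333333333-1105'

# ExcludedFileTypesImportFile: one "[file type name]:[ext;ext]" entry per line
$fileTypesFile = Join-Path $workDir 'excluded-filetypes.txt'
Set-Content -Path $fileTypesFile -Encoding ASCII -Value @(
    'Database files: lck;ldb',
    'Temp files: tmp;temp'
)

# ExcludedFoldersImportFile: one "%folder%" entry per line
$foldersFile = Join-Path $workDir 'excluded-folders.txt'
Set-Content -Path $foldersFile -Encoding ASCII -Value @('%SystemRoot%', '%Program Files%', '%c:\temp%')

# Service account for group expansion and host management. Add-QServiceAccount
# takes the password as a plain String, so it is read at the prompt rather than
# written into the script.
$initialPassword = Read-Host -Prompt 'Password for CORP\svc-qam-agent'
Add-QServiceAccount -AccountDomain 'CORP' -AccountName 'svc-qam-agent' -Password $initialPassword

# Link the domain to that account. The AccountName / ServiceAccountId property
# names on the Get-QServiceAccounts output are assumptions.
$svc = Get-QServiceAccounts | Where-Object { $_.AccountName -eq 'svc-qam-agent' }
Add-QManagedDomain -DomainName 'corp.example' -ServiceAccountId $svc.ServiceAccountId

# Register the file server (constructed computer account 'FS01') with resource
# activity tracking at 5-minute granularity and the exclusions built above.
Add-QManagedHostByAccountName -AccountName 'FS01' -Keyword 'Finance' `
    -ResourceActivityEnabled -Granularity 5 `
    -ExcludedTrusteesImportFile $trusteeFile `
    -ExcludedFileTypesImportFile $fileTypesFile `
    -ExcludedFoldersImportFile $foldersFile

# Later: rotate the service account password and push it to the agents.
# Set-QAccountPassword requires a SecureString; passing a plain string makes
# the cmdlet fail, as its entry notes.
$newPassword = Read-Host -AsSecureString -Prompt 'New password for CORP\svc-qam-agent'
# Non-interactive alternative: convert the string first.
# $newPassword = ConvertTo-SecureString -String $plainText -AsPlainText -Force
Set-QAccountPassword -AccountName 'CORP\svc-qam-agent' -Password $newPassword -Resynchronize
```

Keeping the import files under version control gives you a reviewable record of which identities and locations are excluded from activity tracking, which matters when a report later shows no activity for a trustee that was excluded on purpose.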
Get-QAccessibleHostsForTrustee
Returns a listing of the computers that a specified trustee has been found to have access to by the security system. Access for each resource type is displayed for each computer.
Parameters
• TrusteeSid
• Location (*) - Specify the domain DNS name or computer DNS name if the TrusteeSid is a BUILT-IN group or user.
Syntax
Get-QAccessibleHostsForTrustee [-TrusteeSid] <string> [-Location] <string>

Get-QTrusteeAccess
Performs a detailed access query for a particular trustee's access to a specific resource type on a Managed Host.
Parameters
• ManagedHostId
• TrusteeSid
• ResType - Valid values: Files, Folders, Shares, LocalOSRights, AdminRights
Syntax
Get-QTrusteeAccess [-ManagedHostId] <string> [-TrusteeSid] <string> [-ResType] <string>

Set-QAccountPassword
This cmdlet lets you change the password of a service account, including an option to resynchronize the new password with the appropriate agents.
Parameters
• AccountName - <String> - The domain\service account whose password you are changing.
• Password - <SecureString> - The new password you want to associate with the service account.
  Note: You must enter this at the user prompt in order for it to be encrypted. The cmdlet will fail if a non-encrypted password is passed as a string variable when the cmdlet is invoked. If you do invoke Set-QAccountPassword with a string of parameters, be sure to encrypt the password separately before passing the string.
• Resynchronize (*) - <Flag> - Use this flag to invoke a resynchronization of the applicable agents with the new service account password.
Parameters marked with an (*) are optional.
Note: If you use the Get-Help function at the command prompt, you will see two empty parameters, WarningAction and WarningVariable. These are set by PowerShell itself. They are not needed to run this cmdlet.
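As an added example that is not part of the guide, the script below rotates a service account password with Set-QAccountPassword while honouring the SecureString requirement described above, both interactively and from a scheduled task. It assumes the snap-in is loaded; the account name, the wrapper function Set-QamServicePassword and the credential file path are placeholders introduced here.

```powershell
# Added example (not from the Quest guide): rotate a service account password
# with Set-QAccountPassword. The cmdlet requires a [SecureString] and fails
# when handed a plain [string], so the password is produced as a SecureString
# in both the interactive and the unattended case.
# Assumptions: the snap-in is loaded; account name and file path are placeholders.
param(
    [string] $Account  = 'CORP\svc-qam',        # placeholder domain\service account
    [string] $CredFile = 'C:\qam\svc-qam.cred'  # placeholder DPAPI-protected file
)

function Set-QamServicePassword {
    # Hypothetical wrapper (not a Quest cmdlet): binding -Password as
    # [SecureString] rejects a plain string at parameter binding, before
    # Set-QAccountPassword is ever invoked.
    param(
        [Parameter(Mandatory = $true)] [string]       $AccountName,
        [Parameter(Mandatory = $true)] [SecureString] $Password,
        [switch] $Resynchronize
    )
    Set-QAccountPassword -AccountName $AccountName -Password $Password -Resynchronize:$Resynchronize
}

if (Test-Path $CredFile) {
    # Unattended rotation: the password was stored once as a DPAPI-protected
    # standard string, decryptable only by the same Windows user on the same
    # machine. One-time setup, run interactively as the scheduled-task account:
    #   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content 'C:\qam\svc-qam.cred'
    $NewPassword = Get-Content $CredFile | ConvertTo-SecureString
} else {
    # Interactive rotation: Read-Host -AsSecureString never exposes the typed
    # characters to the console, the transcript or a [string] variable.
    $NewPassword = Read-Host -Prompt "New password for $Account" -AsSecureString
}

Set-QamServicePassword -AccountName $Account -Password $NewPassword -Resynchronize

# What the guide's note warns against: passing the password as a plain string.
# This fails at parameter binding because [string] cannot bind to [SecureString]:
#   Set-QamServicePassword -AccountName $Account -Password 'plaintext' -Resynchronize
# If a plain string is unavoidable (for example, returned by a vault API),
# convert it first, as the guide says, and drop the plaintext variable at once:
#   $Secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force; Remove-Variable Plain
```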
Syntax
Set-QAccountPassword [-AccountName] <String> [-Password] <SecureString> [[-Resynchronize]] [-WarningAction <ActionPreference>] [-WarningVariable <String>] [<CommonParameters>]

Glossary
This glossary contains definitions taken from Microsoft publications.

A

Access Control Entry (ACE)
An entry in an access-control list (ACL) that contains a set of access rights and a security identifier (SID) that identifies a trustee, such as a user or group, for whom the rights are allowed, denied, or audited.

Access Control List (ACL)
A list of access-control entries (ACEs) that define the security protections on an object. There are two kinds of ACLs that can appear in an object's security descriptor: a discretionary ACL (DACL) that controls access to the object, and a system ACL (SACL) that controls auditing of attempts to access the object.

Active Directory (AD)
The Windows directory service.

Administrative rights
The rights granted to a member of the Administrators local group. This member can perform such actions as creating user accounts, creating groups, and adding group members.

Authentication
The process required to log on locally to a computer. Authentication requires a valid user name and password that exists in the local accounts database. An access token is created if the information provided matches the account in the database.

C

Child object
An object that is the immediate subordinate of another object in a hierarchy. A child object can have only one immediate superior or parent object.

Container object
An object that can logically contain other objects. For example, a folder is a container object.

D

Database
An information store for storing critical application information used by management servers. Access Manager requires these application databases to be set up on SQL Server 2005 or 2008 servers.

Distinguished Name (DN)
The fully qualified name of an object in a hierarchical system.
Distinguished names are used for all Active Directory objects and in the Domain Name System (DNS). No two objects in these systems should have the same distinguished name.

Deployment
A conceptual installation of the system, which consists of a Management Server and databases.

Domain
In relation to a Microsoft network, a logical collection of resources consisting of computers, printers, computer accounts, user accounts, and other related objects. The domain also has a system of logon authentication of user accounts and computer accounts.

Domain Controller (DC)
A server that authenticates domain logon passwords and maintains security policy and the security accounts master database for a domain.

Domain Local Group
A domain local group can be used on access-control lists (ACLs) only in its own domain. A domain local group can contain as members the following: accounts from any domain, Global Groups from any domain, Universal Groups from any domain, or Domain Local Groups (only from the same domain as the parent local group).

Domain Name System (DNS)
A hierarchical naming system used for locating domain names on the Internet and private TCP/IP networks.

F

Forest
One or more domain trees that do not form a contiguous namespace, but share a common schema, configuration, and global catalog.

G

Global catalog
A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. The partial copies of all domain objects included in the global catalog are those most commonly used in user search operations. These attributes are marked for inclusion in the global catalog as part of their schema definition, which is extensible. A global catalog is created automatically on the initial domain controller in the forest.
You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller. A global catalog is replicated only to other domain controllers that have been designated as global catalogs.

M

Management Server
All Access Manager clients and agents communicate with a Management Server to provide information and functionality.

Managed Domain
An Active Directory domain that is configured for use by the Access Manager deployment. Managed Domains contain Managed Hosts. Each Managed Domain is associated with a service account, which Access Manager uses to access and manage security on objects within the domain.

Managed Host
Computer that is registered with Access Manager and can have its resources queried and security managed.

O

Object
A Windows entity. Examples include users, groups, and computers. Access rights to objects include create, read, edit, and delete.

Organizational Unit (OU)
A container object used to organize the Active Directory objects logically within a domain.

P

Parent Object
The object that is the immediate superior of another object in a hierarchy. A parent object can have multiple subordinate or child objects.

Permission
A rule associated with an object to regulate access to a particular object on the network. For example, a user may have read and write access to a file on the network.

Property
An attribute of a Windows network object. Examples include a user's password, groups to which a user belongs, and a group's description.

R

Registry
A hierarchical database in Windows operating systems that contains configuration information about applications, users, and devices.

Resource
A fundamental object that is operated on by Access Manager. It is any entity within the Enterprise that can be secured or managed. Common types of resource are files, folders, and shares. Resources are always associated with a Managed Host.
For instance, the Resource Host of a share would be the computer where that share resides.

Resource Security Editor
The Resource Security Editor allows for easy navigation and management of shares, files, and folder permissions by providing a consolidated security view that combines features from the native simple and advanced views. You can quickly view the complete security and easily modify existing access, run Trustee Access and Trustee Group Membership reports, and view a comprehensive group membership display for all users and groups. The editor is available from the Quest Access Manager Client and through a convenient Windows Explorer extension.

Resource View
The Resource View allows you to view the file system and shares on the selected host and modify their security. (You access this view by right-clicking a Managed Host in the Access Manager client treeview and selecting Resource View.)

Root directory
The top-level directory on a computer, a partition, or volume.

S

SACL
See Access Control List (ACL).

SAM-Account-Name Attribute
The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This attribute is a Unicode string and must be less than 20 characters to support older clients.

Schema
In Windows, this describes the definition of the Active Directory database, including all classes of objects, their mandatory and optional attributes, and the data types used for storing.

Server
A computer on a network shared by multiple users.

Shares
Folders that can be accessed through the network from a computer.

Service accounts
Service accounts are registered credentials, used by Access Manager, to perform a number of network operations on the user's behalf.
The credentials provided for each service account are stored in the Access Manager database in a secure encrypted format, and cannot be decrypted by anyone without the encryption key, which is stored on the Management Server.

Security Identifier (SID)
In Windows operating systems, the SID is a unique alphanumeric character string that identifies each security principal (domain, user, group, computer). SIDs are used by the Windows operating system to represent these objects in resource permissions and other applications requiring reliable security authentication.
About Quest Software
Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com.

Contacting Quest Software
Refer to our Web site for regional and international office information.
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com. From SupportLink, you can do the following:
• Retrieve thousands of solutions from our online Knowledgebase
• Download the latest releases and service packs
• Create, update and review Support cases
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at: http://support.quest.com.

Third Party Contributions
Quest Access Manager contains some third party components (listed below). Copies of their licenses may be found on our web site at http://www.quest.com/legal/third-party-licenses.aspx

COMPONENT              LICENSE OR ACKNOWLEDGEMENT
Agent and Server       zlib 1.2.3
Agent                  Boost 1.34.1 (using most recent license - 1.0)
Agent/Server/Client    Windows Installer XML toolset (aka WIX) 3.0.5419
Server/Client          Microsoft Enterprise Library 3.1 (May 2007). Contains software or other content adapted from Microsoft patterns & practices ObjectBuilder, © 2006 Microsoft Corporation. All rights reserved.