Quest® Access Manager 2.1
User Guide
© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software
described in this guide is furnished under a software license or nondisclosure
agreement. This software may be used or copied only in accordance with the terms
of the applicable agreement. No part of this guide may be reproduced or transmitted
in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the
written permission of Quest Software, Inc.
Disclaimer: The information in this document is provided in connection with Quest
products. No license, express or implied, by estoppel or otherwise, to any intellectual
property right is granted by this document or in connection with the sale of Quest
products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS
SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO
LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY
WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT,
INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES
(INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR
INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties
with respect to the accuracy or completeness of the contents of this document and
reserves the right to make changes to specifications and product descriptions at any
time without notice. Quest does not make any commitment to update the
information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com
Refer to our Web site for regional and international office information.
Patents
This product includes patent pending technology.
Trademarks
Quest, Quest Software, the Quest Software logo, and ActiveRoles are
trademarks and registered trademarks of Quest Software, Inc in the United
States of America and other countries. For a complete list of Quest Software's
trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other
trademarks and registered trademarks are property of their respective owners.
Access Manager User Guide
Updated - November 2011
Software Version - 2.1
CONTENTS
CHAPTER 1
QUEST ACCESS MANAGER OVERVIEW AND DEPLOYMENT. . . . . . . . . 9
QUEST ACCESS MANAGER OVERVIEW . . . . . . . . . . . . . . . . . . .10
KEY COMPONENTS AND CONCEPTS . . . . . . . . . . . . . . . . . . . . .11
PLANNING YOUR DEPLOYMENT . . . . . . . . . . . . . . . . . . . . . . .23
CONFIGURING ACCESS MANAGER . . . . . . . . . . . . . . . . . .24
CONFIGURING THE MANAGEMENT SERVER . . . . . . . . . . . . .24
CONNECT TO THE MANAGEMENT SERVER . . . . . . . . . . . . . .27
DELEGATING ACCESS TO ACCESS MANAGER . . . . . . . . . . . .27
ADD FORESTS, DOMAINS, HOSTS AND AGENTS . . . . . . . . . .30
LICENSE A DOMAIN . . . . . . . . . . . . . . . . . . . . . . . . . . .41
INTEGRATE ACCESS MANAGER WITH ACTIVE DIRECTORY USERS AND COMPUTERS OR QUEST ACTIVEROLES SERVER . . . . . . .41
MANAGED HOST PROPERTIES . . . . . . . . . . . . . . . . . . . . .46
AGENT PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . .54
SAVING CUSTOMIZED LAYOUTS. . . . . . . . . . . . . . . . . . . .59
GROUPING MANAGED HOSTS USING KEYWORDS . . . . . . . . .60
CONFIGURE AND REPORT ON A GROUP OF MANAGED HOSTS . .60
IDENTIFY AND FIX GROUP RESOLUTION ISSUES . . . . . . . . . .61
CHANGE THE SERVICE ACCOUNT USED TO ACCESS INFORMATION . . . . . . .62
REMOVE FORESTS, DOMAINS AND HOSTS FROM MANAGEMENT . . . . . . .64
ACCESS MANAGER CLIENT OVERVIEW . . . . . . . . . . . . . . . . . . .64
REMOVING ACCESS MANAGER . . . . . . . . . . . . . . . . . . . . . . .83
CHAPTER 2
HOW TO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
INVESTIGATE RESOURCE ACCESS . . . . . . . . . . . . . . . . . . . . .86
MANAGE NETWORK ACCESS . . . . . . . . . . . . . . . . . . . . . . . . .89
MANAGE ACCESS FOR A USER OR GROUP . . . . . . . . . . . . .89
MANAGE RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . .93
VIEW AND EDIT TRUSTEE PROPERTIES . . . . . . . . . . . . . . .93
EDIT SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
CLONE, REPLACE, AND REMOVE ACCESS FOR A GROUP OF TRUSTEES . . . . . . .96
FIND AND SECURE A SHARE WITH NO ACCESS CONTROL . . . .97
ADD AND REMOVE RIGHTS . . . . . . . . . . . . . . . . . . . . . .98
ASSIGN BUSINESS OWNERSHIP . . . . . . . . . . . . . . . . . . .99
VIEW GROUP MEMBERSHIP . . . . . . . . . . . . . . . . . . . . . 100
MANAGE MACHINE LOCAL GROUPS . . . . . . . . . . . . . . . . . . . 103
CHAPTER 3
CREATING REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
AVAILABLE REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
OWNED RESOURCES REPORT . . . . . . . . . . . . . . . . . . . . 108
PERCEIVED OWNERS REPORT . . . . . . . . . . . . . . . . . . . . 109
TRUSTEE ACCESS REPORT . . . . . . . . . . . . . . . . . . . . . . 110
RESOURCE ACTIVITY REPORT . . . . . . . . . . . . . . . . . . . . 110
TRUSTEE ACTIVITY REPORT . . . . . . . . . . . . . . . . . . . . . 111
GROUP MEMBERS REPORT . . . . . . . . . . . . . . . . . . . . . . 111
GROUP MEMBERS COMPARISON REPORT . . . . . . . . . . . . . 112
MEMBER OF COMPARISON REPORT . . . . . . . . . . . . . . . . 112
MEMBER OF REPORT . . . . . . . . . . . . . . . . . . . . . . . . . 113
RESOURCE ACCESS REPORT . . . . . . . . . . . . . . . . . . . . . 113
LOCAL RIGHTS AND SERVICE IDENTITIES REPORT . . . . . . . 114
CREATING REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
SCHEDULING REPORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
CHAPTER 4
UNDERSTANDING ACCESS MANAGER THROUGH SCENARIOS . . . . . 127
PROVISION A USER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
DEPROVISION A USER . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
CLEANUP RESOURCES . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
INVESTIGATE USER AND GROUP ACCESS . . . . . . . . . . . . . . . . 131
INVESTIGATE A SPECIFIC TYPE OF USER ACCESS . . . . . . . . . . . 132
INVESTIGATE COMPUTER ACCESS . . . . . . . . . . . . . . . . . . . . 133
ASSESS GROUP MEMBERSHIP AND ACCESS . . . . . . . . . . . . . . 133
CHAPTER 5
TROUBLESHOOTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
WHERE ARE THE LOGS? . . . . . . . . . . . . . . . . . . . . . . . . . . 136
WHY IS THE MANAGED HOSTS NODE EMPTY? . . . . . . . . . . . . . 137
WHERE IS MY ACTIVITY DATA? . . . . . . . . . . . . . . . . . . . . . 137
WHERE ARE THE MENUS AND PROPERTY PAGES IN ACTIVE DIRECTORY USERS AND COMPUTERS? . . . . . . . 138
WHY IS AN AGENT NOT CONNECTING TO THE ACCESS MANAGER SERVER? . . . . . . . 139
WHY ARE GROUPS MISSING FROM THE GROUP MEMBERSHIPS TREEVIEW? . . . . . . . 140
WHY ARE AGENT LEASES EXPIRING? . . . . . . . 140
WHY ARE MY POWERSHELL CMDLETS NOT CONTACTING THE ACCESS MANAGER SERVER? . . . . . . . 141
APPENDIX A: CONFIGURING EMC CELERRA . . . . . . . . . . . . . . . 143
CONFIGURING THE CEPA FACILITY . . . . . . . . . . . . . . . . . . . 144
CONFIGURING THE INDIVIDUAL CEPA POOL SERVERS . . . . . . . . 145
CONFIGURING ACCESS MANAGER TO WATCH THE DATA MOVER . . 146
VERIFYING THE STATUS OF THE CEPA FACILITY . . . . . . . . . . . 147
APPENDIX B: POWERSHELL CMDLETS . . . . . . . . . . . . . . . . . . . 149
WHAT IS MICROSOFT WINDOWS POWERSHELL? . . . . . . . . . . . 150
WINDOWS POWERSHELL CMDLETS. . . . . . . . . . . . . . . . . . . . 150
REGISTERING THE POWERSHELL CMDLETS . . . . . . . . . . . . . . . 150
ADDING THE SNAP-IN AUTOMATICALLY TO NEW SESSIONS . . . . . 151
QUEST ACCESS MANAGER CMDLETS . . . . . . . . . . . . . . . . . . . 151
SET-QSERVICECONNECTION . . . . . . . . . . . . . . . . . . . . 152
CHANGE-QDBACCESSACCOUNT . . . . . . . . . . . . . . . . . . 152
EXPORT-QRESOURCEACCESS . . . . . . . . . . . . . . . . . . . . 153
GET-QMANAGEDHOSTS . . . . . . . . . . . . . . . . . . . . . . . 153
GET-QMANAGEDDOMAINS . . . . . . . . . . . . . . . . . . . . . 154
GET-QRESOURCEACCESS . . . . . . . . . . . . . . . . . . . . . . 154
GET-QSERVICEACCOUNTS. . . . . . . . . . . . . . . . . . . . . . 155
GET-QTRUSTEESFORHOST . . . . . . . . . . . . . . . . . . . . . 155
ADD-QMANAGEDHOSTBYACCOUNTNAME . . . . . . . . . . . . . 156
ADD-QMANAGEDHOSTBYACCOUNTSID . . . . . . . . . . . . . . 157
ADD-QMANAGEDDOMAIN . . . . . . . . . . . . . . . . . . . . . . 158
ADD-QSERVICEACCOUNT . . . . . . . . . . . . . . . . . . . . . . 158
GET-QACCESSIBLEHOSTSFORTRUSTEE . . . . . . . . . . . . . . 159
GET-QTRUSTEEACCESS . . . . . . . . . . . . . . . . . . . . . . . 159
SET-QACCOUNTPASSWORD . . . . . . . . . . . . . . . . . . . . . 160
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
ABOUT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
CONTACTING QUEST SOFTWARE . . . . . . . . . . . . . . . . . . 175
CONTACTING QUEST SUPPORT . . . . . . . . . . . . . . . . . . . 175
THIRD PARTY CONTRIBUTIONS . . . . . . . . . . . . . . . . . . . 176
Chapter 1
Quest Access Manager Overview and Deployment
• Quest Access Manager Overview
• Key Components and Concepts
• Planning your Deployment
• Configuring Access Manager
• Access Manager Client Overview
• Removing Access Manager
Quest Access Manager Overview
This document has been prepared to assist you in becoming familiar with Quest
Access Manager, a Quest Windows Management Suite product. It is intended for
network administrators, consultants, analysts, and any other IT professionals
using the product.
The management of computer resources is a complex and time-consuming
process. There are numerous manual steps and disconnected management
applications that must be leveraged before a resource can be safely deployed
and made accessible to the appropriate users. Once deployed, there are
concerns that granted access is neither increased nor removed inadvertently. To
exacerbate this challenge in many organizations, the content owners have to
rely on IT administrators to manage resource access without knowing the
implications of their actions. Ultimately, this leaves an organization unable to
maintain operational efficiency or sustain continuous compliance.
Quest’s Solution
Quest Access Manager takes the following approach to meet the challenge:
• Unify resource management
Access Manager allows you to view and report on overall resource
access — both directly applied access and access obtained through
group membership. Without this information, visibility is limited and
could result in security breaches through inadvertent access.
• Evaluate resource access
Access Manager provides a real-time view of network resource
access, providing an immediate and ongoing ability to modify access
to resources. This helps enforce your corporate network access policy.
For an example of how to use Access Manager, see “Understanding Access
Manager through Scenarios” on page 127.
Key Components and Concepts
Access Manager consists of the following components:
Figure 1: Access Manager Components
Registered Forest
To register a forest, add the forest to Access Manager, following the instructions
“Add a Forest to the Deployment” on page 31. When you add a forest, you must
provide a service account with sufficient permissions to perform all QAM
management tasks. If the application needs to resolve a SID or expand group
membership from that forest, it will use the associated service account.
Once the forest is registered, you have the option of integrating with Active
Directory. Adding directory integration points to the forest makes Active
Directory Users & Computers extensions and extended rights for delegation
available to all domains within this forest.
To configure Active Directory extensions, several objects will be added to the
forest configuration container during the integration (Extended Rights in the
Configuration | Extended Rights container of the forest and Display Specifiers in
the Configuration | Display Specifiers container of the forest).
Once integrated, the Access Manager context menu items and features such as
the Group Membership tab will be available within Active Directory Users and
Computers.
When you add a Managed Domain and the associated Active Directory forest is
not yet registered, the Management Server will automatically add the forest and
use the domain service account credentials as the forest credentials. Note that
you can change the service account credentials at a later time.
For more information, see the following:
• “Add a Forest to the Deployment” on page 31
• “Change the Service Account Used to Access Information” on page 62
Managed Domain
To ensure that the application can install agents successfully, the Management
Server needs domain user credentials with sufficient access. Access Manager
uses the concept of a Managed Domain, which is an association of service
accounts (user credentials) to Active Directory domains. When a new service
account is added in the configuration, it is automatically granted the required
Log On as a Service local user right on the Quest Access Manager Management
Server. This Managed Domain service account is used to install the agents. Local
agents run as Local System and remote agents run as the service account
specified during their installation.
Only domains that have a trust relationship with the Management Servers
domain can be managed.
Once a domain is managed, the application creates a Service Connection Point
(SCP) in the domain that provides server location information so that all agents
and clients know where to connect. This is particularly useful if the Management
Server is reinstalled on a new computer in that domain.
For more information, see the following:
• “Add a Domain to the Deployment” on page 31
• “View and Ignore Externally Trusted Domains” on page 32
Managed Host
A Managed Host is essentially any network object that can host resources.
Currently supported host resources include Windows computers, Windows
clusters, and certain network attached storage (NAS) devices. When the user
takes a computer under control (adds a Managed Host), Quest Access Manager
deploys an agent to scan that computer. The agent may be installed on the
computer (local agent) or it may be installed on another computer (remote
agent). Detailed access information is kept on the agent computer; only
general access information is sent to the central server.
When adding a remote agent, ensure a trust exists between the host and the
resource domains.
For more information, see the following:
• “Add a Managed Host to the Deployment” on page 34
• “Add a Cluster (Managed Host) to the Deployment” on page 40
• “Managed Host Properties” on page 46
• “Saving Customized Layouts” on page 59
Access Manager Agent
When a Managed Host is taken under control, an agent is assigned to that
computer. The agent may reside on the computer or it may be a remote agent
that resides elsewhere. The agent’s primary focus is to index all the direct access
points throughout its assigned data roots for subsequent management.
The indexing of direct access points only is done for several reasons:
• It is the only point from which access control list (ACL) modifications
can be made. (For example, you cannot make ACL modifications to an
inherited ACL, and once you break the inheritance it becomes a direct
access point.)
• Indexing every access point would overwhelm the indexing system.
• Indexing every access point would overwhelm the user with
information that could not be managed.
A Managed Host may be scanned by either a local agent or one or more remote
agents. Only one local agent can be installed on a Managed Host and a Managed
Host with a local agent cannot be scanned by remote agents.
A local agent does an immediate scan as soon as it is added. Remote agents only
scan according to the schedule, but if you want the agent to scan as soon as it
is added you can enable the Immediately scan on agent restart or data root
change option. This option is cleared by default.
To reduce network usage and increase scalability, detailed access information is
maintained on the agent computers. To optimize searches for access points,
agents send small subsets of detailed access information to the server. This
allows clients to quickly determine which hosts to direct detailed access queries
to.
If you manually install an agent on a computer (that is, it has not been
deployed through the Management Server with the Add Managed Host
mechanism), the agent will not be able to connect to a server successfully
until the Management Server adds the computer as a Managed Host. Once it
has been added, all of the indexed information collected by the agent will be
available for use.
For more information, see the following:
• “Agent Properties” on page 54
• “Add a Managed Host to the Deployment” on page 34
• “Add an Additional Remote Agent to a Managed Host” on page 38
• “Restart Agents” on page 39
• “Update Agents” on page 40
• “Data Roots” on page 14
Data Roots
A data root is the root of a directory tree to be scanned by an agent. The data
roots available for scanning differ for local and remote agents.
Local agents scan all local fixed volumes on their host computer. Limiting a local
agent to a subset of these volumes is accomplished through the Data Roots tab
of the Managed Host Properties page. For more information, see “Locally
Managed Host Properties” on page 49.
Remote agents may scan all shares available to agents as well as any
user-created shares. The data roots scanned by a remote agent are chosen
during the configuration of a new remote agent. The scanned roots may also be
changed through the Data Roots tab of the Agent Properties dialog box. For more
information, see “Remotely Managed Host Properties” on page 51.
More than one remote agent may be configured to scan a Managed Host
provided each agent scans different data roots. A given data root can be scanned
by only one agent.
If a selected data root has inherited access rights from a parent folder, these
access rights will be displayed as explicit rights at the selected data root when
indexed. This is done to ensure that these access points are not omitted from
the index. Normally, these would be displayed explicitly at the point where they
obtained their access, but since this parent folder is above the selected data
root, the rights are displayed as explicit at the first point they are encountered
by the agent. In the case of inherited access rights, the first point that they are
encountered is the data root (the child folder). You can easily see these folders
by selecting the Inheritance column from the Column Chooser and adding it to
the view.
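As an added illustration of the two indexing rules described above (an agent indexes only direct access points, and rights inherited from a folder above the selected data root are shown as explicit at the data root so they are not omitted), the following Python example walks a constructed toy folder tree with its ACEs and builds the index an agent would produce for a chosen data root. This is not Quest's code or data format; the folder names, trustees and rights are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed toy model of a folder tree with its ACEs; this is not the product's
# own data format or indexing code, only an illustration of the rules in the text.

@dataclass
class Ace:
    trustee: str
    rights: str
    inherited: bool        # True when the ACE flowed down from a parent folder

@dataclass
class Folder:
    path: str
    aces: List[Ace]
    children: List["Folder"] = field(default_factory=list)

@dataclass
class AccessPoint:
    path: str
    trustee: str
    rights: str
    inheritance: str       # label the index shows for the entry

def build_sample_tree() -> Folder:
    """Constructed sample tree: D:\\ grants Admins and Staff explicitly, every subfolder
    inherits those two ACEs, Finance adds one explicit ACE, and Finance\\Payroll breaks
    inheritance and grants Payroll explicitly."""
    admins_inh = Ace("DOMAIN\\Admins", "Full", inherited=True)
    staff_inh = Ace("DOMAIN\\Staff", "Read", inherited=True)
    payroll = Folder("D:\\Data\\Finance\\Payroll",
                     [Ace("DOMAIN\\Payroll", "Modify", inherited=False)])
    finance = Folder("D:\\Data\\Finance",
                     [admins_inh, staff_inh, Ace("DOMAIN\\Finance", "Modify", inherited=False)],
                     [payroll])
    archive = Folder("D:\\Data\\Archive", [admins_inh, staff_inh])
    data = Folder("D:\\Data", [admins_inh, staff_inh], [finance, archive])
    return Folder("D:\\",
                  [Ace("DOMAIN\\Admins", "Full", inherited=False),
                   Ace("DOMAIN\\Staff", "Read", inherited=False)],
                  [data])

def find_folder(node: Folder, path: str) -> Optional[Folder]:
    """Locate a folder by path (case-insensitive, as Windows paths are)."""
    if node.path.lower() == path.lower():
        return node
    for child in node.children:
        hit = find_folder(child, path)
        if hit is not None:
            return hit
    return None

def index_data_root(tree: Folder, data_root: str) -> List[AccessPoint]:
    """Index the direct access points beneath one data root.

    Rule 1: below the data root only explicit (non-inherited) ACEs are recorded, since
            those are the only entries an ACL modification can target.
    Rule 2: at the data root itself, ACEs inherited from a folder above the root are
            recorded as explicit so they are not omitted from the index.
    """
    start = find_folder(tree, data_root)
    if start is None:
        raise ValueError(f"data root not found: {data_root}")
    index: List[AccessPoint] = []

    def walk(node: Folder, at_root: bool) -> None:
        for ace in node.aces:
            if not ace.inherited:
                index.append(AccessPoint(node.path, ace.trustee, ace.rights, "Explicit"))
            elif at_root:
                index.append(AccessPoint(node.path, ace.trustee, ace.rights,
                                         "Explicit (inherited from above the data root)"))
            # inherited ACEs below the root are skipped: the folder that granted them is
            # at or below the data root and is already indexed as the access point
        for child in node.children:
            walk(child, at_root=False)

    walk(start, at_root=True)
    return index

if __name__ == "__main__":
    for ap in index_data_root(build_sample_tree(), "D:\\Data"):
        print(f"{ap.path:28} {ap.trustee:16} {ap.rights:7} {ap.inheritance}")
```

Running it with D:\Data as the data root lists the two ACEs inherited from D:\ as explicit entries at D:\Data, plus the explicit Finance and Payroll entries; choosing D:\ as the root instead lists only genuinely explicit entries, because nothing is inherited from above it.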
Management Server
The Management Server is the central authority that receives and indexes
information from agents. It only maintains a subset of information for the
computers that are being indexed, which is essentially trustee access to specific
resource types on managed computers. Once the user requires detailed access
information, the Management Server will attempt to contact the local agent and
provide information stored in the local agent index.
Management Servers work independently; they cannot share information or
work collectively with other Management Servers.
For large geographically separate Active Directory forests, we recommend
that you install a Management Server and configure a new deployment in
each location. This way, data being transferred to the server, and the queries
and commands being issued from it, do not have to deal with large network
latency. For details, see “Configuring the Management Server” on page 24.
For more information, see “Connect to the Management Server” on page 27.
Access Manager Client
The Access Manager client is the application used to perform daily
operations. The client is capable of connecting to different Management Servers.
Once connected to a Management Server, you can perform functions on all the
associated Registered Forests, Managed Domains, and Managed Hosts — given
you have the appropriate rights to do so.
For more information, see the following:
• “Access Manager Client Overview” on page 64
• “Delegating Access to Access Manager” on page 27
Database
Management Servers store all data in the deployment in an SQL Server
database, including indexed data received from the agents. The Management
Server is the only component in the system that accesses the database.
Service Account
A service account is a set of credentials provided by the user and is used to
perform certain deployment and query operations.
Managed Domains Service Account
When you take a domain under management, you must provide a service
account for the domain. You can only take computers under management that
are from Managed Domains. The Managed Domain service account ensures
computers from that domain can be taken under control. Each Managed Domain
can only have one associated service account at any time, but the same service
account can be used for multiple Managed Domains. The service account can be
changed through the Managed Domain properties page within the application.
When a new service account is added in the configuration, it is automatically
granted the required Log On as a Service local user right on the Quest Access
Manager Management Server.
Active Directory Forests Service Account
Although Quest Access Manager does not manage the Active Directory forest, it
does associate a service account with it. Active Directory forests are added to
the application either explicitly by the user adding the Forest directly and
providing service account credentials, or implicitly when the user adds a
Managed Domain. When you add a Managed Domain, the associated Active
Directory forest is added with the same credentials as the Managed Domain. The
Active Directory forest service account is initially used to enumerate the objects
within the forest itself so you can perform operations like enumerating domains
within that forest. The account is also used to enumerate group membership for
trustees you are managing and for resolving SIDs. You can change the service
account for the forest later through the Active Directory forest properties page
within the application.
Managed Host Service Account
When you deploy an agent to a computer for remote indexing, the agent
requires a set of credentials to read information from the remote target
computer. The credentials provided are referred to as the Managed Host service
account and are used only to read information from the remotely targeted
computer.
Default Service Account
The default service account serves as a set of credentials to enumerate trusted
forests that have not been explicitly added to the product with an associated
service account. The default service account is used for group expansion and SID
resolution for Managed Accounts and their group membership.
Account Usage
Various operations within the Access Manager use different credentials. The
following table details when various accounts are being used. Note that although
certain actions are performed using elevated privileges, the user must be
granted access to the application and granted rights to perform certain
operations.
ACTIONS                                | ACCOUNTS USED
                                       | MANAGED DOMAIN SERVICE ACCOUNT | INTERACTIVE USER | FOREST SERVICE ACCOUNT
---------------------------------------|--------------------------------|------------------|-----------------------
Agent Deployment and Removal (1)       | Yes                            |                  |
Restart Agent                          | Yes                            |                  |
Synchronize Agent Service Account      | Yes                            |                  |
Take Domain Under Management           | Yes                            |                  |
Modify Resource Security               |                                | Yes              |
Integrate with ActiveRoles Server      |                                | Yes              |
Integrate with Active Directory        |                                | Yes              |
View Trustee Properties                |                                | Yes              |
Perform a Quick Search                 |                                | Yes              |
Register a Forest and Enumerate        |                                |                  | Yes
Manage Trustee Access (2)              |                                | Yes              | Yes
Report on Trustee Access (2)           |                                | Yes              | Yes
Read a Trustee’s Group Membership (2)  |                                | Yes              | Yes
(1) The Managed Domain service account is used to install, upgrade, or remove
the agent on the target computer. In the case where the agent is deployed for
local indexing, the agent will run as Local System. In the case where an agent is
deployed for remote indexing, the Managed Host service account is used to
read and index the information from the remote computer.
(2) For query operations, the Default service account may also be used in certain
cases as described in the Default service account section above.
Security of the Service Accounts
The service account credentials are maintained in the database in a secure
encrypted form. In the event that someone gains access to the database, they
would not be able to decrypt any of the credentials provided without the
encryption key.
Access Manager uses the Advanced Encryption Standard with a 256-bit key to
protect secure data.
Deployment
A deployment is the collective installation (grouping) of a single Management
Server, the associated back-end SQL database, and the associated registered
forests, Managed Domains, and Managed Hosts.
Currently, Access Manager does not support multiple deployments sharing the
same Managed Hosts or agents. You can use the same Managed Domain in
multiple deployments, although from an organizational standpoint it is not
recommended. (This type of deployment is possible, but it is not recommended
as it may cause adverse effects). You can register a forest in multiple
deployments with no adverse effects.
Deployment Key
During configuration, Access Manager creates a set of encryption keys that are
used to secure sensitive information, such as the credentials used to access the
database and stored service account credentials. During the configuration of
Access Manager, you are prompted to store a backup of this key information,
encrypted with a passphrase. This backed up key information is required for all
upgrades as of version 2.0. The deployment key can be used to connect another
Access Manager server to the database, in the event of server failure or another
unplanned reconfiguration.
It is very important that the backup deployment key file, and its associated
passphrase, not be lost as it is required during an upgrade.
As of version 1.6.1 of Access Manager, it is possible to connect a server to an
existing database without a backup of the deployment key information and
its associated passphrase. However, when this operation is performed, all
service account password information held in the Access Manager database is
lost, and must be re-entered. After re-entering the service account
passwords, you must restart the Quest Access Manager Service.
Group Membership and Group Expansion
When examining and managing the access settings of a user or group, it is
necessary to know to which groups they belong. Access Manager provides a
comprehensive group membership visualization and reporting system to provide
the information required to manage user or group access on the network.
The Access Manager group membership tree is displayed as an integral part of
the information gathered during access queries. The membership tree allows
you to see a list of all groups to which a trustee belongs, taking into account
group nesting. While similar to the Member Of information maintained in Active
Directory for users and groups (which can be seen using the Active Directory
Users and Computers MMC snap-in), the information presented in the Access
Manager group membership tree is much more complete. In addition to showing
group nesting information, it shows domain group membership information,
cross-forest group membership and machine local group memberships of
Managed Hosts.
Figure 2: Group Membership Treeview
When interrogating a group that is nested within itself, the circular nesting will
be clearly displayed in the membership tree and report. For instance, if group A
is in group B, group B is in group C and group C is in group A, then a report
interrogating group A will clearly show that A is circularly nested within itself.
In Trustee Access reports, the groups to which the report’s focused trustee
belongs are presented in a flat list for easy viewing. Within each of these groups,
a list of how the root trustee gained membership in a particular group is shown.
If group expansion fails on a report for a selected trustee, the report will
return an error report indicating the reason that the report failed. Either run
the report selecting ’Direct Trustee Access Only’ or resolve the indicated
problem.
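The following Python example is an added illustration, not Quest's code, of the group expansion described above: it inverts a constructed set of group member lists into member-of relationships, walks membership upward from a trustee taking nesting into account, stops and flags a chain as soon as a group already on it reappears (the A-in-B, B-in-C, C-in-A case), and produces the flat per-group list of routes by which membership was gained that a Trustee Access report presents. The domain, group and user names are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample directory: each group maps to its direct members (users or
# groups), the way an AD group's member attribute does. Illustrative data only,
# and the expansion code below is not the product's own logic.
DIRECT_MEMBERS: Dict[str, List[str]] = {
    "DOMAIN\\A": ["DOMAIN\\C", "DOMAIN\\alice"],      # C is in A
    "DOMAIN\\B": ["DOMAIN\\A"],                        # A is in B
    "DOMAIN\\C": ["DOMAIN\\B", "DOMAIN\\bob"],        # B is in C  -> A, B, C form a cycle
    "DOMAIN\\Finance": ["DOMAIN\\alice"],
    "DOMAIN\\Domain Users": ["DOMAIN\\alice", "DOMAIN\\bob"],
}

def member_of_index(direct_members: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert member lists into a trustee -> [groups it is directly in] map."""
    parents: Dict[str, List[str]] = {}
    for group, members in direct_members.items():
        for member in members:
            parents.setdefault(member, []).append(group)
    return parents

def membership_chains(trustee: str,
                      direct_members: Dict[str, List[str]] = DIRECT_MEMBERS
                      ) -> List[Tuple[List[str], bool]]:
    """Expand nested membership upward from a trustee.

    Each result is (chain, circular): the chain starts at the trustee and lists each
    group reached in turn. A chain ends at a group with no parents (circular=False)
    or when a group already on the chain reappears (circular=True), which is how a
    group nested within itself is reported instead of expanding forever.
    """
    parents = member_of_index(direct_members)
    chains: List[Tuple[List[str], bool]] = []

    def walk(chain: List[str]) -> None:
        groups = parents.get(chain[-1], [])
        if not groups:
            if len(chain) > 1:          # the trustee on its own is not a membership
                chains.append((chain, False))
            return
        for group in groups:
            if group in chain:
                chains.append((chain + [group], True))
            else:
                walk(chain + [group])

    walk([trustee])
    return chains

def circular_groups(trustee: str,
                    direct_members: Dict[str, List[str]] = DIRECT_MEMBERS) -> Set[str]:
    """Groups on the trustee's membership tree that are nested within themselves."""
    return {chain[-1] for chain, circular in membership_chains(trustee, direct_members)
            if circular}

def flat_member_of(trustee: str,
                   direct_members: Dict[str, List[str]] = DIRECT_MEMBERS
                   ) -> Dict[str, List[str]]:
    """The flat list a Trustee Access report shows: every group the trustee belongs
    to, directly or through nesting, with the route(s) by which membership was gained."""
    flat: Dict[str, List[str]] = {}
    for chain, _ in membership_chains(trustee, direct_members):
        for depth in range(1, len(chain)):
            route = " -> ".join(chain[: depth + 1])
            routes = flat.setdefault(chain[depth], [])
            if route not in routes:
                routes.append(route)
    return flat

if __name__ == "__main__":
    for group, routes in flat_member_of("DOMAIN\\alice").items():
        print(group)
        for route in routes:
            print("   via", route)
    print("circular:", sorted(circular_groups("DOMAIN\\A")))
```

Interrogating group A yields a single chain A -> B -> C -> A flagged as circular, which is the condition the membership tree and report display; interrogating alice yields her direct groups plus B and C reached through the nesting, with A listed twice in the routes because it is reached both directly and again around the cycle.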
Detailed View of Group Members
Access Manager now provides a hierarchical view of group membership and the
recursive list of who is contained in the group. It eliminates the need to navigate
through group nesting to identify all group members that ultimately have access
to specific shares, folders, and files.
The Users and Groups node contains columns with the full range of information
needed to find specific data. You can use the Filter Editor in this node, and
Column grouping in the Layout Options to create customized views of groups,
group members, and the resources they have access to.
You can also use reports to see group membership details and comparisons
between groups, to help clean up redundant or erroneous membership. For
information about reporting on group membership, see “Creating Reports” on
page 107.
For more information, see the following:
• “Users and Groups Node” on page 73
• “View Group Membership” on page 100
• “Group Members Report” on page 111
• “Group Members Comparison Report” on page 112
• “Member Of Report” on page 113
• “Member Of Comparison Report” on page 112
Resource Security Editing
The native Security Editor provided to manipulate the permissions of files,
folders, and shares can be confusing due to its simple/advanced Properties
approach. Access Manager's Resource Security Editor allows for easy navigation
of shares, files, and folder permissions by providing a similar viewing experience
to the simple native view, but with the advanced ability to discern inheritance
differences. You can quickly view the complete security and easily modify
existing access, view a comprehensive Membership display for all users and
groups, as well as run comparison reports.
In the Resource View, you can open and select a resource and then right-click
one or more users or groups in the Security Editor in the lower pane to run a
Trustee Access, Trustee Activity, Member Of, Member Of Comparison, Group
Members, or Group Members Comparison report, depending on what is selected.
Reports are also available by right-clicking the resource itself and selecting
Reporting.
In the Trustee View, you can open and select a resource and then right-click it
and select Reporting to run a Trustee Access, Trustee Activity, Member Of,
Member Of Comparison, Group Members, or Group Members Comparison report,
depending on what is selected.
For more information about reporting, see “Creating Reports” on page 115.
The new Security Editor enhances all instances of the native security editor on
all Windows platforms supporting the Quest Access Manager client. It can be
accessed through the Access Manager client, as well as through a Windows
Explorer extension for files, folders, and shares.
To provide a number of enhanced functions, including auditing and robust
SID resolution, the Access Manager Security Editor must read and write
security information through the Access Manager server, leveraging the
Managed Domain/service account structures defined by administrators.
Because the Security Editor leverages the Access Manager server’s security
manipulation functions, it automatically gains auditing capabilities. Whenever
security information is manipulated by the server, difference calculations are
performed, and the resulting change information is written to the Access
Manager server’s audit logs. These audits can be used to trace security changes.
For more information, see “Edit Security” on page 94.
Licensing
Licensing is based on the number of enabled users and InetOrgPerson accounts
per licensed domain in the enterprise. Every Managed Domain is automatically
licensed. If you want to turn off the licensing for a domain you first have to
remove the domain from management.
Licensing has three states:
• Managed — Licensed: You are managing computers and users in the
domain.
• Unmanaged — Licensed: You want to run queries against accounts in
a domain in which you are not managing any computers.
• Unmanaged — Unlicensed: You want to ensure group expansion
enumerates groups in the domain, although you will not be running
any access queries.
For more information, see “Remove Forests, Domains and Hosts from
Management” on page 64.
22
Quest Access Manager Overview and Deployment
Service Connection Point (SCP)
Service Connection Points are a standard Active Directory object used by
applications to locate applicable services available on the network. Access
Manager creates a Service Connection Point within each managed domain so
that agents, clients, and third party applications can locate the Access Manager
Management Server.
Access to the Application
After installation, the only users who have access to the Management Server
are members of the local Administrators group on the computer where the
Management Server is installed. You can add other users or groups, or alter
the access the Administrators group has to the server. For more information,
see “Delegating Access to Access Manager” on page 27.
Planning your Deployment
To deploy Access Manager you must have the following in place:
Server Installation
• The server is the central hub for communication and therefore should
be installed on a reliable and secured computer.
It is important that the Administrators group on the Management Server be
very secure to ensure the protection of the encryption key.
Server Configuration/Database Creation
• Be sure to install QAM using an account with SysAdmin rights across
the network, including the domain controller and the SQL server. If
you use an account without full SysAdmin rights on the key system
components, you will not be able to successfully configure QAM.
• Before the server is operational, an SQL database must be created for
its use.
Domain Identification and Service Account
Credentials
• Before you can start managing resources, you must first identify the
domains in which those resources reside (Managed Domains), and
provide the credentials (service account) that can perform operations
on those resources.
You will be prompted to register a domain and service account with Access
Manager when you initially configure an Access Manager deployment during
the installation.
When a new service account is added in the configuration, it is automatically
granted the required Log On as a Service local user right on the Quest Access
Manager Management Server.
Computer Identification
• Before you can start managing resources, you must add computers
(Managed Hosts) to the deployment. For details, see “Add a Managed
Host to the Deployment” on page 34.
Client Installation
Once the Client and Server are installed and configured, domains have been
added, computers have been added, and access has been delegated, users can
start gathering security information on the enterprise resources.
To use the Access Manager MMC client to access the application, the user
must be delegated access through deployment security. For more
information, see “Delegating Access to Access Manager” on page 27.
Configuring Access Manager
The key to getting the most from Quest Access Manager is in tailoring it to your
particular needs. In this section, you will learn about the various parameters you
can set and views you can establish, to monitor your particular agents and
processes.
Configuring the Management Server
You can accomplish all of your server configuration steps by using the
Configuration Wizard.
Set Up a Management Server in a New Deployment
For large geographically separate Active Directory forests, Quest recommends
that you install a Management Server and configure a new deployment in each
location so that data being transferred to the server, and the queries and
commands being issued from it, do not have to deal with large network latency.
To set up a Management Server in a new deployment
1. From the Autorun, select the Quest Access Manager tab, click
Quest Access Manager Server to open the install wizard, then
follow the installation instructions.
2. Click Next.
3. Read and accept the license information and click Next.
4. Enter a location for the install and click Next.
5. Click Install.
6. Click Finish.
The Quest Access Manager client opens.
7. Enter the name of the Management Server, confirm that the port
number is 8722, and click Connect.
The default port is 8722 and should not be changed. If you need to alter the
port number, contact Quest Support for more information.
A dialog box indicating that the Management Server is not configured
opens.
8. Click Yes.
The Configuration Wizard opens to guide you through the
Management Server setup.
9. Specify a valid license and click Next.
10. Specify the database server, database name, enter the database
access credentials, and click Next.
These credentials are used both for database creation and subsequent
access.
11. Enter the Deployment name and the required Deployment Key
information and click Next.
12. Enter the initial Managed Domain (a domain that has an associated
service account, in which you can manage resources), the service
account credentials, and click Next.
The service account information is used by the server to take actions
within the domain. The service account credentials should have
Administrative access to the Managed Domain. When you add this
service account, it is automatically granted the required Log On as a
Service local user right on the Quest Access Manager Management
Server.
13. Review the Summary page, and click Finish.
Replace or Rejoin an Access Manager Server
While Access Manager uses only a single server per deployment, this server can
be replaced or rejoined in the event of hardware failure or other unplanned
reconfiguration. This functionality allows an existing server to be rejoined to a
deployment, or a new server to connect to an existing Access Manager database
and assume all of a decommissioned server’s functionality.
To replace or rejoin an Access Manager server
1. Ensure that the original server is not operational (if replacing).
Only one server at a time is permitted to connect to an Access
Manager database.
2. Install the Quest Access Manager server components on the new
system (if replacing).
3. During the configuration of the server, enter the database server and
name used for the deployment.
4. At the prompt for deployment key backup information, select the
original deployment’s backup key information, as well as the
passphrase associated with the backup.
If you do not have the original deployment key backup information,
specify a new backup location and passphrase.
Upon completing the Configuration wizard, you must re-enter all
service account password information.
Connect to the Management Server
Management Servers coordinate communication between clients and agents and
perform management tasks on users’ behalf.
To connect to a server
1. From the Access Manager client, right-click the Quest Access
Manager node and select Connect to Server.
2. Enter the server name.
– OR –
Click the Browse button to select a server, and enter the port
information.
The server will be validated to ensure that it has been configured. This
port will be used by clients to connect to the Management Server, and
should allow incoming connections.
The default port is 8722 and should not be changed. If you need to alter the
port number, contact Quest Support for more information.
Delegating Access to Access Manager
Quest Access Manager permissions are controlled through a combination of
permissions over the Access Manager deployment and permissions applied to
Active Directory objects. By default, Access Manager maintains a set of
permissions over the Access Manager deployment itself. These control access to
the application. Additionally, when a forest is marked as integrated within the
Access Manager console, a set of extended Active Directory rights are added to
the forest that allow for fine delegation over individual objects within Active
Directory.
By default, the BUILTIN\Administrators group of the computer hosting the
Management Server has full access to the Access Manager deployment.
Access Manager Deployment Permissions
PERMISSION: DESCRIPTION
Application Access: This permission allows users basic read access to Access Manager. This is the base permission required to use Access Manager that all users must possess. With this permission, a user can connect to an Access Manager server with a client, view configuration information, perform queries, and run reports, provided they have either the QAM Query Trustee Access right over the appropriate target objects or the Bypass Active Directory Delegation permission.
Manage Configuration: This permission allows users to modify the configuration of Access Manager. With this permission, a user can modify all elements of the configuration of Access Manager, including adding service accounts, Managed Hosts, Managed Domains, and delegated Access Manager permissions. This right should only be granted to highly trusted accounts.
Bypass Active Directory Delegation: This permission allows users to bypass all delegation through Active Directory and grants full access to the application. This includes querying trustee access and local group management features. In cases where a domain cannot be integrated with Active Directory, this permission must be granted to all Access Manager users to allow them to use the query and local group management features.
Allow Directory Browsing: This permission allows users to browse licensed domains for trustees to be added to machine local groups. Without this right, a user cannot browse for trustees to add to machine local groups through the Access Manager client.
Manage Resource Auditing Settings: This permission is required for client users to make changes to the SACLs of resources. With this right, client users are permitted to make changes to object SACLs on any managed hosts, so long as they have the Change Permissions right on the target resources. Note that this is subtly different than what is enforced natively, where a client user would require the "Manage auditing and security log" right on the target computer.
Note: With this Access Manager deployment permission, a client user will not require this native privilege, so care should be taken in delegating this deployment permission.
Self-Service Access: This permission allows trustees to use Quest Access Manager Self-Service functionality.
Resource Security Query Access: This permission allows the user to run resource security reports such as Resource Access and Local Rights and Service Identities. This right should only be granted to highly trusted accounts.
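The Manage Resource Auditing Settings note above contrasts the deployment permission with the native "Manage auditing and security log" right, which Windows stores as the SeSecurityPrivilege user right. The following PowerShell is an added example, not part of this guide or of Access Manager: it reports which accounts hold a given user right on the local computer by exporting the local security policy with secedit.exe, so an administrator can compare the native holders with the accounts delegated the deployment permission. The same function checks SeServiceLogonRight, the Log On as a Service right that the guide says is granted automatically to service accounts on the Management Server. It assumes an elevated session on the target computer.

```powershell
# Added example (not Quest's code): list the accounts holding a user right on this
# computer, using secedit.exe to export the local security policy and resolving the
# SIDs it reports. Run from an elevated PowerShell session.
function Get-LocalUserRightHolders {
    param(
        # Privilege constant, e.g. SeSecurityPrivilege ("Manage auditing and security log")
        # or SeServiceLogonRight ("Log on as a service").
        [Parameter(Mandatory)][string]$Privilege
    )
    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    try {
        # secedit writes a UTF-16 INI file; /areas USER_RIGHTS limits it to the
        # [Privilege Rights] section, e.g.  SeSecurityPrivilege = *S-1-5-32-544
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $cfg -Encoding Unicode |
            Where-Object { $_ -match ('^\s*{0}\s*=' -f [regex]::Escape($Privilege)) }
        if (-not $line) { return @() }   # right assigned to nobody on this computer

        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # "*S-1-5-32-544" form: resolve the SID to an account name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }
                [pscustomobject]@{ Privilege = $Privilege; Sid = $sid.Value; Account = $name }
            } else {
                # secedit can also emit plain account names
                [pscustomobject]@{ Privilege = $Privilege; Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Usage: who can change SACLs natively on this host, and who may log on as a service.
Get-LocalUserRightHolders -Privilege SeSecurityPrivilege  | Format-Table -AutoSize
Get-LocalUserRightHolders -Privilege SeServiceLogonRight | Format-Table -AutoSize
```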
Active Directory Permissions
When a domain is marked as integrated, Access Manager adds extended right
objects to the forest to which the domain belongs. This allows the delegation of
rights over various Access Manager operations using native Active Directory
delegation. If a user has the "Bypass Active Directory Delegation" permission,
then they will not be subjected to any Active Directory access checks; any access
delegations made in Active Directory are ignored.
The following rights are added to each domain in an integrated forest:
PERMISSION: DESCRIPTION
QAM Query Trustee Access: This permission is available to users, InetOrgPerson, groups, and computers. If a user has this permission with respect to a user, group, or InetOrgPerson, they will be permitted to see the full access information related to that user or group. If a user does not have this permission, any access information for this user will be filtered from the results. If a user has this permission on a computer, then the user may see the access on that particular computer from any built-in account, local user or group, or well-known security principal.
QAM Manage Machine Local Groups: This permission is available on computers. Access Manager users are permitted to manage the machine local groups of any computer over which they have been granted this permission. Users granted this permission do not need to be in any of the groups on the target computer that would generally allow them to manage machine local groups (Server Operators, Administrators, and others), provided changes to machine local group membership are performed through Access Manager.
QAM Read Local Groups: This permission is available on computers. Access Manager users are permitted to enumerate and view the memberships of computers over which they have been granted this right without being able to natively view those groups.
QAM Manage Machine Local Admins Group: This permission allows management of all local groups on the computer except the Administrators group. To manage the Administrators group, the Manage Machine Local Admins Group permission is required.
For ActiveRoles Server integration you must have Read access in Access
Manager and the running account must have the proper rights in ActiveRoles
Server. No actual changes are made within Access Manager for the
integration; all changes are made within ActiveRoles Server.
To set the level of access to the Access Manager deployment
1. Right-click the Quest Access Manager node and select
Deployment Security.
2. Add and remove users and groups as required and click OK.
Add Forests, Domains, Hosts and Agents
Before you can gather security information on the resources in your enterprise,
you must add the required forests, domains, and computers to the Access
Manager deployment and provide credentials that can access those resources.
Add a Forest to the Deployment
When you add a Managed Domain and its forest is not already added, Access
Manager will automatically register it using the service account provided for the
domain.
You also have the option of registering the forest and providing its own service
account.
To add a forest
1. Expand Quest Access Manager, Configuration, and select
Managed Domains.
2. Click in the right pane, right-click the Managed Domain node, and
select Add Forest.
3. Enter the DNS Name, select a service account, and select Add.
– OR –
Click New to create a new service account.
4. Click Next.
The service account must have sufficient access required to query group
membership within the forest.
You can right-click a Managed Forest in the right pane to view its properties
and change the associated service account.
5. Click Finish.
Add a Domain to the Deployment
Adding domains allows you to register Managed Hosts (computers that you want
to query) from those domains. If a domain is not managed, it cannot have
Managed Hosts.
When a domain is brought under management, an operation is performed to
ensure Access Manager can function properly with resources from that domain.
An Access Manager container is created in the domain’s System container. This
container holds a set of Service Connection Point objects, which are used by the
components of Access Manager to find one another.
Agents and clients use this information to locate the Management Server they
should connect to.
Only domains that have a trust relationship with the Management Server’s
domain can be managed.
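The guide explains above, and in “Service Connection Point (SCP)”, that Access Manager publishes SCP objects in each managed domain’s System container so that agents and clients can find the Management Server. The following PowerShell is an added example, not part of the guide or of Access Manager: it enumerates every serviceConnectionPoint under a domain’s System container so an administrator can confirm which servers the registered SCPs advertise. It assumes the ActiveDirectory module (RSAT) is installed; because the guide does not name the Access Manager container, the whole System container is searched and the results can be narrowed with the -Match parameter (the 'Access Manager' filter string in the usage line is an assumption).

```powershell
# Added example (not Quest's code): list the Service Connection Points (SCPs) that
# live under a domain's System container, which the guide identifies as the place
# Access Manager registers the SCPs its agents and clients use to find the
# Management Server. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-SystemContainerScp {
    param(
        # DNS name of the domain to query; defaults to the current computer's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Optional case-insensitive substring to narrow results, e.g. 'Access Manager'.
        # The guide does not name the container, so the whole System container is searched.
        [string]$Match
    )
    $domainObj = Get-ADDomain -Identity $Domain
    $systemDn  = 'CN=System,' + $domainObj.DistinguishedName

    $scps = Get-ADObject -Server $Domain -SearchBase $systemDn -SearchScope Subtree `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties keywords, serviceBindingInformation, serviceClassName, whenChanged

    foreach ($scp in $scps) {
        $record = [pscustomobject]@{
            Name        = $scp.Name
            Container   = ($scp.DistinguishedName -split ',', 2)[1]   # parent DN
            Class       = $scp.serviceClassName
            Bindings    = @($scp.serviceBindingInformation) -join '; '
            Keywords    = @($scp.keywords) -join '; '
            WhenChanged = $scp.whenChanged
        }
        # Emit the record if no filter was given, or if any displayed field matches it.
        $haystack = '{0} {1} {2} {3}' -f $record.Name, $record.Container, $record.Bindings, $record.Keywords
        if (-not $Match -or $haystack -match [regex]::Escape($Match)) { $record }
    }
}

# Usage: review every SCP first, then narrow to the ones that look like Access Manager's
# and confirm that their bindings name the expected server and port (8722 by default).
Get-SystemContainerScp | Format-Table Name, Class, Bindings -AutoSize
Get-SystemContainerScp -Match 'Access Manager' | Format-List
```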
To add a domain
1. Expand Quest Access Manager, Configuration, and select
Managed Domains.
2. Click in the right pane, right-click the Managed Domain node, and
select Add Managed Domain.
3. Enter the domain DNS name, select an existing service account to
associate with the domain, and click Finish.
– OR –
Enter the domain DNS name, click New to create a new service
account to associate with the domain, enter the account name and
credential, and click Finish.
When a new service account is added in the configuration, it is automatically
granted the required Log On as a Service local user right on the Quest Access
Manager Management Server.
If required at a later date, you can easily associate a different service
account. For information, see “Change the Service Account Used to
Access Information” on page 62.
You can right-click a managed domain in the right pane to view its properties
and change the associated service account. When a managed domain service
account is changed, remote agents in that domain will have their service
accounts updated by the Management Server. The agents will be restarted.
View and Ignore Externally Trusted Domains
Access Manager determines group membership (member of) through all of the
groups to which the user belongs in their home forest, any groups they are in by
virtue of forest trusts, or any groups they are in by virtue of incoming external
trusts with the domain in which they reside.
Managed domains can have child trusts, forest trusts, and external outgoing
one-way trusts that allow principals from other domains to have access to the
managed domain. As such, the group resolution picture or security picture would
not be complete without understanding the membership from these domains.
If you do not want to query a domain, for group resolution purposes, you can
mark a domain such that Access Manager will no longer contact it.
The Group Resolution Status column indicates whether or not it is ignored.
The possible values include:
• Unknown: Not yet contacted for group resolution
• OK: Available for group resolution
• Disabled: Disabled for group resolution
The External Trust Type column displays whether the trust is incoming,
outgoing, or bi-directional.
You cannot select to ignore a managed domain.
To view external trusts and ignore a domain
1. Expand Quest Access Manager, Configuration, and select
Managed Domains.
2. Right-click a Managed Domain, and select Properties.
3. Click the External Trusts tab.
All externally trusted domains are displayed. From here, you can
choose to ignore those that you are not interested in.
4. Right-click a trusted domain, and select Ignore Domain.
If you select to ignore a domain, it will not be contacted and any
principals from this domain will not be considered in queries.
– OR –
Right-click and select Resolve Domain.
When you select to resolve the domain, it is no longer excluded from
“Group Member Of” and “Group Member” operations. As such, users
and groups from this domain will be included in query results. If the
domain is down, however, due to network access or any other issue,
the only artifact will be log entries and issues within the issue list for
the problem encountered.
To mark a child domain as ignored, right-click an unmanaged domain in the
Managed Domains view and select Ignore Domain.
Add a Managed Host to the Deployment
When you add a managed host, you have the option of installing a local agent
on the same computer or configuring a remote agent installed on another
computer. If you install a locally managed host, you have the option of
automatically installing the agent with the host, or manually installing the agent
later.
Only computers in domains that are managed can be added as Managed
Hosts. To add a domain, other than the domain specified during installation,
see “Add a Domain to the Deployment” on page 31.
If you choose to add a remote agent to a Managed Host, the first remote
agent must be configured during the deployment of the Managed Host. You
can add more remote agents later, if needed.
More than one remote agent may be used to scan a Managed Host. This is
particularly useful if the host has a large set of data roots. Multiple agents
may not scan the same data root.
For more information about remote and local agents, see “Access Manager
Agent” on page 13.
Network Attached Storage Devices
You can add Network Attached Storage (NAS) devices as managed hosts, with
remote agents. You can enable both real-time file system updates and resource
activity tracking on these devices. For details on compatible NAS devices, see
the Quick Start Guide.
Enabling resource activity allows collection of usage information. For details, see
“Tracking Resource Activity” on page 50. When enabling resource activity for a
NetApp filer, Access Manager creates and enables an FPolicy on the target host
responsible for monitoring file activity for the specified data roots. The FPolicy is
named after the agent instance, such as BW_30d83dc5882449f28d49059b948647c1.
To view an FPolicy, establish a Telnet or SSH connection to the filer device,
log in, and type: “fpolicy”.
Do not use the computer hosting a remote agent watching a NetApp filer to
perform actions on that NetApp filer (reads, writes, and so on). If you do, the
agent will not record the activity data.
When you remove an agent, the FPolicy is deleted. For information about
configuring an EMC Celerra device, see “Appendix A: Configuring EMC Celerra”
on page 143.
Agent Deployment
Agent Deployment Best Practice
When deploying Access Manager agents, local agents are generally
preferable to remote agents. Local agents reduce network bandwidth and
increase responsiveness. In cases where it is not possible to deploy local
agents to a system (such as when using a network attached storage device,
or a virtual cluster node), the following best practices should be considered:
• When deploying multiple remote agents to a hosting computer, limit the
number of agents to 20. Too many agents, especially those for which
remote real-time file system indexing is enabled, can use more resources
than are available, causing intermittent failures in indexing operations.
• When deploying agents to remotely index, ensure that the agents are
hosted on computers that have low latency, high bandwidth connections
to their targets. This ensures that agents that have real-time remote file
system indexing enabled will not suffer from periodic watch failures.
• Avoid deploying more than 5 agents to the computer hosting the Access
Manager server itself. The Access Manager server requires significant
network resources to perform its various operations. When agents are
deployed to this system, they compete for these network resources.
Leaving the server with as few agents as possible ensures that it will not
suffer performance degradation due to resource scarcity.
Adding a Managed Host with a Local Agent
To add a managed host with a local agent
1. Expand Quest Access Manager, right-click the Managed Hosts
node, and select Add Managed Host.
2. In the Select Management Method box, select Locally managed
through a locally installed agent, and click Next.
When you add a Managed Host, you can choose to automatically
install an agent or choose manual installation to defer the agent
installation to a later date.
3. In the Agent Deployment box, choose between Automatic installation
from the Management Server or Manual installation, and click Next.
An agent must be configured for the computer to communicate with the
server and gather resource information. Until this is done, no resource access
will be reported for this computer.
4. Select the domain in which the host resides, select the host, and click
Add.
Only computers with Windows 2000 Server operating systems or later, and
certain NAS devices will be displayed while adding computers to be managed
by Quest Access Manager. For details on compatible NAS devices, see the
Quick Start Guide.
5. If you have chosen the manual agent installation, the task of adding
a managed host is now complete. If you are installing the agent
automatically with the managed host, you must now decide if you
want to enable resource activity tracking for the agent.
Resource activity tracking is used to collect data on identities, reads,
writes, creates, moves, renames and security changes on files and
folders. This information is required for several report types, including
the Resource Activity report. For more information, see “Creating
Reports” on page 107.
Resource activity tracking is not supported with MS SQL Express. You must
use SQL Server Standard or Enterprise Edition with this feature.
6. In the Settings box, set the Granularity for the resource activity
tracking.
Granularity specifies how often resource activity data is aggregated.
For example, if the granularity is set to one hour, all activity by a given
user on a given resource within that hour is aggregated into one record.
The time stamps for resource activity are based on the agent local time.
7. To limit network traffic, select Synchronize only between these
times and set the From and To values.
This setting specifies when the agent sends the resource activity data
to the management server.
8. To change the identities, files, or folders that are excluded from
tracking, click the Manage Exclusions button and select the objects
to exclude.
Certain administrative identities, file extensions, and folders are
excluded by default. You can see the full list by clicking the Manage
Exclusions button. If the list is empty, click Default to populate the
exclusions with default values.
Use the Export and Import buttons on their respective tabs to export
and import a list of SIDs, file types, or folders to exclude. For
information on the file syntaxes, see the parameter descriptions in
“Add-QManagedHostByAccountName” on page 156. For folders, you
can also drag and drop from Windows Explorer.
9. Click Finish.
10. Select Refresh to update the view.
The agent will now be installed on the selected computers.
It takes a few minutes for the agent to start collecting data for the new
managed host.
As the state changes, a regular refresh will allow you to see the changes.
For more information on Managed Host properties and changing the associated
service account, see “Locally Managed Host Properties” on page 49.
You can remove computers from the deployment, by selecting the Managed
Host node, right-clicking the required computer, and selecting Remove.
Adding a Managed Host with a Remote Agent
To add a managed host with a remote agent
1. Expand Quest Access Manager, right-click the Managed Hosts
node, and select Add Managed Host.
2. In the Select Management Method box, select Remotely managed
through an agent on another computer, and click Next.
For remotely managed hosts, the first remote agent must be added
during the host’s initial deployment. You can manually add more
remote agents later, if needed. For information about agents, see
“Access Manager Agent” on page 13.
3. Select a Host Computer (on which to install the agent) from within
the same forest as the target computer, and select a service account
with sufficient permissions to access the target computer.
4. Define a schedule for the agent to scan the target computer, and
select the required real-time file system updates setting.
For information about the real-time file system updates settings, see
“Remote Agent Settings” on page 57.
5. Select the data roots that will be indexed by this agent, and click
Finish.
Only one agent can scan a given data root.
The agent will now be installed on the selected computer.
6. To view the users and groups associated with the new managed host,
select the Refresh menu option.
For more information, see the following:
• “Remotely Managed Host Properties” on page 51
• “Agent Properties” on page 54
• “Change the Service Account Used to Access Information” on page 62
Add an Additional Remote Agent to a Managed Host
If you added a remote agent when deploying a Managed Host, you can manually
add more remote agents to that host.
When adding a remote agent, ensure a trust exists between the host and the
resource domains.
To add an additional remote agent
1. Expand Quest Access Manager and select Managed Hosts.
2. Right-click the Managed Host to which you want to add the remote
agent and select Add Agent.
3. Select a host cluster, NetApp filer, or Windows host from
within the same forest as the target host.
4. Select a service account with sufficient permissions to access the
target host.
5. Define a schedule for the agent to scan the target computer, select
the required real-time file system updates settings, and click
Next.
For information about the real-time file system updates settings, see
“Remote Agent Settings” on page 57.
6.
Select the data roots that will be indexed by this agent and click
Finish.
The agent cannot scan a data root that is already being scanned by
another agent.
The agent will now be installed on the selected computer. To view the
users and groups associated with the Managed Host, select the
Refresh menu option.
Automatic Agent Safety Check
If the volume hosting an agent store has fewer than 2 GB of available space,
the agent service will automatically shut down.
This is a safeguard to prevent disruption of other services hosted on the
computer, allowing you time to add a volume or reallocate space.
This is just one of the reasons why an agent might have stopped. To
determine if low space on the host volume was the cause, check the Events
tab in the agent properties. For more information, see “Agent Properties” on
page 54.
Agent List View
You can view the remote agents on a given Managed Host by selecting the host
in the right window and right-clicking to bring up the Properties panel. Clicking
the Agent tab lists all remote agents for that host.
Restart Agents
You must restart an agent when:
• A new storage volume is added to the system.
• The agent computer’s network or firewall configuration renders it
unable to contact the server.
When an Access Manager agent is restarted, it re-creates all information
within its local index. The server index is updated when the full scan
completes. A full scan occurs with a restart if you have enabled this option in
the agent’s Properties. To determine whether data in the client is the most
current from the agent, ensure that the data state of the managed host being
examined is marked as “Data Available.”
To restart an Agent
1. Expand the Managed Host node and select the required Managed
Host.
2. Right-click and select Restart Agent.
You can select the number of Agents you want to restart, either by using Ctrl
+ click to select multiple items, or Shift + click at the top and bottom of a
contiguous series of items to select them all.
You can also restart the Agent through Managed Host properties.
Update Agents
If the agent version that you are running is older than the current installed
Management Server, you can update the agent from the Access Manager
console.
When an upgrade is available for an agent, the status of the Managed Host will
display as Agent Update Required.
To update an agent
• Right-click the Managed Host, and select Upgrade Agent.
When you upgrade a Remotely Managed Host, the agent settings for
real-time file system updates will be disabled by default.
You can select the number of Agents you want to update, either by using Ctrl
+ click to select multiple items, or Shift + click at the top and bottom of a
contiguous series of items to select them all.
You can also update the Agent through Managed Host Properties.
Add a Cluster (Managed Host) to the Deployment
Once installed, a managed cluster is functionally identical to a remotely
Managed Host. However, the nature of clusters requires that they only be
managed remotely. Additionally, the remote agent must be configured after
the cluster has been added to the deployment as a Managed Host.
Only Windows failover cluster configurations are supported.
To add a cluster
1. Expand Quest Access Manager and select Managed Hosts.
2. Right-click and select Add Cluster Host.
3. Select the Managed Domain containing the cluster from the list.
Once the domain has been selected, the wizard enumerates the clusters available in the domain.
4. Select the cluster to be added to the Managed Domain and click Finish.
The managed cluster has been added to the Managed Domain.
However, no agents have been deployed to the managed cluster. To
add an agent to the managed cluster, see “Add an Additional Remote
Agent to a Managed Host” on page 38.
License a Domain
Once a domain is added to the deployment it is automatically licensed for use
and only users, groups, and computers within these domains are available to
manage. When a forest is added all domains in the forest are automatically
licensed.
When the number of enabled users in registered domains exceeds the
number of licensed users, you will be notified of the license violation.
To correct this violation, contact Quest Sales, and purchase additional
licenses, or remove domains from being licensed.
Because the license agreement is calculated on the number of licensed users,
you can remove the license on those domains that you do not want to query for
access information.
Only domains that are not managed (for example, external domains that do
not have agents deployed or Managed Hosts) can be unlicensed.
To remove the license for a specific domain
1. Expand Quest Access Manager, Configuration, and select the Managed Domains node.
2. Right-click the domain, and select Remove License.
To license a domain
• Expand the Managed Domain node, select an unlicensed domain, right-click and select License.
Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server
You can manage resources from the Access Manager console, from Active
Directory Users and Computers, and from Quest ActiveRoles Server once they
have been integrated.
Users or groups with Read access can integrate with ActiveRoles Server.
However, to integrate with Active Directory, users must be delegated Write
access. For more information, see “Delegating Access to Access Manager” on
page 27.
Active Directory Users and Computers
To use Access Manager functionality from Active Directory Users and Computers,
you must have the Client installed on the computer and register the computer’s
Active Directory forest within Quest Access Manager.
Only forests that are added to the deployment can be registered for Active
Directory integration. For more information, see “Add a Forest to the
Deployment” on page 31.
When integrating with Active Directory, Access Manager uses the credentials
of the user running the Client. The user must have the required permission to
modify the contents of the Display Specifiers container in the forest’s
configuration partition. This is usually limited to users in the Enterprise
Administrators group.
To integrate with Active Directory Users and Computers
1. Expand Quest Access Manager, Configuration and select the Managed Domains node.
2. Right-click the forest where the Access Manager extensions will be registered, select Integrate with Active Directory, and click Finish.
Quest ActiveRoles Server
Once you have integrated with ActiveRoles Server, you can easily manage
resources with Access Manager.
ActiveRoles Server Web Integration
The web integration allows you to use Access Manager and detailed resource
security information directly from ActiveRoles Server. You can view access on
selected resources from both the ActiveRoles Server MMC Client and from the
Web client.
When extending the ActiveRoles Server Web Interface, you must install the
Access Manager Web Integration package, ARSWebIntegration.msi, on all IIS
servers hosting the ActiveRoles Server Web Interface.
Once the web integration has been installed and configured, you can view user
and group access to files, folders, and shares.
To integrate Access Manager with ActiveRoles Server MMC Console and Web Client
For ActiveRoles Server integration you must have Read access in Access
Manager and the running account must have the proper rights in ActiveRoles
Server.
No actual changes are made within Access Manager for the integration; all
changes are made within ActiveRoles Server.
For more information, see “Delegating Access to Access Manager” on
page 27.
1. Expand Quest Access Manager, and select the Applications node.
2. Right-click ActiveRoles Server, and select ActiveRoles Server Integration.
You have the option of integrating Access Manager capabilities with both the ActiveRoles Server MMC Console and the Web Client.
3. Select the appropriate options and click Apply.
For the Access Manager management options to display in the MMC
Console, you must have the Access Manager client installed and you
will need to restart the Quest ActiveRoles Server service.
For the Access Manager options to display in the Web Client, you will
need to select Customization | Reload from within the Web Client.
Once you have finished the integration, you will be able to view access
either through the MMC Console or the Web Client by selecting a user
or group and choosing to Show Access.
After upgrading your ActiveRoles Server web components, you must uninstall
and re-install the Quest Access Manager Web Integration Pack on all
upgraded web servers.
To view user and group access through the ActiveRoles Server Web Client
1. Select the Directory Management option in the ActiveRoles Server web client.
2. Select the Menu tab, and the required user or group.
3. Select Show Access.
You will see the resources to which the selected user or group has
access. As you browse through the access, you will see all the
specifics such as whether the access is obtained directly through the
ACL or indirectly through group membership, the resource and
trustee name, the rights over the resource, and how inheritance has
been applied.
4. Right-click to filter the results to remove common built-ins (built-in Administrators and Users groups) and those resources where access is obtained indirectly through group membership.
You have the option of customizing the way that the web client
displays and sorts the information. Specifically, you can change the
order that the information is displayed, select the columns to display,
and group the information by the column that suits your needs.
5. You can also:
a) Click the column header and sort in ascending/descending order.
b) Group the results by a specific column by dragging the column header to the group by option.
c) Select the drop-down arrow to filter the results based on the column contents.
d) Select the key icon to filter the results based on the following: Begins with, Contains, Ends with, Equals, Doesn’t equal, Is less than, Is less than or equal to, Is greater than, Is greater than or equal to.
e) Right-click the columns and Show Customization Window to select the fields to display.
Access Manager Self-Service Request Client
The Access Manager Self-Service Request client allows users to request access
to resources while maintaining the approval process included in ActiveRoles
Server.
To allow users to use the Self-Service Access Request client, the Access Manager
Self-Service package (QuestAccessManager_SelfServiceClient_x86.msi or
QuestAccessManager_SelfServiceClient_x64.msi) must be deployed. You must
also configure its options, and delegate the Self-Service Access right. For details,
see “Delegating Access to Access Manager” on page 27.
For a user to make use of the Access Manager Self-Service functionality, they
must be from a forest that is registered in the Managed Domains view, in
addition to being granted the right to access self-service on the deployment.
To configure the Self-Service Client
1. Expand Quest Access Manager, and select the Applications node.
2. Right-click ActiveRoles Server, and select Access Manager Self-Service Configuration.
3. Select to allow users to request access to resources, and enter the ActiveRoles server that will be used to satisfy self-service requests.
4. Select to allow groups that have not been published on the ActiveRoles server.
Allowing non-published groups
If this option is selected, groups that have not been marked as published
within ActiveRoles Server can be included in the list of groups to which a user
can request access. When these groups are encountered, the requesting
user’s rights are checked, and the group is only included in their list of
available selections if one of the following two criteria is met:
• The requesting user has the ability to modify the membership of the group.
• The requesting user has the right to add themselves to the membership of the group granted through ActiveRoles Server.
If either of these two rights is held by the user, the group will be presented as
a valid option for requesting access. For groups meeting these criteria, if the
user has the right through ActiveRoles Server to add themselves to the
group, the operation will be attempted, and subjected to any membership
modification workflows specified by ActiveRoles Server. If no workflows have
been defined, and the user is permitted to modify the membership of the
group, they will be automatically added to its membership list.
5. Enter the Help Desk Information that will be displayed to the users. (Help message, Help Desk phone number and email address, email subject, and email body.)
6. Click Apply.
To use the Self-Service feature
1. A user right-clicks a folder and selects Request Access.
2. They select either Read or Contribute access.
A list of groups that will grant the user the requested access to the resource will be displayed.
Quest Access Manager uses a variety of criteria to determine suitability for
group selection, based on Microsoft’s best practices for setting file and folder
security in a distributed environment. Under certain conditions, a security
group that would give users their requested access may be deemed to be
inappropriate and therefore the group will not be displayed as an available
option. Please consult Microsoft’s documentation for more information.
3. The user simply clicks the required group, enters a reason to join the group, and clicks OK to send a request to join the group.
Should any questions or issues arise, users have the ability to contact the Help Desk for support if an email application has been configured on the client.
Explicit Exclusion of Groups
You may want to mark certain groups as being ineligible for self-service
requests, especially when Access Manager is configured to allow for
non-published groups to be presented. In this case, it is possible to mark either
specific groups, or all groups within a particular Active Directory container as
being ineligible for access requests.
To exclude groups
Modifying the registry can cause serious issues. Ensure that when making
these changes, only the described keys are modified.
1. On the Access Manager server, navigate to the following registry key using regedit.exe: HKEY_LOCAL_MACHINE\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN
The “DeploymentData” and “ExclusionByDN” subkeys may not exist. If these keys are not present, they should be created.
2. Beneath the ExclusionByDN key, create string values whose names match the Distinguished Name of the groups that are to be excluded.
If you want to exclude an entire container of groups, specify the Distinguished Name of the container, with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".
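The same exclusions can be written and verified from PowerShell instead of regedit.exe. The script below is an added example and is not part of the Quest guide or the product; it only uses the key path and the value-name syntax (a plain DN, or a DN with a leading "*" for a whole container) that the procedure above documents. Because the guide does not state what data the string values should hold, an empty string is written, and that is an assumption. The group and OU distinguished names in the usage call are constructed sample values for a hypothetical example.com forest; keeping privileged groups such as Domain Admins out of the self-service list is the kind of exclusion this key exists for.

```powershell
# Added example, not part of the Quest Access Manager guide or product.
# Registers self-service exclusions by creating string values under the
# ExclusionByDN key documented in the guide. Run on the Access Manager
# server in an elevated PowerShell session; only this key is touched.
function Add-SelfServiceExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Distinguished names to exclude. A leading "*" excludes every group in
        # the named container, per the syntax in the guide.
        [Parameter(Mandatory)]
        [string[]]$DistinguishedName,

        # Key path from the guide; DeploymentData and ExclusionByDN may not exist yet.
        [string]$KeyPath = 'HKLM:\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN'
    )

    # -Force creates any missing intermediate subkeys in the registry provider.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    foreach ($dn in $DistinguishedName) {
        # The value NAME is the DN. The guide does not specify the value data,
        # so an empty string is written (ASSUMPTION).
        if ($PSCmdlet.ShouldProcess($dn, 'Add exclusion value')) {
            New-ItemProperty -LiteralPath $KeyPath -Name $dn -Value '' `
                -PropertyType String -Force | Out-Null
        }
    }
}

function Get-SelfServiceExclusion {
    param(
        [string]$KeyPath = 'HKLM:\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN'
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) { return @() }
    # Value names are the excluded DNs (or "*"-prefixed container DNs).
    (Get-Item -LiteralPath $KeyPath).GetValueNames() | Sort-Object
}

# Usage with constructed sample DNs for a hypothetical example.com forest:
# keep privileged groups and an entire tier-0 OU out of self-service requests.
Add-SelfServiceExclusion -DistinguishedName @(
    'CN=Domain Admins,CN=Users,DC=example,DC=com',
    'CN=Enterprise Admins,CN=Users,DC=example,DC=com',
    '*OU=Tier0 Groups,DC=example,DC=com'
)

# Review what is currently excluded.
Get-SelfServiceExclusion
```

Because the function supports -WhatIf, you can preview the key and values it would create before committing the change, which keeps you within the guide's advice to modify only the described keys.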
Managed Host Properties
When you select the Managed Hosts node, you get a series of columns in the
right pane, giving details about all hosts managed by Access Manager.
Agent Events
During normal operation, Access Manager agents sometimes encounter issues
that cause normal indexing operations to be interrupted. When these events,
along with any other events of significant importance, occur, they are written to
the Agent Events list. This list is viewable through the Access Manager MMC
console, and can help diagnose problems.
For managed hosts that host local agents, the Agent Events tab can be found
on the Managed Host Properties dialog box. For more information on how to
access the properties dialog box, see “Specific Managed Hosts” on page 80.
For managed hosts being remotely managed, the properties dialog box for each
agent has its own Events tab.
Managed Host Data State Descriptions
DATA STATE: DESCRIPTION
A scanner error has occurred: A scanner error has occurred with one or more of the agent scanners for this host.
Data Available: Agents deployed to this host have completed their initial scans and returned their data.
Performing an initial scan: Agents deployed to this host report that the scanners have begun their initial scans.
Waiting for scanner status: Agents have been deployed for this host but they have not yet reported their scanner status to the server.
Waiting for scanners to start: Agents for this host have reported back to the server but not all of the scanners have started up.
Managed Host Status Descriptions
STATUS: DESCRIPTION
Agent Issue: One or more agents for this Managed Host are in an error state. View the Agent tab in Managed Host properties for detailed information.
Agent Registration Failed: An error occurred while the agent was attempting to register with the server.
Agent Unregistered: The agent for this Managed Host has unregistered.
Deleting: The Managed Host is being deleted.
Deleting And Uninstalling: The Managed Host is being deleted and the agent is being removed.
Deploying Agent: An agent for this Managed Host is being installed.
Incompatible Agent Version: An unsupported agent version has attempted to register with the server.
Install Failed: An automatic agent install has failed. The Configuration Message property will contain detailed information regarding the failure.
Install In Progress: An automatic agent installation is in progress.
Lease Expired: The lease for the agent on this Managed Host has expired. A communications issue has occurred between the agent and the server, or the agent is no longer running. Ensure that the agent is capable of communicating with the server. If an agent stays in this state for too long, the data state will be switched to suspect, and ultimately to stale, due to the absence of updates.
No Agent for host: There are no agents associated with this managed host.
OK: The agent is communicating with the server.
Resolved: The Managed Host’s information has been resolved, but it has not yet been configured for management. This is a temporary state.
Resolving Agent: The server is resolving the agent computer for this Managed Host.
Undeploying Agent: The agent for this Managed Host is being uninstalled.
Uninstall In Progress: An automatic uninstall of the agent is in progress.
Uninstalling Agents Failed: An automatic uninstall of the agent failed. The Configuration Message property will contain more detailed information regarding the failure.
Unresolvable: A Managed Host was added, but the computer information could not be verified. Managed Hosts in this state are not functional.
Unresolved: The agent computer has not yet been resolved.
Waiting for Agent First Connect: The Managed Host has been configured, and is waiting for an agent to register. Note: If a Managed Host stays in this state for a long period of time, it could indicate a communications issue between the agent and the server.
Locally Managed Host Properties
The Locally Managed Host Properties dialog box presents the following tabs:
General
This read-only tab displays the name of the computer being managed, the
management method (local), and any keywords added for the host.
Keywords can be used to configure several hosts together by using one or more
keywords to group them. For more information, see the following:
• “Saving Customized Layouts” on page 59
• “Configure and Report on a Group of Managed Hosts” on page 60
Data Roots
This tab presents the folder structures scanned by the agent. The agent will
default to a full scan of the computer.
To scan specific data roots
1. Right-click the required Managed Host and select Managed Host Properties.
2. Select the Data Roots tab.
3. Select the data roots to be scanned, and click OK.
For more information, see “Data Roots” on page 14.
Agent Details
This read-only tab displays agent status and configuration data for the local
agent.
For more information, see the following:
• “Agent Properties” on page 54
• “Access Manager Agent” on page 13
• “Add a Managed Host to the Deployment” on page 34
• “Restart Agents” on page 39
• “Update Agents” on page 40
Tracking Resource Activity
With Resource Activity Tracking, you can track actions, such as file access,
performed on the target computer. Several report types make use of this
information, including the Resource Activity report. All resource activity time
settings reflect local agent time. For information about reports, see “Creating
Reports” on page 107.
This setting is available for agents on locally managed hosts (Windows
computers), and on supported NAS devices (remotely managed). For a complete
list of supported platforms, see the Quick Start Guide.
You cannot use resource activity tracking with MS SQL Express; you must use
SQL Server Standard or Enterprise Edition.
For more information about NAS devices, see “Network Attached Storage
Devices” on page 34.
In some cases, Access Manager breaks actions down. For example, a rename
may be represented as a delete and a create. There may be variations in how
actions are represented depending on the system or the application that has
modified the resources.
To enable resource activity tracking
1. Right-click the required Managed Host and select Managed Host Properties.
2. Select the Resource Activity tab.
3. Select the Enable resource activity tracking check box.
4. Select the Granularity for the resource activity tracking.
Granularity specifies how often resource activity data is captured. The time stamps for resource activity are based on the agent local time.
5. To limit network traffic, select Synchronize only between these times and set the From and To time values, bearing in mind that all resource activity time settings reflect local agent time.
6. To change the identities and objects that are excluded from tracking, click the Manage Exclusions button and select the objects, file extensions and folders to exclude.
7. To return the exclusions list to the standard list, click Default.
8. To group excluded file extensions, enter a Category name in the exclusions list.
9. To import or export a list of SIDs, file types, or folders to exclude, use the Export and Import buttons on their respective tabs.
10. Click OK to close the Exclusions dialog box.
11. Click OK to close the Properties dialog box.
For information on the file syntaxes, see the parameter descriptions in “Add-QManagedHostByAccountName” on page 156. For folders, you can also drag and drop from Windows Explorer.
Local Groups
This tab presents the list of local groups found on the Managed Host. The list is
subdivided into Built-in Groups and other groups created by users or software.
From here, you can right-click and select to:
• View the group properties
• Create or delete the group
• Manage the group access
• View trustee properties
• View the group members and manage their access
• Run a group members or trustee access report
Remotely Managed Host Properties
The Remotely Managed Host Properties dialog box presents three tabs:
• General
• Agents
• Local Groups
General
This read-only tab displays the name of the computer being managed, the
management method (remote), and any keywords added for the host.
Keywords can be used to configure and report on several hosts at once by using
a keyword to group them. For more information, see the following:
• “Saving Customized Layouts” on page 59
• “Configure and Report on a Group of Managed Hosts” on page 60
Agents
This tab presents the list of remote agents configured to scan this host. From the
context menu you can also:
MENU: DESCRIPTION
Add Agent: Allows you to add another remote agent to scan another part of the target computer.
Remove Agent: Allows you to remove the remote agent. Note that the information will no longer be indexed and all stored access information collected by that agent is removed as well.
Restart an Agent: Allows you to remotely restart the agent.
Synchronize with Service Account: Updates the credentials used by the selected agent to match those maintained by Quest Access Manager. This is useful in the event of a password change for an account being used on a remote agent, or if someone has inadvertently changed the account on an agent directly through Microsoft Windows Service Control Manager.
Agent Properties: Displays detailed information in 4 tabs as described in the table below.
Show Layout Options: Shows the layout menu bar that you can use to save layouts.
Show Group By Box: Shows the group by menu box that you can use to drag a column into and group the layout by that column.
Column Chooser: Opens the Customization box that you can use to add, remove, and rearrange columns in the layout.
AGENT PROPERTIES: DESCRIPTION
Settings: Displays the computer name hosting the agent and the agent’s credentials. It also presents the schedule used to index the target computer and real-time file system update settings. Note: When selecting to "Run On An Interval," it is possible to choose a frequency such that the agent is still busy completing the last scan when the next scan should start. In this case, the scan that could not start on time will be skipped and the next scan will be started as normal. For information about using the File System Scanning Schedule and the Real-time File System Updates settings, see “Agent Status Descriptions” on page 56.
Data Roots: This tab presents the folder structures being scanned.
To change the selected data roots
1. Click Edit.
2. Select the data roots to be scanned and remove those that should not be scanned.
3. Click OK.
Agent Details: This read-only tab displays agent status and configuration information.
Refresh: Refreshes the information presented in the user interface.
Remember that it is not possible to have multiple agents scan the same data
root on a target computer. It is also not possible to have multiple agents on a
host computer scan the same target computer.
For more information, see the following:
• “Access Manager Agent” on page 13
• “Agent Properties” on page 54
• “Add a Managed Host to the Deployment” on page 34
• “Restart Agents” on page 39
• “Update Agents” on page 40
Local Groups
This tab presents the list of local groups found on the Managed Host. The list is
subdivided into Built-in Groups and Custom Local Groups created by users or
software.
From here, you can right-click and:
• View the group properties
• Create or delete the group
• Manage the group access
• Run a trustee access report
• View trustee properties
• View the group members and manage their access
Agent Properties
Both remote and local agents share attributes presented in the Details tab of the
Properties dialog box.
To view Agent Properties for a local agent
1. Right-click a host and select Managed Host Properties.
2. Select the Agent Metrics or the Agent Details tab.
To view Agent Properties for a remote agent
1. Right-click a host and select Managed Host Properties.
2. Select the Agents tab.
3. Right-click the Agent Computer and select Agent Properties.
Resource Activity Tracking
Resource activity tracking is used to collect data on identities, reads, writes,
creates, and other actions performed on the target computer. This information
is required for several report types, including the Resource Activity report. For
more information, see “Creating Reports” on page 107.
This setting is available for agents on locally managed hosts (Windows
computers), and on supported NAS devices (remotely managed). For a complete
list of supported platforms, see the Quick Start Guide.
For more information about using resource activity tracking, see “Tracking
Resource Activity” on page 50.
You cannot use resource activity tracking with MS SQL Express; you must use
SQL Server Standard or Enterprise Edition.
Properties Common to all Agents
Data Roots
The Data Roots tab displays the data roots scanned by the agent. Clicking Edit
allows the addition and deletion of data root targets for this agent.
For more information, see “Data Roots” on page 14.
Events
The Events tab displays errors that have occurred related to an agent. Errors
such as those generated during file system scans, remote file system
monitoring, and service account synchronizations are displayed in this list. This
list is periodically truncated as new items are added.
Agent Details
The Agent Details tab is a read-only display of the configuration settings of the
selected agent. This tab displays the following information:
• Status
• Mode
• Agent Port
• Agent Version
• Whether an upgrade for the agent is available
• The last recorded activity from this agent
• The ID, Display Name, and service name of the Agent Service
Agent Status Descriptions
The following table details the possible entries in the Status field:
AGENT STATE: DESCRIPTION
Agent Unregistered: Agent has unregistered.
Configuration Failed: An error has occurred while creating the agent service on the agent host computer.
Configuration in Progress: Agent service is being configured.
Deconfiguration Failed: An error occurred while removing the agent from the agent host computer.
Deconfiguration in Progress: The agent service is being removed.
Deleting: The agent is being deleted.
Deleting and Uninstalling: The agent software is being uninstalled.
Expired Lease: The agent has failed to renew its lease. This is often an indication of an error on the agent computer. Ensure that the agent is capable of communicating with the server.
Incompatible Agent Version: An unsupported agent version has attempted to register with the server.
Install Failed: An error occurred while installing the agent.
Install in Progress: The agent installation is in progress.
OK: The agent is in a good state and not experiencing any problems.
Registration Failed: An error occurred while the agent was attempting to register with the server.
Resolved: The agent computer has been resolved. This is a temporary state.
Uninstall in Progress: The agent is being uninstalled.
Uninstalled: The uninstall has finished. This is a temporary state.
Unresolvable: The agent computer has not yet been resolved.
Upgrading Agents: The agents for this host are being upgraded to a newer software version.
Waiting for Agent First Connection: The management server is waiting for the agent to register with the server for the first time.
Properties Specific to Remote Agents
Remote agents have additional properties that are not in common with local
agents, shown on the Settings tab.
Remote Agent Settings
Agents managing computers remotely can be configured to watch for changes
to the structure and security of file systems. However, there is a chance of errors
occurring during the watch due to the introduction of the network. For example,
network connections can be severed, watch roots can be deleted, or permissions
can deny the ability to watch for change. Because of this, two things are required
of the user: a scan schedule must be specified, and the rescan immediately if
changes are missed option must be configured.
File System Scanning Schedule
The Settings tab allows you to set the time and frequency with which the agent
scans the target computer. This tab also displays the host computer where the
agent resides and the service account that the agent uses to access the target
computer.
When selecting to "Run On An Interval," it is possible to choose a frequency
such that the agent is still busy completing the last scan when the next scan
should start. In this case, the scan that could not start on time will be
skipped and the next scan will be started as normal.
For remote agents, you must enable the Immediately scan on agent restart or
data root change option if you want the agent to scan immediately when it is
added. This option is cleared by default.
Real-time File System Updates
Selecting the Enable remote real-time file system updates option causes the
agent to watch for file or access changes, including change of ownership, on the
file system of the target managed host.
When this setting changes, the agent starts watching for the change during and
following the next scheduled full scan.
You can also restart the agent to force a full scan, if the Immediately scan on
agent restart or data root change option is enabled.
The time stamps for real-time file system updates are based on the agent
local time.
If network errors occur, the system will need to perform a full scan. If the rescan
immediately if changes are missed option is enabled, the agent will immediately
attempt to fully rescan the configured root objects. If it is not set, the agent will
wait until the next scheduled scan time to perform a full scan, leaving the index
in a stale state until that time.
Some NAS devices may not provide reliable remote change detection.
Enabling the remote change detection feature on these agents may lead to
frequent complete scans.
Grouping, Sorting and Filtering Views
Any time you see a view with column headers, such as the properties of your
server, or a list of rules or risks, you can work with it to present the information
in a useful way.
Adding and Removing Columns
To add a column to the display
1. Right-click any column header.
2. Select Column Chooser.
3. Drag the field to the desired location on the column header.
Some lists have more columns available than shown in the default view.
4. Close the Customization dialog box by clicking the X in the top right-hand corner.
To change the order of the columns
1. Click and drag the column header to its new location.
To remove a column from the display
1. Click and drag the column header until an X appears.
Grouping Information
To group the information to suit your needs
1. Select the Group Panel option and drag and drop the column headers in the required order.
To filter the information
1. Hover over the column header on which you want to filter.
2. Click the filter icon that appears.
3. Select a value.
To filter risks and verifications by severity
1. From the Severity Filter option, select the minimum level that you want to show in the report.
You can choose between Information, Low, Medium, High, or Critical. The default severity filter is set to Information, which shows all levels of risk.
To sort the information
1. Click the column header to sort on that field.
If you want to sort in the opposite order, click the column header again.
Saving Customized Layouts
Once you have the results displayed in a manner that suits your needs, you can save the layout for future use.
To use layout options
1. Right-click the list view for the Managed Hosts or Users and Groups node, and select Show Layout Options.
This option is also available from the Quick Search node.
2. Select from the list of layouts provided to change the view.
– OR –
Create your own layout by dragging the required column headers above the list view.
Select Save Layout As, enter a name for the layout, and click OK.
Grouping Managed Hosts Using Keywords
You can use the Keywords box in the Managed Host Properties (General tab) to filter and group hosts that share the same keyword. This enables you to organize computers into groupings so that you can set configuration options and run reports for a group of managed hosts all at once.
To add keywords to managed hosts
1. Expand Quest Access Manager, and select the Managed Hosts node.
2. Select all the hosts to which you want to add a keyword.
You can use the Filter Editor to search for hosts with specific attributes, for example by name, ID, or status. For information, see “Grouping, Sorting and Filtering Views” on page 58.
3. Right-click and select Managed Host Properties.
4. In the Keywords box, enter one or more meaningful keywords you can use to filter, sort, and group managed hosts.
For example, to group by function or region, you might enter the keywords "Sales Canada."
5. Once you have added keywords to a group of hosts, you can make the hosts easily accessible by doing the following:
a) Filter and Sort Information: from the Managed Hosts node, group and sort using the Keywords column and use the Filter Editor to search for hosts based on one or more keyword strings. For example, filter on either "Sales" or "Canada." You can also use sub-grouping to further sort the layout.
b) Save Customized Layouts: once you have filtered and grouped hosts by keyword, save the layout. For information, see “Saving Customized Layouts” on page 59.
Configure and Report on a Group of Managed Hosts
After you have grouped some managed hosts using column grouping, filtering, or keywords, you can easily perform several configuration and reporting actions for the whole group at once:
• Set the Managed Host Properties. For information, see “Managed Host Properties” on page 46.
• Remove the hosts. For information, see “Remove Forests, Domains and Hosts from Management” on page 64.
• Reinstall agents. For information, see “Access Manager Agent” on page 13.
• Run reports. For information, see “Creating Reports” on page 107.
To configure and report on a group of managed hosts
1. Expand Quest Access Manager, and select the Managed Hosts node.
You can customize your view to get the information you need. For more information, see “Grouping, Sorting and Filtering Views” on page 58.
2. If your layout has been saved, select the layout that displays your grouped managed hosts. For information, see “Saving Customized Layouts” on page 59.
3. After you have selected the group of managed hosts, right-click and select the action you want to perform.
For reports, you can run the Trustee Access and Resource Activity reports for a group of managed hosts. For more information, see “Creating Reports” on page 107.
There are several ways you can group your managed hosts. For information, see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Saving Customized Layouts” on page 59
Identify and Fix Group Resolution Issues
If there are any issues with group membership query operations in the domain, the data may not present a complete representation of access for a specified trustee type.
To view issues
1. If you have integrated Access Manager with Active Directory, you can right-click a user or group from within Active Directory Users and Computers, and select Manage Access.
– OR –
From the Access Manager console, use the Quick Search to find the required user or group, right-click, and select Manage Access.
The Access Manager console displays the computers and resource types where the user or group explicitly has access. If there have been any issues with the retrieval of group membership information, you will be able to review a list of issues and take the required corrective actions.
2. Click the Click to see a list of issues link.
The group resolution issues will be displayed along with guidance on how to resolve the specific issue. Once you have expanded the list, you can right-click and select to hide the details pane.
Change the Service Account Used to Access Information
At any time, you can change the account being used to access the information from Managed Domains and computers.
To select a new service account
1. Expand Quest Access Manager, Configuration, and select the Managed Domains node.
2. Right-click a forest, and select Properties.
When the application needs to resolve a SID from this forest or expand group membership, it will use the associated service account.
– OR –
Right-click a domain, and select Properties.
3. Select an existing service account.
– OR –
Click New to enter the credentials for a new service account.
When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.
The Managed Domain service account is used to install the agents on the Managed Hosts and not for the ongoing running of the agents.
Manage Service Account Properties
From the service account properties you can view the account name, change the password and description, view the status, and see whether the account can be used to manage domains.
You can also change the default service account by checking the box on the property page for an account that is not already set as the default. The default service account is the single account that will be tried when enumerating a domain that is not managed.
The service account must have Administrative rights to the domain that you want to access.
The Status field can show the following values:
Account Not Found: The Active Directory account represented by the service account has been deleted or moved. To resolve this, change the name information of the service account to match the new name of the Active Directory account.
Account Not Resolvable: Active Directory could not be contacted to determine whether the service account information is valid. To resolve this, ensure that the user name and password are correct.
Network Issue: The Active Directory domain containing the service account could not be contacted, and the account could not be logged on.
OK: The service account is functioning properly.
Remove Forests, Domains and Hosts from Management
To remove a forest
• From the Managed Domains node, select the required forest, right-click, and select Remove.
To remove forests, you must first remove all Managed Domains.
To remove Managed Domains
• From the Managed Domains node, select the required domain, right-click, and select Remove from Management.
To remove Managed Domains, you must first remove all Managed Hosts.
To remove Managed Hosts
• From the Managed Hosts node, select the required computer, right-click, and select Remove.
Access Manager Client Overview
The Access Manager client quickly provides resource security information.
Quest Access Manager Node
The specific actions that you can perform within Access Manager are determined by how the administrator has delegated responsibilities. For more information, see “Delegating Access to Access Manager” on page 27.
From the Quest Access Manager node you can view the status of current Access Manager deployments within your organization. From here you can also:
• Quickly locate users, groups, and computers on the network by entering the user, group, or computer and selecting Start Search.
• Add computers to the Access Manager deployment so that you can manage their resources by selecting Add Managed Host.
Only computers in domains that are managed can be added as Managed Hosts and have their security information gathered.
• View currently Managed Domains and add new domains to the Access Manager deployment by selecting Add Managed Domain.
• View the deployment information and connect to a new Management Server by opening the Deployment item and selecting Change Server.
• View the license information and update the license by selecting Update License.
• Set the access to Access Manager by right-clicking and selecting Deployment Security.
Configuration Node
From this node you can access and configure the service account used to
manage agent deployments, group expansion queries, and SID resolution. From
this node you can also access the Managed Domains node, which is used to
configure licensing, service account, and Active Directory Integration for
Managed Domains and Managed Forests.
For more detailed information, see “Service Account Node” on page 65 and
“Managed Domains Node” on page 68.
Service Account Node
A service account is associated with Managed Domains and represents the credentials used to access and manage resources. You can specify these credentials for an entire forest or on a per domain basis.
From the service account node, you can:
• Add a new service account
• Access the service account properties
From the Service Account node, you can access the following columns:
User Name: The account being used to access the information on the Managed Domain.
Description: The description provided when the service account was created.
UPN: The User Principal Name of the user in Active Directory.
Default: Indicates whether the service account is the default account Access Manager uses when contacting forests and domains without a defined service account. Note: Only one service account can be marked as the default.
Can Manage Domains: Indicates whether the service account can be used when configuring a Managed Domain. The service account must meet the following criteria:
• It must have valid credentials specified.
• It must have the right to log on locally to the Management Server. This right is configured automatically when you add a new service account to a domain.
If these criteria are met, this column will have a value of “True,” and the service account will be available for association with a Managed Domain from its Property page. If the service account cannot log onto the Management Server, this value will be “False.”
Note: Service accounts that cannot log onto the Management Server are still available for use in domains and forests that are not managed, but are not contacted for group membership information.
Status: One of the following:
Account Not Found: The Active Directory account represented by the service account has been deleted or moved. To resolve this, change the name information of the service account to match the new name of the Active Directory account.
Account Not Resolvable: Active Directory could not be contacted to determine whether the service account information is valid. To resolve this, ensure that the user name and password are correct.
Network Issue: The Active Directory domain containing the service account could not be contacted, and the account could not be logged on.
OK: The service account is functioning properly.
Service accounts are capable of the following tasks:
Interactive Client:
• Perform a quick search
• View Trustee Properties
• Integrate with Active Directory
• Integrate with ActiveRoles Server
• Modify Resource Security
Default Service Account:
• Manage Trustee Access (*)
• Report on Trustee Access (*)
• Read Trustee’s Group Membership Information (*)
Forest Service Account:
• Manage Trustee Access (*)
• Report on Trustee Access (*)
• Register a Forest
• Read Trustee’s Group Membership Information (*)
• Browse for Machine Local Groups (**)
Managed Domain Service Account:
• Manage Trustee Access
• Report on Trustee Access
• Manage a Domain
• Read Trustee’s Group Membership Information (*)
• Deploy an Agent
• Remove an Agent
• Synchronize Agent Service Accounts
• Restart an Agent
• Manage Machine Local Groups
• Browse for Machine Local Groups (**)
Agent Service Account:
• Remotely index security information
* These accounts are used only to read the membership information of groups to which the target trustee belongs.
** Because high-access service accounts are used to browse for members to add to machine local groups, users must be delegated Browse Active Directory permissions on the Access Manager deployment.
For more information, see “Change the Service Account Used to Access
Information” on page 62 and “Manage Service Account Properties” on page 63.
Managed Domains Node
From the Managed Domains node, you can see a forest-based representation of the entire enterprise and the status of the various domains within it (all the forests and domains that have been registered with Access Manager).
From here you can also:
• Add and remove forests and domains from management. For information, see “Add a Forest to the Deployment” on page 31 and “Add a Domain to the Deployment” on page 31.
• Register additional forests to manage their resources with Active Directory Users and Computers. For more information, see “Active Directory Users and Computers” on page 42.
• Change the service account credentials for the Management Server for an entire forest or on a per domain basis through its Properties page. For details, see “Change the Service Account Used to Access Information” on page 62.
You can also quickly assess the following information:
Managed State: If the domain has been registered with Access Manager, the state will display as Managed. If this column is empty, the domain is not managed, and computers in it cannot be added as Managed Hosts.
Note: Only computers in domains that are managed can be added as Managed Hosts and have their security information gathered. To register a domain with Access Manager, see “Add a Domain to the Deployment” on page 31. From here you can also remove a domain by right-clicking, and selecting Remove from Management.
Service Account: For Managed Domains, this account is used to read Active Directory information and perform agent maintenance tasks.
Note: If the domain is managed, then the service account must be able to log onto the Management Server. When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Access Manager Management Server. If the domain is not managed, then this account is only used for reading information from Active Directory.
Group Resolution Status: Identifies whether there are any problems with group membership query operations in the domain.
OK: There are no known issues with connecting to and reading information from the domain.
Network Issue: There is a network connectivity issue that is preventing Access Manager from performing group membership queries.
Management Status: Indicates whether Access Manager has encountered any issues with management operations in the domain.
OK: There are no known issues with connecting to and managing resources in the domain.
Network Issue: There is a network connectivity issue that is preventing the Access Manager server from contacting any domain controllers in the domain.
Access Denied: The registered service account does not have sufficient rights to read required information from Active Directory. A Managed Domain’s service account should at least have Read access to both the domain partition and the configuration partition.
Service Account Logon\Impersonation Failure: The service account registered for the domain cannot log onto the Management Server. This can be caused by a number of circumstances:
• The service account does not have Log on Locally rights to the computer hosting the Management Server. To fix this, ensure that the identified service account has this right.
• The service account’s name has been changed. To fix this, create a new service account with the new name, and change the service account being used to it.
• The service account is locked out or disabled. To fix this, unlock or re-enable the service account.
• The service account’s password has changed. To fix this, update the service account in Access Manager with the new password from the Service Accounts node.
Directory Integration: Forests and associated domains registered with Active Directory Users and Computers will have a Yes status. If the status is No, and you want to have the Access Manager functionality available from within Active Directory Users and Computers, right-click the forest and select "Integrate with Active Directory".
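The Service Account Logon\Impersonation Failure and Can Manage Domains entries above both come down to which logon rights the service account actually holds on the Management Server. The following Python is an added example, not part of this guide or the product: it parses the [Privilege Rights] section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports whether a given account SID effectively holds Log on as a service (SeServiceLogonRight) and Allow log on locally (SeInteractiveLogonRight), including the matching SeDeny* rights, which override a grant. The sample export text and every SID in it are constructed for the example; a real export is UTF-16 encoded and must be decoded before being passed in, and the rights an account holds through group membership (here the hypothetical membership in BUILTIN\Users) must be supplied as group SIDs.

```python
from typing import Dict, Iterable, Set

# Constructed sample in the layout written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# Holders are SIDs prefixed with "*" (real exports are UTF-16LE; decode before use).
# Every SID below is made up for this example.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1106
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Rights the guide says a Managed Domain service account needs on the Management Server.
REQUIRED_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeInteractiveLogonRight": "Allow log on locally",
}

def parse_privilege_rights(export_text: str) -> Dict[str, Set[str]]:
    """Return {right name: set of holder SIDs} from the [Privilege Rights] section."""
    rights: Dict[str, Set[str]] = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # An empty value means nobody holds the right; strip the "*" SID marker.
        holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
        rights[name.strip()] = holders
    return rights

def check_logon_rights(rights: Dict[str, Set[str]], account_sid: str,
                       group_sids: Iterable[str] = ()) -> Dict[str, Dict[str, object]]:
    """Evaluate each required right for the account and the groups in its token.

    A matching SeDeny* right wins over a grant, so the deny lists are checked
    explicitly rather than only the allow lists.
    """
    principals = {account_sid, *group_sids}
    report: Dict[str, Dict[str, object]] = {}
    for right, label in REQUIRED_RIGHTS.items():
        deny_right = "SeDeny" + right[len("Se"):]   # SeServiceLogonRight -> SeDenyServiceLogonRight
        granted = bool(principals & rights.get(right, set()))
        denied = bool(principals & rights.get(deny_right, set()))
        report[right] = {"label": label, "granted": granted,
                         "denied": denied, "effective": granted and not denied}
    return report

def missing_rights(rights: Dict[str, Set[str]], account_sid: str,
                   group_sids: Iterable[str] = ()) -> Set[str]:
    """Names of required rights the account does not effectively hold."""
    report = check_logon_rights(rights, account_sid, group_sids)
    return {r for r, info in report.items() if not info["effective"]}

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    svc = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    # Hypothetical: the service account is a member of BUILTIN\Users (S-1-5-32-545),
    # which is what carries the interactive logon right in the sample export.
    for right, info in check_logon_rights(parsed, svc, ["S-1-5-32-545"]).items():
        print(f"{info['label']:<22} granted={info['granted']} denied={info['denied']} effective={info['effective']}")
```

Run the export on the Management Server itself, not on a domain controller: user rights assignment is a local policy of the machine the service account must log on to, and a Group Policy that adds the account to a Deny right will show up here as denied even though the allow list still contains it.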
Applications Node
From the Applications node, you can register resources with Quest ActiveRoles
Server MMC console and Web Client and configure the Access Manager
Self-service Request client. For more information, see “Quest ActiveRoles
Server” on page 42.
Quick Search Node
From the Quick Search node, you can quickly locate resources within the entire enterprise or a specific forest for computers, users, or groups and manage the resource access.
You can search based on a number of parameters, as follows:
• Asterisk characters (*) to specify wildcards to support partial searches
• Names: Searches the First Name, Last Name, SAM Account Name, and Display Name attributes
• Description: Searches the description attribute
• First Name: Searches the First Name field
• Last Name: Searches the Last Name field
• Custom LDAP Query: Allows the specification of a custom LDAP query to use for searches.
LDAP Query Notes
Only attributes that are included in the global catalog can be searched.
In the Custom LDAP query string, do not include the objectClass clause, because Quest Access Manager already searches classes based on your selection in the user interface (Users, Groups, or Computers).
For information see http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx
After you have located the required user or group, you can right-click to begin
to manage their access.
You can also right-click a trustee or resource and select a reporting option to
create a report. For more information, see “Creating Reports” on page 115.
Columns Available in Quick Search
Name: The name of the object returned by Quick Search.
Type: The type of item it is. This could be Computer, Builtin Group, Domain Local Group, Global Group, Universal Group, or User.
Location: The UNC location of the object.
Right-click in the right pane and select Column Chooser to select extra columns to display. To include them in the view, simply drag and drop onto the Title Menu Bar. For more information on customizing your view, see “Grouping, Sorting and Filtering Views” on page 58.
Extra columns:
Class: Whether the item is a user, group, or computer.
Description: A verbose explanation of the item. For instance, the Print Operators group might have "Members can administer domain printers".
Distinguished Name: The object’s Active Directory distinguished name, which uniquely identifies the object within the directory.
Managed: This is either set to Yes or No and details whether the object is managed by QAM.
Operating System: The type of platform the system is running (such as Windows Server 2008).
Pre Windows 2000 Name: The pre-Windows 2000 logon name (the sAMAccountName attribute).
Sid: The security identifier (SID) of the object.
For more information see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Understanding Access Manager through Scenarios” on page 127
• “Saving Customized Layouts” on page 59
To search the enterprise for a specific resource
1. From the Access Manager console, select Quick Search.
2. From the Search In drop-down list, select a scope for your search, and select the check box beside the types of objects you want to search (Users, Groups, and/or Computers).
3. From the Search For drop-down list, select the criteria by which you want to search: Names, Description, First Name, Last Name, or Custom LDAP Query.
4. Enter a search string in the edit box and click Search to run your query.
Remember to use an asterisk for partial searches.
5. Right-click a user or group and select to manage resource access, view their group memberships, run a report, or view their properties.
– OR –
Right-click a computer to restart an agent, remove the computer from management, or view the computer properties.
Users and Groups Node
From the Users and Groups node, you can see all trustees with resource access on computers being managed by Access Manager, as well as users and groups who are members of machine local groups, and unknown SIDs.
From this view, you can edit the user or group security and quickly perform network investigation and cleanup by removing (if appropriate) the unknown SIDs. For more information, see “Manage Access for a User or Group” on page 89.
Reporting
You can run reports from the Users and Groups node for one or more trustees.
To run a report
1. Select one or more trustees, right-click and select Reporting.
2. Choose from one of the available reports: Trustee Access, Trustee Activity, Member Of, Member Of Comparison, Group Members, Group Members Comparison.
The type of report you can choose depends on the number and type of users or groups you have selected.
– OR –
Alternatively, you can right-click a trustee and select Manage Access, open a resource, and then run a report.
For more information, see “Creating Reports” on page 107.
Layouts, Filtering, Grouping, and Sorting
You can use Layout Options in the Users and Groups node. There are several pre-defined layouts you can choose from to view your security index in different ways. The Default layout is grouped by Resource Type and shows the Trustee Name, Host Name, Trustee Type, and Keyword columns by default. Other pre-defined layouts include:
• Domain-level Trustees Only
• Exclude Built-in, Well Known, and Special Trustees
• Grouped by Host
• Grouped by Resource Type
• Grouped by Trustee
Create your own filters, group and sort the data, and then save your custom layouts to have instant access to the views you need to understand and manage your security data. For example, add a filter such as [Service Identities][=][Unknown] to clean up old unused SIDs.
For more information see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Understanding Access Manager through Scenarios” on page 127
• “Saving Customized Layouts” on page 59
Special Trustee Types
In a Windows environment, file, folder, and share security is sometimes configured without actually referencing users or groups. Shares on Windows 2000, for example, use a null security descriptor to grant everyone full control by default. Some applications will define empty discretionary access control lists on files or folders to ensure no access except by backup and restore operators.
Access Manager reports these cases by using special alias trustees. The following cases are treated as special trustee types:
Null Security Descriptor: Resources configured with this value are treated as Everyone having Full Control.
Null Discretionary Access Control List: Resources configured with this value are treated as Everyone having Full Control.
Empty Discretionary Access Control List: Resources configured with this value are treated as having no users with any access.
Administrative Share: When an Administrative Share is encountered by Access Manager, it is reported as the alias “Administrative Share Security Descriptor Alias.” Generally, only administrators of the hosting computer have access to administrative shares.
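The first three cases can be told apart from a resource's security descriptor before any product reports an alias, and the distinction between a null DACL and an empty DACL is the one that most often surprises people: the former is "everyone, full control", the latter is "nobody". The following Python is an added example, not the product's code. Given a descriptor in SDDL form, or None for a missing descriptor, it classifies the resource as a null security descriptor, a null DACL, an empty DACL or an explicit DACL, and expands the first two into the Everyone/Full Control reading the table above gives. Both SDDL spellings of a null DACL are handled: no D: section at all, and the D:NO_ACCESS_CONTROL flag. The alias and access-mask tables are a constructed subset of the standard SDDL abbreviations, and the sample descriptors are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the SDDL SID abbreviations.
SID_ALIASES: Dict[str, str] = {
    "WD": "Everyone",
    "BA": r"BUILTIN\Administrators",
    "BU": r"BUILTIN\Users",
    "BO": r"BUILTIN\Backup Operators",
    "SY": r"NT AUTHORITY\SYSTEM",
    "AU": r"NT AUTHORITY\Authenticated Users",
}
# Constructed subset of the SDDL access-right abbreviations and their masks.
RIGHTS_ALIASES: Dict[str, int] = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}
FILE_ALL_ACCESS = 0x001F01FF
GENERIC_ALL = 0x10000000
ACE_TYPES = {"A": "Allow", "D": "Deny"}

@dataclass
class Entry:
    trustee: str
    ace_type: str
    mask: int

    @property
    def full_control(self) -> bool:
        return bool(self.mask & GENERIC_ALL) or (self.mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS

@dataclass
class DaclSummary:
    kind: str             # null_security_descriptor | null_dacl | empty_dacl | explicit
    entries: List[Entry]  # effective trustees, as the table above would report them

def decode_rights(text: str) -> int:
    """Turn an SDDL rights field ("FA", "FRFX", "0x1200a9") into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):      # two-letter codes, OR-ed (they overlap)
        mask |= RIGHTS_ALIASES[text[i:i + 2]]
    return mask

def classify_dacl(sddl: Optional[str]) -> DaclSummary:
    everyone_full = [Entry("Everyone", "Allow", FILE_ALL_ACCESS)]
    if sddl is None:
        # No security descriptor at all (the Windows 2000 share default).
        return DaclSummary("null_security_descriptor", everyone_full)
    # Locate the O:/G:/D:/S: sections. ACE bodies never contain ":", so every
    # "X:" with X in OGDS is a section marker.
    marks = list(re.finditer(r"[OGDS]:", sddl))
    sections: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group()[0]] = sddl[m.end():end]
    if "D" not in sections:
        # DACL_PRESENT clear: a null DACL, which grants everyone full control.
        return DaclSummary("null_dacl", everyone_full)
    dacl = sections["D"]
    flags = dacl.split("(", 1)[0]
    if "NO_ACCESS_CONTROL" in flags:
        # The explicit SDDL spelling of a null DACL.
        return DaclSummary("null_dacl", everyone_full)
    aces = re.findall(r"\(([^)]*)\)", dacl)
    if not aces:
        # DACL present but without ACEs: nobody is granted anything.
        return DaclSummary("empty_dacl", [])
    entries = []
    for ace in aces:
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        entries.append(Entry(SID_ALIASES.get(fields[5], fields[5]),
                             ACE_TYPES.get(fields[0], fields[0]),
                             decode_rights(fields[2])))
    return DaclSummary("explicit", entries)

# Constructed sample descriptors, one per case in the table above plus an explicit DACL.
SAMPLES: Dict[str, Optional[str]] = {
    "no descriptor": None,
    "no D: section": "O:BAG:SY",
    "NO_ACCESS_CONTROL": "O:BAG:SYD:NO_ACCESS_CONTROL",
    "empty DACL": "O:BAG:SYD:P",
    "explicit": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)(D;;FW;;;WD)",
}

if __name__ == "__main__":
    for label, sddl in SAMPLES.items():
        summary = classify_dacl(sddl)
        trustees = ", ".join(f"{e.ace_type} {e.trustee}{' (Full Control)' if e.full_control else ''}"
                             for e in summary.entries) or "no access"
        print(f"{label:<18} {summary.kind:<26} {trustees}")
```

An empty DACL stops ACL-based access but not holders of SeBackupPrivilege and SeRestorePrivilege, whose file operations bypass the DACL; that is the "except by backup and restore operators" in the text above, and it is why such a resource should still be reviewed rather than assumed unreachable.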
Managed Hosts Node
When you select the Managed Hosts node, you will be able to see at a glance all the hosts registered with Access Manager. At the Managed Hosts node level, you can choose between Managed Hosts View and Agents View. The Managed Hosts View is the default view. From here you can add or remove computers for management. The Agents View provides useful information about the performance and activity of the agents.
For details, see “Add a Managed Host to the Deployment” on page 34 and “Add a Cluster (Managed Host) to the Deployment” on page 40.
Managed Hosts View
When you select the node labelled "Managed Hosts", you are already at the Managed Hosts view.
To display Managed Hosts View
1. In the treeview, select Managed Hosts.
2. Right-click and select Managed Hosts View.
The columns in the right pane will now reflect the default view.
Columns Available in Managed Hosts View
Host Name: The host on which data is being collected.
Keywords: Any keywords that have been entered in the Managed Host’s properties.
Status: What the Managed Host is doing at the moment. For details of Status, see “Managed Host Status Descriptions” on page 48.
Management Method: Indicates whether the host is managed using a local or remote agent.
Domain: The domain to which the host belongs.
Data State: The current state of the data from this host. For details of Data State, see “Managed Host Data State Descriptions” on page 47.
Right-click in the right pane and select Column Chooser to select extra columns to display. To include them in the view, simply drag and drop onto the Title Menu Bar. For more information on customizing your view, see “Grouping, Sorting and Filtering Views” on page 58.
Extra columns:
Forest DNS Name: DNS name of the forest containing the Managed Host.
Host DNS Name: DNS name of the Managed Host.
Managed Host Type: The physical configuration of the Host (such as Windows Computer).
Managed Host ID: Displays a unique ID assigned to this host and stored in the database.
Most Recent Activity: Displays the date and time of the last communication received from the agent, in UTC.
Starts With: Displays the first letter of the Host name.
Agents View
To display Agents View
1. In the treeview, select Managed Hosts.
2. Right-click and select Agents View.
The columns in the right pane will now reflect the Agents View.
Columns Available in Agents View
Agent Host: The name of the host running the agent software.
Managed Host: The name of the computer being managed. It is the same as the Agent Host for locally managed hosts, but different for remotely managed hosts.
Agent Store Size: The total size of all files related to an agent instance on its hosting system.
Items Scanned: The number of file system items scanned by the agent during its last full file system scan.
Indexing Performance (Items/sec): The average rate of file system items indexed during the last full file system scan. An average performance of less than 1000 items/second can be indicative of a poor network connection between the agent and its target managed host.
Total File System Operations: The total number of file system operations encountered by the agent since change watching started.
File System Scan Time: The duration of the last full file system scan. Note that this value will not be filled in until at least one full scan has been completed.
Agent Status: The current status of the agent. For details on Agent Status, see “Agent Status Descriptions” on page 56.
Agent Version: The version of the Access Manager agent software on its hosting computer.
Agent Host Type: Indicates whether the agent is local (indexing the local computer) or remote (indexing a remotely managed host).
Items Stored: The total number of items stored for this Agent since the last full scan.
Right-click in the right pane and select Column Chooser to select extra columns to display. To include them in the view, simply drag and drop onto the Title Menu Bar. For more information on customizing your view, see “Grouping, Sorting and Filtering Views” on page 58.
Extra columns:
Activity Enabled: Indicates whether resource activity tracking has been enabled on the agent.
Activity File Size: The total size of all resource activity store files (those with a .qamrudb extension) on the agent. These files are deleted upon successful synchronization with the server.
Activity Files: The total number of resource activity store files (those with a .qamrudb extension) currently on the agent. These files are deleted upon successful synchronization with the server.
Agent ID: A unique code generated by QAM to identify this agent.
Agent Uptime: Indicates how much time has passed since the agent’s last restart. Agents can restart for a number of reasons, including restarts of their host systems, restarts of the agent service itself, or install/upgrade operations on other agents hosted on the same system.
Aggregated Activities: The number of activities that have been recorded by Access Manager after duplicate events have been removed. Aggregated Activities is based on the granularity you have set on the Resource activity tab in Agent Properties. The less granular the setting, the lower this number will be.
Average Activities / Store: The average number of activity records recorded per activity store. The higher the value, the more unique activities are being encountered by the Access Manager agent.
Average Changes (Changes/Flush): The average number of changes that are being made each time the system updates.
Changes Synchronized: The total number of resource activity records synchronized with the server.
Failed Synchronizations: The number of times the agent has attempted to synchronize resource activity information with the server, but has failed.
Keywords: Any keywords that have been entered in the Managed Host’s properties.
Managed Host Type: The physical configuration of the Host (such as Windows Computer).
Queue Flushes: The number of times the Access Manager agent has flushed its internal change monitor’s queue. This value is generally used only for diagnostic purposes.
Service Display Name: The display name of the Access Manager agent service as displayed by the Service Control Manager.
Successful Synchronizations: The number of times the Access Manager agent has successfully synchronized activity information with the server.
Usage Stores Synchronized: The total number of resource activity store files (those with a .qamrudb extension) which have been sent from the agent to the server. These files are deleted upon successful synchronization with the server.
Reporting
You can run reports from both the Resource View and Trustee View of the
Managed Hosts node.
To run a report
1. Select one or more resources or trustees (depending on the View), right-click, and select Reporting.
2. Choose from one of the available reports: Resource Activity, Perceived Owners (Resource View), Resource Access, Trustee Access, Trustee Activity, Member Of, Member Of Comparison, Group Members (Trustee View).
The type of report you can choose depends on the number and type of users or groups you have selected.
– OR –
Right-click a resource or trustee and select Manage Access, open a resource, and then run a report.
For more information, see “Creating Reports” on page 107.
Layouts, Filtering, Grouping, and Sorting
From the Managed Host node, you can quickly assess the information contained
in the table below. Right-clicking in the right pane provides display options such
as grouping on a specified column (Group by Box); saving, deleting and
retrieving custom layouts (Layout Options); and choosing the columns displayed
(Column Chooser).
You can also use the Keywords column to group managed hosts and then
configure and run reports on a group of hosts all at once. For information, see
“Saving Customized Layouts” on page 59 and “Configure and Report on a Group
of Managed Hosts” on page 60.
The Default layout shows the Host Name, Keywords, Status, Management Method, Domain, and Data State columns. Other pre-defined layouts include:
• Group by Data State
• Group by Domain
• Group by Keywords
• Group by Status
Create your own filters, group and sort the data, and then save your custom layouts to have instant access to the views you prefer.
For more information see the following:
• “Grouping, Sorting and Filtering Views” on page 58
• “Saving Customized Layouts” on page 59
• “Configure and Report on a Group of Managed Hosts” on page 60
The host may be managed by a local agent or by a remote agent residing on a different computer. For details, see “Access Manager Agent” on page 13.
Specific Managed Hosts
Select a specific managed host icon, then right-click and select an option to view that host individually. By selecting a specific Managed Host, you can:
• Right-click and select to view the access either through the Trustee View or the Resource View.
The Trustee View allows you to view users and groups who have access to resources on the selected computer and modify their access.
The Resource View allows you to view the file system and shares on the selected host and modify their security.
• Right-click and add a Managed Host.
For details, see “Add a Managed Host to the Deployment” on page 34.
• Right-click and add a Cluster Host.
For details, see “Add a Cluster (Managed Host) to the Deployment” on page 40.
• Right-click and select to view the Managed Host properties.
For more information, see “Managed Host Properties” on page 46.
• Right-click and select to restart agents on a locally Managed Host.
For more information, see “Restart Agents” on page 39.
• Right-click and select to add an agent for a remotely Managed Host.
For more information, see “Add an Additional Remote Agent to a Managed Host” on page 38.
• Right-click a remotely Managed Domain and synchronize with the service account.
This updates the credentials used by the selected agent to match those maintained by Quest Access Manager. This is useful in the event of a password change for an account being used on a remote agent, or if someone has inadvertently changed the account on an agent directly through the Microsoft Windows Service Control Manager.
• Right-click and select to remove a computer from control.
For more information, see “Remove Forests, Domains and Hosts from Management” on page 64.
• Right-click and select to export the agent log.
These logs are used for troubleshooting and when talking to customer support. For more information, see “Where are the Logs?” on page 136.
• Right-click and select Reporting to run reports.
For more information, see “Creating Reports” on page 107.
• Right-click and select to review the scanning activity on the selected computer through the Properties page.
For more information, see “Grouping, Sorting and Filtering Views” on page 58.
• Double-click a computer to view and manage:
a) users and groups who have access to specific resource types
b) resources with access (files, folders, shares)
c) rights (Local user rights, Operating System rights)
d) Windows service identities (view only)
Reports Node
You can view and run the available report types in this node. When you select a
report type, the Configure New Report button appears. Select this button to start
creating a report.
When you save a report template, the template is saved under its report type
node. When you execute the template again, the report runs based on the saved
configuration but with the current data.
You can right-click a report template to:
• Execute report
• Schedule report
• Delete report template
• Rename report template
• Add to ’My Reports’
When you Export a report, a copy of the report output is saved in the format and location you choose. This is a snapshot of the data at the time that it was run. To see the most current data in a report, execute the report template.
For more information, see the following:
• “Creating Reports” on page 115
• “Scheduling Reports” on page 125
Background Operations Node
Certain operations within Access Manager occur in the background. You can view
the progress of these operations by selecting the Background Operations node
in the Access Manager client.
Background operations include:
• Cloning, replacing, or removing access for a group of trustees
• Changes for SACL, DACL, or owner security
• Securing a share with no access control
• Agent log file exports
If you close the client, any operations that have not yet started will be deleted.
For more information, see the following:
• “Clone, Replace, and Remove Access for a Group of Trustees” on page 96
• “Edit Security” on page 94
• “Find and Secure a Share with No Access Control” on page 97
• “Where are the Logs?” on page 136
Removing Access Manager
Access Manager can be removed either as part of:
• An upgrade
If you select this option, the deployment components will be maintained. When you install Access Manager again, you can use the Configuration Wizard to point to this existing configuration.
As of version 2.0, you must provide the deployment key when performing a server upgrade.
• A full deployment removal
If you select this option, all deployment components are removed. This permanently removes the deployment from your environment.
To remove Access Manager as part of an upgrade
1. Select Start | Programs | Add/Remove Programs.
2. Select Quest Access Manager | Remove.
3. In the Deployment Removal dialog box, select I am upgrading and want to leave my deployment intact, and click OK.
To perform a full deployment removal
• The Management Server must be running during the uninstall.
• Many of the uninstall operations are performed under the credentials of the user running the tool; therefore, those operations will fail if the user does not have the required permissions.
1. Select Start | Programs | Add/Remove Programs.
2. Select Quest Access Manager | Remove.
3. In the Deployment Removal dialog box, select I am uninstalling the application and want to remove all components. (Includes the database, Managed Hosts, and Management Server configuration), and click OK.
The Deployment Removal dialog box opens.
4. Click Run.
As the removal proceeds, the actions and state are updated.
ACTION | PERFORMED BY
Remove Managed Hosts | Server
Remove Display Specifiers | User
Remove Managed Domains | Server
Unregister Forests | Server
Remove SCP Objects | User
Stop Services | User
Delete Server Keys | User
Delete Database | User
Errors and warnings are reported in the listview. You can double-click on an item to get more details.
A log file, teardown_log.txt, is created for all of the removal steps. The file location is: <install root>\Quest Software\AccessManager\ManagementServer\Teardown. This file will remain after the uninstall.
5. Click Finish.
2 How To . . .
• Investigate Resource Access
• Manage Network Access
• Manage Machine Local Groups
Investigate Resource Access
To ensure network resources are secured in a manner that meets your business needs, you must be able to easily identify who has been given access to those resources and manage that access appropriately.
Using Access Manager you can quickly see who has been given access to specific resources, identify and manage the permissions associated with shares, folders, and files, and run reports to save the information. You can also see where a user is running as a Windows service on Managed Hosts.
To view and manage access from Access Manager
FOR A USER OR GROUP
• Search for the required user or group, right-click the trustee and select Manage Access, or Reporting to run a report.
– OR –
Select the required user or group from the Users and Group node, right-click, and select Manage Access, or Reporting to run a report.
FOR A MANAGED HOST
• Select a Managed Host with the Trustee View selected, browse through the resources and locate the user or group with access, right-click, and select Manage Access, or Reporting to run a report.
– OR –
Select a Managed Host with the Resource View selected, browse through the file system, and modify the permissions associated with shares, folders, and files or select a specific user or group and select to Manage Access, or Reporting to run a report.
– OR –
Search for a computer through Quick Search, right-click and select Manage Resources, browse through the file system, and modify the permissions associated with shares, folders, and files or select a specific user or group and manage their access.
– OR –
Search for a computer through Quick Search, right-click and select Manage Access, browse through the resources and locate the user or group with access, right-click, and select Manage Access, or Reporting to run a report.
For details on managing access, see “Manage Network Access” on page 89; for modifying security, see “Edit Security” on page 94.
For information about running reports, see “Creating Reports” on page 107.
You can also view and modify access from Active Directory Users and Computers or Quest ActiveRoles Server: right-click a user, group, or computer and select Manage Access.
You must have integrated with Active Directory Users and Computers and
Quest ActiveRoles to access this option. For more information, see “Integrate
Access Manager with Active Directory Users and Computers or Quest
ActiveRoles Server” on page 41.
Search for a Specific User, Group, or Computer
From the Quick Search node, you can quickly locate resources within the entire
enterprise or a specific forest for users, groups, or computers.
To search the enterprise for a specific user, group, or computer
1. From the Access Manager console, select Quick Search.
2. Select the search scope and the type of object for which you are going to search. Provide the search text, and click Search.
– OR –
Select a specific domain from the list to narrow your search for a specific user or group, and click Search.
3. Right-click a user or group and select to view and manage resource access, view group membership information (group members and the groups to which the trustee belongs), run an access or group membership report, or view their properties.
– OR –
Right-click a computer and select to manage its access (Trustee View), manage resources (Resource View), manage a local group, view the computer and Managed host properties, run a report, add an agent, remove the computer from Access Manager control, or synchronize with a service account.
For more information, see the following:
• “Quick Search Node” on page 71
• “Creating Reports” on page 107
Manage Network Access
Administrators must answer the following questions daily to ensure network compliance:
• Where do users and groups have access and is the access correct?
• Through which groups do users have access?
• Has access to resources been granted through group membership or directly through the resource Access Control List?
The answers to these questions are easily attained through Access Manager. More specifically, you can:
• Manage Access for a User or Group
• Manage Resources
• View and Edit Trustee Properties
• Edit Security
• Clone, Replace, and Remove Access for a Group of Trustees
• Find and Secure a Share with No Access Control
• Add and Remove Rights
• Assign Business Ownership
• View Group Membership
• Manage Machine Local Groups
• Run a Trustee Access Report
• Run a Group Members Report
Manage Access for a User or Group
When you right-click on a specific user or group and select Manage Access, you are presented with the Trustee Access view, which shows:
• Group Membership information in the left pane
• Resource Access information in the top right pane
• Detailed resource Access information in the bottom right pane (based on the selection in the left and top right panes)
You can right-click a trustee or a resource in any of the panes to run a report.
For more information, see “Creating Reports” on page 107.
User and Group Membership
The User and Group membership view displays a tree view with the selected trustee at the root. The first level beneath the root contains all the groups of which the trustee is a direct member. Beneath each of those groups are the groups of which it is in turn a member, so the trustee belongs to them indirectly, through the first-level groups, and so on.
For more information, see “Group Membership and Group Expansion” on
page 19.
Figure 3: This view allows you to select any group to see the resource access
granted by being a member of that particular group.
If there have been any issues with the retrieval of group membership
information, you can click the link in the lower-left to review details. Once
you have expanded the list, you can right-click and select to hide the details
pane.
Resources
This Trustee Access view shows all Managed Hosts (computers) where the
selected user or group has access.
Figure 4: This view displays the type of resource where the user or group has access and whether this access has been granted explicitly (Directly held — the account is in the ACL) or through group membership (Indirectly held — the account belongs to a group that is in the ACL).
To get this view, select a user or group, right-click and select Manage Access.
This view is highly configurable and can be grouped according to Managed
Host, Resource Type, Account Name, and so on. Therefore, your view may be
organized differently than the one described here.
Detailed Resource Information
When a resource is selected in the upper-right pane of the Trustee Access view,
the lower-right pane shows the individually accessible resources for the selected
computer and resource type.
Figure 5: From here, you can modify the security of a resource by right-clicking
and selecting Edit Security. For details, see “Edit Security” on page 94.
Manage Resources
When you select to view a Managed Host with the Resource View enabled, you
will quickly be able to see its shares and file system. Double-click through the
file system to locate the required resource. Once located, you can edit the
permissions or select to manage a trustee’s access.
Figure 6: Select the Resource View from the Managed Host node
For more information, see “Edit Security” on page 94 and “Manage Access for a
User or Group” on page 89.
View and Edit Trustee Properties
Before editing access to specific resources, you can view the user or group
properties.
To view trustee properties
1. Use the Quick Search option to locate the required user or group.
– OR –
Select the required trustee from the Users and Groups node.
2. Right-click and select Trustee Properties.
3. View the properties and edit as required.
Edit Security
Access Manager's Resource Security Editor allows you to edit the ACL, the SACL
(Auditing), the Owner, and Share Permissions.
The editor also provides an entry point to manage trustee access, view group
membership information (Group Members and Group Member of), run reports
such as the Trustee Access Report, and add and remove rights.
Figure 7: Access Manager’s Resource Security Editor
All changes are performed by the Access Manager server, using the service
account appropriate for the target computer. To ensure that unauthorized access
does not occur, Access Manager checks the client’s native rights to ensure they
are permitted to perform the requested operations. Additionally, clients must
have the Access Application right to the Access Manager deployment.
The following is a summary of the native rights required to perform various
security operations within the Access Manager client:
OPERATION | REQUIRED RIGHTS
View shares | No special rights required
View Administrative shares\volumes | Membership in the Administrators group of the computer
View or modify share security | Membership in the Administrators, Power Users, or Server Operators group of the computer
View folder or file security | Read Permissions on the folder or file; Read on the share from which the folder or file is accessed
Modify folder or file security | Write Permissions on the folder or file; Read on the share from which the folder or file is accessed
Navigate through a share or folder | Read on the share from which the folder or file is accessed; List Contents on the folder
All changes made within Access Manager from the Resource Security Editor
are logged in the Quest Access Manager Audit event log. For more
information, see “Where are the Logs?” on page 136.
To edit security from the Trustee View
1. Right-click a user or group and select Manage Access.
For details on the various methods of locating trustees, see “Investigate Resource Access” on page 86.
2. Browse through the resource types, and select the required computer.
A detailed list of all the resources with access will display.
3. Right-click the resource and select Edit Security.
4. Alter the security as required.
You can also right-click the user or group to manage the trustee access, view group members, run a Trustee Access or other report, add rights, or remove permission.
You can run one of the following reports, depending on the number and type of trustees you have selected: Trustee Access, Trustee Activity, Member Of, Member Of Comparison, and Group Member Reports.
To edit security from the Resource View
1. Select a Managed Host, and browse through the shares and file system and select the required resource.
The Security Editor displays in the lower pane.
2. Alter the security as required.
You can also right-click the user or group to manage the trustee access, view group members, run a Resource Activity or Perceived Owners report, add rights, or remove permission.
For more information about reporting, see “Creating Reports” on page 107.
Clone, Replace, and Remove Access for a Group of Trustees
To quickly make changes to a group of trustees and resources, you can select to clone, replace, or remove access all at once.
You can view the progress of the operations by selecting the Background Operations node in the Access Manager client.
You will not be prompted to confirm the removal; the operation runs automatically once the option is selected.
To clone, replace, or remove access for a group of trustees
1. Right-click a user or group and select Manage Access.
For details on the various methods of locating trustees, see “Investigate Resource Access” on page 86.
2. Browse through the resource types, and select the required computer.
A detailed list of all the resources with access will display.
3. Right-click the resource and select Clone Trustee.
Select the object type, location, and name and click OK.
– OR –
4. Right-click the resource and select Replace Trustee.
Select the object type, location, and name and click OK.
– OR –
5. Right-click the resource and select Remove Trustee.
Find and Secure a Share with No Access Control
This is a security measure to ensure all shares have access control. A share without access control, whether through a null security descriptor (SD) or a null discretionary access control list (DACL), is a potential security risk. Quest Access Manager helps you find these resources and secure them by specifying a trustee with Full Control.
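A share's security descriptor can be checked for these two conditions from its SDDL form: a null DACL appears as an SDDL string with no D: component at all, while a null SD has no descriptor to render. The following script is an added example, not part of this guide or of Access Manager; the share names and SDDL strings are constructed, the state labels are assumptions, and with_full_control() only models the outcome of the Add a Trustee to Null SD / Null DACL operations described below.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches one ACE such as (A;;FA;;;BA) inside the D: or S: component of an SDDL string.
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Finding:
    share: str
    state: str    # "null-sd", "null-dacl", "empty-dacl" or "ok" (assumed labels)
    detail: str


def split_sddl(sddl: str) -> Dict[str, str]:
    """Split an SDDL string into its O: (owner), G: (group), D: (DACL) and S: (SACL)
    components. A component absent from the string is absent from the result, which
    is exactly how a null DACL shows up: there is no D: part at all."""
    parts: Dict[str, str] = {}
    for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        parts[m.group(1)] = m.group(2)
    return parts


def classify(share: str, sddl: Optional[str]) -> Finding:
    """Classify one share the way the Null Security Descriptor Alias and
    Null Discretionary Access Control List Alias views group them."""
    if not sddl or not sddl.strip():
        return Finding(share, "null-sd", "no security descriptor at all: nothing restricts access")
    parts = split_sddl(sddl)
    if "D" not in parts:
        return Finding(share, "null-dacl", "descriptor has no DACL: every trustee gets full access")
    aces = ACE_RE.findall(parts["D"])
    if not aces:
        # An empty DACL is the opposite failure: it grants access to no one.
        return Finding(share, "empty-dacl", "DACL present but holds no ACEs: no one has access")
    allowed = []
    for ace in aces:
        fields = ace.split(";")
        if fields[0] == "A" and len(fields) > 5:   # allow ACE; field 5 is the trustee SID
            allowed.append(fields[5])
    return Finding(share, "ok", f"{len(aces)} ACE(s), allow ACEs for: {', '.join(allowed) or 'none'}")


def audit(shares: Dict[str, Optional[str]]) -> List[Finding]:
    return [classify(name, sddl) for name, sddl in shares.items()]


def at_risk(findings: List[Finding]) -> List[str]:
    """Shares that would be listed under the two null aliases in the Users and Groups node."""
    return [f.share for f in findings if f.state in ("null-sd", "null-dacl")]


def with_full_control(sddl: Optional[str], trustee_sid: str) -> str:
    """Model (an assumption, not the product's implementation) of the outcome of
    Add a Trustee to Null SD / Null DACL: a DACL holding one Full Control allow ACE
    for the chosen trustee. Owner, group and SACL are kept when present; a null SD
    gets SYSTEM as owner and group (constructed default)."""
    parts = split_sddl(sddl or "")
    owner = parts.get("O", "SY")
    group = parts.get("G", "SY")
    sacl = f"S:{parts['S']}" if "S" in parts else ""
    return f"O:{owner}G:{group}D:(A;;FA;;;{trustee_sid}){sacl}"


# Constructed share inventory (hypothetical server FS01); in practice the SDDL
# would be read from each share's security descriptor.
SAMPLE_SHARES: Dict[str, Optional[str]] = {
    r"\\FS01\Public": "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;WD)",  # ordinary DACL
    r"\\FS01\Scratch": "O:BAG:SY",                           # null DACL
    r"\\FS01\Legacy": None,                                   # null security descriptor
    r"\\FS01\Locked": "O:BAG:SYD:",                           # empty DACL
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SHARES):
        print(f"{f.share:16} {f.state:10} {f.detail}")
    print("at risk:", at_risk(audit(SAMPLE_SHARES)))
    print("after remediation:", with_full_control(SAMPLE_SHARES[r"\\FS01\Scratch"], "BA"))
```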
To add a trustee to a null SD
1. In the Treeview, select the Users and Groups node.
2. Double-click Share to expand the view.
3. Select Null Security Descriptor Alias.
If you do not see Null Security Descriptor Alias in the view, then you have no null SDs.
4. Right-click and select Manage Access.
5. Expand the Share node in the Direct Trustee Access dialog box and select the host you wish to secure.
This will open a bottom pane with the available resources on that trustee.
6. Select the desired resource or resources (using Shift + Click) in the bottom pane.
7. Right-click and select Add a Trustee to Null SD.
8. A pop-up dialog box will appear stating that a Background Operation is in Progress. Click Close to remove this dialog box.
To see results, you can click the Background Operations node in the treeview while the client session still exists. Alternately, you can see a log of successful operations in the Quest Access Manager audit log on the Management Server.
Each computer must be secured individually, using this process.
To add a trustee to a null DACL
1. In the Treeview, select the Users and Groups node.
2. Double-click Share to expand the view.
3. Select Null Discretionary Access Control List Alias.
If you do not see Null Discretionary Access Control List Alias in the view, then you have no null DACLs.
4. Right-click and select Manage Access.
5. Expand the Share node in the Direct Trustee Access dialog and select the host you wish to secure.
This will open a bottom pane with the available resources on that trustee.
6. Select the desired resource or resources (using Shift + Click) in the bottom pane.
7. Right-click and select Add a Trustee to Null DACL.
8. A pop-up dialog box will appear stating that a Background Operation is in Progress. Click Close to remove this dialog box.
To see results, you can click the Background Operations node in the treeview while the client session still exists. Alternately, you can see a log of successful operations in the Quest Access Manager audit log on the Management Server.
Each computer must be secured individually, using this process.
Add and Remove Rights
Through the Resource Security Editor you can easily give users and groups access to a selected resource or remove access as required.
To add or remove resource access from the Trustee View
1. Right-click a user or group and select Manage Access.
For details on the various methods of locating trustees, see “Investigate Resource Access” on page 86.
2. Browse through the resource types, and select the required computer.
A detailed list of all the resources with access will display.
3. Right-click the resource and select Edit Security.
4. Right-click, select Add Rights, select the object type, location, and name and click OK.
– OR –
Right-click a user or group and select Remove Selected Permissions.
You will be prompted to accept or ignore the removal.
To add or remove resource access from the Resource View
1. Select a Managed Host, and browse through the shares and file system and select the required resource.
The Security Editor displays in the lower pane.
2. Right-click, select Add Rights, select the object type, location, and name and click OK.
– OR –
Right-click a user or group and select Remove Selected Permissions.
You will be prompted to accept or ignore the removal.
Assign Business Ownership
Access Manager now enables you to manually set the business owner of a
resource.
Business Ownership is not the same as resource ownership, which is an Active
Directory security property. Business Ownership can be used to help your
organization clearly identify who owns folders and shares to meet security and
privacy compliance requirements.
For information on resource security ownership, see “Edit Security” on page 94.
To assign ownership:
1. In the Resource View of a managed host, select the resource for which you want to assign ownership.
You may have to open a higher-level object to see the resource list.
2. In the bottom pane, select the Business Ownership tab.
You can also open the tab through the Edit Resource Security dialog box.
3. Right-click and select Grant ownership.
4. In the Grant New Ownership dialog box, select the trustees that you want to assign to the resource and click Next.
5. Enter a justification for the resource ownership change and click Finish.
The owners you have selected now appear in the list.
6. Click Save.
You can also report on Business Ownership. For more information, see “Owned Resources Report” on page 108.
To revoke ownership:
• On the Business Ownership tab, select the trustees you want to remove, right-click and select Revoke ownership.
The trustees are removed from the list of owners for that resource.
View Group Membership
Enterprise group membership information allows you to identify all the groups
to which a user belongs and all the members of a particular group. This allows
you to quickly see network access to resources and alter it where required.
Any issues related to the network, specific access, or improper credentials for
the domain will be highlighted.
To view group membership for a specific trustee
1. From the Access Manager console, find the required group, right-click, and select Group Members.
You will see a hierarchical view of group membership and the recursive list of who is contained in the group. It eliminates the need to navigate through group nesting to identify all group members that ultimately have access to specific shares, folders, and files.
– OR –
From the Access Manager console, find the required user or group, right-click, and select Manage Access.
You will see all the groups that the selected user or group is a member of (both explicitly and indirectly) and the associated access obtained through this group membership.
– OR –
From the Access Manager console, find the required group, right-click, and select Group Member of.
You will see all the groups that the selected user or group is a member of (both explicitly and indirectly).
2. You can now choose to manage the access where required or run reports that detail the access and membership for the selected group or trustee.
For details, see “Manage Access for a User or Group” on page 89 and “Creating Reports” on page 115.
Group Member Information
Details of group membership are available in the Group Membership display,
accessed by right-clicking on a group and selecting Group Members.
The Members Tree
The left pane displays all group members for the selected group — both direct
and indirect. The columns contain the following information:
COLUMN | CONTENT
Name | The common name (CN) of the group.
Location | The location in Active Directory where the group resides.
Members | This column depicts two values: the first is the number of directly included users and groups; the second, bracketed value is the total number of members, both direct and indirect.
Group Type | The group type can be: Machine Local Group, Universal, Global or Domain Local.
The Members List
The right pane displays all members of the group selected in the left pane
(“Members Tree”). The columns contain the following information:
COLUMN | CONTENT
Member Name | The common name (CN) for the member.
Location | The location in Active Directory where the member resides.
Via | An indication as to whether this member is a “Direct” or “Indirect” member of the selected group.
Status | One of the following:
• Empty: This member is a group but the group does not have any members.
• Populated: The member is a group and the group has at least one member.
• Non Group: This member is not a group and could be a user, computer, contact or any other entity allowed through normal Active Directory group membership rules.
To identify all empty groups
• Right-click an empty group in the Status column, and select Group By
This Column.
To determine if a particular user is a member of a group
1. Select a group in the left-hand pane.
The right-hand pane contains a list of all members of the
selected group and all members of all the nested groups. By
filtering on the username, you can easily determine if a
given user is a member of a group.
2. Right-click on the column you wish to filter by and select Filter Editor.
3. Enter the user’s name and click OK.
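The nesting walk described under User and Group Membership, the Directly held / Indirectly held distinction from the Resources view, and the Members, Via and Status columns of the two tables above can all be computed from a snapshot of group memberships. The following Python code is an added example, not Access Manager code; DIRECTORY is a constructed snapshot with hypothetical names (it deliberately contains a nesting loop, Ops-Team inside Backup-Operators inside Ops-Team, which real directories permit), and every function name is assumed.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed directory snapshot (hypothetical names, not real data):
# group name -> its direct members. Users appear only as values, never as keys.
DIRECTORY: Dict[str, List[str]] = {
    "FileServer-Admins": ["Ops-Team", "alice"],
    "Ops-Team": ["Backup-Operators", "bob"],
    "Backup-Operators": ["carol", "Ops-Team"],   # nests Ops-Team back into itself
    "Empty-Project": [],
}


def status(name: str, directory: Dict[str, List[str]] = DIRECTORY) -> str:
    """Status column of the Members List: Empty, Populated or Non Group."""
    if name not in directory:
        return "Non Group"
    return "Populated" if directory[name] else "Empty"


def expand(group: str, directory: Dict[str, List[str]] = DIRECTORY) -> Dict[str, str]:
    """Members List for `group`: every principal reachable through nesting, mapped to
    its Via value. A principal listed in the group itself is Direct even when it is
    also reachable through a nested group."""
    direct = set(directory.get(group, []))
    via: Dict[str, str] = {}
    seen_groups = {group}           # guards against nesting loops
    queue = deque(direct)
    while queue:
        member = queue.popleft()
        if member == group:
            continue                # a group nested back into itself is not its own member
        if member not in via:
            via[member] = "Direct" if member in direct else "Indirect"
        if member in directory and member not in seen_groups:
            seen_groups.add(member)
            queue.extend(directory[member])
    return via


def members_column(group: str, directory: Dict[str, List[str]] = DIRECTORY) -> Tuple[int, int]:
    """The two numbers of the Members column: direct members, and (in brackets in the
    client) the total of direct and indirect members."""
    return len(directory.get(group, [])), len(expand(group, directory))


def member_of(trustee: str, directory: Dict[str, List[str]] = DIRECTORY) -> Dict[str, str]:
    """Group Member of tree: the groups the trustee is listed in directly, then the
    groups those groups are listed in, and so on; the loop guard is the `via` map."""
    parents = {g for g, members in directory.items() if trustee in members}
    via = {g: "Direct" for g in parents}
    queue = deque(parents)
    while queue:
        g = queue.popleft()
        for parent, members in directory.items():
            if g in members and parent not in via and parent != trustee:
                via[parent] = "Indirect"
                queue.append(parent)
    return via


def access_held(user: str, acl_trustees: List[str],
                directory: Dict[str, List[str]] = DIRECTORY) -> List[Tuple[str, str]]:
    """Resources view: for each ACL entry that gives `user` access, whether it is
    Directly held (the account itself is in the ACL) or Indirectly held (the account
    belongs, possibly through nesting, to a group that is in the ACL)."""
    held = []
    for trustee in acl_trustees:
        if trustee == user:
            held.append((trustee, "Directly held"))
        elif trustee in directory and user in expand(trustee, directory):
            held.append((trustee, "Indirectly held"))
    return held


def empty_groups(directory: Dict[str, List[str]] = DIRECTORY) -> List[str]:
    """Equivalent of grouping the Members List by the Status column and reading the Empty bucket."""
    return [g for g in directory if status(g, directory) == "Empty"]


if __name__ == "__main__":
    direct, total = members_column("FileServer-Admins")
    print(f"FileServer-Admins members: {direct} ({total})")
    for name, how in expand("FileServer-Admins").items():
        print(f"  {name:18} {how:9} {status(name)}")
    print("carol is in:", member_of("carol"))
    print("carol on", r"\\FS01\Finance", "ACL:", access_held("carol", ["FileServer-Admins", "carol"]))
    print("empty groups:", empty_groups())
```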
View Group Membership from Active Directory Users and Computers
You need to have the Active Directory integration enabled for this tab to be
present in Active Directory Users and Computers. For more information, see
“Integrate Access Manager with Active Directory Users and Computers or
Quest ActiveRoles Server” on page 41.
To view group membership
1. From Active Directory Users and Computers, right-click the required user or group and select to view their properties.
2. Select the Group Membership tab.
If there have been any issues with the retrieval of group membership
information, you can click a link to see the list of issues. From here,
you can see the issue details and take the required corrective actions.
You can also run reports to view group membership information and
comparisons. For information, see “Creating Reports” on page 115.
Manage Machine Local Groups
Access Manager allows you to view the local groups present on any given server
within a Managed Domain. This allows for full machine local group management
including creation, deletion, and membership modification. Access Manager uses
the same delegation model as Managed Domains for machine local groups and
includes a granular set of Active Directory extended rights to control their
management on a per server basis.
View Local Machine Groups
You can view machine local groups through:
• the Access Manager client
• Active Directory Users and Computers
• Quest ActiveRoles Server
A computer must be a member of a domain managed by Quest Access
Manager in order to view and manipulate its Local Machine Groups.
If there have been any issues with the retrieval of group membership
information, you can click a link in the lower-left corner to see the list of
errors. From here, you can see the error details and take the required
corrective actions.
Delegated Access and Machine Local Groups
It is necessary to ensure that Access Manager has sufficient rights to properly
manage machine local groups. Below is a list of the extended rights that need to
be delegated to the user of the Access Manager client.
• Application Access: Required by all users.
• Bypass Active Directory Delegation: Allows full access to Access Manager and is required for queries and local group management.
• Allow Directory Browsing: Allows users to browse licensed domains for trustees to be added to machine local groups.
• QAM Manage Machine Local Groups: Allows users to manage the machine local groups of any computer over which they have been granted this permission. Users granted this permission do not need to be in any of the groups on the target computer that would generally allow them to manage machine local groups (Server Operators, Administrators, and others), provided changes to machine local groups are performed through Access Manager.
• QAM Manage Machine Local Admins Group: Allows users to manage the machine local Administrators group.
To view local groups from Access Manager
1. Expand the Managed Hosts node, right-click the computer to be
examined, and select Properties.
2. Select the Local Groups tab to view the local groups property sheet.
3. Double-click any group to view its properties.
To view and manage local group membership from either Active Directory
Users and Computers or Quest Active Roles Server, you first need to
integrate with Access Manager. For more information, see “Integrate Access
Manager with Active Directory Users and Computers or Quest ActiveRoles
Server” on page 41.
To view local groups using Quest Active Roles Server
1. Select the Active Directory node in the treeview.
2. Right-click the required computer and select Manage Local Groups.
3. Double-click any group to view its properties.
To view local groups using Active Directory Users and Computers
1. Open Active Directory Users and Computers.
2. Right-click the required computer and select Properties.
3. Select the Local Groups tab with the Quest logo to view the local
groups.
4. Double-click any group to view its properties.
To view local groups using the Quest Access Manager client Quick Search
1. Select the Quick Search node from the treeview of the Access
Manager client.
2. Use the Search bar to find the group to be managed.
3. Right-click on the group and select Properties.
4. Select the Local Groups tab with the Quest logo to view the local
groups.
The Local Groups dialog box displays all of the local groups that exist
on the selected computer. The groups are divided into Built-in groups
defined by the operating system and Custom Local groups that are
defined by the administrator.
This dialog box allows you to create or delete local groups, and view
the properties of local groups. Right-click any group in the list to
access these features.
Create or Delete Machine Local Groups
To manage machine local groups, users must have the QAM Manage Local
Administrator Group privilege enabled. For more information, see “Delegating
Access to Access Manager” on page 27.
To create a new Machine Local Group
1. Follow one of the procedures to view local groups (see “View Local
Machine Groups” on page 103).
2. Right-click inside the dialog box and select Create.
3. Provide a group name and description.
4. Add members to the group by clicking Add. Click Advanced to
enable advanced search options.
5. When all the required members have been added to the group, click
Create.
To delete existing Machine Local Groups
1. Follow one of the procedures to view local groups (see “View Local
Machine Groups” on page 103).
2. Select the group that you wish to delete.
3. Right-click a highlighted group and select Delete.
4. Click OK.
If you find groups listed in the confirmation dialog box that you do not want
to delete, select them in the confirmation dialog box and remove them using
the Delete key.
Adding Users or Groups to a Machine Local Group
To add users or groups to a machine local group
1. Follow one of the procedures to view local groups (see “View Local
Machine Groups” on page 103).
2. Select the group to which you would like to add users, right-click the
group, and select Properties.
3. Click Add.
4. Enter the object name to be added to this group and click OK.
– OR –
Click Advanced to launch the advanced search dialog box and
continue with step 5.
5. When you have selected all of the users and groups to add to this
group, click OK.
3 Creating Reports
• Available Reports
• Creating Reports
• Scheduling Reports
Available Reports
Reports are a powerful tool to help you summarize and analyze resource and
trustee access and activity. Any user who has been granted the Application
Access right can create reports in Access Manager. For information on delegating
access, see “Delegating Access to Access Manager” on page 27.
The following reports are available:
• Owned Resources Report
• Perceived Owners Report
• Trustee Access Report
• Resource Activity Report
• Trustee Activity Report
• Group Members Report
• Group Members Comparison Report
• Member Of Comparison Report
• Member Of Report
• Resource Access Report
• Local Rights and Service Identities Report
Owned Resources Report
Through ongoing data governance activities, the assignment of ownership to
unstructured data will, over time, improve the overall health of your network.
The Owned Resources Report lists all the resources located on Windows File
Servers and NAS devices that have been assigned business ownership through
the Access Manager interface.
You can limit the scope of the report to one or more trustees, in which case the
report returns all the resources for which the selected trustees are set as the
business owner.
To see if the current business owner matches the activity patterns on the
resource, you can click a resource link to run a Perceived Owner report on
that resource.
You can run this report from the Reports node.
For more information, see “Assign Business Ownership” on page 99.
Perceived Owners Report
Unstructured data can be quite substantial across an enterprise, so it is
important to have a grasp of who is responsible for managing that data. Access
Manager uses historical resource activity to provide guidance on who should own
a particular resource. With this information, business ownership can be assessed
and then set directly on the resource through the Access Manager application.
You can also select a trustee name in the report output to immediately set that
trustee as business owner for the resource in question.
This report offers two options for assessing perceived ownership. You can Find
Folders with High Activity, which looks at the activity on all sub-folders in the
selected resource and makes a recommendation based on the trustees with the
highest percentage of weighted activity. Actions such as writes and creates are
weighted heavier than reads. This query excludes resources that have a
Business Owner already assigned.
The Calculate Perceived Owner option uses historical resource activity data
on the selected folder (not sub-folders) to recommend which trustees should
be assigned ownership. This query includes resources that have a Business
Owner already assigned, and the owners are indicated in the report output.
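The two ownership calculations described above, as an added Python illustration that is not Quest Access Manager code: it ranks trustees by their share of weighted activity, either on the selected folder only or across the busiest sub-folders under a root. The action weights are assumed (the guide states only that writes and creates outweigh reads), and the paths, trustee names and activity records are constructed sample data.

```python
"""Perceived-owner ranking modelled on the two report options described above.

Added illustration, not Quest Access Manager code. The action weights are an
assumption (the guide only states that writes and creates outweigh reads); the
activity records, paths and trustee names are constructed sample data.
"""
from collections import defaultdict

# Assumed weights: the guide gives only the ordering, not the numbers.
WEIGHTS = {"read": 1, "write": 3, "create": 4}

ROOT = r"\\Server\c$\Finance"

# Constructed activity records: (trustee, resource path, action).
ACTIVITY = [
    ("CORP\\alice", r"\\Server\c$\Finance\Q1", "write"),
    ("CORP\\alice", r"\\Server\c$\Finance\Q1", "write"),
    ("CORP\\alice", r"\\Server\c$\Finance\Q1", "write"),
    ("CORP\\bob",   r"\\Server\c$\Finance\Q1", "read"),
    ("CORP\\bob",   r"\\Server\c$\Finance\Q2", "write"),
    ("CORP\\bob",   r"\\Server\c$\Finance\Q2", "write"),
    ("CORP\\bob",   r"\\Server\c$\Finance\Q2", "read"),
    ("CORP\\carol", r"\\Server\c$\Finance\Q2", "read"),
    ("CORP\\carol", r"\\Server\c$\Finance\Q2", "read"),
    ("CORP\\carol", r"\\Server\c$\Finance\Q2", "read"),
    ("CORP\\bob",   r"\\Server\c$\Finance\Budget", "create"),
    ("CORP\\dave",  r"\\Server\c$\Finance\Budget", "read"),
    ("CORP\\erin",  r"\\Server\c$\Finance\Archive", "read"),
    ("CORP\\erin",  r"\\Server\c$\Finance\Archive", "read"),
    ("CORP\\carol", ROOT, "write"),  # activity on the data root itself
]

# Constructed: resources that already have a Business Owner assigned.
BUSINESS_OWNERS = {r"\\Server\c$\Finance\Q1": "CORP\\alice"}


def weighted_activity(records):
    """Sum weighted activity per resource, per trustee."""
    totals = defaultdict(lambda: defaultdict(int))
    for trustee, path, action in records:
        totals[path][trustee] += WEIGHTS[action]
    return totals


def rank_trustees(trustee_weights):
    """Rank trustees by their percentage of a resource's weighted activity.

    An empty weight map (no recorded activity) yields an empty ranking.
    """
    total = sum(trustee_weights.values())
    ordered = sorted(trustee_weights.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(t, round(100.0 * w / total, 1)) for t, w in ordered]


def is_subfolder(path, root):
    """True if path lies below root (case-insensitive, as Windows paths are)."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p != r and p.startswith(r + "\\")


def calculate_perceived_owner(records, folder, owners):
    """Calculate Perceived Owner: activity on the selected folder only.

    Resources that already have a Business Owner are included, and the
    current owner is reported alongside the ranking.
    """
    totals = weighted_activity(records)
    return {
        "resource": folder,
        "current_owner": owners.get(folder),
        "ranking": rank_trustees(totals.get(folder, {})),
    }


def find_folders_with_high_activity(records, root, owners, per_root):
    """Find Folders with High Activity: the busiest sub-folders under root.

    Folders that already have a Business Owner are excluded; per_root is the
    'Number of resources per data root' setting.
    """
    totals = weighted_activity(records)
    busiest = sorted(
        ((sum(tw.values()), path) for path, tw in totals.items()
         if is_subfolder(path, root) and path not in owners),
        key=lambda item: (-item[0], item[1].lower()),
    )
    return [
        {"resource": path, "total_weight": weight,
         "ranking": rank_trustees(totals[path])}
        for weight, path in busiest[:per_root]
    ]


if __name__ == "__main__":
    for row in find_folders_with_high_activity(ACTIVITY, ROOT, BUSINESS_OWNERS, 2):
        print(row)
    print(calculate_perceived_owner(ACTIVITY, r"\\Server\c$\Finance\Q1", BUSINESS_OWNERS))
```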
This report requires that Resource Activity Tracking be enabled on the locally
managed host (Windows computers) or remote agent (NAS device).
Resource activity tracking is not available for remotely managed Windows
computers. For more information, see “Locally Managed Host Properties” on
page 49.
You can run this report directly from a resource in the Managed Hosts node
by right-clicking the resource and selecting Reporting and then Perceived
Owners.
You can run this report from the Reports Node, Managed Hosts node, and the
Security Editor. If you are not running the report in context (you do not have
resources already selected), you can drag and drop from Windows Explorer to
select the resources to report on during report configuration.
For more information, see the following:
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Trustee Access Report
Using Access Manager you can view a report of a trustee’s resource access
across all Managed Hosts within the enterprise. The report provides a detailed
view of trustee group membership, and specific resource access.
You can run this report from the Reports node, as well as from any node in which
you can select one or more trustees: the Users and Groups node, Managed
Hosts, Quick Search, and the Security Editor.
For a Trustee Access report on multiple trustees, a separate file is created for
each trustee. If you have grouped the view by computer, the report creates a
result for each trustee for the selected computer. Otherwise, it returns results
for all resources each trustee has access to.
For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Resource Activity Report
Network resources can be accessed frequently by many users over time.
Recording and reporting on this activity can help administrators determine
patterns of usage (who uses which resources regularly) and helps to spot
atypical behavior (for example, someone who is reading documents they should
not have access to). The Resource Activity Report provides a granular list of
activities recorded over a period of time that can then be used to verify proper
resource usage and make decisions on removing access for particular trustees.
When running the report, you can drag and drop from Windows explorer to select
the resources to report on and also exclude trustees for whom you do not want
to see activity.
This report requires that Resource Activity Tracking be enabled on the locally
managed host (Windows computers) or remote agent (NAS device).
Resource activity tracking is not available for remotely managed Windows
computers. For more information, see “Locally Managed Host Properties” on
page 49.
You can run this report from Reports node, or by selecting a resource and using
the right-click Reporting menu in the Managed Hosts node (Resource View),
Quick Search, and the Security Editor.
For more information, see the following:
• “Quick Search Node” on page 71
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Trustee Activity Report
Constant provisioning and de-provisioning activities can leave your organization
open to security breaches and data leakage. Identifying the resource activity of
trustees is essential to determining where access should be removed. The
Trustee Activity Report shows you all the activity for a particular trustee (for
example file reads, writes, and creates) against specific managed hosts. With
this information, you can identify activities that are outside the scope of a
trustee’s roles, and take steps to secure your resources through the security
editing capabilities of Access Manager.
This report requires that Resource Activity Tracking be enabled on the locally
managed host (Windows computers) or remote agent (NAS device).
Resource activity tracking is not available for remotely managed Windows
computers. For more information, see “Locally Managed Host Properties” on
page 49.
You can run this report from the Reports node, as well as from any node in which
you can select one or more trustees: the Users and Groups node, Managed Hosts
node (Trustee View), Quick Search, and the Security Editor.
For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Group Members Report
Active Directory security groups can become bloated over time due to
unrestricted provisioning and de-provisioning activities. This report displays a
group’s complete direct and indirect membership list. The report can help you
identify trustees that should be removed from a group membership list to ensure
least privilege within your network.
You can run this report from the Reports node, as well as from any node in which
you can select one or more trustees: the Users and Groups node, Managed Hosts
node (Trustee View), Quick Search, and the Security Editor.
For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Group Members Comparison Report
Administrators are often responsible for managing groups that have similar
membership requirements. A quick glance may not easily distinguish one group
from another. The Group Members Comparison report highlights where group
membership differs between two or more groups.
You can run this report from the Reports node, as well as from any node in which
you can select one or more trustees: the Users and Groups node, Managed Hosts
node (Trustee View), Quick Search, and the Security Editor.
For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Member Of Comparison Report
Two users who have been provisioned for similar roles may find that they have
different levels of access due to differences in group membership. The Member
Of Comparison report helps identify these differences so they can be corrected.
You can run this report from the Reports node, as well as from any node in which
you can select one or more trustees: the Users and Groups node, Managed Hosts
node (Trustee View), Quick Search, and the Security Editor.
For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Member Of Report
In the native environment, it can be difficult to get an accurate representation
of nested group membership. Users can be a member of a group through many
levels of nesting, including local groups. This report shows a clear picture of a
trustee’s full membership in Access Manager’s indexed security groups.
You can run this report from the Reports node, as well as from any node in which
you can select one or more trustees: the Users and Groups node, Managed Hosts
node (Trustee View), Quick Search, and the Security Editor.
For more information, see the following:
• “Quick Search Node” on page 71
• “Users and Groups Node” on page 73
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
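The membership resolution behind the Group Members Comparison, Member Of Comparison and Member Of reports described above, as an added Python illustration that is not Quest Access Manager code: a constructed membership index (which deliberately includes a machine local group and a nesting loop between two domain groups) is expanded downward to list a group's direct and indirect members and upward to list every group a trustee belongs to, and two resolved sets are then compared. All group and account names are made up.

```python
"""Nested group resolution behind the Group Members Comparison, Member Of
Comparison and Member Of reports described above.

Added illustration, not Quest Access Manager code. The membership index below
is constructed sample data; it deliberately contains a machine local group
(SRV01\\Administrators) and a nesting loop between two domain groups.
"""
from collections import defaultdict, deque

# Constructed index: group -> set of direct members (users or groups).
DIRECT_MEMBERS = {
    "CORP\\Domain Admins": {"CORP\\alice"},
    "CORP\\Finance": {"CORP\\bob", "CORP\\carol", "CORP\\Finance-Leads"},
    "CORP\\Finance-Leads": {"CORP\\dave", "CORP\\Finance"},  # loops back into Finance
    "CORP\\Auditors": {"CORP\\carol", "CORP\\erin"},
    "SRV01\\Administrators": {"CORP\\Domain Admins", "CORP\\Finance-Leads"},
    "SRV01\\Backup Operators": {"CORP\\Auditors"},
}


def expand_members(index, group):
    """Group Members: every direct and indirect member of a group.

    Breadth-first over nested groups; the visited set stops nesting loops,
    and a group is never listed as its own member. Unknown groups resolve
    to an empty set.
    """
    seen, queue = set(), deque([group])
    while queue:
        for member in index.get(queue.popleft(), ()):
            if member not in seen:
                seen.add(member)
                if member in index:          # nested group: keep descending
                    queue.append(member)
    seen.discard(group)
    return seen


def users_only(index, members):
    """Drop nested groups from a membership set, leaving user accounts."""
    return {m for m in members if m not in index}


def member_of(index, trustee):
    """Member Of: every group a trustee belongs to, directly or through nesting."""
    parents = defaultdict(set)
    for group, members in index.items():
        for member in members:
            parents[member].add(group)
    seen, queue = set(), deque([trustee])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    seen.discard(trustee)
    return seen


def compare(resolved):
    """Highlight where two or more resolved sets differ.

    Returns what every set has in common and, per name, what only that
    set contains.
    """
    names = list(resolved)
    if len(names) < 2:
        raise ValueError("comparison needs two or more names")
    common = set.intersection(*(resolved[n] for n in names))
    only = {n: resolved[n] - set.union(*(resolved[o] for o in names if o != n))
            for n in names}
    return {"common": common, "only": only}


def compare_member_of(index, trustees):
    """Member Of Comparison for two or more trustees."""
    return compare({t: member_of(index, t) for t in trustees})


def compare_group_members(index, groups):
    """Group Members Comparison for two or more groups."""
    return compare({g: expand_members(index, g) for g in groups})


if __name__ == "__main__":
    # The nesting loop makes every Finance member an effective member of
    # Finance-Leads, and therefore of the SRV01 local Administrators group.
    print(sorted(member_of(DIRECT_MEMBERS, "CORP\\bob")))
    print(compare_member_of(DIRECT_MEMBERS, ["CORP\\bob", "CORP\\carol"]))
```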
Resource Access Report
You can use this report to determine who has access to the resources in which
you are interested. The data usage information in the report can help you meet
your compliance and audit goals.
When you run the report, you can set the parameters to report on the folders or
shares of interest to you. You can also isolate specific types of permission, such
as modify, full control, read, and execute. The report includes subfolders and
files of the identified resources if the security differs from the parent, such as
when inheritance of security is overridden or blocked.
You can run this report from the Reports node, the Quick Search View (right-click
the context menu on computers added as a managed host only), the Access
Query View (right-click the context menu on your chosen resources), or from
the Managed Hosts Resource View (right-click the context menu on your chosen
resources).
You must run this report using the same roots by which your host is scanned.
On a locally managed host, use the admin path. On a remotely managed
host, you have the option of the remote shares or the admin paths.
When dragging paths into the Resource Access and Security report
parameters, the paths must point to indexed objects. Dragging non-scanned
folders or other objects into the window for reporting will result in a report
error.
For more information, see the following:
• “Quick Search Node” on page 71
• “Managed Hosts Node” on page 75
• “Edit Security” on page 94
Local Rights and Service Identities Report
This report helps you understand who has local rights on a managed host and
which identities are being used to run Windows services. It is organized into
three key sections.
• Service Identities - Lists the identities used to run services on
the selected Managed Host. An example would be the
"BroadwayAgentService".
• Local User Rights - Lists the particular rights that a trustee has
on a given Managed Host. An example would be the "Allow Logon
Locally" right.
• Admin Rights - Lists trustees with Operating System
Administrative rights on a given Managed Host.
You can run this report from the Reports node, the Managed Hosts node, or the
Quick Search node. For more information, see the following:
• “Quick Search Node” on page 71
• “Managed Hosts Node” on page 75
Creating Reports
The options you have to configure a report depend on the type of report you are
running.
You may also be able to run reports from some or all of the following nodes:
• Quick Search — For information, see “Quick Search Node” on
page 71.
• Users and Groups — For information, see “Users and Groups Node”
on page 73.
• Managed Hosts — For information, see “Managed Hosts Node” on
page 75.
• Security Editor — For information, see “Edit Security” on page 94.
You must explicitly save or export the report to save the template or the
data.
When you save a report, the report definition is saved under the node for the
type of report you have selected. To see the data, run the report again.
When you export a report, a copy of the report output is saved in the format and
location you choose. To see the data, open the report.
After you save a report, you can also schedule it to run. For information, see
“Scheduling Reports” on page 125.
To run a report
1. Click the Reports node in the left pane.
This opens the treeview, showing all available reports.
2. Select a report from the list, then click Configure New Report.
IF YOU SELECT: Owned Resources
PROCEDURE:
1. Select one or more trustees to limit the report
scope to resources owned by the selected
trustees, if applicable, and click Finish.
If you have not limited the scope of the report
by selecting trustees, the report returns all
the resources in the Security Index that have
a Business Owner defined.
2. In the report output, you can click a resource
link to run a Perceived Owner report on that
resource.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Perceived Owners
PROCEDURE:
1. Click Add to enter the fully qualified URIs for
the resources on which you want to report,
and click Next.
For example, \\Server\c$\Folder
You can also drag and drop from Windows
Explorer.
– OR –
Click Import to import a text file with a list of
URIs on which to report.
Note: To import successfully, use a plain text file,
with a separate URI on each line and a hard return
at the end of each line. Do not include any
commas or headers.
2. On the Resources page, select one of the
following options, depending on how you want
to find perceived owners, and click Next.
• Find Folders with High Activity - this
option uses historical resource activity data on
the sub-folders of the selected folder, and
returns a business owner recommendation
based on the trustees with the highest
percentage of weighted activity.
Actions such as writes and creates are
weighted heavier than reads.
This query excludes resources that have a
Business Owner already assigned.
Set a value for the Number of resources per
data root.
This setting applies only to the Find Folders
with High Activity option. For example, if you
choose five, the results display the five
busiest folders.
• Calculate Perceived Owner - this option
uses historical resource activity data on the
selected folder (not sub-folders) to
recommend which trustees should be
assigned business ownership.
This query includes resources that have a
Business Owner already assigned, and the
owners are indicated in the report output.
3. Select a time range to report on and click
Next.
4. Select the trustees to be excluded from the
report, if applicable, and click Finish.
You can click a resource name at the top of
the report output to go to the page for that
resource.
Note: You can select a trustee name in the report
output to add the trustee as a business owner for
the resource in question. You are prompted to
specify a justification.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Trustee Access
PROCEDURE:
1. Select the object types by clicking the Object
Types button and selecting items to include,
then click OK.
2. You can modify the host by clicking Location,
selecting a specific host and clicking OK.
3. To select a trustee, you can enter some or all
of the letters in the name and click Check
Names, then select the trustee you want from
the results list and click OK.
– OR –
Click Advanced and use the query dialog to
find a particular name or description that
Starts With, Ends With, Is Exactly Or Contains
the string you type. Use the dropdown list to
select the best search type, then click Find
Now. Select the trustee from the results list
and click OK.
4. Click Next.
5. Clear the check box next to any resource type
you want to exclude from your report and click
Next.
6. If you only want to report on specific hosts,
select Specific hosts and then select the host
names on which you want to report, and click
Next.
7. Select the Group Expansion Options you want
to use when generating the report. You have
the option to select direct access only or
include the Trustees Group expansion. Further,
you can exclude specific groups to simplify the
report results. Make your selections and click
Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Resource Activity
PROCEDURE:
1. Click Add to enter the fully qualified URIs for
the resources you want to report on and click
Next.
For example, \\Server\c$\Folder
You can also drag and drop from Windows
Explorer.
– OR –
Click Import to import a text file with a list of
URIs to report on.
Note: To import successfully, use a plain text file,
with a separate URI on each line and a hard return
at the end of each line. Do not include any
commas or headers.
2. Select a Time Range to report on and click
Next.
3. Select the Trustees to be excluded from the
report, if applicable, and click Next.
4. Select the Display Options and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Trustee Activity
PROCEDURE:
1. Enter the name of a trustee to report on and
click Next.
2. Select the Host computers to report on and
click Next.
3. Select a Time Range to report on and click
Next.
4. Select the Display Options you want and click
Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Group Members
PROCEDURE:
1. Enter the name of one or more groups to
report on and click Next.
2. Select the Display Options for the report and
click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Group Members Comparison
PROCEDURE:
• Enter the name of two or more groups to
report on and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Member Of Comparison
PROCEDURE:
• Enter the name of two or more trustees to
report on and click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Member Of
PROCEDURE:
1. Enter the name of one or more trustees on
which you want to report and click Next.
2. Select the Display Options for the report and
click Finish.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Resource Access
PROCEDURE:
1. Click Add to enter the fully qualified URIs for
the folders and shares you want to report on
and click Next.
For example, \\Server\c$\Folder
You can also drag and drop from Windows
Explorer.
– OR –
Click Import to import a text file with a list of
URIs to report on.
Note: To import successfully, use a plain text file,
with a separate URI on each line and a hard return
at the end of each line. Do not include any
commas or headers.
2. Select the Permission types to report on and
click Next.
3. Select the types of trustee to include in the
report and click Next.
4. Select the display options for the report and
click Next.
A summary of all the trustees found is
displayed, grouped by type.
Note: Child objects are reported by default only if
their security differs from the parent, for example
a file that has different security settings from the
parent folder.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
IF YOU SELECT: Local Rights and Service Identities Report
PROCEDURE:
1. Select either All accessible hosts and click
Next.
– OR –
Select Specific hosts, click on each host you
want to include and click Next.
2. Select the Permission types to report on and
click Next.
3. Filter out any trustees you do not want in your
report by searching in the top pane. Type the
first few letters of the trustee and press
Search. Select any trustees you wish to
exclude and click Exclude.
You will see your list of excluded trustees in
the accumulator pane below the search
window.
4. Click Finish.
The Local Rights and Service IDs and Admin
rights are displayed, grouped by Managed
host and then by Trustee.
Once you have generated your report, you can:
• Right-click anywhere in the report, select
export and save it to an Excel, Word or PDF
file.
• Save the settings of your report for future use
by clicking Save Template as… and providing a
name and description. A new report appears
in the treeview. You can now run the report
with your selected settings at any time.
Scheduling Reports
You can schedule a report to run after you have run that report at least once and
saved it.
You must have the following permissions to schedule reports:
• Application Access in the Access Manager deployment permissions.
For information, see “Access Manager Deployment Permissions” on
page 28.
• "Logon as a batch job" privilege in the User Rights Assignments of the
Local Policies on the client to schedule a task in Task Manager.
• Write access to the folder where you will save reports.
To schedule a report
1. Open the Reports folder in the left pane and locate the saved report
you want to schedule.
You must run and save a report first before you can schedule it.
After you have saved the report, you can find it in the Reports item
under the type of report, for example, Group Members Report.
2. Select the report name and click Schedule Report.
3. In the Schedule Settings dialog box, choose a date and time, period
(weekly, monthly, and so on) as well as the start and finish, as
required, and click Next.
4. Select a Format and Location for the report output, and click Next.
5. Enter your password to save the schedule task, and click Next.
6. Review the Description and Report Summary to ensure they are
what you want, and click Finish.
To view, edit, or delete scheduled tasks
1. Open the Windows Administrative Tools group and select Task
Scheduler.
2. Expand the Task Scheduler Library | Microsoft | Quest
Software | Access Manager | Scheduled Reports and find the
scheduled item by name.
If you are using an Access Manager client on Windows XP or Windows
2003, all scheduled tasks are kept in a single list within the Task
Scheduler.
3. To edit the schedule, right-click the item name and select
Properties.
4. Open the Triggers tab and click Edit.
– OR –
Click New for a new Schedule item on the same report template.
You may be prompted for your password again to save any settings.
For more information about the Windows Task Scheduler, see the Task
Scheduler section of the Microsoft Management Console Help.
4 Understanding Access Manager through Scenarios
• Provision a User
• Deprovision a User
• Cleanup Resources
• Investigate User and Group Access
• Investigate a Specific Type of User Access
• Investigate Computer Access
• Assess Group Membership and Access
Provision a User
Scenario:
Your organization has acquired a small company and as the administrator, you
need to ensure that all new employees in the various departments have the
required access to all of the applications, configuration settings, and material to
begin work effectively within your organization.
Administration Tasks:
• Determine the required access and groups to which the new user
account should belong
• Use Access Manager to ensure that the proper access has been
granted and make any alterations where necessary
To provision a user
1. From the Access Manager console, use the Quick Search to find the
required group, right-click, and select Manage Access.
– OR –
From your Active Directory Users and Computers or Quest ActiveRoles
Server, right-click the required group, and select Manage Access.
2. Expand the resource type and select a Managed Host.
The Access Manager console displays the computers and resource
types where the group has access.
3. Right-click the required resource in the lower-right pane, and select
Edit Security.
4. Add access to the specific resource by right-clicking in the Resource
Security Editor and selecting Add Rights.
5. In the Add Permission Wizard, select a user or group, specify the
required permissions, and click Finish.
Using Access Manager’s Clone Trustee feature, you can copy the permissions of an existing user or group and apply them to a new user or group. Cloning copies everything the source trustee holds on that resource, including any access the source has accumulated beyond what its role requires, so review the source trustee's access before using it as a template.
To clone access
1. Locate the user or group whose access you want to copy, and select Manage Access.
2. From within the Resource Security Editor, right-click the required resource, and select Clone Trustee.
3. Select the required user or group, and click OK.
The access to the resource is cloned to the new user or group. To check the result of the operation, view the Background Operations node.
Deprovision a User
Scenario:
A contract employee who was given access to various financial resources on several servers throughout your network is no longer required.
As the work progressed, so did their access to various files. The access was granted incrementally and not always by the same administrator. As a result, access has been granted both through groups and by placing the account directly in the Access Control List (ACL) of the resource.
Administration Task:
• Ensure the account's access is effectively removed from all resources.
To remove a user’s access from a resource
1. From the Access Manager console, use the Quick Search to find the required user or group, right-click, and select Manage Access.
– OR –
From Active Directory Users and Computers or Quest ActiveRoles Server, right-click the required user or group, and select Manage Access.
The Access Manager console displays the computers and resource types where the user or group has access.
2. Expand the resource type and select a Managed Host.
3. Right-click the required resource, and select Edit Security.
4. Right-click the user in the Resource Security Editor, select Remove Selected Permissions, and click Save.
You can also remove the user's access from multiple resources at once by selecting all the required resources within the Resource Security Editor, right-clicking, and selecting Remove Trustee. To check the result of the operation, view the Background Operations node.
Removing the account's direct entries does not affect the access it still holds through group membership. Remove the account from those groups as well (or disable the account), then run Manage Access for it again to confirm that no resource remains listed.
Cleanup Resources
Scenario:
Over time, ACLs accumulate entries for SIDs that no longer resolve to an account, typically because the account was deleted or belonged to a domain that is no longer trusted. Access Manager facilitates the removal of such unresolved SIDs that appear directly in ACLs. The scenario presented below demonstrates this capability.
Administration Tasks:
• Remove unresolved SIDs to improve performance. An ACE for an unresolvable SID is also an entitlement that nobody can account for, so removing it is part of keeping ACLs auditable.
To remove unresolved SIDs
1. From the Access Manager console, select the Users and Groups node and expand the trustee type Unknown.
2. Right-click the unresolved SID and select Manage Access.
3. Right-click the required resource and select Edit Security.
4. Right-click the unresolved SID in the Resource Security Editor, select Remove Selected Permissions, and click Save.
You can also remove all access for an unresolved SID at once by right-clicking it within the Resource Security Editor and selecting Remove Trustee. To check the result of the operation, view the Background Operations node.
Investigate User and Group Access
Scenario: Where Do Users and Groups have Access on the Network?
As people join, depart, and shuffle throughout your organization, you will need
to change their access to resources. With Access Manager, you can validate that
users and groups have been granted access to all the resources they need,
ensure they do not have access to excess resources, and manage their access
when problems arise.
Administration Tasks:
• Investigate access for a user in a particular role within your organization to help grant the same access to a new hire. For details, see “Clone, Replace, and Remove Access for a Group of Trustees” on page 96.
• Investigate where users have access and modify it if required. For details, see “Manage Network Access” on page 89, and “Creating Reports” on page 107.
• Perform a spot check on a particular user or group to ensure they have the correct access to resources. For details, see “Manage Machine Local Groups” on page 103.
• Evaluate a group’s access before deleting it. For details, see “Investigate Resource Access” on page 86, “View Group Membership” on page 100, and “Creating Reports” on page 107.
Investigate a Specific Type of User Access
Scenario: Where are Domain-level Users Being Run as Service Identities?
In the Users and Groups node, you can filter, group, and sort data from any angle to zero in on very specific questions you need to answer. In this scenario, you want to find Domain-level users that are being used as service identities on a specific set of servers whose names all start with the same prefix. This is worth checking regularly: a domain account that runs a service has its password stored on every host where that service is configured, so the compromise of any one of those hosts can expose an account whose access extends across the domain.
Administration Tasks:
1. In the Users and Groups node, open the layout panel and select the pre-defined layout called Domain-level Trustees Only.
If the layout panel is not open, select Show Layout Options from the Action menu. For information, see “Saving Customized Layouts” on page 59.
2. Use the Group By Box in the Layout Options to group the columns by Resource Type and then by Host Name.
3. In the Filter Editor, add an item for [Host Name] [Begins with] [your filter criteria].
For example, filter for Host Names that begin with CAN.
For more information, see “Grouping, Sorting and Filtering Views” on page 58.
Because you have grouped by Resource Type, the Windows Service Identity node now lists all the Managed Hosts where Domain-level users are being run as Service Identities.
For more information, see the following:
• “Users and Groups Node” on page 73
• “Saving Customized Layouts” on page 59
Investigate Computer Access
Scenario: Who has Access to a Specific Resource?
To ensure a computer is secured in a way that meets your business
requirements, it is essential that you can easily and quickly see who has been
given access to resources (specifically users/groups who have explicit access to
a specific computer), and correct any issues identified.
Administration Tasks:
• Investigate who appears in the security settings on a specific computer to ensure that corporate policy is being followed.
• Look for non-authorized users on a specific computer. For detailed procedures, see “Investigate Resource Access” on page 86, “Manage Resources” on page 93, and “Creating Reports” on page 107.
Assess Group Membership and Access
Scenario: Where Does the Access Originate?
Because user and group access may be the result of several layers of nested
groups, it may be difficult to assess. Using Access Manager, you can easily see
group membership, computers, and resource types where the user or group has
both direct access and indirect access by means of group membership.
Administration Task:
• Ensure group access is properly assigned.
For more information, see the following:
• “Investigate Resource Access” on page 86
• “View Group Membership” on page 100
• “Creating Reports” on page 115
5 Troubleshooting
• Where are the Logs?
• Why is the Managed Hosts Node Empty?
• Where is My Activity Data?
• Where are the Menus and Property Pages in Active Directory Users and Computers?
• Why is an Agent not Connecting to the Access Manager Server?
• Why are Groups Missing from the Group Memberships Treeview?
• Why are Agent Leases Expiring?
• Why are My PowerShell Cmdlets not Contacting the Access Manager Server?
Where are the Logs?
Server Logs
The Access Manager server log files are located in the program directory, which
is by default:
c:\Program Files\Quest Software\Access Manager\ManagementServer
At any given point, you will see the following files:
• QAM Service Log.txt
• QAM Group Resolution Log.txt
• QAM Lease Manager Log.txt
• QAM Machine Local Group Log.txt
There may be two copies of each file because the Access Manager server maintains rolling logs, in an effort to save space on the hosting computer. The first log file is the active log, and is constantly being written by the server. When this file reaches its threshold (20 MB), it is renamed with the current year, and a new one is started. This second log file is overwritten each time the server rolls the log. Both files are generally necessary when troubleshooting issues.
Agent Logs
Local agent log files are stored on the agent host computer in a subdirectory of
the agent installation folder named \BroadwayAgentService. Remote agent
instance logs are in subdirectories of the agent installation folder, named after
the agent ID on the host computers. A specific agent ID for a managed host can
be found on the Agent Details tab in the Agent Service section of the Agent
Properties page.
Note that the identity being used by each agent must be capable of creating
sub-folders and files beneath the agent's installation directory.
Agent log files are maintained as binary files with the file extension .bwalog. To view their contents, Quest provides a command line tool, BWAgentLogReader.exe. To convert an agent log file into readable text, enter the following at the command prompt:
bwagentlogreader /f <path to logfile> /full >> outputFile
You can also export the agent log as a text file by using the context menu on a managed host and selecting Export Agent Log.
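The following PowerShell script is an added example, not part of the Quest documentation or the product: it converts every .bwalog under the agent installation folder with BWAgentLogReader.exe (using the /f and /full switches documented above) and then searches the text output for error lines. The installation path, the location of BWAgentLogReader.exe and the output folder are assumptions; adjust them to your deployment.

```powershell
# Added example (not Quest code): convert every binary agent log
# (.bwalog) under the agent installation folder to text with
# BWAgentLogReader.exe, one .txt per log, so they can be searched.
# Assumed (hypothetical) paths: the agent lives under
# "C:\Program Files\Quest Software\Access Manager\Agent" and
# BWAgentLogReader.exe sits in that folder. Adjust both to match.
param(
    [string]$AgentRoot = 'C:\Program Files\Quest Software\Access Manager\Agent',
    [string]$Reader    = (Join-Path $AgentRoot 'BWAgentLogReader.exe'),
    [string]$OutDir    = (Join-Path $env:TEMP 'qam-agent-logs')
)

if (-not (Test-Path -LiteralPath $Reader)) {
    throw "BWAgentLogReader.exe not found at $Reader"
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Local agent logs live in \BroadwayAgentService; remote agent instances
# log into subfolders named after their agent ID. -Recurse covers both.
$logs = Get-ChildItem -Path $AgentRoot -Recurse -Filter '*.bwalog' -ErrorAction SilentlyContinue
if (-not $logs) {
    Write-Warning "No .bwalog files found under $AgentRoot"
    return
}

foreach ($log in $logs) {
    # Name the output after the containing folder (the agent ID for remote
    # instances) plus the log name so different instances do not collide.
    $tag = $log.Directory.Name
    $txt = Join-Path $OutDir ("{0}_{1}.txt" -f $tag, [IO.Path]::GetFileNameWithoutExtension($log.Name))

    # Same invocation the guide documents: /f <logfile> /full, with the
    # output redirected to a text file. '>' overwrites on a re-run instead
    # of appending a second copy the way '>>' would.
    & $Reader /f $log.FullName /full > $txt 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0} returned exit code {1} for {2}" -f $Reader, $LASTEXITCODE, $log.FullName)
    }
}

# Quick triage: surface lines that look like errors across all converted logs.
Get-ChildItem -Path $OutDir -Filter '*.txt' |
    Select-String -Pattern 'error|exception|fail' |
    Select-Object Path, LineNumber, Line |
    Format-Table -AutoSize
```

Run it on the agent host under an account that can read the agent's installation folder; the converted logs land in a temporary folder so the agent's own directory is left untouched.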
Why is the Managed Hosts Node Empty?
There may not be any Managed Hosts configured in your deployment. To gather
information, Access Manager must be told which computers to index. For more
information, see “Managed Host” on page 13 and “Add an Additional Remote
Agent to a Managed Host” on page 38.
Resolution
Navigate to Access Manager, right-click the Managed Hosts node, and select Add
Managed Host. Select a management method. (Decide if you want to manage
the host using a remote agent on another computer or using a locally installed
agent.) Select the domain in which the host resides, select the host, and click
Add.
If the agent is hosted locally, the addition of the Managed Host is complete. If a remote agent has been selected, you need to configure the remote agent. Select a host computer from within the same forest as the target computer. Select a service account with sufficient permissions to access the target computer; use a dedicated account granted only the access the agent needs, rather than a shared administrative account. Define a schedule for the agent to scan the target computer and click Next. Select the data roots that will be indexed by this agent and click Finish.
Adding a Managed Host will deploy the Access Manager Agent to the computer.
The agent will index security information, and pass on requested information to
the Access Manager server. Most information is kept on the Agent, and retrieved
only when requested by a client to ensure a minimal impact on the network.
Where is My Activity Data?
When you run a Resource Activity, Trustee Activity, or Perceived Owner report, you may not immediately see activity in the report that you know has taken place.
Probable Cause:
• There is some lag time between when an action occurs, such as a file read or write, and when the data is sent from the agent to the server. This delay depends on the granularity setting, the update schedule, and various internal processes.
• You may not have had resource activity tracking enabled for that data root during the time span covered by the report.
• If you have enabled resource activity tracking, you may have excluded some trustees, files, or folders where the activity occurred.
Resolution:
• For a locally managed Windows computer, open the Managed Host Properties, select the Resource Activity tab, and enable activity tracking.
• To verify which trustees, files, or folders are being tracked, click Manage Exclusions and check each tab.
• For a remotely managed NAS device, open the Managed Host Properties and select the Agents tab. Then right-click to open the Agent Properties, select the Resource Activity tab, and enable activity tracking or check the settings.
For information on all the resource activity settings, see “Locally Managed Host
Properties” on page 49.
Where are the Menus and Property Pages in Active Directory Users and Computers?
For Access Manager to place extension menus in Active Directory Users and
Computers, it must modify the DisplaySpecifiers container in all of the Active
Directory forests containing users and groups that you want to query.
The Access Manager client must also be installed on the computer from which
the user is trying to use Active Directory Users and Computers.
Resolution
Register all forests containing users that you want to query in Access Manager. When a forest is registered, Access Manager extends the DisplaySpecifiers container of that forest with the required entries. The change adds display-specifier entries only; it does not modify the schema or the security of any object. Because the DisplaySpecifiers container lives in the forest's Configuration partition, which replicates to every domain controller in the forest, the account performing the registration needs Enterprise Admin rights (or delegated write access to CN=DisplaySpecifiers), and the change should be scheduled like any other forest-wide configuration change.
For details, see “Grouping, Sorting and Filtering Views” on page 58.
Why is an Agent not Connecting to the Access Manager Server?
Probable Cause:
• The Agent has not been able to find a Service Connection Point that points to a valid server.
• A firewall is active on the agent hosting computer, which is preventing the Agent from connecting to the server.
• The proxy settings on the agent computer are preventing it from connecting to the server.
Resolution:
• Ensure that the Service Connection Points of the agent computer's Managed Domain are OK. (You can find this information by right-clicking a Managed Domain and selecting Properties. If the Service Connection Points are listed as Not Found, select Create.)
• Ensure that the following registry value contains the same Deployment ID value present on the Access Manager snap-in’s home page:
Registry Key: HKEY_LOCAL_MACHINE\Software\Quest Software\Broadway\Agent\Services\communication
Registry Value: deploymentId (REG_SZ)
• Configure the firewall on the Agent to allow outgoing traffic on TCP port 8721, as well as incoming traffic on TCP port 18530. Also, ensure that the Management Server firewall has the following exceptions configured: incoming TCP 8721 and 8722, and outgoing TCP 18530. Scope the inbound rules to the peer's address (the server's address on agents, the agents' addresses on the server) rather than opening the ports to any source.
• Configure the proxy settings on the Agent computer to either store credentials for accessing your corporate HTTP proxy, or allow bypassing of the proxy for local addresses.
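As an added example (not Quest code), the following PowerShell script, run on the agent host as an administrator, checks each of the causes listed above: it compares the deploymentId registry value with the Deployment ID you pass in, tests an outbound TCP connection to the server on 8721, checks that something is listening on 18530 locally, and reads the WinHTTP proxy configuration. The server name and expected Deployment ID are parameters you supply. Two assumptions are not taken from the guide: that the WinHTTP proxy store is the one to inspect (the guide does not say which proxy settings the agent reads), and that a 32-bit agent on 64-bit Windows would keep its key under Wow6432Node.

```powershell
# Added example (not Quest code): diagnose an agent that cannot reach
# the Access Manager server, following the causes listed in the guide.
# $ServerName is the Access Manager server; $ExpectedDeploymentId is the
# Deployment ID shown on the snap-in's home page (both supplied by you).
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [Parameter(Mandatory = $true)][string]$ExpectedDeploymentId
)

$results = @()

# 1. deploymentId must match the value on the snap-in's home page.
#    The Wow6432Node fallback is an assumption for a 32-bit agent on x64.
$keyPath = 'HKLM:\Software\Quest Software\Broadway\Agent\Services\communication'
if (-not (Test-Path $keyPath)) {
    $keyPath = 'HKLM:\Software\Wow6432Node\Quest Software\Broadway\Agent\Services\communication'
}
$actualId = (Get-ItemProperty -Path $keyPath -Name deploymentId -ErrorAction SilentlyContinue).deploymentId
$results += New-Object PSObject -Property @{
    Check  = 'deploymentId matches server'
    Passed = ($actualId -eq $ExpectedDeploymentId)
    Detail = "registry='$actualId' expected='$ExpectedDeploymentId'"
}

# 2. Outbound TCP 8721 to the server (agent -> server). A failure here is
#    a host firewall or network ACL problem, not an agent configuration one.
function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
$results += New-Object PSObject -Property @{
    Check  = "TCP $ServerName`:8721 reachable"
    Passed = (Test-TcpPort $ServerName 8721)
    Detail = 'agent -> server; needs an outbound exception on the agent host'
}

# 3. Inbound TCP 18530 on this host (server -> agent): verify a listener
#    exists at all. If nothing listens, the agent service is down.
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    Where-Object { $_.Port -eq 18530 }
$results += New-Object PSObject -Property @{
    Check  = 'TCP 18530 listening locally'
    Passed = [bool]$listening
    Detail = 'server -> agent; also needs an inbound exception on the agent host'
}

# 4. WinHTTP proxy: either direct access, or the server must be in the
#    bypass list (otherwise the proxy must accept the agent's credentials).
$proxy = netsh winhttp show proxy | Out-String
$results += New-Object PSObject -Property @{
    Check  = 'WinHTTP proxy is direct or bypasses the server'
    Passed = ($proxy -match 'Direct access' -or $proxy -match [regex]::Escape($ServerName))
    Detail = ($proxy -replace '\s+', ' ').Trim()
}

$results | Select-Object Check, Passed, Detail | Format-Table -AutoSize -Wrap
```

A failed check 2 with a passing check 1 points at the network path; a failed check 3 points at the agent service itself, which is also the first thing to confirm when leases expire (see below).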
Why are Groups Missing from the Group Memberships Treeview?
To examine group membership in your enterprise, Access Manager requires
credentials that allow it to read group memberships in the domains that make
up your enterprise trust structure. These credentials are provided through
service accounts, and by adding domains. If Access Manager is having trouble
resolving group memberships, you will see a link in the lower-left pane (after
having selected Manage Access from the client), that you can click to see a list
of issues that details any problems encountered during group expansion.
Resolution
Ensure that all domains that contain relevant groups have a service account
specified in Managed Domains. This grants the ability to read all group
membership information in their associated forests.
For more information, see “Add a Domain to the Deployment” on page 31.
Why are Agent Leases Expiring?
Probable Cause:
• The computer on which the Agent is running has rebooted.
• The Agent service on the hosting computer has been stopped or disabled.
• The Server service has been restarted.
Resolution
• Ensure the Quest Access Manager Agent service is running on the hosting computer.
Why are My PowerShell Cmdlets not Contacting the Access Manager Server?
You must provide the PowerShell session with the location of the Access Manager
server. This setting is preserved so it need only be set once per user, per client
computer.
Resolution
After opening PowerShell and loading the cmdlets, execute the following
statement to allow the cmdlets to find the Access Manager server:
Set-QServiceConnection [-ServerName] <string> [-Port] <string>
Appendix A: Configuring EMC Celerra
• Configuring the CEPA Facility
• Configuring the Individual CEPA Pool Servers
• Configuring Access Manager to Watch the Data Mover
• Verifying the Status of the CEPA Facility
Configuring the CEPA Facility
For EMC Celerra Network Attached Storage (NAS) devices, Quest Access Manager Agents support connectivity to the Celerra Event Publishing Agent (CEPA). With this support, the agent can read real-time file system events on Common Internet File System (CIFS)-based Data Movers for the purpose of real-time security indexing and activity (read/write) monitoring.
Configuring this support enables you to track both real-time security index updates and activities on the device, and provides access to several reports in Access Manager. For more information, see “Creating Reports” on page 107.
Due to the EMC architecture, you must complete the following procedure to enable CEPA connectivity, as well as the procedures listed in these topics:
• Configuring the Individual CEPA Pool Servers
• Configuring Access Manager to Watch the Data Mover
• Verifying the Status of the CEPA Facility
If you have upgraded your agents, you must restart the agent after you
configure the EMC Celerra device.
To configure the CEPA Facility on the EMC Data Mover
1. Connect to the Celerra Control Station using SSH (or telnet, if SSH is not enabled; be aware that telnet sends the password in clear text), logging in as the NAS Admin user.
2. Copy the current configuration file from the Data Mover:
$ server_file [movername] -get cepp.conf cepp.conf
Where: [movername] = name of the Data Mover where the configuration file resides.
3. Edit the cepp.conf file to ensure the postevents flag incorporates all events:
postevents=*
If the CEPA Facility is not configured and you receive an error in step 2 above, create a cepp.conf file using vi or another text editor and populate the file with the following configuration:
pool name=[poolname] servers=[server1]|[server2]|[…]
postevents=*
Where: [poolname] = The CEPA pool name (alphanumeric), for example MyCepaPool.
[serverX] = The full DNS name or IP address of the Windows computer hosting the Celerra Event Enabler software from EMC and the QCEE connector software from Quest Software.
4. Stop the CEPA facility on the Data Mover:
$ server_cepp [movername] -service -stop
5. Publish the cepp.conf file to the Data Mover:
$ server_file [movername] -put cepp.conf cepp.conf
6. Start the CEPA facility on the Data Mover:
$ server_cepp [movername] -service -start
7. Verify the CEPA status using the following command:
$ server_cepp [movername] -service -status
In each of these commands, [movername] is the name of the Data Mover where the configuration file resides.
Configuring the Individual CEPA Pool Servers
For CEPA pool servers, only 64-bit platforms are supported at this time.
To configure the pool servers
1. Download the EMC Celerra Event Enabler software from the EMC Web site.
You have the option to run the Complete or the Custom install. It is recommended that you install the Complete package.
2. Install the software on each server listed in the servers attribute, as defined in the cepp.conf file above.
3. From the Quest Access Manager installation CD, find and install the QCEE_x64 Quest connector software.
Configuring Access Manager to Watch the Data Mover
To configure the Access Manager server to watch the data mover
1. In the Access Manager console, select the Managed Hosts node, right-click, and select Add Managed Host.
2. In the Select Management Method box, select Remotely managed through an agent on another computer, and click Next.
For remotely managed hosts, the first remote agent must be added during the host’s initial deployment. You can manually add more remote agents later, if needed. For information about agents, see “Access Manager Agent” on page 13.
3. Select the EMC Celerra file server and click Add to select it as the target of the scan, and click Next.
4. Select the Enable resource activity tracking option.
Resource activity tracking is used to collect data on identities, reads, writes, creates, and other actions performed on the target computer. This information is required for several report types, including the Resource Activity report. For more information, see “Creating Reports” on page 107.
5. In the Settings box, set the Granularity for the resource activity tracking.
Granularity specifies how often resource activity data is captured.
6. To limit network traffic, select Synchronize only between these times and set the From and To values.
This setting specifies when the agent sends the resource activity data to the management server.
7. To change the identities, files, or folders that are excluded from tracking, click the Manage Exclusions button and select the objects to exclude. This box also includes tabs to exclude file extensions and folders.
Certain administrative identities, file extensions, and folders are excluded by default. You can see the full list by clicking the Manage Exclusions button. If the list is empty, click Default to populate the exclusions with default values. For file extensions, you can enter a Category name to group any extensions you add to the exclusions list.
Use the Export and Import buttons on their respective tabs to export and import a list of SIDs, file types, or folders to exclude. For information on the file syntaxes, see the parameter descriptions in “Add-QManagedHostByAccountName” on page 156. For folders, you can also drag and drop from Windows Explorer.
Anything you exclude here produces no activity evidence in later reports (see “Where is My Activity Data?”), so keep the exclusion list to identities, file types, and folders whose activity is genuinely noise.
8. Click Next.
9. Select a Host Computer (on which to install the agent) from within the same forest as the target computer, and select a service account with sufficient permissions to access the target device.
10. Define a schedule for the agent to scan the target computer, and select the required real-time file system updates settings.
For information about the real-time file system updates settings, see “Agent Status Descriptions” on page 56.
Some NAS devices may not provide reliable remote change detection. Enabling the remote change detection feature on these agents may lead to frequent complete scans.
11. Select the data roots that will be indexed by this agent, and click Next.
Only one agent can scan a given data root.
The agent will now be installed on the selected computer.
12. Enter the CEPA pool servers that were placed in the cepp.conf file above, one per line.
13. Click Finish.
To view the users and groups associated with the new managed host, select the Refresh menu option.
Verifying the Status of the CEPA Facility
After the Quest Access Manager Agent completes the installation and the status shows OK, return to the Control Station session and enter the following command to determine the status of the CEPA pool servers:
$ server_cepp [movername] -pool -info
Where: [movername] = name of the Data Mover where the configuration file resides.
The output should contain an entry for each server in the CEPA pool showing a status of ONLINE.
Appendix B: PowerShell Cmdlets
• What is Microsoft Windows PowerShell?
• Windows PowerShell Cmdlets
• Registering the PowerShell Cmdlets
• Adding the Snap-in Automatically to New Sessions
• Quest Access Manager Cmdlets
What is Microsoft Windows PowerShell?
Microsoft® Windows PowerShell™ is a Windows command-line shell and
scripting language designed specifically for system administrators and built on
top of the Microsoft .NET Framework. Windows PowerShell can be installed on
Windows XP, Windows Vista™, and Windows Server® 2003, and is included with
Windows Server® 2008.
Windows PowerShell Cmdlets
Windows PowerShell has the concept of cmdlets. A cmdlet is a simple,
single-function command that manipulates objects and is designed to be used in
combination with other cmdlets.
If you already had Windows PowerShell installed on your computer before you
installed Quest Access Manager, then the Access Manager Windows PowerShell
cmdlets were automatically installed and registered with Windows PowerShell
when you installed Access Manager. This means that you are ready to start using
the Quest Access Manager cmdlets in Windows PowerShell.
Registering the PowerShell Cmdlets
If you installed Windows PowerShell on your computer after you installed Quest Access Manager, you must add the snap-in to your session before you can start using the cmdlets in Windows PowerShell.
To add the Quest Access Manager cmdlets to a session
1. Open a Windows PowerShell window and type the following at the Windows PowerShell command prompt:
Add-PSSnapin Quest.AccessManager
2. Type the following at the Windows PowerShell command prompt to verify that the snap-in was added:
Get-PSSnapin
All snap-ins loaded in the current session are listed. To list every snap-in registered on the computer, whether or not it is loaded, use Get-PSSnapin -Registered; if Quest.AccessManager does not appear there, Add-PSSnapin fails because the snap-in is not registered on this computer.
Adding the Snap-in Automatically to New Sessions
If you do not want to manually add the Quest Access Manager PowerShell snap-in each time you start a new Windows PowerShell session, you can modify the Windows PowerShell profile file so that it is added automatically for you.
To add the Quest Access Manager PowerShell snap-in automatically when you start a new Windows PowerShell session
• Add the following line to the Windows PowerShell profile file (profile.ps1):
Add-PSSnapin Quest.AccessManager
The profile that applies to all users and all hosts on the computer is located in:
%SystemRoot%\System32\WindowsPowerShell\v1.0\profile.ps1
On 64-bit Windows, the 32-bit console reads its profile from %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0 instead; use the profile that matches the console in which the snap-in is registered. To load the snap-in for your own account only, put the line in the per-user profile instead (its path is held in the automatic variable $PROFILE).
If you get the error message "...profile.ps1 cannot be loaded because the execution of scripts is disabled" the next time you start a new Windows PowerShell session, type the following at the Windows PowerShell command prompt (the policy is written to HKEY_LOCAL_MACHINE, so the console must be running as an administrator):
Set-ExecutionPolicy RemoteSigned
RemoteSigned allows local scripts such as the profile to run while still requiring a signature on scripts downloaded from the Internet. Then, type the following at the Windows PowerShell command prompt to confirm that the execution policy has been changed; it should return RemoteSigned:
Get-ExecutionPolicy
Quest Access Manager Cmdlets
Before you can run any cmdlets, you must first call the Set-QServiceConnection cmdlet.
Quest Access Manager includes the following cmdlets:
• Set-QServiceConnection
• Change-QDBAccessAccount
• Export-QResourceAccess
• Get-QManagedHosts
• Get-QManagedDomains
• Get-QResourceAccess
• Get-QServiceAccounts
• Get-QTrusteesForHost
• Add-QManagedHostByAccountName
• Add-QManagedHostByAccountSid
• Add-QManagedDomain
• Add-QServiceAccount
• Get-QAccessibleHostsForTrustee
• Set-QAccountPassword
• Get-QTrusteeAccess
Set-QServiceConnection
Sets the server name and port information used by the Access Manager cmdlets
to connect to the Access Manager server.
Parameters
• ServerName (Quest Access Manager Server Computer Name)
• Port (Port used by Quest Access Manager cmdlets to connect to the Quest Access Manager server.) This value is optional, and should not be changed from 8722.
Syntax
Set-QServiceConnection [-ServerName] <String> [-Port] <String>
[-WarningAction] <ActionPreference> [-WarningVariable] <String>
Change-QDBAccessAccount
Changes the account used by the Access Manager server to communicate with
the SQL Server database.
Parameters
• DomainName
• AccountName
• Password
The password is passed as a plain String. Do not hard-code it in scripts or scheduled-task command lines, and do not run this cmdlet in a session that is being transcribed; prompt for it interactively instead (for example with Read-Host) so that it does not end up on disk.
Syntax
Change-QDBAccessAccount [-DomainName] <String> [-AccountName] <String> [-Password] <String> [-WarningAction] <ActionPreference> [-WarningVariable] <String>
Export-QResourceAccess
This cmdlet is used to export the security information retrieved using
Get-QResourceAccess into a CSV file.
Parameters
• ResourceAccessQueryResults - Resource security information retrieved using the Get-QResourceAccess cmdlet
• OutputPath - The output path of the dumped CSV file
• DisplayInheritedSecurity (*) - Flag. The presence of this flag indicates that you want the full security information returned for all child objects of the selected root. The default behavior when the flag is not present is to show only security that differs from parent objects.
Syntax
Export-QResourceAccess [-ResourceAccessQueryResults] <ResourceAccessQueryResults> [-OutputPath] <String> [-DisplayInheritedSecurity]
Parameters marked with an (*) are optional.
Example 1
$resourceAccess | Export-QResourceAccess -OutputPath "C:\Test1\ResourceAccess.CSV" -DisplayInheritedSecurity
Example 2
Export-QResourceAccess $resourceAccess "C:\Test1\ResourceAccess.CSV" -DisplayInheritedSecurity
Get-QManagedHosts
Returns a list of all the registered Managed Hosts.
No Parameters
Get-QManagedDomains
Returns a list of all the registered Managed Domains.
No Parameters
Get-QResourceAccess
This Cmdlet is used to retrieve the security information of the selected resources
from a specific managed host, as well as child objects whose security differs from
the parent (inheritance is overridden or blocked).
Parameters
• ManagedHostId
• ResourceType - Valid values: File, Folder, Share, AdminRight, LocalOSRight, ServiceIdentity
• Resources - Valid values: Comma-separated path list
• ExcludeSubObjectDeviations (*) - Flag. The presence of this parameter means the cmdlet only returns the security data for the root objects specified. If not present, the cmdlet returns security information for children below the roots whose security differs from the parent.
Syntax
Get-QResourceAccess [-ManagedHostId] <String> [-ResourceType] <ResourceAccessQueryResourceType> [-Resources] <String> [-ExcludeSubObjectDeviations]
Parameters marked with an (*) are optional.
Example 1
$resourceAccess = Get-QResourceAccess $managedHostId Folder "C:\Test1","C:\Test2" -ExcludeSubObjectDeviations
Example 2
This example shows a three-stage process for using this cmdlet together with the Get-QManagedHosts and Export-QResourceAccess cmdlets for its input and output.
To use the cmdlet
1. Run the Get-QManagedHosts cmdlet to identify the managed host you want to target. Next, you must determine whether the managed host is local or remote.
$managedHosts = Get-QManagedHosts
2. Run the Get-QResourceAccess cmdlet, specifying the managed host ID (use the array index of the managed hosts or directly enter the managed host ID), the resource type (Folder, File, Share, LocalOsRight, AdminRight, or ServiceIdentity), and a local path list if the managed host is local or a remote path list if the managed host is a remote host.
Get-QResourceAccess $managedHosts[0].ManagedHostId Folder "C:\Test1","C:\Test2"
3. The result of the Get-QResourceAccess cmdlet can be stored in a variable for later use, such as exporting it into a CSV file.
$resourceAccessInfo = Get-QResourceAccess $managedHosts[0].ManagedHostId Folder "C:\Test1","C:\Test2"
$resourceAccessInfo | Export-QResourceAccess -OutputPath "C:\ResourceAccessInfo.csv"
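The script below is an added example, not part of the Quest documentation: it puts the steps above together for every registered managed host, loading the snap-in if the session does not already have it (the same guard that belongs in profile.ps1), calling Set-QServiceConnection first as this appendix requires, and writing one CSV per host so successive runs can be compared. The server name QAMSRV01, the folder list and the output folder are hypothetical. It passes the folder list in the same array form as the examples above and assumes, as in Example 2, that Get-QManagedHosts returns objects with a ManagedHostId property. Remote hosts need a remote path list rather than local paths, so run it against hosts of one kind at a time.

```powershell
# Added example (not Quest code): export the explicit security of the
# same folders from every registered managed host, one CSV per host.
# Hypothetical values: server QAMSRV01, folders D:\Finance and D:\HR,
# output folder C:\QamExports. The ManagedHostId property name is taken
# from Example 2 in this appendix.
param(
    [string]$ServerName = 'QAMSRV01',
    [string[]]$Folders  = @('D:\Finance', 'D:\HR'),
    [string]$OutDir     = 'C:\QamExports'
)

# Load the snap-in only if this session does not already have it.
if (-not (Get-PSSnapin -Name Quest.AccessManager -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.AccessManager
}

# Every other Access Manager cmdlet requires this to have been called first.
Set-QServiceConnection -ServerName $ServerName -Port 8722

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$done = 0

foreach ($mh in Get-QManagedHosts) {
    $id = $mh.ManagedHostId
    try {
        # Without -ExcludeSubObjectDeviations the result also includes the
        # children whose ACL differs from the parent, which is where ad hoc
        # grants to individual accounts usually hide.
        $access = Get-QResourceAccess -ManagedHostId $id -ResourceType Folder -Resources $Folders

        # One file per host and run, so exports can be diffed over time.
        $csv = Join-Path $OutDir ("{0}_{1}.csv" -f $id, $stamp)
        $access | Export-QResourceAccess -OutputPath $csv
        Write-Host ("exported host {0} to {1}" -f $id, $csv)
        $done++
    } catch {
        # A host whose agent is offline, or that lacks these folders, must
        # not abort the run for the remaining hosts; record it and go on.
        Write-Warning ("host {0}: {1}" -f $id, $_.Exception.Message)
    }
}
Write-Host ("{0} host(s) exported to {1}" -f $done, $OutDir)
```

Keep the exported CSVs with the rest of your access-review evidence; a diff between two runs shows exactly which trustees were added to or removed from the folders in between.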
Get-QServiceAccounts
Returns a list of all the service accounts.
No Parameters
Get-QTrusteesForHost
Retrieves a list of the trustees with access on the specified Managed Host.
Parameters
ManagedHostId — ID of the Managed Host to retrieve trustees for
Syntax
Get-QTrusteesForHost [-ManagedHostId] <string>
Add-QManagedHostByAccountName
Creates a Managed Host entry for a computer specified by AD account name and
sets the options for the agent.
Parameters
• AccountName (Computer Account Name)
• DeploymentType (*) - Valid values: External, ManagementServerInstall. Default value: External
• Keyword (*) - Add a keyword string if needed for grouping managed hosts in the layout.
• ResourceActivityEnabled (*) - Flag; no value required
• Granularity (*) - Option for the Resource Activity Setting. Valid values: A number (read as minutes, for example, 1, 5, 60, and so on)
• ExcludedTrusteesImportFile (*) - Option for the Resource Activity Setting.
Valid value: Path to a trustee list import file
Valid file values: Comma-separated SID values
• ExcludedFileTypesImportFile (*) - Option for the Resource Activity Setting.
Valid value: Path to a file types import file
Valid file values: [file type name]:[semi-colon-delimited extension list][cr]
Example:
Database files: lck;ldb
Temp files: tmp;temp
• ExcludedFoldersImportFile (*) - Option for the Resource Activity Setting.
Valid value: Path to a folders import file
Valid file values: [%Folder name%][cr]
Example:
%SystemRoot%
%Program Files%
%c:\temp%
Syntax
Add-QManagedHostByAccountName [-AccountName] <string> [-Keyword] <string> [-ResourceActivityEnabled] [-Granularity] <integer> [-ExcludedTrusteesImportFile] <string> [-ExcludedFileTypesImportFile] <string> [-ExcludedFoldersImportFile] <string>
Parameters marked with an (*) are optional.
Add-QManagedHostByAccountSid
Creates a Managed Host entry for a computer specified by SID and sets the
options for the agent.
Parameters
• AccountSid (Computer Account SID)
• DeploymentType (*) - Valid values: External, ManagementServerInstall
  Default value: External
• Keyword (*) - Add a keyword string if needed for grouping managed hosts in the layout.
• ResourceActivityEnabled (*) - Flag; no value required
• Granularity (*) - Valid values: A number (read as minutes, for example, 1, 5, 60, and so on)
• ExcludedTrusteesImportFile (*) - Option for the Resource Activity Setting.
  Valid value: Path to a trustee list import file
  Valid file values: Comma-separated SID values
• ExcludedFileTypesImportFile (*) - Option for the Resource Activity Setting.
  Valid value: Path to a file types import file
  Valid file values: [file type name]:[semi-colon-delimited extension list][cr]
  Example:
  Database files: lck;ldb
  Temp files: tmp;temp
• ExcludedFoldersImportFile (*) - Option for the Resource Activity Setting.
  Valid value: Path to a folders import file
  Valid file values: [%Folder name%][cr]
  Example:
  %SystemRoot%
  %Program Files%
Syntax
Add-QManagedHostByAccountSid [-AccountName] <string> [-Keyword] <string> [-ResourceActivityEnabled] [-Granularity] <integer> [-ExcludedTrusteesImportFile] <string> [-ExcludedFileTypesImportFile] <string> [-ExcludedFoldersImportFile] <string>
Parameters marked with an (*) are optional.
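As an added example (not code from the Quest guide) serving both Add-QManagedHostByAccountName and Add-QManagedHostByAccountSid above, a script that writes the three exclusion import files in the documented formats and then registers a host with resource activity tracking enabled. The computer account name, keyword, staging folder and the choice of excluded SIDs, file types and folders are assumed values; the file encoding is not specified on the page and Set-Content's default is assumed to be acceptable.

```powershell
# Added example, not code from the Quest Access Manager guide.
# Assumed values: staging folder, computer account name, keyword and the exclusion lists.
$importDir = "C:\QAM\Imports"
New-Item -ItemType Directory -Path $importDir -Force | Out-Null

# Trustee exclusions: comma-separated SID values on one line.
# S-1-5-18, S-1-5-19 and S-1-5-20 are the well-known Local System, Local Service and
# Network Service SIDs, excluded here so that service noise stays out of activity data.
$trusteesFile = Join-Path $importDir "ExcludedTrustees.txt"
Set-Content -Path $trusteesFile -Value "S-1-5-18,S-1-5-19,S-1-5-20"

# File type exclusions: [file type name]:[semi-colon-delimited extension list] per line.
$fileTypesFile = Join-Path $importDir "ExcludedFileTypes.txt"
Set-Content -Path $fileTypesFile -Value @(
    "Database files: lck;ldb",
    "Temp files: tmp;temp"
)

# Folder exclusions: [%Folder name%] per line.
$foldersFile = Join-Path $importDir "ExcludedFolders.txt"
Set-Content -Path $foldersFile -Value @(
    "%SystemRoot%",
    "%Program Files%",
    "%c:\temp%"
)

# Register the host by AD computer account name. Parameters marked (*) on the page
# are optional and are passed by name here; Granularity is in minutes.
# To register by SID instead, call Add-QManagedHostByAccountSid with -AccountSid
# and the same exclusion files.
Add-QManagedHostByAccountName -AccountName "FILESRV01" `
    -Keyword "Finance" `
    -ResourceActivityEnabled `
    -Granularity 5 `
    -ExcludedTrusteesImportFile $trusteesFile `
    -ExcludedFileTypesImportFile $fileTypesFile `
    -ExcludedFoldersImportFile $foldersFile
```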
Add-QManagedDomain
Creates a new Managed Domain entry and links a service account to it.
Parameters
• DomainName
• ServiceAccountId
Syntax
Add-QManagedDomain [-DomainName] <string> [-ServiceAccountId] <string>
Add-QServiceAccount
Creates a new service account for use in group expansion and computer
management.
Parameters
• AccountDomain
• AccountName
• Password
• IsDefaultObjectResolution (*) - Valid values: true, false
  Default value: false
Syntax
Add-QServiceAccount [-AccountDomain] <string> [-AccountName] <string> [-Password] <string>
Parameters marked with an (*) are optional.
Get-QAccessibleHostsForTrustee
Returns a listing of the computers that a specified trustee has been found to
have access to by the security system. Access for each resource type is
displayed for each computer.
Parameters
• TrusteeSid
• Location (*) - Specify the domain DNS name or computer DNS name if the TrusteeSid is a BUILT-IN group or user.
Syntax
Get-QAccessibleHostsForTrustee [-TrusteeSid] <string> [-Location] <string>
Get-QTrusteeAccess
Performs a detailed access query for a particular trustee's access to a specific resource type on a Managed Host.
Parameters
• ManagedHostId
• TrusteeSid
• ResType - Valid values: Files, Folders, Shares, LocalOSRights, AdminRights
Syntax
Get-QTrusteeAccess [-ManagedHostId] <string> [-TrusteeSid] <string> [-ResType] <string>
Set-QAccountPassword
This cmdlet lets you change the password of a service account, including an option to resynchronize the new password with the appropriate agents.
Parameters
• AccountName - <String> - The domain\service account whose password you are changing.
• Password - <SecureString> - The new password you want to associate with the service account.
  Note: You must enter this at the user prompt in order for it to be encrypted. The cmdlet will fail if a non-encrypted password is passed as a string variable when the cmdlet is invoked. If you do invoke Set-QAccountPassword with a string of parameters, be sure to encrypt the password separately before passing the string.
• Resynchronize (*) - <Flag> - Use this flag to invoke a resynchronization of the applicable agents with the new service account password.
Note: Parameters marked with an (*) are optional.
Note: If you use the Get-Help function at the command prompt, you will see two empty parameters, WarningAction and WarningVariable. These are set by PowerShell itself. They are not needed to run this cmdlet.
Syntax
Set-QAccountPassword [-AccountName] <String> [-Password] <SecureString> [[-Resynchronize]] [-WarningAction <ActionPreference>] [-WarningVariable <String>] [<CommonParameters>]
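As an added example (not code from the Quest guide), the two ways to satisfy the SecureString requirement described above: an interactive prompt, and an unattended run that reads a password stored earlier in DPAPI-protected form so that no plain-text string is ever passed to the cmdlet. The account name, file location and the function name Update-QamServiceAccountPassword are assumptions; ConvertFrom-SecureString and ConvertTo-SecureString are standard PowerShell cmdlets.

```powershell
# Added example, not code from the Quest Access Manager guide.
# Assumed values: the service account name and the protected file location.

# One-time, interactive step: capture the new password as a SecureString and
# store it DPAPI-protected. ConvertFrom-SecureString without -Key binds the
# blob to the current user and machine, so only that identity can read it back.
$protectedFile = "C:\QAM\svc-qam.cred"   # restrict this file with NTFS permissions
Read-Host -Prompt "New password for CORP\svc-qam" -AsSecureString |
    ConvertFrom-SecureString | Set-Content -Path $protectedFile

function Update-QamServiceAccountPassword {
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,
        [string]$ProtectedPasswordFile
    )
    if ($ProtectedPasswordFile) {
        # Unattended run: rehydrate the SecureString. This throws if the file
        # was written by a different user or on a different machine.
        $secure = Get-Content -Path $ProtectedPasswordFile | ConvertTo-SecureString
    }
    else {
        # Interactive run: the prompt yields a SecureString directly, which is
        # the type Set-QAccountPassword requires (a plain string is rejected).
        $secure = Read-Host -Prompt "New password for $AccountName" -AsSecureString
    }
    # -Resynchronize pushes the new password to the agents that use this account.
    Set-QAccountPassword -AccountName $AccountName -Password $secure -Resynchronize

    if ($ProtectedPasswordFile) {
        # The protected copy is only needed until the rotation has been applied.
        Remove-Item -Path $ProtectedPasswordFile -Force
    }
}

# Unattended rotation, for example from a scheduled task running as the same user
# that created the protected file:
Update-QamServiceAccountPassword -AccountName "CORP\svc-qam" -ProtectedPasswordFile $protectedFile
```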
Glossary
This glossary contains definitions taken from Microsoft publications.
A
Access Control Entry (ACE)
An entry in an access-control list (ACL) that contains a set
of access rights and a security identifier (SID) that
identifies a trustee, such as a user or group, for whom the
rights are allowed, denied, or audited.
Access Control List (ACL)
A list of access-control entries (ACEs) that define the
security protections on an object. There are two kinds of
ACLs that can appear in an object's security descriptor: a
discretionary ACL (DACL) that controls access to the
object, and a system ACL (SACL) that controls auditing of
attempts to access the object.
Active Directory (AD)
The Windows directory service.
Administrative rights
The rights granted to a member of the Administrators
local group. This member can perform such actions as
creating user accounts, creating groups, and adding group
members.
Authentication
The process required to log on locally to a computer.
Authentication requires a valid user name and password
that exists in the local accounts database. An access token
is created if the information provided matches the account
in the database.
C
Child object
An object that is the immediate subordinate of another object in a hierarchy. A child object can have only one immediate superior or parent object.
Container object
An object that can logically contain other objects. For example, a folder is a container object.
D
Database
An information store for storing critical application information used by management servers. Access Manager requires these application databases to be set up on SQL Server 2005 or 2008 servers.
Distinguished Name (DN)
The fully qualified name of an object in a hierarchical
system. Distinguished names are used for all Active
Directory objects and in the Domain Name System (DNS).
No two objects in these systems should have the same
distinguished name.
Deployment
A conceptual installation of the system, which consists of a Management Server and databases.
Domain
In relation to a Microsoft network, a logical collection of resources consisting of computers, printers, computer accounts, user accounts, and other related objects. The domain also has a system of logon authentication of user accounts and computer accounts.
Domain Controller (DC)
A server that authenticates domain logon passwords and
maintains security policy and the security accounts master
database for a domain.
Domain Local Group
A domain local group can be used on access-control lists
(ACLs) only in its own domain. A domain local group can
contain as members the following: Accounts from any
domain, Global Groups from any domain, Universal Groups
from any domain, or Domain local groups (only from the
same domain as the parent local group).
Domain Name System (DNS)
A hierarchical naming system used for locating domain
names on the Internet and private TCP/IP networks.
F
Forest
One or more domain trees that do not form a contiguous
namespace, but share a common schema, configuration,
and global catalog.
G
global catalog
A global catalog is a domain controller that stores a copy
of all Active Directory objects in a forest. The global
catalog stores a full copy of all objects in the directory for
its host domain and a partial copy of all objects for all
other domains in the forest. The partial copies of all
domain objects included in the global catalog are those
most commonly used in user search operations. These
attributes are marked for inclusion in the global catalog as
part of their schema definition, which is extensible.
A global catalog is created automatically on the initial
domain controller in the forest. You can add global catalog
functionality to other domain controllers or change the
default location of the global catalog to another domain
controller. A global catalog is replicated only to other
domain controllers that have been designated as global
catalogs.
M
Management Server
All Access Manager clients and agents communicate with a
Management Server to provide information and
functionality.
Managed Domain
An Active Directory domain that is configured for use by
the Access Manager deployment. Managed Domains
contain Managed Hosts. Each Managed Domain is
associated with a service account, which Access Manager
uses to access and manage security on objects within the
domain.
Managed Host
Computer that is registered with Access Manager and can
have its resources queried and security managed.
O
Object
A Windows entity. Examples include users, groups, and
computers. Access rights to objects include create, read,
edit, and delete.
Organizational Unit (OU)
A container object used to organize the Active Directory
objects logically within a domain.
P
Parent Object
The object that is the immediate superior of another object in a hierarchy. A parent object can have multiple subordinate or child objects.
Permission
A rule associated with an object to regulate access to a particular object on the network. For example, a user may have read and write access to a file on the network.
Property
An attribute of a Windows network object. Examples include a user's password, groups to which a user belongs, and a group's description.
R
Registry
A hierarchical database in Windows operating systems that contains configuration information about applications, users, and devices.
Resource
A fundamental object that is operated on by Access Manager. It is any entity within the Enterprise that can be secured or managed. Common types of resource are files, folders, and shares.
Resources are always associated with a Managed Host. For instance, the Resource Host of a share would be the computer where that share resides.
Resource Security Editor
The Resource Security Editor allows for easy navigation
and management of shares, files, and folder permissions
by providing a consolidated security view that combines
features from the native simple and advanced views. You
can quickly view the complete security and easily modify
existing access, run Trustee Access and Trustee Group
Membership reports, and view a comprehensive group
membership display for all users and groups.
The editor is available from the Quest Access Manager
Client and through a convenient Windows Explorer
extension.
Resource View
The Resource View allows you to view the file system and shares on the selected host and modify their security. (You access this view by right-clicking a Managed Host in the Access Manager client treeview, and selecting Resource View.)
Root directory
The top-level directory on a computer, a partition, or volume.
S
SACL
See Access Control List (ACL).
SAM-Account-Name Attribute
The logon name used to support clients and servers
running older versions of the operating system, such as
Windows NT 4.0, Windows 95, Windows 98, and LAN
Manager. This attribute is a Unicode string and must be
less than 20 characters to support older clients.
Schema
In Windows, this describes the definition of the Active Directory database, including all classes of objects, their mandatory and optional attributes, and the data types used for storing.
Server
A computer on a network shared by multiple users.
Shares
Folders that can be accessed through the network from a computer.
Service accounts
Service accounts are registered credentials, used by Access Manager, to perform a number of network operations on the user's behalf. The credentials provided for each service account are stored in the Access Manager database in a secure encrypted format, and cannot be decrypted by anyone without the encryption key, which is stored on the Management Server.
Security Identifier (SID)
In Windows operating systems, the SID is a unique
alphanumeric character string that identifies each security
principal (domain, user, group, computer). SIDs are used
by the Windows operating system to represent these
objects in resource permissions and other applications
requiring reliable security authentication.
INDEX
A
about Quest 175
access
clone 96
edit security 94
group membership, investigate 133
investigate 131
investigating 133
manage 86
manage for user or group 89
manage network 89
managing resources 93
remove 96
replace 96
Access Manager
client 15
client overview 64
configuration 24
delegate access 27
key components and concepts 11
node 64
PowerShell Cmdlets 151
remove 83
removing, upgrading 83
Self-Service Request Client 44
Active Directory
integrate 41
integration permissions 29
service account 16
view group membership from 103
ActiveRoles Server
integration 42
Web Integration 42
activity
tracking 50, 54, 109, 110, 111
activity enabled
agents view 78
activity file size
agents view 78
activity files
agents view 78
add
agents 52, 81
cluster 40
domain 30
forest 30
host 30
local agent 30
Managed Domain 30, 31
Managed Host 30
remote agent 30
user access 128
users to machine local group 106
Add a Remote Agent to a Managed Host 38
add or remove
rights 98
adding
service account 62
Adding a Managed Host with a Local Agent 35
Adding a Managed Host with a Remote Agent 37
Adding a Trustee to a Null Security Descriptor (Null SD) or a Null Discretionary Access Control List (DACL) 97
adding columns 58
additional remote agent
adding host with 38
agent 13
add 52
add an additional remote agent 38
add remote 37
adding 81
adding local 34
automatic shutdown 39
data roots 14, 49, 55
events 55
export log 82
for NAS devices 34
lease expired 140
local properties 50
logs 136
properties 53, 54, 55
real-time file system scan settings 57
remote, properties 52
remove 52
resource activity tracking 50, 54
restarting 39, 52, 81
service account 17
update 40
agent deployment 35
agent host
agents view 77
agent host type
agents view 77
agent ID
agents view 78
agent properties 52
details 53
agent status
agents view 77
agent store size
agents view 77
agent uptime
agents view 78
agent version
agents view 77
agents view 77
aggregated activities
agents view 78
Applications node 71
assign
business ownership 99
automatic agent safety check 39
available reports 108
average activities / store
agents view 78
average changes (changes/flush)
agents view 78
B
background operations 82
Background Operations node 82
C
changes synchronized
agents view 78
changing
service account 62
cleanup
resources 130
client 15
Access Manager node 64
Access Manager, overview 64
Applications node 71
Background Operations node 82
Configuration node 65
Managed Domain node 68
Managed Hosts node 75
Quick Search node 71
Reports node 82
service account node 65
Users and Groups node 73
clone access 82, 96
clusters
adding 40
column chooser
managed hosts view 76
columns
adding 58
changing order 58
configuring 48, 56
filtering 59
sorting 59
computer access
investigating 133
Configuration node 65
Configuration Wizard
setup a new Management Server 25
configuring
Access Manager 24
business ownership 99
columns 48, 56
EMC Celerra 144
grouped managed hosts 60, 80
machine local access 103
reports 115
resource access 93
rights 98
user, group access 89
Configuring the Management Server 24
connect to server 27
contacting Quest 175
Contacting Quest Software 175
contacting Quest support 175
creating
machine local groups 105
reports 115
credentials
and service accounts 17
D
data roots 14, 55
configuring 49
data state
managed host view 76
database
deployment 16
default Service Account 17
delegate access 27
for machine local groups 104
deleting
machine local groups 105
deleting report templates 82
deployment 19
database 16
ignore domain 32
key 19
planning 23
security 27
setup a new Management Server 25
Deployment Security 21
deprovision a user 130
devices
NAS 34
domain
managed hosts view 76
domains
viewing external 32
E
edit
security 21
trustee properties 93
Edit Deployment Security 21
EMC Celerra 34
configuring 144
empty security descriptors 74
encryption
deployment key 19
events 55
exclusions
for resource activity 36, 51
executing reports 82
F
failed synchronizations
agents view 78
file system scan time
agents view 77
filers 34
filter information
in Managed Hosts node 80
filtering 59
Find and Secure a Share with No Access Control 97
forest 11
adding 31
removing 64
service account 16
forest DNS name
managed hosts view 76
FPolicies 34
G
group membership
comparison report 112
comparison report, steps 122
from Active Directory Users and Computers 103
information 101
investigate access 133
local, properties 51
manage access 89
query issues 61
report 111
report, steps 121
viewing 100
grouping
in Managed Hosts node 80
managed hosts with keywords 60
groups
investigate access 131
machine local 103
H
host DNS name
managed hosts view 76
host name
managed hosts view 76
I
ignore domain 32
indexing performance (items/sec)
agents view 77
integrate
Active Directory Users and
Computers 42
ActiveRoles Server 42
items scanned
agents view 77
items stored
agents view 77
K
key
deployment 19
keywords
agents view 79
for managed hosts 80
managed hosts view 76
using to group managed hosts 60
L
layout options 59
in Managed Hosts node 80
in Users and Groups node 74
LDAP
queries in Quick Search 71
lease expiry 140
licensing
a domain 41
Access Manager 22
local agent
adding host with 34
properties 50
local rights
local rights and service identities report 114
local rights and service identities report, steps 124
logs 136
agent, background operations 82
agent, exporting 137
teardown (uninstall) 84
M
machine local group 103
add users or groups 106
creating or deleting 105
manage access
add or remove rights 98
clone, replace, remove 96
edit security 94
network 89
Resource View 93
resources 86
trustee properties 93
user or group 89
Managed Domain 12
add 30
node 68
removing 64
service account 16
Managed Host 13
add 30
configuring and reporting 60
grouping 60
keywords for grouping 80
NAS devices 34
node 75
removing 64
managed host
agents view 77
managed host ID
managed hosts view 76
managed host status descriptions 48, 56
managed host type
managed hosts view 76, 79
Managed Hosts node
layouts, filtering, grouping, sorting 80
management method
managed hosts view 76
Management Server 15
connect to 27
setup in a new deployment 25
member of report
steps 122
members
comparison report 112
investigate group access 133
manage access 89
report 113
viewing group 100
most recent activity
managed hosts view 76
MS SQL Express
and resource activity tracking 36, 50
N
Network Attached Storage (NAS) 34
EMC Celerra 144
NetApp 34
null security descriptors 74
O
owned resources report 108
steps 116
ownership
business, assigning 99
business, report 108
business, revoking 100
P
perceived owners report 109
steps 117
PowerShell
add the Snap-in Automatically to New Sessions 151
available Cmdlets 151
registering Cmdlets 150
PowerShell Cmdlets 149
Set-QAccountPassword 160
properties
agent 54, 55
local agent 50
Managed Host 46
remote agent 52, 57
Service Account 63
trustee 93
provision a user 128
Q
Quest ActiveRoles Server
integration 42
queue flushes
agents view 79
Quick Search 88
and reporting 71
node 71
queries 71
quick search
class 72
columns available 72
description 72
distinguished name 72
location 72
managed 72
name 72
operating system 72
pre windows 2000 name 72
sid 72
type 72
R
real-time file system scanning 57
and agent updates 40
register PowerShell Cmdlets 150
registered forest 11
remote agent
adding host with 37
and EMC Celerra 144
and NAS devices 34
and NetApp 34
properties 51, 52, 57
real-time file scanning 57
remove
access 82, 96
Access Manager 83
agent 52
business ownership 100
forest 64
Managed Domain 64
Managed Host 64
rights 98
user access 130
renaming report templates 82
replace access 82, 96
reports 108
creating 115
for grouped managed hosts 60
from Quick Search node 71
from Security Editor 94
from Users and Groups node 73
group members 111
group members comparison 112
group members comparison, steps 122
group members, steps 121
local rights and service identities 114
local rights and service identities, steps 124
member of 113
member of comparison 112
member of, steps 122
owned resources 108
owned resources, steps 116
perceived owners 109
perceived owners, steps 117
perceived resource ownership 109
resource access 113
resource access, steps 123
resource activity 110, 114
resource activity, steps 120
scheduling 125
templates and saving 82
trustee access 110
trustee access, steps 119
trustee activity 111
trustee activity, steps 121
Reports node 82
resource
access report, steps 123
access, investigating 133
assigning business ownership 99
cleanup 130
revoking business ownership 100
view and manage access 86
resource access
report 113
resource activity 50
and MS SQL Express 36
and perceived owners report 109
and trustee activity report 111
exclusions 36, 51
report 110, 114
report, steps 120
setting for report 110
tracking 36, 54
tracking, configuring 50
Resource Security Editor 21
resources
managing 93
restarting
agents 39, 52, 81
revoke
business ownership 100
rights
Access Manager deployment 28
account usage 17
Active Directory 29
add and remove 98
after installation 23
delegating 27
native, and security editing 95
to machine local groups 104
run and schedule reports 125
S
saving reports 82
scheduling
real-time file system scans 57
reports 125
scheduling reports 82
searching 88
security
and native rights 95
delegating deployment 27
deprovision a user 130
editing 94
for machine local groups 104
of Service Accounts 18
provisioning a user 128
removing a user 130
reports from editor 94
resource editing 21
security changes
background operations 82
security descriptors
null or empty 74
Service Account 16
account usage 17
changing 62
default 17
for forests 16
for managed domains 16, 69
for managed hosts 17
node 65
properties 63
security 18
status 66
synchronizing 52, 81
using 67
service display name
agents view 79
service identities
investigating 132
services
connection points 23
sorting 59
in Managed Hosts node 80
in Users and Groups node 73
special trustee types 74
SQL Server
and resource activity tracking 36, 50, 55
configuring 23
deployment database 16
starts with
managed hosts view 76
status
Active Directory integration 70
agent updates 40
agents 55
domains 68
group resolution 69
local agent 50
managed domain 70
managed host 48, 56
managed hosts view 76
Service Account 66
successful synchronizations
agents view 79
synchronizing
service account 52
service accounts 81
T
templates
reports 82
third party licenses 176
time stamps
and resource activity 50
total file system operations
agents view 77
troubleshooting 135
trustee
access report 110
access report, steps 119
activity report 111
activity report, steps 121
assigning business ownership 99
properties 93
revoke business ownership 100
types 74
U
uninstalling 83
log 84
updating
agents 40
upgrading
Access Manager 83
usage stores synchronized
agents view 79
users
adding to machine local groups 106
as service identities 132
deprovision 130
investigate access 131
provisioning 128
Users and Computers integration 41
Users and Groups node 73
reporting from 73
V
viewing
access through ActiveRoles Server 43
external domains 32
FPolicies 34
group membership 100
layout options 59
machine local groups 103
membership from Active Directory 103
resource access 86
service account properties 63
About Quest Software
Quest Software simplifies and reduces the cost of managing IT for more than
100,000 customers worldwide. Our innovative solutions make solving the
toughest IT management problems easier, enabling customers to save time and
money across physical, virtual and cloud environments.
For more information about Quest go to www.quest.com.
Contacting Quest Software
Refer to our Web site for regional and international office information.
Email
info@quest.com
Mail
Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site
www.quest.com
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest
product or who have purchased a Quest product and have a valid maintenance
contract. Quest Support provides unlimited 24x7 access to SupportLink, our
self-service portal. Visit SupportLink at http://support.quest.com.
From SupportLink, you can do the following:
• Retrieve thousands of solutions from our online Knowledgebase
• Download the latest releases and service packs
• Create, update and review Support cases
View the Global Support Guide for a detailed explanation of support programs,
online services, contact information, policies and procedures. The guide is
available at: http://support.quest.com.
Third Party Contributions
Quest Access Manager contains some third party components (listed below).
Copies of their licenses may be found on our web site at
http://www.quest.com/legal/third-party-licenses.aspx
COMPONENT               LICENSE OR ACKNOWLEDGEMENT
Agent and Server        zlib 1.2.3
Agent                   Boost 1.34.1 (using most recent license - 1.0)
Agent/Server/Client     Windows Installer XML toolset (aka WIX) 3.0.5419
Server/Client           Microsoft Enterprise Library 3.1 (May 2007)
                        Contains software or other content adapted from Microsoft patterns & practices ObjectBuilder, © 2006 Microsoft Corporation. All rights reserved.