This is the Change Auditor for Active Directory video tutorial. In this session, you will learn how to create a protection template for an organizational unit in Active Directory.
In order to use this feature, you must own a valid Change Auditor for Active Directory license. To access the protection templates, open the Change Auditor client. Then, access the View menu from the uppermost toolbar. From the View menu, select Administration. This will open the Administration Tasks tab. Once it's open, in the lower portion of the left navigation pane, select Protection. Then in the upper portion of the left navigation pane, select Active Directory. Once Active Directory is bolded, you're ready to create your template.
So, in the right pane, click the Add button on the blue toolbar. This opens the Creation Wizard. Give your template a short, descriptive name that identifies its purpose. For my example here, I'm just going to use Test. Next, you want to find your OU. I'm going to select a top-level OU that's just under the domain structure. But if you need to find one at a sub-level, simply type the name or part of the name, and it will find it for you so that you can avoid manually navigating through your OU structure.
Once you've found it, select it and click the Add button. This adds your selection and allows you to manage the protection options for operations and scope. For OUs, Scope is particularly important. By default, the Scope that's selected is "this object only". If you leave the default, it's only going to protect the OU itself, none of the objects below it. If you want to protect more than just the OU, then select one of the other options. You have a choice of protecting the OU and its immediate objects, such as groups, users, and computers, or you can select to protect all of that plus the other OUs and their child objects underneath, in other words the entire structure of the organizational unit. For this example, I'm going to select the entire structure.
Then, you want to select the operations. By default, Create, Modify, and Delete are selected for you. This is configurable. Simply select the drop-down arrow next to it, and then deselect or select the options that you want to protect. In this example, I'm also going to select Move in addition to Create, Modify, and Delete. So I'm basically protecting this entire organizational unit structure from any type of change. Once you've selected these options, click Next.
This particular option doesn't apply to an organizational unit protection template. This is to select specific attributes of users, groups, or computers to protect. Since you don't have attributes on an organizational unit, you can skip past this one.
This is a particularly important part of the protection template creation wizard. It is asking who you want to allow to still manage the organizational unit and its structure after the template has been created. So let's say you're trying to create and protect the Finance OU, and maybe only the finance manager should be managing objects inside it. You would want to give them access here, so that you're not having to disable the protection template every time they need to do something in their organizational unit.
However, if you do want to have complete security here, leave this blank, because literally no one will have access, not even the CA admins. Then, when you do need to manage the organizational unit, disable the protection template temporarily, allow the person to make the changes, and then re-enable it. That does create some administrative overhead, of course, so if you prefer, you can select users and/or groups that have permissions to the object you're protecting. There are two ways that you can do it. You can say Allow; in other words, you're denying everyone except for who you specify here. Or you can say Deny, which means allow everyone except for who you are specifying in this part of the template. I'm going to leave it at Allow, and I prefer the Search tab feature for finding the groups and users I want to add to the template.
In this case, I'm going to choose the help desk group and add it. So, now, basically I'm saying no one, not even CA admins, is allowed to access this organizational unit, except the members of the help desk group. Now it's important to remember that you could create a security gap here. If you've got account operators, domain admins, or enterprise admins who have the ability to modify the membership of the group you're specifying, they could potentially modify that membership and get around the restriction by adding themselves or somebody else to the group. So, when you can, select individuals instead of groups, because then you shore up that security gap. But if you do need to specify a group, then also protect the help desk group, in this example, or whatever groups you're specifying, and then only add a couple of people who have access to those groups. That way, you eliminate the security gap.
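To check for the membership gap just described, here is an added PowerShell example (not from the tutorial and not part of Change Auditor) that lists every principal whose ACE lets it change the membership of the group you put in the Allow list. It assumes the ActiveDirectory module (RSAT) is installed and uses a constructed group name, "Help Desk".

```powershell
# Added example: audit who can change the membership of an allow-listed group.
# Assumes the ActiveDirectory module; "Help Desk" is a constructed sample group name.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute: WriteProperty on it allows adding/removing members.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
# An empty ObjectType GUID on a WriteProperty ACE means "all attributes".
$allAttrsGuid   = [Guid]'00000000-0000-0000-0000-000000000000'
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                # Rights that imply full control of the group object or its ACL.
                $_.ActiveDirectoryRights.HasFlag($R::GenericAll)  -or
                $_.ActiveDirectoryRights.HasFlag($R::GenericWrite) -or
                $_.ActiveDirectoryRights.HasFlag($R::WriteDacl)    -or
                $_.ActiveDirectoryRights.HasFlag($R::WriteOwner)   -or
                # WriteProperty on every attribute, or specifically on 'member'.
                ($_.ActiveDirectoryRights.HasFlag($R::WriteProperty) -and
                 ($_.ObjectType -eq $allAttrsGuid -or $_.ObjectType -eq $memberAttrGuid))
            )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Compare this list with the few people you intend; any other principal (including
# nested members of listed groups) could widen the template's Allow list.
Get-GroupMembershipWriters -GroupName 'Help Desk' | Format-Table -AutoSize
```

Inherited ACEs are included on purpose, since a delegation granted at the OU or domain level reaches the group just as a direct ACE does.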
Once you've selected the correct users and groups, it's going to ask you who's now allowed to manage this protection template. If you specify no one here, by default anyone who's in the CA admins group, which is an Active Directory group, will have access to Disable, Edit, Delete, or Re-enable this particular template. So, again, be careful how you're assigning access here because you could create a security gap.
In this example, I'm going to select a single person, who is one of my main CA admins in my environment, to be the only account that has access to manage this particular template. When you select someone, it overrides the default behavior of all CA admins. So even if I