Change Management for Active Directory
Just about everyone wants to be able to take a look at the changes that occur to important objects that reside in Active Directory to ensure that the security of the objects is kept intact. From a user account and the associated properties, to a group and the members of the group, to a Group Policy Object (GPO) and the settings contained within the GPO… change management is key for Active Directory. I will give Microsoft a pat on the back for the changes that they have made over the past iterations of the server operating systems that handle the domain controller roll. The concept of tombstoning objects, the recycle bin, and the ability to bring a deleted object back from the dead is a long time coming technology that all Active Directory environments have wanted. Even with these radical and innovative technologies, there are still some items missing in your change management of Active Directory. In this article we will cover what is there by default, as well as what you might want to keep an eye for in other products that can make your change management of Active Directory a complete solution.
Ability to Restore a Deleted Object
As a seasoned Active Directory administrator, I know that it is not that difficult to delete a single object from Active Directory. The deletion can be “on purpose” or “by accident”. Regardless, deleting a user, group, or even a GPO is very easy to do.
The issue is when you want to bring that object back from the dead. Historically this is not an easy task. To be honest, the task to bring an object back from being deleted from a Windows 2000 domain is rather painful. If you have not used the NTDSUTIL in your Active Directory administrative life, feel lucky! This is a command line tool that can only be run in a specific state of the domain controller. It is not easy to use, not intuitive, nor all that easy to know what you are doing.
Microsoft has made great strides and now with the latest Active Directory domains you have a Recycle Bin, which allows for much easier restoration of deleted objects (compared to NTDSUTIL). The Recycle Bin now keeps the object “alive” for some time so that it can be brought back into the production environment with just some simple key strokes.
I guess the issues that I have with this technology that is built in is first of all the fact that the Recycle Bin is not enabled by default. Nope! Not even on a Windows Server 2012 domain. After you enable it, you can’t disable it! Finally, restoring objects is not a click, rather it is a command you must run.
Obtaining a tool that extends this feature to a GUI and click is something you should really look for!
Restoring a Changed Object
There are really two different tasks you can perform on an existing object. You can delete it, which is covered in the previous section. You can also just change a property (attribute) of the account (object). For example, let’s say that the administrator is given a task to change the Department attribute of 50 users that are located in Active Directory. In order to make the change more efficient, the administrator uses the search option in the Active Directory Users and Computers (ADUC) tool and selects all of the user accounts that the search feature finds. Then, with just a quick keystroke changes the Department for all of these users to HR. Right after the change, the administrator realizes that the search selected 150 users, not just the 50 anticipated! How can the administrator recover from these errant changes?
Unfortunately, the Recycle Bin discussed in the previous section is of no use. The reason is that the Recycle Bin only records deleted objects, not changed objects.
If the administrator was tracking changes to Active Directory via the built-in auditing, the log would show that some objects were changed, but the task of finding which ones would be tedious. Not to mention the fact that the audit trail is ONLY on the domain controller which committed the changes.
This is a very difficult concept and one that most organizations don’t consider. Tools such as PowerBroker Auditor by BeyondTrust are the only tools that allow for this type of recovery.
Managing Active Directory Changes
Both of our previous sections deal with the idea that something was altered with the Active Directory object. A deletion or a change are both equally valid and reasonable for an object in Active Directory. Now, how about managing these changes such that you want to find out who made the change, what detail was changed, and you want to run a report on all changes in the past week.
I know… I am really asking for a lot here! However, I am not asking for anything that ANY company that runs Active Directory would not want! I, like you, want to know when any change to any object within Active Directory changes. I want to know who made the change, when the change was made, what change was made (new setting and old setting), and why the change was made. Ok, I will be honest, the last “why” is a bit greedy! However, the first few are not.
Ideally, I want to be able to run any report asking about specific objects, the past week of changes, changes to groups, changes to users, etc. I expect to get the results such that I can see exactly what has been changed including all of the required details. This is not asking for much!
Unfortunately, nothing that comes with Microsoft Server, Active Directory, RSAT, Resource Kit, etc has this ability. Nothing!
However, this is something that is easily obtained by a third party vendor. PowerBroker Auditor by BeyondTrust does this with ease. Not only do you get these amazing reports (that you can 100% customize), but you have the rollback of deleted or changed object directly tied to the reported objects and changed attributes. What could be better?
Well, what could be better is the ability to also have the option to use ADUC to look at the history of an object and rollback to any change. Well, that is possible too!
I might be a dreamer when it comes to change management of Active Directory changes, but I don’t think so. There is nothing in this article that every one of you reading it does not want. I am sure that you don’t have it… unless you have the right tools in place. The Recycle Bin by Microsoft is awesome. However, it lacks some key capabilities that every Active Directory domain needs. I need to be able to rollback a changed object. That is simple! I also need to be able to view what has changed in an object, a type of object, or objects in a timeframe to know where my Active Directory changes are coming from. Without these reporting capabilities, I am left with the event logs that shotgun the logs across all domain controllers and I must manually try and track down changes. That is no way to efficiently manage Active Directory! Oh, don’t forget the ability to tie all of these together so that the change management is easy, fast, and efficient!