Needs for auditing and recovery in Active Directory

Let's take a look at the core requirements necessary in a comprehensive AD auditing and recovery solution.
- Tracking of changes: The AD admin needs to have the ability to check manually, as well as be notified immediately, when a change occurs to any aspect of AD.
- Entitlement reporting: The AD admin must know who has access to which resources to identify potential exposures of sensitive information and intellectual property.
- Granularity of objects rolled back: The AD admin must know exactly what was modified or deleted in order to recover from the issue quickly.
Native options

Microsoft has made tremendous headway in providing auditing for AD changes and the ability to bring an object back once it has been deleted. Although Microsoft provides both of these capabilities separately, neither one is a complete solution for the administrator who needs to manage AD.
- Auditing via Event Viewer logs: Auditing controls create entries in the Security log within Event Viewer whenever a change matches an enabled audit setting, but limiting factors include the decentralized storage of the Security logs across multiple domain controllers, the lack of information within a log entry about the old setting, and the inability to recover the object or configuration from the audit log.
- Recovery via System State: A System State backup must back up the entire System State, including all of its other components (Registry, COM+, etc.) and all of the AD objects that have not changed. For large organizations, this wholesale backup can take a long time, not to mention filling up terabytes of space. With such a large backup to work with, finding what you are looking for and restoring just what you need can be a complicated task, especially if you are relying squarely on the auditing to indicate what was changed and when it was changed.
- Recovery via Recycle Bin: The technology does give the administrator the ability to restore one or more deleted objects, along with all of their properties. Unfortunately, there are limitations with the Active Directory Recycle Bin, including a time limit on how long an object remains restorable, no auditing of the restore activity, and no recovery from changed (as opposed to deleted) properties.
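As an added example (not from the article), the PowerShell below shows what working with these native options looks like in practice: it pulls directory-change events from several domain controllers, pairs the "value deleted" and "value added" records that a single-valued attribute change produces so the old and new value can be seen together, and then checks how long the Recycle Bin keeps deleted objects restorable. The DC names, domain and object name are placeholders, and the event IDs and field names are those of the standard Windows Security log.

```powershell
# Added example; DC names and the object name below are placeholders.
Import-Module ActiveDirectory

$dcs   = @('DC01', 'DC02')          # placeholder: your domain controllers
$since = (Get-Date).AddHours(-24)

# Security logs live on each DC separately, so every DC must be queried.
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            DC            = $dc
            Time          = $_.TimeCreated
            Actor         = $d.SubjectUserName
            ObjectDN      = $d.ObjectDN
            Attribute     = $d.AttributeLDAPDisplayName
            Value         = $d.AttributeValue
            # OperationType %%14675 = Value Deleted, %%14674 = Value Added
            Op            = $(if ($d.OperationType -eq '%%14675') { 'Deleted' } else { 'Added' })
            CorrelationId = $d.OpCorrelationID
        }
    }
}

# One attribute change yields two 5136 events sharing an OpCorrelationID;
# pairing them recovers the old value that no single log entry states.
$events | Group-Object CorrelationId, Attribute | ForEach-Object {
    [pscustomobject]@{
        Actor    = $_.Group[0].Actor
        ObjectDN = $_.Group[0].ObjectDN
        Attr     = $_.Group[0].Attribute
        OldValue = ($_.Group | Where-Object Op -eq 'Deleted').Value
        NewValue = ($_.Group | Where-Object Op -eq 'Added').Value
    }
} | Format-Table -AutoSize

# Recycle Bin: confirm it is enabled and read the deleted-object lifetime
# (null means the default, which falls back to the tombstone lifetime).
$cfg = (Get-ADRootDSE).configurationNamingContext
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
(Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'

# Restore a deleted object (placeholder name) with its retained properties.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "jdoe*"' `
    -IncludeDeletedObjects | Restore-ADObject -WhatIf
```

Remove -WhatIf to perform the restore; note that only deleted objects are candidates, so a changed attribute still has to be corrected from the paired values above or from a backup.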