Review Accounts with AD Bridge Entitlement Reporting
Entitlement reporting can provide a detailed analysis of accounts. You can use it to help review how group memberships impact access for users. You can also use entitlement reports as part of your regulatory compliance efforts.
The AD Bridge agent includes a User Monitor service that logs entitlement changes detected from local accounts and groups on each end-point computer, as well as Active Directory (AD) changes that could affect account access and roles on computers.
All detected changes in entitlement are recorded in the Event Log subsystem for each AD Bridge agent. Using event forwarding, this data can be sent to an AD Bridge audit collector computer that can provide reporting across a centralized, enterprise-wide database.
The User Monitor only reports the AD groups of which at least one of the reported AD users is a member.
Schemaless mode is deprecated.
The following entitlement reports are a sample of the many reports available. View the full list under All Reports, in the BeyondTrust Management Console.
Access Privileges by User
This entitlement report, organized by user name, shows which users can log into which computers and how that list has changed over time. The state of access privileges at the start date and end date are compared. Intermediate changes are not shown, so if a new user is added then deleted in the middle of the reporting time span, no change is shown in the report.
The status date field indicates the date of the last change to the user during the report time span. If a user was added and later the user's UID was changed, the date of the UID change is shown in the report.
When all of the fields in multiple rows match except for Computer Name and Status Date, those rows are collapsed so that one row is shown with a space separated list of the computers to which it applies.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk (*).
Access Privileges by Computer
This entitlement report, organized by computer name, shows which users can log into which computers and how that list has changed over time. The state of access privileges at the start date and end date are compared. Intermediate changes are not shown, so if a new user is added then deleted in the middle of the reporting time span, no change is shown in the report.
The status date field indicates the date of the last change to the user during the report time span. If a user was added and later the user's UID was changed, the date of the UID change is shown in the report.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk (*).
Access Privilege Changes
This entitlement report shows changes to user privileges by date. Every change is shown, including changes that are later undone. This report does not provide a list of all users who can log into the computers, only those users for which there have been changes.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk (*).
Access Privilege Daily Changes
This entitlement report shows changes to user privileges on a daily basis. Every change is shown, including changes that are later undone. This report does not provide a list of all users who can log into the computers, only those users for which there have been changes.
This report provides the same information as the Access Privilege Changes by User report, but with simplified search criteria.
When the User Display Name, UID, or Account Type is changed, the new value is shown followed by an asterisk (*) .
Account Attribute Inconsistencies
This entitlement report shows conflicts between UID, username, and GECOS.
