This is Dan Conrad from One Identity and today I'm going to show you three solutions working together to make Active Directory more secure. I'm going to talk about One Identity Active Roles, Quest Change Auditor for Active Directory, and One Identity Safeguard.
I'm going to show you how Active Roles works with Change Auditor so that you can make changes to Active Directory and audit those changes, and the difference compared to doing it with native tools. Then I'm going to show Active Roles working with Safeguard for just-in-time provisioning, which will also be audited by Change Auditor. And then Active Roles working with Safeguard, with all of that enforced by Change Auditor for Active Directory through protection templates.
So, let's start off by looking at Active Directory Users and Computers compared to the Active Roles console. I have them both opened to the same OU, looking at the same set of user objects. So, let's go through and make a change to, say, Allen's account here in Active Directory using Active Directory Users and Computers.
I'm logged in with a domain admin account so I can override permissions, just to show you what this would look like. So, I'll go through and do something like disable the account, and then I'll just re-enable it. So, I've made a couple of changes right there, and then I'll do the same thing in Active Roles: disable it and then re-enable the account.
And then I have Change Auditor running here as well. I have a search going that's showing me everything that happened in the last five minutes. Give it a second to pick up the change. So, now we have two different actions. You can see right here the user is ADM Dan, which is my account, and in this case this is where I made the change using Active Directory Users and Computers. You can see at the bottom the "who" field is populated and the source is Change Auditor.
If I look at the change that was made through Active Roles, it will look like this. So, you see SVC.ar is my Active Roles service account, because Active Roles proxies all changes to Active Directory. But then the source has my ADM Dan account on it. So, a little bit different.
What I can do in the tools is come through and, based on the protection policies that I have, do something like try to add Allen to the Domain Admins group. So, I'll go through and do that. And I have the Domain Admins group protected with Change Auditor.
So, if I go through and do that and then hit apply, I'm going to get a note that I don't have permissions to do that. Now, I am a domain admin, so in Active Directory it looks like I do have permissions to do that. Change Auditor has actually blocked that for me. But if I go through Active Roles to do it, I can fire off a workflow to do that if I wanted to, or set it up for approval. But the Active Roles service account is the one account that has permissions to do this. So, if I go through Active Roles and try to add this person to the Domain Admins group, it should work just fine. When I hit apply, it works just fine.
So, let's go look at Change Auditor and see what Change Auditor's showing us now. Let me refresh real quick. So, you can see right here that an attempt was made to add a member to the critical enterprise group and the result was "protected". This is where the ADM Dan account, which is a domain admin, tried to add somebody to the Domain Admins group as a direct member, and Change Auditor blocked that through a protection template. And then you can see where it was actually successful here, because Active Roles did it for me. That's Change Auditor and Active Roles working together. Now, let's take a brief pause here. I'm going to let this environment refresh so that this screen is clear, and then I'll show you the next step.
Now, I'm going to show you Active Roles and Safeguard working together in what's known as just-in-time provisioning. So, I'm going to log in to Safeguard right here and I'm going to check out one of these temporary domain admin accounts. As you can see by the big red X, they're disabled and they're not members of any group other than Domain Users.
So, what's going to happen is, when I check that out, it's going to populate the group membership for me. I'll pick from the 1qw domain, select the account, and I'll take temp dom admin 1. This could be a session or this could be a password; in this case, I'm just going to take a password. So, now the account says "pending account restored", and now it's available. So, Safeguard reached in and enabled the account, and then it told Active Roles to populate the group membership for me. So now it's in this temp dom admins group.
So, now I can go do my work, whatever I'm going to do with this account. If I needed the password, I can go grab the password and put it on my clipboard, or whatever I was going to do with that account, whether it's a password or a session. And then when I'm done, I'll simply check it back in. And that reverses the process: it pulls the group membership and it disables the account, so the account is pretty much useless. And it also cycled the password. So let's just give that a second for Change Auditor to catch those changes.
So, we can see all of this information happened as a result of those actions. You can see the account was enabled right here by my Safeguard account, and then it was added to a group. That was done by Active Roles; you can see the service account for Active Roles. And then that's nested in a critical enterprise group, which is nested in the Domain Admins group. And then we get up to about here and we can see where it's undoing all of those actions and removing the group. Let me refresh one more time.
So you see the password was changed when it was checked back in by a non-owner, which was the Safeguard service account, and then the account was actually disabled by Safeguard. That's Active Roles and Safeguard working together, and it's being monitored by Change Auditor. So, if you knew that you needed to be in one of those privileged groups to do something, like this Domain Admins group or this temp domain admins group, you could try to do that with native tools, for instance.
So, if I wanted to go add somebody to this group using Active Directory Users and Computers, I can just open the group like this and go add somebody. Now, this is going to be stopped two different ways, and I'll show you.
So let's just take anybody that starts with A here. We'll take this account right here, Alexi, and we'll try to add him into the group, and then we'll hit apply. So, what happened right here is Change Auditor blocked that change because the group is protected: the member attribute of SG temp dom admins is protected by Change Auditor. Additionally, if that protection weren't there, that is a dynamic group created by Active Roles, and Active Roles would simply flip it back had it been bypassed. So, that's Active Roles and Safeguard working together with Change Auditor, both auditing and enforcing what we do in the background.
So, let me wrap up and recap what we just saw. I walked through Active Roles working with Change Auditor for AD, and then I showed Active Roles working with Safeguard for just-in-time provisioning, which was audited by Change Auditor for Active Directory. And as part of that, I showed Active Roles working with Safeguard and all of that being enforced by Change Auditor for Active Directory through protection templates. I'm going to give you a couple of links here and we'll wrap up: the Active Roles link, the Safeguard link, and the Change Auditor for Active Directory link.
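As an added example (editor's code, not One Identity's and not from the demo): the check-out / check-in sequence the demo attributes to Safeguard and Active Roles, done with the native ActiveDirectory PowerShell module, plus a transitive-membership check (the demo's group is nested two levels under Domain Admins, so a direct-member check would miss it) and a pull of the Security-log events a native audit would show. The account and group names (temp-dom-admin-1, SG-temp-dom-admins) and the five-minute window are assumptions; the event-log function has to run on the domain controller that processed the change (or against a collector), and the actor in the log will be whoever runs these cmdlets rather than a product service account.

```powershell
# Added example, not product code. Requires RSAT / the ActiveDirectory module
# and write rights on the target user and group. Names below are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 bytes from the platform CSPRNG, base64-encoded, returned as a SecureString.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

function Test-TransitiveMember {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Group)
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) resolves nested
    # membership server-side, so this answers "is $User effectively in $Group"
    # even via SG-temp-dom-admins -> critical enterprise group -> Domain Admins.
    $userDn  = (Get-ADUser  -Identity $User).DistinguishedName
    $groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
    $hit = Get-ADUser -SearchBase $userDn -SearchScope Base `
                      -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)"
    return [bool]$hit
}

function Invoke-JitCheckOut {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Group)
    # Mirrors the demo: enable the parked account, then grant it the group.
    Enable-ADAccount  -Identity $User
    Add-ADGroupMember -Identity $Group -Members $User
    Write-Host ("{0} checked out; transitive Domain Admin: {1}" -f $User,
        (Test-TransitiveMember -User $User -Group 'Domain Admins'))
}

function Invoke-JitCheckIn {
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Group)
    # Reverse the process: pull the membership, rotate the secret, disable.
    Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false
    Set-ADAccountPassword -Identity $User -Reset -NewPassword (New-RandomPassword)
    Disable-ADAccount -Identity $User
    Write-Host ("{0} checked in; transitive Domain Admin: {1}" -f $User,
        (Test-TransitiveMember -User $User -Group 'Domain Admins'))
}

function Get-JitAuditTrail {
    param([Parameter(Mandatory)][string]$User, [int]$Minutes = 5)
    # Native equivalent of the demo's "last five minutes" Change Auditor search.
    # 4722 enabled, 4725 disabled, 4724 password reset by another principal,
    # 4728/4729 global group member added/removed, 4756/4757 universal group.
    $ids = 4722, 4725, 4724, 4728, 4729, 4756, 4757
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids;
                                     StartTime = (Get-Date).AddMinutes(-$Minutes) } |
        Where-Object { $_.Message -match [regex]::Escape($User) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Actor';  e = { $_.Properties[5].Value } },
            @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

# Usage (run as an account allowed to change the objects, on or against a DC):
# Invoke-JitCheckOut -User 'temp-dom-admin-1' -Group 'SG-temp-dom-admins'
# ... do the privileged work ...
# Invoke-JitCheckIn  -User 'temp-dom-admin-1' -Group 'SG-temp-dom-admins'
# Get-JitAuditTrail  -User 'temp-dom-admin-1' | Format-Table -AutoSize
```

Two practical caveats the demo implies but does not spell out: nothing in this native version stops a domain admin from adding a direct member to SG-temp-dom-admins (that is what the protection template in the demo does), and the `Properties[5]` subject-name index above is correct for the listed event IDs on current Windows Server builds but should be checked against your own log if you adapt the list.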