Quest® InTrust Plug-in for Active Directory
Version 3.2
Release Notes
September 29, 2008
Welcome to InTrust Plug-in for Active Directory
InTrust Plug-in for Active Directory helps track changes to vital Active Directory, Group Policy and ADAM objects, and prevent unwanted changes.
Resolved Issues and Enhancements
New features in InTrust Plug-in for Active Directory 3.2:
Known Issues
The following is a list of issues known to exist at the time of the InTrust Plug-in for Active Directory 3.2 release.
| Feature | Known Issue | Change Request |
|---|---|---|
| General | The object restore functionality of Quest Recovery Manager for Active Directory recovers deleted objects to their original OU location in AD regardless of the protection rules configured for that OU. | CR0150390 |
| | If you upgrade the InTrust Plug-in for Active Directory Service from version 2.7 to version 3.2 with the Preserve old audit filters option turned on, and then install the InTrust Plug-in for ADAM Service on the same domain controller, you may lose your old Active Directory auditing filter settings. | CR44016 |
| | When the InTrust for AD log or InTrust for ADAM log is cleared, the user account that performed this action is not written to the log. | CR41580 |
| | The list of accounts excluded from protection cannot be changed correctly through pre-3.0 versions of the API. | CR40726 |
| | In some situations, Windows adds DNS records under the local SYSTEM account. If the logging level of the InTrust Plug-in for Active Directory Service is at the default value, such events are not logged. For more information about logging levels, see Appendix B in the InTrust Plug-in for Active Directory User Guide. | CR0187367 |
| | When you use the Group Policy Object Editor snap-in on Windows XP to change administrative templates on a Windows 2000 domain controller, events may be produced in an incorrect format. This happens because administrative templates introduced in Windows XP are not recognized by Windows 2000. | CR20017 |
| Active Directory | If you set a protected group as the primary group for a user, the user's properties show two instances of this group on the Member Of tab, and the group's properties list the user twice on the Members tab. If you then try to set a different group as primary for the user, protection prevents this. | CR0153904 |
| | AD objects protected from WRITE only can still be renamed by a script or application that performs a 'Move and rename' operation on the object. The only way to also protect objects from being renamed in this way is to enable the Protect from Move option. | CR0140457 |
| | MS Exchange RUS cannot process AD users protected with InTrust Plug-in for Active Directory, and may fail to process other users after a failure on a protected account. Do not enable InTrust Plug-in for Active Directory protection for a newly created mail-enabled user or a user to whom you have just added an Exchange mailbox; make sure RUS has processed such an account before you protect it. Disable protection for all mailbox-enabled accounts before you change Exchange policies or take any other action that causes RUS to automatically re-process AD accounts. | CR0108145 |
| | Before a mailbox-enabled Active Directory user first logs on to their mailbox, changes to permissions on that mailbox are performed under the user account that initiates the change. After the first mailbox logon, they are performed under the computer or SYSTEM account. Therefore, the initiators of permission changes on existing mailboxes cannot be tracked reliably. | CR0194737 |
| | If an account that is excluded from protection makes a user, contact or group mail-enabled, some attributes of that object (such as textEncodedORAddress, mail, msExchPoliciesIncluded, proxyAddresses, and showInAddressBook) are not set. These attributes are set by Exchange Server, not by the account that makes the change. | CR20153 |
| | Events about successful mailbox rights modifications may not be produced in the following situation: | CR21757 |
| | On the first logon to a mailbox, changes to inherited permissions are not audited. Subsequent changes to mailbox permissions are captured correctly. This behavior is due to the way Exchange works with Active Directory. | CR24158 |
| Group Policy Objects | If a protected Group Policy object has settings in the Software Settings \| Software Installation folder, protection works only partially: these settings cannot be changed, but they can be removed. | CR54783 |
| | Changes to Group Policy settings for administrative templates cannot be audited if the computer is running a Windows Server 2008 Server Core installation. | CR50318 |
| | The following Group Policy computer and user settings are audited as Active Directory objects: Public Key properties, Wireless network, IP Security. | CR0103906 |
| | If you protect a Group Policy object immediately after creation, attempts to modify the object are not audited. | CR38624 |
| | When you use the Group Policy Object Editor snap-in on Windows XP or Windows Server 2003 to change Group Policy settings on a Windows 2000 domain controller that are not supported by Windows 2000, the names of the unsupported settings are not audited correctly. | CR44379 |
| | If you add a group to a Group Policy object's list of accounts excluded from protection, this does not affect the members of the group: their change activity is still prevented. On 64-bit domain controllers, auditing of such users' change activity does not work. | CR38807 |
| | If you change the location of a domain controller's SYSVOL share, and then an attempt is made to modify a Group Policy template directly (for example, by editing the corresponding file on the SYSVOL share), the change is not controlled by the protection rules. To keep protection working, disable it before the SYSVOL relocation, enable it again afterwards, and then restart the InTrust Plug-in for Active Directory Service. For details, see Microsoft KB article 842162. | CR0163185, CR0185562 |
| | If you change the location of a domain controller's SYSVOL share, and then a regular attempt is made to change a protected Group Policy object (for example, using the Group Policy Object Editor snap-in), the Group Policy templates for that object are removed. To avoid this problem, disable protection for Group Policy objects before moving SYSVOL and enable it again after the move is complete. | CR0162721 |
| | The InTrust for AD log may contain incorrect information about Group Policy object changes that involve the following groups of settings: | CR0164532, CR0196425, CR0180736, CR0180735, CR40530, CR50644, CR50811 |
| | If changes to Group Policy objects fail because the initiator account does not have the required privileges, no events are logged for these failed attempts. | CR0184363, CR0194126, CR37652 |
| | GPO protection can behave non-intuitively. For example, protecting objects from attribute changes may in fact prevent creation of objects. | CR0191785 |
| | When the permissions are changed for the first time on a newly created GPO, extra events are logged in addition to the actual permission change event. | CR0184396 |
| | Putting an encrypted file in a GPO-containing folder on the SYSVOL share may cause InTrust Plug-in for Active Directory protection to stop working for the related GPO. Protection of other objects is not affected by this. | CR20011 |
| | If a protected file on the SYSVOL share uses NTFS compression and an attempt is made to delete the file, the file is restored uncompressed. | CR30251 |
| | If the connection between the InTrust Plug-in for Active Directory and the GPO backup location is temporarily lost and then restored, changes to GPOs made while there was no connection bypass backup. To back up those changes, restart the InTrust Plug-in for Active Directory Service as soon as the connection is restored. | CR29569 |
| InTrust Plug-in for Active Directory Service | On DCs that run McAfee VirusScan Enterprise antivirus software, the InTrust Plug-in for Active Directory Service may sometimes fail to start correctly. | CR0145700 |
| | On 64-bit domain controllers, when the service starts, events about the SYSTEM account enabling and disabling object protection are written to the InTrust for AD log. | CR42899 |
| | The format of some InTrust for AD log events changed between versions 2.7 and 3.2. As a result, after an upgrade to version 3.2, data may be missing from the descriptions of events logged by previous versions of the service. | CR43161, CR39299 |
| | After an upgrade of the InTrust Plug-in for Active Directory Service, auditing filter settings for the ntSecurityDescriptor attribute may differ from the original registry-based settings. | CR42578 |
| | If you try to change the User cannot change password option for a user account while using an account with insufficient privileges, or if the account you are trying to change is protected, the change attempt is prevented but not written to the InTrust for AD log. | CR44594 |
| | On 32-bit domain controllers, the New Value field in InTrust for AD log events about changes to the userCertificate attribute may contain incorrect information. | CR30221 |
| | On 64-bit domain controllers, the Old Value field in InTrust for AD log events about changes to the userCertificate attribute contains incorrect information. | CR31782 |
| | On 64-bit domain controllers, if you try to create an object that is identical to an existing object, the operation is not allowed, but the InTrust Plug-in for Active Directory Service logs success events. | CR41754 |
| | On 64-bit domain controllers, modifications of the Process List setting for features in the Administrative Templates \| Windows Components \| Internet Explorer \| Security Features group are audited incorrectly. | CR20671 |
| | If there is an abnormally large number of Active Directory object modification requests, the domain controller may become unstable. This happens if the maximum size of the InTrust for Active Directory log is set to around 200 MB or more. See Microsoft KB article 329095 for details and a suggested resolution. | CR0184690 |
| | If changes to specific user attributes fail because the initiator account does not have the required privileges, no events are logged for these failed attempts. | CR0180214, CR0180257, CR0180294, CR0180923 |
| | If you change the password of a user account from an Active Directory Users and Computers snap-in running on a member server, the initiator of the change appears in the InTrust for Active Directory event log as "NT AUTHORITY\ANONYMOUS LOGON". | CR0181135, CR0187367 |
| | If you add accounts from a child domain to the list of excluded accounts, an "invalid excluded object" error is written to the log, and the accounts cannot be processed. | CR0182861, CR30213 |
| | Accounts are not excluded from protection immediately after you add them to the excluded account list. Restart the InTrust Plug-in for Active Directory Service to make sure the list change takes effect. | CR0183486 |
| | If built-in accounts are removed from or added to a group, the names of these accounts may not be resolved successfully, and their GUIDs may appear in the corresponding events instead. | CR0192784, CR30264 |
| | When you use a root domain account to change protection settings for objects in a child domain, or a child domain account to change protection settings for objects in the root domain, these changes are not audited. | CR0183302, CR0182861 |
| | In ACE addition events, information about the trustee type can be incorrect. | CR0154132, CR0180275, CR0180244 |
| | On Windows 2000, changing the properties of protected Active Directory or Group Policy objects through MMC does not appear to be prevented in some cases. However, the prohibited changes are not actually applied when you close the property sheet or click Apply. | CR20048, CR20057, CR20051 |
| | When permissions are modified for an Exchange 2003 mailbox, additional events related to mailbox SACL modification may appear in the log. | CR20973 |
| | For protected user accounts, prevention of mailbox rights changes may not work correctly, even though success events may be written. This happens because the current mailbox security descriptor is located in the Exchange store, which InTrust Plug-in for Active Directory does not watch. | CR20082 |
| | If you disable protection for many objects at once immediately after starting the InTrust Plug-in for Active Directory Service, the change may not be applied to some of the objects. Before doing so, wait a few minutes for the service to update its cache after startup. | CR21317 |
| | When a user account is created, events may be produced that incorrectly specify the operator as "Everyone". | CR20088 |
| | In event 43 of the InTrust for Active Directory log ("AD object security descriptor was successfully modified"), the name of the object in the Trustee field has no domain prefix if the object's name contains special characters such as backslashes. | CR30249 |
| | If the set of parameters in the Computer Configuration \| Windows Settings \| Security Settings \| Local Policies \| Security Options group is manually extended, changes to the extended parameters are not audited. | CR30278 |
| | Changes to the TTL for this record setting in the Start of Authority configuration options for DNS zones are not audited. | CR30239 |
| | If the Active Directory schema is extended in an environment where DCs are running the Quest InTrust Plug-in for Active Directory Service, the names of the new Active Directory attributes are logged incorrectly. | CR30265 |
| InTrust Plug-in for Active Directory Tools | By default, the rights to protect AD objects in InTrust Plug-in for Active Directory are granted only to security principals from the forest root domain. When an administrator in a child domain tries to protect an object in that domain, he or she receives an 'Access is denied' error. To allow administrators of a non-root domain to change protection for AD objects in their domain, you must explicitly add the administrators of that domain in the Security settings of the Protected Objects container, using the InTrust Plug-in for Active Directory Tools snap-in. | CR0103509 |
| | A successful installation of Administrative Tools on 64-bit Windows may be accompanied by a Dr. Watson message about an msiexec.exe error. | CR0189122, CR41735 |
| | When you add attributes to a non-empty list on the Attributes tab, the Attribute Selector dialog box does not show information about the property sets and classes of the attributes that are already in the list. | CR34651 |
| InTrust Plug-in for ADAM Service | If you install the InTrust Plug-in for ADAM Service on a computer running Windows Server 2008 with Internet Protocol version 6 enabled (it is enabled by default), changes made to ADAM directories cannot be captured. | CR51876 |
| | On 64-bit ADAM servers, when a user with insufficient privileges tries to modify the SACL of an ADAM object, there is no information about the kind of change that was attempted. | CR34149 |
| | Protection of the ForeignSecurityPrincipals container does not always work. | CR35755 |
| | When you add the first ADAM instance of a configuration set to the list of managed instances, you must use the ldifde utility to extend the schema of that instance with the quest-ITAD-Protection-Level.ldf and quest-ITAD-Descriptor.ldf files, and then restart the InTrust Plug-in for ADAM Service. | CR44396 |
| | If you rename or move an ADAM object that is specified in an audit filter, auditing stops working for that object. | CR41638 |
| | On 64-bit ADAM servers, the Trustee Type field in InTrust for ADAM log events may contain incorrect information. | CR34320 |
| | On 64-bit ADAM servers, events about ownership changes on ADAM objects may be logged incorrectly. | CR34321 |
| | If you add a new ADAM instance to those managed by InTrust Plug-in for ADAM, the corresponding registry key is created for that instance, but the key does not have the necessary parameters. | CR33665 |
| InTrust Plug-in for ADAM Tools | Protection groups in InTrust Plug-in for ADAM Tools cannot have names that contain punctuation characters such as the backslash (\), double quote (") and plus sign (+). | CR33021 |
| InTrust Manager | If you install the InTrust Plug-in for Active Directory Manager Extension together with the InTrust Plug-in for Active Directory Knowledge Pack on the InTrust Server computer, the Configure Active Directory Audit node is not displayed. To resolve this issue, restart the Quest InTrust Server service. | CR55560 |
| | If you cancel the installation or uninstallation of the InTrust Plug-in for Active Directory Service in the Active Directory audit configuration wizard, the installation or uninstallation still completes successfully for the domain controller where it is in progress. If any more domain controllers are queued for service setup, the installation is canceled for them. | CR37395 |
| | The Create a Reporting Server snap-shot option in the report delivery configuration dialog box has no effect if credentials are not specified explicitly for the reporting job in the "ITAD: Scheduled log gathering and reporting" task. | CR0194521 |
| | During an upgrade of the InTrust Plug-in for Active Directory Knowledge Pack from version 2.7 or 3.0 to version 3.2, the Exchange-specific change tracking only option in the "ITAD: Activate service" data source is turned off if it was enabled. | CR30279 |
| InTrust Plug-in for Active Directory Report Pack | Objects with long distinguished names cannot be displayed in the following reports: | CR30269 |
| | If you click the "OTHER" field in the "All changes by object class" chart of the "Summary view of changes" report, an empty subreport is shown. | CR55488 |
| | The "Security options changes made by..." reports are generated correctly only for settings in the Computer Configuration \| Windows Settings \| Security Settings \| Local Policies \| Security Options group. | CR53812 |
| | When you install the InTrust Plug-in for Active Directory Report Pack (ITAD32.1.0.280.00.msi) over the previous version and select the Backup only reports which were customized check box on the Upgrade Options step of the report pack installation wizard, a "Cannot upload report pack" error may occur. | CR55600 |
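The domain controller instability described under CR0184690 is tied to the configured maximum size of the InTrust for Active Directory log, so it is worth checking that setting on every DC before and after rollout. The following PowerShell script is an added example, not Quest's own tooling or anything shipped with the product. It assumes the InTrust logs are registered like any classic Windows event log under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>; because the page does not give the exact key name, every key whose name starts with "InTrust" is inspected.

```powershell
# Added example (not Quest's own script): list the InTrust event logs registered on
# this DC and flag any whose MaxSize is at or above the ~200 MB figure cited in CR0184690.
# Assumption (not stated on the page): the log's registry key name starts with "InTrust";
# the InTrust for AD and InTrust for ADAM logs are both picked up by that pattern.
$thresholdBytes = 200MB
$eventlogKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog"

$results = Get-ChildItem $eventlogKey |
    Where-Object { $_.PSChildName -like "InTrust*" } |
    ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        # MaxSize is stored in bytes; when the value is absent Windows applies its default.
        $max = if ($props.MaxSize) { [int64]$props.MaxSize } else { $null }
        $mb  = if ($max -ne $null) { [math]::Round($max / 1MB) } else { "(default)" }
        New-Object PSObject -Property @{
            Log       = $_.PSChildName
            MaxSizeMB = $mb
            AtRisk    = (($max -ne $null) -and ($max -ge $thresholdBytes))
        }
    }

if (-not $results) {
    Write-Warning "No event log key starting with 'InTrust' found under $eventlogKey"
}

$results | Format-Table Log, MaxSizeMB, AtRisk -AutoSize

foreach ($r in ($results | Where-Object { $_.AtRisk })) {
    Write-Warning "$($r.Log) is configured for $($r.MaxSizeMB) MB; CR0184690 reports DC instability at around 200 MB or more."
    Write-Warning "Review Microsoft KB 329095 before lowering it, for example:"
    Write-Warning "  Set-ItemProperty '$eventlogKey\$($r.Log)' -Name MaxSize -Value 128MB"
}
```

Run it in an elevated PowerShell session on each domain controller. The script only reads the registry and prints a suggested Set-ItemProperty command; it does not change the log size itself, because the right value depends on the event volume on that DC and on the guidance in KB 329095.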
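The ADAM Service known issue CR44396 requires extending the schema of the first managed ADAM instance with two .ldf files using ldifde and then restarting the InTrust Plug-in for ADAM Service. The script below is an added example of that procedure, written for these release notes and not supplied by Quest. It assumes the instance listens on localhost port 50000, that both .ldf files are in the current directory, and, because the page does not say, that the files may use the DC=X placeholder found in Microsoft's own ADAM schema files; the -c substitution is added only when that placeholder is actually present. The service is located by its display name, since the page gives no service name.

```powershell
# Added example (not Quest's own script): extend an ADAM instance's schema with the
# two InTrust .ldf files named in CR44396, then restart the InTrust Plug-in for ADAM Service.
# Assumptions (not stated on the page): server/port and the .ldf location below.
param(
    [string]$Server = "localhost",
    [int]$Port      = 50000,
    [string]$LdfDir = (Get-Location).Path
)

$ldfFiles = @("quest-ITAD-Protection-Level.ldf", "quest-ITAD-Descriptor.ldf")

foreach ($name in $ldfFiles) {
    $path = Join-Path $LdfDir $name
    if (-not (Test-Path $path)) { throw "Missing schema file: $path" }

    # ldifde switches: -i import, -f input file, -s server, -t port,
    # -k continue past "object already exists" errors (so a re-run is harmless),
    # -j directory for ldif.log / ldif.err.
    $ldifdeArgs = @("-i", "-f", "`"$path`"", "-s", $Server, "-t", $Port, "-k", "-j", "`"$LdfDir`"")

    # Microsoft's ADAM schema files use DC=X as a placeholder that ldifde rewrites to the
    # instance's schema naming context; only add the substitution if this file uses it.
    if (Select-String -Path $path -Pattern "DC=X" -Quiet) {
        $ldifdeArgs += @("-c", "`"CN=Schema,CN=Configuration,DC=X`"", "#schemaNamingContext")
    }

    Write-Host "Importing $name into ${Server}:$Port"
    $p = Start-Process -FilePath "ldifde.exe" -ArgumentList $ldifdeArgs -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "ldifde failed for $name with exit code $($p.ExitCode); see ldif.err in $LdfDir"
    }
}

# The page gives only the service's display name, so resolve the short name from it.
$svc = Get-Service | Where-Object { $_.DisplayName -like "InTrust Plug-in for ADAM*" }
if (-not $svc) { throw "InTrust Plug-in for ADAM Service not found on this computer" }
Restart-Service -Name $svc.Name -Force
Write-Host "Restarted $($svc.DisplayName); schema extension complete."
```

Run it as an account that is a member of the ADAM instance's Administrators role, passing -Server and -Port for the instance you are registering. Check ldif.err in the .ldf directory if an import stops with a non-zero exit code; with -k set, an error means something other than "already exists" went wrong.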
InTrust Plug-in for Active Directory 3.2 supports upgrade from versions 2.7 and 3.0. See the InTrust Plug-in for Active Directory Quick Start Guide for details about upgrading the following components:
Before installing InTrust Plug-in for Active Directory, ensure your system meets the hardware and software requirements listed in the InTrust Plug-in for Active Directory Quick Start Guide.
This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.
This release is Unicode-enabled and supports any character set. In this release, all product components should be configured to use the same or compatible character encodings and should be installed to use the same locale and regional options. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan.
The InTrust Plug-in for Active Directory 3.2 CD contains the following:
The InTrust Plug-in for Active Directory 3.2 Web package contains the following:
InTrust Plug-in for Active Directory can be installed in an InTrust 9.6 or InTrust 10.0 environment.
Refer to the InTrust Plug-in for Active Directory Quick Start Guide for installation instructions.
Email: info@quest.com
Quest Software, Inc. World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web: Refer to our Web site for regional and international office information.
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com.
From SupportLink, you can do the following:
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures.
The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf.
This document contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
© 2008 Quest Software, Inc. ALL RIGHTS RESERVED.
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, Internet Weather Report, InTrust, IT Dad, JClass, Jint, JProbe, Knowledge Xpert, LeccoTech, LiteSpeed, LiveReorg, Matrix Insight, Matrix.Net, MIQ, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
This product includes third-party software. For a list of this software and its licenses see the third_party_licenses.htm document provided with your distribution of InTrust Plug-in for Active Directory.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Email: legal@quest.com
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.