quest access manager 2support-public.cfm.quest.com/16a621e8-5fe6-462b... · quest access manager 8...

Quest® Access Manager 2.1

Quick Start Guide

© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

Disclaimer: The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World HeadquartersLEGAL Dept5 Polaris WayAliso Viejo, CA 92656www.quest.comemail: [email protected]

Refer to our Web site for regional and international office information.

Patents

This product includes patent pending technology.

Trademarks

Quest, Quest Software, the Quest Software logo, and ActiveRoles are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks and registered trademarks are property of their respective owners.

Access Manager Quick Start GuideUpdated - October 2011Software Version - 2.1

http://www.quest.com

mailto:[email protected]

http://www.quest.com/legal/trademarks.aspx

http://www.quest.com/legal/trademarks.aspx

CONTENTS

About This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Quest Access Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Quest’s Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Software, System, and Account Requirements. . . . . . . . . . . . . . . . . . . . . . 7Server Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Client Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Agent Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Quest ActiveRoles Server Web Integration Components Requirements . . . . . . . . . . . 9

Self Service Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Getting Started with Quest Access Manager . . . . . . . . . . . . . . . . . . . . . . 10Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Server Configuration/Database Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Domain Identification and Service Account Credentials . . . . . . . . . . . . . . . . . . . . . 10

Managed Host Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Client Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Installing Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Upgrading Quest Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Deploying Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Add a Forest to the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Add a Domain to the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Add a Managed Host to the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Add a Remote Agent to a Managed Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Add a Cluster (Managed Host) to the Deployment. . . . . . . . . . . . . . . . . . . . . . . . . 18

License a Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Delegate Access to the Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Integrating Access Manager with Active Directory Usersand Computers or Quest ActiveRoles Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Step-By-Step Walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Investigating and Modifying Resource Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Gathering Group Membership Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

About Quest Software, Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Contacting Quest Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Contacting Quest Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Third Party Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

iii

Quest Access Manager

iv

Quick Start Guide

About This GuideThis document has been prepared to assist you in becoming familiar with Quest Access Manager, an integral component of Quest Windows Management Suite. The Quick Start Guide contains the information required to install and use this product.

This document is for network administrators, consultants, analysts, and any other IT professionals responsible for deploying Access Manager in their organization. It provides information about system requirements, licensing and installation, and includes scenarios with step-by step instructions to help you better understand Access Manager functionality.

The Quick Start Guide is supplemented with the Quest Access Manager User Guide, which provides more detailed information about the Access Manager user interface and features, and includes instructions to help administrators perform day-to-day administrative activities.

5


Quest Access Manager OverviewThe management of computer resources is a complex and time-consuming process. There are numerous manual steps and disconnected management applications that must be leveraged before a resource can be safely deployed and made accessible to the appropriate users. Once deployed, there are concerns that granted access is neither increased nor removed inadvertently. To exacerbate this challenge in many organizations, the content owners have to rely on IT administrators to manage resource access without knowing the implications of their actions. Ultimately, this leaves an organization unable to maintain operational efficiency or sustain continuous compliance.

Quest’s Solution

Quest Access Manager takes the following approach to meet the challenge:

• Unify resource management

Access Manager allows you to view overall resource access — both directly applied access and access obtained through group membership. Without this information, visibility is limited and could result in security breaches through inadvertent access.

• Evaluate resource access

Access Manager provides a real-time view of network resource access and provides an immediate and ongoing ability to modify resource access. This helps enforce your corporate network access policy.

6

Quick Start Guide

Software, System, and Account RequirementsAccess Manager consists of three main components: the Management Server, the Client, and the Agent.

Figure 1: Access Manager Deployment

Review the following section to ensure that you meet all rights and permission requirements.

For requirement details, see:

• Server Requirements

• Client Requirements

• Agent Requirements

• Quest ActiveRoles Server Web Integration Components Requirements

• Self Service Requirements

Server Requirements

System Requirements

• Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 or Windows Server 2008 R2 (32-bit or non-Itanium 64-bit)

• 1 GHz+ Processor

• 1024 x768 screen resolution with 16-bit color

For more information on Access Manager’s key components and concepts, see the Quest Access Manager User Guide.

To configure an Access Manager Management Server, the user must belong to the Administrators group of the computer hosting the Management Server.

7


• 1 GB free disk space

• 4 GB RAM

Software Requirements

• .Net 3.5 Service Pack 1 or later

• An SQL 2005, SQL 2008, or SQL Express database server that is contacted by the Management Server

Note: You cannot use resource activity tracking with MS SQL Express; you must use SQL Standard or Enterprise Edition. For information about resource activity tracking, see the Access Manager User Guide.

• MMC 3.0

Account Requirements

• The account used must be an administrator of the computer on which you are installing the Management Server.

• The account used must have credentials to create a database on the SQL server used by the Management Server.

• The account used must have the credentials to be used as a Service Account for your initial Managed Domain. Consult the Access Manager User Guide for more information on the rights required by this account.

Client Requirements

System Requirements

• Windows XP, Vista, 2003, 2008, Windows 7 (32 bit or non-Itanium 64 bit)


• 1024 x 768 screen resolution with 16-bit color

• 100 MB free disk space

• 4 GB RAM



• MMC 3.0

Quest provides both 32-bit and 64-bit servers for Quest Access Manager. Ensure that the server installed on a given computer uses the correct architecture to match the installed operating system.

For best performance, Quest recommends using a 64-bit server with 8 GB of RAM and 4 GB of free disk space.

Quest provides both 32-bit and 64-bit clients for Quest Access Manager. Ensure that the client installed on a given computer uses the correct architecture to match the installed operating system.

8

Quick Start Guide

Agent Requirements

System Requirements

• Update Rollup 1 for Windows Server 2000 with Service Pack 4, Windows Server 2003, Windows Server 2008 (32 bit or non-Itanium 64 bit)

• Network Attached Storage (NAS) devices: NetApp 7.2 and 8.x(Data ONTAP)*, EMC Celerra 5.6 with Server Message Block 1.0 Note: These entities need to be managed by a remote agent, located on a machine running a Windows O/S which is supported by Access Manager.

• 500 MHz+ Processor

• 256 MB RAM

• 100 MB free disk space for every 1,000,000 files / folders scanned.

* Change Watching is not supported on versions of ONTAP NetApp filers earlier than 7.3.

Quest ActiveRoles Server Web Integration Components Requirements


• IIS 6.0 or IIS 7.0

• ActiveRoles Server 6.5 or 6.7 Web Components


• Microsoft Internet Explorer 8.x or 9.0

Self Service Requirements

System Requirements

• Windows XP, Vista, Windows Server 2003, Windows Server 2003 (R2), Windows Server 2008, Windows Server 2008 (R2), or Windows 7 (32-bit or non-Itanium 64-bit)


• 1024 x768 screen resolution with 16 bit color

• 100 MB free disk space

• 1 GB RAM

*Quest provides both 32-bit and 64-bit Self-Service clients for Quest Access Manager. Ensure that the client installed on a given machine uses the correct client to match the installed operating system.



• MMC 3.0

• ActiveRoles Server ADSI Provider (Access Manager Server and Self-Service Client)

9


Getting Started with Quest Access ManagerTo deploy Access Manager you must have the following in place:

Server Installation

• The server is the central hub for communication and therefore should be installed on a reliable and secured computer.

Server Configuration/Database Creation

• Be sure to install Access Manager using an account which holds SysAdmin rights across the network, including the domain controller and the SQL server. If you use an account without full SysAdmin rights on the key system components, you will not be able to successfully configure Access Manager.

• Before the server is operational, an SQL database must be created for its use. Please see “Server Requirements” on page 7 for further detail.

Domain Identification and Service Account Credentials

• Before you can start managing resources, you must first identify the domains in which those resources reside (Managed Domains), and provide the credentials (service account) that can perform operations on those resources.

Managed Host Identification

• Before you can start managing resources, you must add Managed Hosts (typically computers) to the deployment. Please see “Agent Requirements” on page 8 for more detail.

Client Installation

• Once the Client and Server are installed and configured, domains have been added, managed hosts have been added, and access has been delegated, users can start gathering security

information on the enterprise resources.

It is important that the Administrators group on the Management Server be very secure in order to ensure the protection of the encryption key.

You will be prompted to register a domain and service account with Access Manager when you initially configure an Access Manager deployment during the installation.

When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

To use the Access Manager MMC client to access the application, the user must be delegated access through deployment security. For more information, see “Delegate Access to the Management Server” on page 19.

10

Quick Start Guide

Installing Access ManagerTo install Access Manager

1. From the Autorun, select the Setup tab, click Quest Access Manager Server (32 bit) or Quest Access Manager Server (64 bit), and follow the installation instructions.

2. Click Run to accept the file’s source.

3. Click Next to begin the install.

4. Tick the box as indicated and click Next to read and accept the license information.

5. Enter a location for the install and click Next.

6. Click Install.

7. Click Finish.

The Quest Access Manager client will open.

8. Enter the name of the Management Server and confirm that the port number is 8722. Click Connect.

A dialog box indicating that the Management Server is not configured will appear.

9. Click Yes.

The Configuration Wizard opens to guide you through the Management Server setup.

10. Specify a valid license and click Next.

11. Specify the database server, database name, enter the database access credentials, and click Next.

These credentials are used both for database creation and subsequent access.

12. Enter the Deployment name and the required Deployment Key information, and click Next.

13. Enter the initial Managed Domain (a domain that has an associated Service Account, in which you can manage resources), the Service Account credentials, and click Next.

The Service Account information is used by the server to take actions within the domain. The Service Account credentials should have Administrative access to the Managed Domain. When added in the configuration, the service account is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

14. Review the Summary page, and click Finish.


The default port is 8722 and should not be changed. If you need to alter the port number, contact Quest Support for more information.

11


Upgrading Quest Access ManagerThe process of upgrading Quest Access Manager has been made as easy as possible. During the uninstallation of your current version, the option to retain database information regarding the current deployment allows you to simply update the Access Manager software without losing any data.

To upgrade from Quest Access Manager

1. Remove Quest Access Manager from the server. (Select Add or Remove Programs from the Windows Control Panel.)

2. Select Quest Software | Quest Access Manager, and follow the uninstall directions.

3. Select I am upgrading and want to leave my deployment intact.

4. When the previous version of Quest Access Manager has been uninstalled, insert the Quest Access Manager CD and allow the Autorun to run.

5. From the Autorun, select the Setup tab, click Quest Access Manager Server (32 bit) or Quest Access Manager Server (64 bit), and follow the installation instructions.

The Quest Access Manager client opens.

6. Enter the name of the Management Server, confirm that the port number is 8722, and click Connect.

If you are installing to the same path, the update process is complete. If not, a dialog box indicating that the Management Server is not configured opens.

7. Click Yes.

The Configuration Wizard opens to guide you through the Management Server setup.

8. Browse to the location of your license file, select it, and click Next.

9. Select the database server and specify the database to upgrade.

10. Supply the necessary credentials and click Next.

SPECIAL UPGRADE CONSIDERATIONS

• You must uninstall previous installations of Quest Access Manager before installing the latest version of Quest Access Manager.

• Previously, you were not required to provide the deployment key to perform and upgrade. As of the 2.0 release, you must provide the key to upgrade the Server.

• You must upgrade the client to version 2.1.

• The supported upgrade paths are only 1.5+ to 2.1. Upgrading directly from version 1.0 to 2.1, or upgrading any versions prior to 1.5.x, are not supported.


The default port is 8722 and should not be changed. If you need to alter the port number, contact Quest Support for more information.

12

Quick Start Guide

11. If the deployment key is not found in the new installation path (for example, you are installing the Management Server to a new location, or you are upgrading a previously 32 bit Management Server on a 64-bit OS), browse to find your backup deployment key, enter your passphrase, and click Next.

You may be prompted to restart the Management Server during the configuration process. If you are prompted more than once to restart the server, click the drop-down button in the bottom-left of the dialog box to view an error report.

12. Review the summary information, and click Finish.

Once the application has been upgraded, the agents scanning the managed hosts will no longer be able to communicate with the server. The agents must be updated to the same version as the application.

Upgrade Agents

If the agent version that you are running is older than the current installed Management Server, you can update the agent from the Access Manager console.

When an upgrade is available for an agent, the status of the Managed Host will display as Agent Update Required. If your Agents are version 2.0 and higher you will not see this status.

You will have the option to upgrade or keep the current version. To help organize which agents you may want to upgrade you can group your Agents by the Agents Versions column in the Managed Host view.

To upgrade an agent

• Right-click the Managed Host, and select Upgrade Agent.

As of version 1.6.1 of Access Manager, it is possible to connect a server to an existing database without a backup of the deployment key information and its associated passphrase. However, when this operation is performed, all service account password information held in the Access Manager database is lost, and must be re-entered.

When you upgrade a Remotely Managed Host, the agent settings for real-time file system updates will be disabled by default for versions below 2.0.

You can select the number of Agents you want to upgrade, either by using Ctrl + click to select multiple items, or Shift + click at the top and bottom of a contiguous series of items to select them all.

You can also upgrade the Agent through Managed Host Properties.

13


Deploying Access ManagerDeploying Access Manager involves the following steps:

• Add a Forest to the Deployment

• Add a Domain to the Deployment

• Add a Managed Host to the Deployment

• Add a Remote Agent to a Managed Host

• Add a Cluster (Managed Host) to the Deployment

• License a Domain

• Delegate Access to the Management Server

• Integrate Access Manager with Active Directory Users and Computers or Quest ActiveRoles Server

Add a Forest to the Deployment

When you add a Managed Domain and its forest is not already added, Access Manager will automatically register it using the Service Account provided for the domain.

You also have the option of registering the forest and providing its own Service Account.

To add a forest to the deployment

1. Expand Quest Access Manager, Configuration, and select the Managed Domains nodes.

2. Click in the right-pane, right-click the Managed Domain node, and select Add Forest.

3. Enter the DNS Name, select a Service Account, and select Add.

– OR –

Click New to create a new Service Account, and click Next.

4. Click Finish.

The Service Account must have sufficient access required to query group membership within the forest.

When a new service account is added in the configuration, is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

You can right-click a Managed Forest in the right pane to view its properties and change the associated Service Account.

14

Quick Start Guide

Add a Domain to the Deployment

To add a domain for management

1. Expand Quest Access Manager, Configuration, and select Managed Domains.

2. Click in the right-pane, right-click the Managed Domain node, and select Add Managed Domain.

3. Enter the domain DNS name, and select an existing Service Account to associate with the domain, and click Finish.

– OR –

4. click New to create a new service account to associate with the domain, enter the account name and credential, and click Finish.

If required at a later date, you can easily associate a different Service Account through the Managed Domains Properties.

Add a Managed Host to the Deployment

When you add a Managed Host, you have the option of installing a locally managed agent on the same computer or a remote agent installed on another computer. If you install a locally managed agent, you have the option of automatically installing the agent with the host, or doing a manual install later.

An initial domain is configured during setup. If you would like to add more domains and their associated Managed Hosts, you will need to register them with Access Manager.

When a domain is brought under management, the following operation is performed to ensure Access Manager functions with resources from that domain:

Only domains that have a trust relationship with the Management Server’s domain can be managed.

An Access Manager container is created in the domain’s System container named Quest Access Manager. This container holds a set of Service Connection Point objects, which are used by the components of Access Manager to find one another. Agents and clients use this information to determine where the Management Server they should connect to exists.

When a new service account is added in the configuration, is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

When a new service account is added in the configuration, it is automatically granted the required Log On as a Service local user right on the Quest Access Manager Management Server.

You can right-click a managed domain in the right pane to view its properties and change the associated service account. When a managed domain service account is changed, remote agents in that domain will have their service accounts updated by the Management Server. The agents will be restarted.

Only computers, clusters, and net application filters in Managed Domains can be added as Managed Hosts.

If you choose to deploy a remote agent to a Managed Host, the first remote agent must be configured during the addition of the Managed Host. You can add more remote agents later, if needed.

15


To add a managed host with a local agent

1. Expand Quest Access Manager, right-click the Managed Hosts node, and select Add Managed Host.

2. In the Select Management Method, select Locally managed through a locally installed agent, and click Next.

When you add a Managed Host, you can choose to automatically install an agent or choose manual installation to defer the agent installation to a later date.

By default, these entities will be ready to have the agent installed and will be connected to the server immediately when this is done.

3. In the Agent Deployment box, choose between Automatic installation from the Management Server or Manual installation, and click Next.

4. Select the domain in which the host resides, select the host, and click Add.

If you have chosen the manual agent installation, the task of adding a managed host is now complete.

5. In the Resource Activity Tracking box, decide if you want to Enable resource activity tracking.

Resource activity tracking is used to collect data on reads, writes, creates, and other actions performed on the targeted computer. This information is used in several report types, including the Resource Activity report. For more information, see the section on Locally Managed Host Properties in the Access Manager User Guide.

6. In the Settings box, select the Granularity for the resource activity tracking.

The granularity specifies how often resource activity data is captured.

7. To limit network traffic, select Synchronize only between these times and set the From and To values.

This setting specifies when the agent sends the resource activity data to the management server.

8. To change the identities and objects that are excluded from tracking, click the Manage Exclusions button, click Add and select the objects to exclude. This box also includes tabs to exclude file extensions and folders.

Certain administrative identities, file extensions, and folders are excluded by default. You can see the full list by clicking the Manage Exclusions button. If the list is empty, click Default to populate the exclusions with default values. For file extensions, you can enter a Category name to group any extensions you add to the exclusions list.

An agent must be configured for the managed hosts to communicate with the server and gather resource information. Until this is done, no resource access will be reported for this computer.

More than one remote agent may be used to scan a Managed Host. This is particularly useful if the host has a large set of data roots. Multiple agents may not scan the same data root.

Only computers with Windows 2000 Server operating systems or later, or certain Network Attached Storage (NAS) devices will be displayed while adding managed hosts to be managed by Quest Access Manager. For information about supported platforms, see “Software, System, and Account Requirements” on page 7.

16

Quick Start Guide

Use the Export and Import buttons on their respective tabs to export and import a list of SIDs, file types, or folders to exclude. (For information on the file syntaxes, see the parameter descriptions in the topic Add-QManagedHostByAccountName in the Access Manager User Guide.) For folders, you can also drag and drop from Windows explorer.

9. Click Finish.

The agents will now be installed on the selected Managed Hosts. To view users and groups associated with the new Managed Host, select the Refresh menu option.

To add a managed host with a remote agent

1. Expand Quest Access Manager, right-click the Managed Hosts node, and select Add Managed Host.

2. In the Select Management Method box, select Remotely managed through an agent on another computer, and click Next.

For remotely managed hosts, the first remote agent must be added during the host’s initial deployment. You can manually add more remote agents later, if needed. For information about agents, see the Quest Access Manager User Guide.

3. Select a Host cluster, net application filter, or windows host (on which to install the agent) from within the same forest as the target computer, and select a Service Account with sufficient permissions to access the target computer.

4. Define a schedule for the agent to scan the target computer, and select the required real-time file system updates settings.

For information about the real-time file system updates settings, see the topic "Remote Agent Settings" in the Access Manager User Guide.

5. Select the data roots that will be indexed by this agent, and click Finish.

Only one agent can scan a given data root.

The agent will now be installed on the selected computer. To view the users and groups associated with the new Managed Host, select the Refresh menu option.

Add a Remote Agent to a Managed Host

If you added a remote agent when deploying a Managed Host, you can manually add more remote agents to that host.

You can remove Managed Hosts from the deployment by selecting the Managed Host node, right-clicking the required computer, and selecting Remove.

Some NAS devices may not provide reliable remote change detection. Enabling the remote change detection feature on these agents may lead to frequent complete scans.

You can manually add more remote agents to the computer after the first one is configured by selecting the Managed Host node, right-clicking the required computer, and selecting Add an Agent.

When adding a remote agent, ensure a trust exists between the host and the resource domains.

17


To add an additional remote agent

1. Expand Quest Access Manager and select Managed Hosts.

2. Right-click the Managed Host to which you want to add the remote agent and select Add Agent.

3. Select a host cluster, net application filter, or windows host from within the same forest as the target Managed Host.

4. Select a service account with sufficient permissions to access the target Managed Host.

5. Define a schedule for the agent to scan the target Managed Host and click Next.

For more information about real-time file system updates settings, see Remote Agent Settings in the Access Manager User Guide.

6. Select the data roots that will be indexed by this agent and click Finish.

7. Click Finish.

The agent will now be installed on the selected computers. To view the users and groups associated with the Managed Host, select the Refresh menu option.

Add a Cluster (Managed Host) to the Deployment

To add a cluster

1. Expand Quest Access Manager and select Managed Hosts.

2. Right-click and select Add Cluster Host.

3. Select the Managed Domain containing the cluster from the list.

Once the domain has been selected, the wizard will enumerate the clusters available in the domain.

4. Select the cluster to be added to the Managed Domain, and click Finish.

The managed cluster has been added to the Managed Domain. However, no agents have been deployed to the managed cluster.

More than one remote agent may be used to scan a Managed Host. This is particularly useful if the host has a large set of data roots. Multiple agents may not scan the same data root, however.

The agent cannot scan a data root that is already being scanned by another agent.

Once installed, a Managed Cluster is functionally identical to a remotely Managed Host. However, the nature of clusters require that they only be managed remotely. Additionally, the remote agent must be configured after the cluster has been added to the deployment as a Managed Host.

Only Windows failover cluster configurations are supported.

18

Quick Start Guide

License a Domain

Once a domain is added to the deployment, it is automatically licensed for use and only users, groups, and computers within these domains are available to manage. When a forest is added all domains in the

forest are automatically licensed.

Because the license agreement is calculated on the number of licensed users, you can choose to remove

the license on those domains that you do not want to query for access information.

To remove the license for a specific domain

1. Expand Quest Access Manager, Configuration, and select the Managed Domains node.

2. Right-click the required domain, and select Remove from Management.

3. Select the domain and select Remove License.

To license a domain

• Expand the Managed Domains node, select an unlicensed domain, right-click and select License.

Delegate Access to the Management Server

When you install Quest Access Manager, only the built-in administrator’s group on the computer where the Management Server is installed will have full access default.

Before other users can take advantage of Access Manager functionality, they will need to be delegated permission.

When the number of enabled users in registered domains exceeds the number of licensed users, you will be notified of the license violation.

To correct this violation, contact Quest Sales, and purchase additional licenses, or remove domains from being licensed.

Only domains that are not managed (for example, external domains that do not have agents deployed or Managed Hosts) can be unlicensed.

PERMISSION DESCRIPTION

Application Access Allows basic read access to Quest Access Manager. This is the base permission required to use Quest Access Manager.

Manage Configuration Allows users to modify the configuration of Access Manager.

Bypass Active Directory Delegation

Allows users to bypass all Active Directory delegation and grants full access to the application. This includes querying trustee access and local group management features.

Allow Directory Browsing Permits users to browse licensed domains for trustees to be added to machine local groups.

Manage Resource Auditing Settings

This permission is required for client users to make changes to the SACLs of resources.

19


Active Directory Permissions

When a domain is marked as integrated, Access Manager adds extended right objects to the forest to which the domain belongs. This allows the delegation of rights over various Access Manager operations using native Active Directory delegation. If a user has the "Bypass Active Directory Delegation" permission, then they will not be subjected to any Active Directory access checks any access delegations made in Active Directory are ignored. The following rights are added to each domain in an integrated forest:

To set the level of access

1. From the Access Manager client, right-click the Access Manager node and select Deployment Security.

2. Add and remove users and groups as required, and click OK.

Integrate Access Manager with Active Directory Usersand Computers or Quest ActiveRoles Server

• ActiveRoles Server Web Integration

• Self-Service Request Client

Self-Service Access This permission allows trustees to use Quest Access Manager Self-Service functionality.


QAM Query Trustee Access This permission is available to users, INetOrgPerson, groups, and computers. If a user has this permission with respect to a user, group, or InetOrgPerson, they will be permitted to see the full access information related to that user or group.

QAM Manage Machine Local Group

This permission is available on computers. Access Manager users are permitted to manage the machine local groups of any computer over which they have been granted this permission.

QAM Read Local Groups This permission is available on Computers. Access Manager users are permitted to enumerate and view the memberships of computers over which they have been granted this right without being able to natively view those groups.

QAM Manage Machine Local Admins Group

The Manage Machine Local Groups permission allows management of all local groups on the computer except the Administrators group. To manage the Administrators group, the Manage Machine Local Admins Group permission is required.

For ActiveRoles Server integration you must have Read access in Access Manager and the running account must have the proper rights in ActiveRoles Server. No actual changes are made within Access Manager for the integration; all changes are made within ActiveRoles Server.


20

Quick Start Guide

ActiveRoles Server Web Integration

The web integration allows you to use Access Manager and detailed resource security information directly from ActiveRoles Server. You can view access on selected resources from both the ActiveRoles Server MMC Client and from the Web client.

When extending the ActiveRoles Server Web Interface, you must install the Access Manager Web Integration package, ARSWebIntegration.msi, on all IIS servers hosting the ActiveRoles Server Web Interface.

Once the web integration has been installed and configured, you can view user and group access to files, folders, and shares. You can manage resources from the Access Manager console, from Active Directory

Users and Computers and from Quest ActiveRoles Server once they have been integrated.

To integrate with Active Directory Users and Computers

1. Expand Quest Access Manager, Configuration, and select the Managed Domains node.

2. Right-click the forest where the Access Manager extensions will be registered, select Integrate with Active Directory, and click Finish.

To integrate Access Manager with ActiveRoles Server MMC Console and Web Client

1. Expand Quest Access Manager and select the Applications node.

2. Right-click ActiveRoles Server, and select ActiveRoles Server Integration.

You have the option of integrating Access Manager capabilities with both the ActiveRoles Server MMC Console and the Web Client.

3. Check the appropriate options and click Apply.

For the Access Manager management options to display in the MMC Console, you must have the Access Manager client installed and you will need to restart the Quest ActiveRoles Server service. To view access through the ActiveRoles Server MMC, simply right-click a resource and choose Show Access.

To access Access Manager functionality from Active Directory Users and Computers, you must have the Access Manager client installed on the computer and register the computer’s Active Directory forest.

Only forests that are added to the Managed Domains can be registered for Active Directory integration. For details on adding a forest, see “To add a forest to the deployment” on page 14.

When integrating with Active Directory, the credentials of the user running the client are used. The user must have the required permission to modify the contents of the Display Specifiers container in the forest’s configuration partition. This is usually only the Enterprise Admins account.

• When extending the ActiveRoles Server Web Interface, the Access Manager Web Integration package, ARSWebIntegration.msi, must be installed on all IIS servers hosting the ActiveRoles Server Web Interface. The ARS Web Interface must be run with basic authentication. Integrated authentication is not supported by Quest Access Manager.

• For ActiveRoles Server integration you must have Read access in Access Manager and the running account must have the proper rights in ActiveRoles Server. No actual changes are made within Access Manager for the integration; all changes are made within ActiveRoles Server. For more information, see “Delegate Access to the Management Server” on page 19.

• After upgrading your ActiveRoles Server web components, you must uninstall and re-install the Quest Access Manager Web Integration Package on all upgraded web servers.

21


For the Access Manager options to display in the Web Client, you will need to select Customization | Reload from within the Web Client.

To view user and group access through the ActiveRoles Server Web Client

1. Select the Directory Management option in the ActiveRoles Server web client.

2. Select the Menu tab, and the required user or group.

3. Select Show Access.

You will see the resources to which the selected user or group has access. As you browse through the access, you will see all the specifics such as whether the access is obtained directly through the ACL or indirectly through group membership, the resource and trustee name, the rights over the resource, and how inheritance has been applied.

4. Right-click to filter the results to remove common built-ins (built-in Administrators and Users groups) and those resources where access is obtained indirectly through group membership.

You have the option of customizing the way in which the web client displays and sorts the information. Specifically, you can change the order in which the information is displayed, select the columns to display, and group the information by the column that suits your needs.

Self-Service Request Client

The Access Manager Self-Service Request client allows users to request access to resources while maintaining the approval process included in ActiveRoles Server.

To allow users to use the Self-Service Access Request client, the Access Manager Self-Service package (QuestAccessManager_SelfServiceClient_x86.msi or QuestAccessManager_SelfServiceClient_x64.msi) must be deployed. You must also configure its options, and delegate the Self-Service Access right.For information on delegating access, see “Delegate Access to the Management Server” on page 19.

To configure the Self Service Client

1. Expand Quest Access Manager, and select the Applications node.

2. Right-click ActiveRoles Server, and select Access Manager Self-Service Configuration.

3. Select to allow users to request access to resources, and enter the ActiveRoles server that will be used to satisfy self-service requests.

For a user to make use of the Access Manager Self-Service functionality, they must be from a forest that is registered in the Managed Domains view, in addition to being granted the right to access self-service on the deployment.

22

Quick Start Guide

4. Select to allow groups that have not been published on the ActiveRoles server.

5. Enter the Help Desk Information that will be displayed to the users. (Help message, Help Desk phone number and email address, email subject, and email body.)

6. Click Apply.

To use the Self-Service feature

1. Right-click a folder and selects Request Access.

2. Select either Read or Contribute access.

A list of groups, which will grant the user the requested access to the resource, will be displayed.

3. The user simply clicks the required group, enters a reason to join the group, and clicks OK to send a request to join the group.

Should any questions or issues arise, users have the ability to contact the Help Desk for support if an email application has been configured on the client.

Allowing non-published groups

If this option is selected, groups which have not been marked as published within ActiveRoles Server can be included in the list of groups to which a user can request access. When these groups are encountered, the requesting users rights are checked, and the group is only included in their list of available selections if one of the following two criteria is met:

• The requesting user has the ability to modify the membership of the group.

• The requesting user has the right to add themselves to the membership of the group granted through ActiveRoles Server.

If either of these two rights is held by the user, the group will be presented as a valid option for requesting access. For groups meeting this criteria, if the user has the right through ActiveRoles Server to add themselves to the group, the operation will be attempted, and subjected to any membership modification workflows specified by ActiveRoles Server. If no workflows have been defined, and the user is permitted to modify the membership of the group, they will be automatically added to its membership list.

Quest Access Manager uses a variety of criteria to determine suitability for group selection, based on Microsoft’s best practices for setting file and folder security in a distributed environment. Under certain conditions, a security group that would give users their requested access may be deemed to be inappropriate and therefore the group will not be displayed as an available option. Please consult Microsoft’s documentation for more information.

23


Step-By-Step Walkthrough• Investigating and Modifying Resource Access

• Gathering Group Membership Information

Investigating and Modifying Resource Access

As people join, depart, and shuffle throughout your organization, you will need to change their access to resources. With Access Manager, you can validate that users and groups have been granted access to all the resources they need, ensure they do not have access to excess resources, and remove their access when required.

The following scenario shows how you can locate and remove the access for a particular user who is no longer with your organization.

Scenario: Your company has had a contract employee, Joan Bloggins, working within your organization for the last 6 months and the project is now over. While she was on the project, she was granted access to various financial resources located on several servers throughout your network. As the work progressed, so did her access to various files. Access was incremental and not always granted by the same administrator. This resulted in both access being granted through groups and access being granted by placing Joan’s account directly in the Access Control List (ACL) of the resource. Now that Joan’s work is done, it is your job as the administrator to ensure that her account is removed from the network resources to which she had been granted access.

Figure 2: Access Details

• Joan was working out of the Calgary office and has a series of folders and a share created on the Calgary Server. She has full access to the share and the associated folders.

• Joan was performing a financial audit and analysis; therefore, she was added to the Financials Reader group in the Canada domain so she could review current financial records stored on the Canada Server.

• At a corporate level, Joan's account was created and added to the Finance Global Resource Group at the root Acme domain.

24

Quick Start Guide

To view and manage access

1. Select Start | Programs | Quest Software | Access Manager | Quest Access Manager Client.

From the Access Manager node you can view the status of current Access Manager deployments within your organization.

2. Enter Joan Bloggins in the Quick Search, and select Start Search.

3. Select Joan Bloggins, right click and select Manage Access.

Because user and group access may be the result of several layers of nested groups, the Access Manager console displays group membership, the computers, and resource types where the user or group has both direct access and indirect access by means of group membership.

25


You can now view the access by selecting the Resource Type in the upper-right pane.

4. To edit the rights to the selected resource, select the resource in the lower pane, then right-click and select Edit Security, and make the required changes.

In this example, we will:

• Right-click the Financial Analysis share in the Resource Security Editor, and select Remove Selected Permissions to remove Joan from this share.

• Select the Folder Permissions tab, to view Joan’s access. Through the console we will see that she has access through "Canada-Finance Readers" and "Canada-Finance Full Control" to the Financials folder. This highlights the fact that she was erroneously added to Acme\Finance, as it was not clear that this group had full control to Canada\Financials.

• Remove Joan’s access from the groups and directly from the ACL. (If the account was simply deleted, unresolved SID in ACLs may result, significantly increasing the time it takes to resolve whether a trustee can gain access to a resource.)

With Active Directory native tools (Members of property), you cannot see all domain local group membership in your enterprise and therefore, you are not getting an appreciation for the account’s real access.

You will also not be able to ascertain access that has been granted explicitly to this specific user.

If required, you can also multi-select numerous files, folders, and shares from within the Resource Security Editor at once, right-click and select to remove the user or group access.

Through the Access Manager console, we will also see that Joan has full access to Calgary\Financial Analysis. This type of direct access is sometimes desired when a single user needs access to specific files and shares. However, single user access is difficult to maintain and their visibility may be lost. Access Manager overcomes this limitation.

26

Quick Start Guide

Computer Investigation: Who has Access to a Specific Resource

To ensure a computer is secured in a way that meets your business requirements, you must be able to identify who has been given access to resources, and correct any errors.

With Access Manager, you can quickly:

• Determine where users have access and remove it if required

• Determine access for a user in a particular role within the organization in order to assist you in granting the same access to a new hire

• Perform a spot check on a particular user to ensure they have the correct access to resources

• Investigate who appears in the security settings on a specific computer to ensure that corporate policy is being followed

• Look for computers with high numbers of users, low numbers of groups

• Locate non-authorized users on a specific computer

• Remove unresolved SIDs to improve performance and security

To view and modify computer access

1. In Active Directory Users and Computers, right-click a computer, and select Manage Access.

– OR –

From the Access Manager console, expand a Managed Host.

The Access Manager console with Trustee View selected displays the available users and groups who have access to resources on the selected computer.

From here, you can view other computers where the selected user or group has access and manage specific access points by right-clicking the user or group, and selecting Manage Access.

27


From the Manage Access dialog box, you can choose to open the Resource Security Editor (through Edit Security) and alter the permissions as required, or multi-select access and clone, replace, or remove access all at once.

2. For the purpose of this example, we will select the resource from the Trustee View, right-click and select Edit Security.

From here you can easily edit the share and folder permission, select the auditing options, and alter the resource owner if required.

You can also right-click and select to further manage the user or group access, view group membership information, run group membership and trustee access reports, and add or remove users and groups to the resource ACL.

3. Make the required edits and close the Resource Security Editor.

You can also right-click a Managed Host and select the Resource View which allows you to view the file system and shares on the selected host. You can then browse through the resources, and modify their security through the Resource Security Editor.

28

Quick Start Guide

Gathering Group Membership Information

When examining and managing the access settings of a user or group, it is necessary to know to which groups they belong. Access Manager provides a comprehensive group membership visualization system to provide the information required to manage user or group access on the network.

The Access Manager group membership tree is displayed as an integral part of the information gathered during access queries. The membership tree allows you to see a list of all groups to which a trustee belongs, taking into account group nesting. While similar to the Member Of information maintained in Active Directory for users and groups (which can be seen using the Active Directory Users and Computers MMC snap-in), the information presented in the Access Manager group membership tree is much more complete. In addition to showing group nesting information, it shows domain group membership information, cross-forest group membership, and machine local group memberships of Managed Hosts.

Figure 3: Group Membership treeview

Detailed View of Group Members

Access Manager now provides a hierarchical view of group membership and the recursive list of who is contained in the group. It eliminates the need to navigate through group nesting to identify all group members which ultimately have access to a specific shares, folders, and files.

Enterprise group membership information allows you to identify all the groups to which a user belongs and all the members of a particular group. This allows you to quickly see network access to resources and alter it where required.

To view group membership for a specific trustee

1. From the Access Manager console, find the required group, right-click, and select Group Members.

You will see a hierarchical view of group membership and the recursive list of who is contained in the group.

– OR –

29


From the Access Manager console, find the required user or group, right-click, and select Manage Access.

You will see all the groups that the selected user or group is a member of (both explicitly and indirectly) and the associated access obtained through this group membership.

– OR –

From the Access Manager console, find the required group, right-click, and select Group Member of.

You will see all the groups that the selected user or group is a member of (both explicitly and indirectly).

2. You can now choose to manage the access where required or run reports that detail the access and membership for the selected group or trustee.

30

Quick Start Guide

About Quest Software, Inc.

Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers

worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com.

Contacting Quest Software

Refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com.

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase

• Download the latest releases and service packs

• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at: http://support.quest.com.

Third Party Contributions

Quest Access Manager contains some third party components (listed below). Copies of their licenses may be found on our website at http://www.quest.com/legal/third-party-licenses.aspx

Email [email protected]

Mail Quest Software, Inc.World Headquarters5 Polaris WayAliso Viejo, CA 92656USA

Web site www.quest.com

COMPONENT LICENSE OR ACKNOWLEDGEMENT

Agent and Server zlib 1.2.3

Agent Boost 1.34.1

Agent/Server/Client Windows Installer XML toolset (aka WIX) 3.0.5419

31


http://support.quest.com

mailto:[email protected]

http://support.quest.com

http://www.quest.com/legal/third-party-licenses.aspx



Server/Client Microsoft Enterprise Library 3.1 (May 2007)

Contains software or other content adapted from Microsoft patterns & practices ObjectBuilder, © 2006 Microsoft Corporation. All rights reserved.

COMPONENT LICENSE OR ACKNOWLEDGEMENT

32

quest access manager 2support-public.cfm.quest.com/16a621e8-5fe6-462b... · quest access manager 8...

Documents