This article provides information to consider and recommendations to follow when planning to use the Management History feature.
The Management History feature is designed to help promptly investigate what changes were recently made to directory data, as well as when it was done and by whom. As such, this feature is not intended for data change auditing nor is it intended to explore large volumes of data changes that occurred during a long period of time. For this reason, in addition to the Management History feature, Active Roles provides a suite of reports for change tracking and auditing, which is part of the Active Roles Report Pack. There is also the InTrust Knowledge Pack for Active Roles to handle and analyze change tracking logs of very large volume. The InTrust product is sold separately from Active Roles. Each of these three options: Management History, Report Pack and Knowledge Pack, has its own advantages and limitations. Follow the recommendations in this article to choose the one that best suits your needs.
The Management History feature can be used to examine changes that were made to directory data via ActiveRoles Server. The feature is designed to help answer the following typical questions:
- Who made the most recent changes to a given user or group object?
- Who modified a given user or group object during the last X days?
- What changes were made to a given user object last night (yesterday, the day before)?
- Have any planned modifications of a given user or group object actually been performed?
- What objects did a given delegated administrator modify during the last X days?
Management History can be instantly accessed whenever there is a need to quickly investigate or troubleshoot a problem that results from inappropriate modifications of directory data. The Management History feature includes a dedicated repository to store information about data changes, referred to as the Management History Log, and GUI to retrieve and display information from that repository. No additional actions such as collecting or consolidating information are required to build Management History results based on the Management History Log. However, the advantages of the Management History feature also entail some limitations.
Before using the Management History feature, consider the following recommended best practices and limitations of using this feature:
- The Management History Log is somewhat incomplete in that it does not reflect data changes made by certain policies, such as 'Member Of' Rules. When a 'Member Of' Rules-based policy adds or removes users from groups, information on those policy actions is missing from the Log and, consequently, from the Management History results. If you need information on all data changes, including those that occur due to policy actions, use change tracking reports, which are discussed later in this article.
- One more factor to consider is the size of the Management History Log. To ensure real-time update of the Log on all Administration Services, the Log is stored in the Active Roles configuration database. This imposes some limitations on the Log size.
By default, the Management History Log is configured to only store information about changes that occurred within last 30 days. If this setting is increased the following problems may occur:
- Excessive increase in the Log size significantly increases the time required to build and display Management History results.
- As the Log size grows, so does the size of the associated SQL database. By default, this is the Configuration database, although it is possible to separate Management History off to a dedicated database. A larger database considerably increases the time required to back up and restore the database, and causes high network traffic replicating the database when you join an additional Administration Service to Active Roles replication.
- Having large databases will significantly increase the run-time of the Active Roles Collector.
- The GUI is not suitable to represent large volumes of Management History results in a manageable fashion. Since there is no filtering or paging capabilities, it may be unwieldy and difficult to sort through the results.
To address these limitations, Active Roles provides a different means for change auditing-change tracking reports, included in the Active Roles Report Pack. These reports are designed to help answer the following questions:
- What management tasks were performed on a given object within a certain period of time?
- What management tasks were performed on a given object during the object's entire life time?
- When was a certain attribute of a given object modified?
To work with reports, Active Roles provides an advanced viewer, the Reporting Console. The Reporting Console eases the management of reports containing large volumes of data as it contains the following features: configure and apply filters, browse by page, and export reports to a wide variety of formats. These reports are based on data collected from event logs. A separate log is stored on each computer running the Administration Service, and each log only contains events generated by one Administration Service. Therefore, to use reports, the events from all event logs need to be consolidated to form a complete audit trail. The process of consolidating events, referred to as the data collection process, is performed by a separate Active Roles component Collector. The Collector wizard, allows for configuring and executing data collection jobs, and scheduling them to run on a regular basis.
The main limitation of change tracking reports is the fact that the information needs to be collected and consolidated in a separate database before using the Reporting Console. The data collection process exhibits the following disadvantages:
- Collecting data may be a very lengthy operation and the database size may grow unacceptable when collecting all events that occurred within a long period of time in a large environment.
- Collecting data is impossible over slow WAN links. This limitation is inherent to the Active Roles component intended to collect data for reporting.
If these limitations are encountered use InTrust Knowledge Pack for Active Roles to consolidate and analyze event logs from computers running the Administration Service. The Knowledge Pack is designed to store, manage, and analyze very large volumes of change tracking data. This product uses sophisticated techniques to gather and consolidate information from event logs, even over slow WAN links.