ActiveRoles Server: Securing the registry

It is always important to safeguard access to powerful AD groups such as Domain Admins and Enterprise Admins. Tools like ActiveRoles Server can make that a breeze. ActiveRoles Server itself also has an almighty AD group, which gives its members full access to everything within ActiveRoles, including the Active Directories it is managing! It is therefore vital that you safeguard this group and add only a bare minimum of users to it. It is also recommended that the group is given a non-related name, to protect it from intruders. However, by default, it is possible to view the name of this group directly in the registry of the server running ActiveRoles. The group name is listed here: HKEY_LOCAL_MACHINE\SOFTWARE\Aelita\Enterprise Directory Manager\DSAdministrators.

The guide below will show you how to change this:

  • Open the ActiveRoles Server Console
  • Right click Configuration
  • Click Properties
  • Go to the Object tab
  • Click Advanced Properties
  • Check ‘Show all possible attributes’ and ‘Include attributes with empty values’
  • Search for “edsvaDSAdministrators” and double click it to edit
  • Enter the domain\group name and click OK
  • Click OK 3 times
  • Restart the “Quest One ActiveRoles Administration” Service

Before: [screenshot not preserved]

After: [screenshot not preserved]
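To check the result on the server itself, the following PowerShell script (an added example, not part of the original post and not Quest code) reads the registry entry named above and lists who is actually in the group it points to. It assumes that DSAdministrators is a value under the "Enterprise Directory Manager" key holding a domain\group string, that the ActiveDirectory RSAT module is installed, and it uses a hypothetical $MaxMembers threshold for "a bare minimum of users".

```powershell
# Added example: audit the ActiveRoles admin group named in the registry.
# Assumptions (not from the original post): DSAdministrators is a registry
# value holding DOMAIN\group, and the ActiveDirectory module is available.
param(
    # Hypothetical threshold for "a bare minimum of users"
    [int]$MaxMembers = 5
)

$keyPath   = 'HKLM:\SOFTWARE\Aelita\Enterprise Directory Manager'
$valueName = 'DSAdministrators'

# Read the value; report and stop if it is not present on this machine
$entry = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Output "Value '$valueName' not found under $keyPath"
    return
}

$raw = [string]$entry.$valueName
Write-Output "Registry currently shows: '$raw'"
if ([string]::IsNullOrWhiteSpace($raw)) { return }

# Split DOMAIN\group; fall back to the logon domain if there is no prefix
$parts = $raw -split '\\', 2
if ($parts.Count -eq 2) {
    $domain, $group = $parts
} else {
    $domain = $env:USERDOMAIN
    $group  = $parts[0]
}

# Resolve effective membership, including members of nested groups
Import-Module ActiveDirectory -ErrorAction Stop
$members = @(Get-ADGroupMember -Identity $group -Server $domain -Recursive)

Write-Output "Effective members of ${domain}\${group}: $($members.Count)"
foreach ($m in $members) {
    Write-Output ("  {0} ({1})" -f $m.SamAccountName, $m.objectClass)
}

if ($members.Count -gt $MaxMembers) {
    Write-Warning "Group has more than $MaxMembers effective members; review who needs full ActiveRoles access."
}
```

Run it from an elevated prompt before the change and again after the service restart, and keep both outputs as a record of what the registry exposed.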
