Quest® Access Manager
Version 1.6
Release Notes
May 2010
Welcome to Quest Access Manager
Quest Access Manager eliminates the complexity of resource management, secures your Windows infrastructure, and allows you to maintain operational efficiency and sustain continuous compliance.
Specifically, Access Manager:
Note: To configure an Access Manager Management Server, the user must belong to the Administrators group of the computer hosting the Management Server.
System Requirements:
Software Requirements:
Account Requirements:
System Requirements:
Software Requirements:
System Requirements:
Note: Quest provides both 32-bit and 64-bit agents for Quest Access Manager. Ensure that the agent installed on a given machine matches the installed operating system.
Software Requirements:
Note: Quest provides both 32-bit and 64-bit ActiveRoles Server Web Integration components for Quest Access Manager. Ensure that the components installed on a given machine match the installed operating system (32-bit or non-Itanium 64-bit).
System Requirements:
Note: Quest provides both 32-bit and 64-bit Self-Service clients for Quest Access Manager. Ensure that the client installed on a given machine matches the installed operating system.
Software Requirements:
The following is a list of issues known to exist at the time of release for Quest Access Manager version 1.6.
| Feature | Known Issue | Defect ID |
| --- | --- | --- |
| Managed Host | Computer name changes are not automatically handled through Access Manager. If a computer's name is changed after it has been registered as a Managed Host within Access Manager, some functions will cease to operate correctly. If a Managed Host computer is renamed, it must be removed and added again with the new computer name. | TFS# 42129 |
| Managed Host | An exception occurs when attempting to register a computer as a remotely managed host through Active Directory Users and Computers. When the Manage Access menu item is selected for a computer that is not registered as a Managed Host within Access Manager, an exception will occur if you attempt to register the computer as a remotely managed host. This can be avoided by registering the managed host through the Access Manager MMC console. | TFS# 123162 |
| Managed Host | The Add Managed Host dialog may be hidden when context menus are displayed. When adding Managed Hosts through the Add Managed Host wizard, displaying the context menu in either data list may cause the entire window to be hidden. Closing the context menu (by left-clicking off the menu) and selecting the Add Managed Host dialog's entry on the task bar will bring it back to the front. | TFS# 42259 |
| Managed Host | Non-Windows systems can incorrectly report that they are able to host a local agent. When adding Managed Hosts, computers registered with Active Directory as having the OnTap operating system are incorrectly displayed as being able to host agents. Only systems running Windows Server operating systems are able to host Access Manager agents. | TFS# 109085 |
| Managed Host | Manage Hosts data state may display "Performing Initial Scan" when in fact there is no scan being performed on a remote agent. If the data roots cannot be scanned successfully, then the agent will report the state as Performing an Initial Scan. | TFS# 109514 |
| Managed Domain | Managed Domains with no online Domain Controllers can cause performance issues in the Access Manager console. If a Managed Domain cannot contact a Domain Controller, some operations, including the viewing of domain properties in the Managed Domain view, can take longer than normal to complete. Ensure that all Managed Domains have at least one Domain Controller online that they can contact. Domains with this issue will have a status of Network Issue displayed in the Access Manager console. | TFS# 42132 |
| Installation | System may require restart after client upgrades from version 1.5 or later to version 1.6. When the version 1.5x client is uninstalled, the system must be restarted prior to installing and using either the 1.6 Security Editor or Self-Service Explorer extensions. | TFS# 122973 |
| Refresh | When a grid within the Access Manager console is grouped, refresh operations may cause unexpected selection changes when the data is repopulated. Also, any expanded data rows may be collapsed. | TFS# 42136 |
| Agent | Agent update service remains registered when agent is manually uninstalled on host computer. When all agent instances are removed from a Managed Host, or computer which otherwise hosts agents, the Quest Access Manager Agent Update Service will remain present on the system. This service can be safely deleted. | TFS# 64367 |
| Agent | Agent deployment fails when downlevel computer names cannot be resolved. If a computer's downlevel name cannot be resolved to an IP address, the Access Manager agent deployment system will not be able to deploy agents to it. Ensure that downlevel names for computers can be resolved from the Management Server computer. | TFS# 48878 |
| Agent | Manual installation of a local agent is not supported on computers that already host a remote agent service. You cannot manually install a local agent on a computer that has an existing agent installed to manage remote computers. To install a local agent on a system already hosting remote agents, you must deploy the agent using automatic deployment through the Quest Access Manager console. | TFS# 114246 |
| Agent | Network configuration changes may not be reflected in the agent connection information. If the network configuration of a Managed Host changes such that outgoing connections become blocked, the Access Manager agent on that computer may be incorrectly reported as operating in Active mode. Additionally, queries against this agent may not be processed. To resolve this situation, restart the agent to renegotiate the connection. | TFS# 45912 |
| Agent | Manually removing an installed agent through Add/Remove Programs may not remove the Agent Update Service. When agents are deployed during the registration of Managed Hosts, a secondary helper service, the Quest Access Manager Agent Update Service, is also deployed. This service is used to perform agent installation, removal, and maintenance. If the agent is manually removed from a computer, without removing it through Managed Host removal in the Access Manager client, the Agent Update Service will be left on the computer. This service can be deleted on Windows Server 2003 and Windows Server 2008 computers using the "SC" command line tool. | TFS# 56086 |
| Agent | Remote change watching not detecting change at the root level. When watching for change on remote computers, the Access Manager agent will not register changes which are made to scan root objects themselves. (All child objects are properly checked.) | TFS# 105557 |
| Agent | When deploying agents to Windows 2008 R2, install will fail when UAC is enabled. If you attempt to install an agent to Windows 2008 R2, the install will fail if UAC is enabled. As a workaround, you can turn off UAC and then install the agent. | TFS# 108323 |
| Agent | Agents can report as being available even though access has been denied. If an agent is unable to read the security information from its configured file system data roots, it may report data as being available. This can occur if the service account specified is unable to read the security of the target. | TFS# 110237 |
| Quick Search | Grouping the Quick Search view during a search can lead to unexpected results. When performing a directory search using Quick Search, leaving the view in a grouped state can lead to unexpected and unstable results. Blank rows and instability can occur. It is recommended that the Quick Search view be left in the default list format while searches are being executed. | TFS# 56524 |
| Deployment Removal | On full deployment teardown, an agent installed on the same computer as the Management Server will not be removed automatically. When running a deployment removal, if an agent is installed on the same computer as the Management Server, it will not be removed. It is recommended that you remove the Managed Host entry for this computer before running the deployment removal tool, or manually uninstall the Access Manager agent after teardown has completed. | TFS# 48250 |
| ActiveRoles Server Integration | Leaving the Manage Access extension page in the ActiveRoles Server web interface idle will lead to an error. If the Manage Access extension page in the ActiveRoles Server web interface is left idle for an extended period of time, attempts to view other computers and resources will generate an error. Refreshing the page will resolve this issue. | TFS# 48496 |
| ActiveRoles Server Integration | The Access Manager Web Components for ActiveRoles Server do not provide builtin group membership filtering (specifically, BUILTIN\Users and BUILTIN\Administrators). This causes the data returned by the web component to be verbose. | TFS# 56531 |
| ActiveRoles Server Integration | Quest Access Manager web integration for ActiveRoles Server may not work when configured to use integrated authentication. | TFS# 91383 |
| Security Modifications | Do not manipulate security on the computer's recycle bin. The Access Manager client allows for the manipulation of security on the recycle bins on computers. These operations are not recommended, as they can cause consistency issues with the content of the recycle bin itself. | TFS# 105477 |
| Security Modifications | Security manipulation status only visible in Access Manager console or Resource Security Editor extension for Windows Explorer. When using the Manage Resources menu in either Active Directory Users and Computers or ActiveRoles Server to manipulate security, it is not possible to see the status of change operations. To see this information, use either the Access Manager console or the Access Manager Resource Security Editor extension for Windows Explorer. | TFS# 109824 |
| Security Modifications | Do not attempt to make security changes while the resource browser is being populated. If you attempt to navigate away from a pending security change and select another resource, you may be presented with a large number of confirmation dialogs until enumeration is finished. | TFS# 107470 |
| Security Modifications | Editing security on shortcuts is not supported. | TFS# 95895 |
| Resource Security Editor | Removal of inherited and explicit entries in the Resource Security Editor should be performed as two separate operations. When removing permissions from the Resource Security Editor, if both explicit and inherited permissions are present in the selection, you will be prompted to confirm how to remove the inherited permissions. If the Copy from Parent option is selected, the permissions originally selected for removal will not be removed. A subsequent removal of the explicit permissions will properly remove the rights. | TFS# 99724 |
| Resource Security Editor | Pending changes in the Resource Security Editor may be lost if you click the white space on the top pane. If you click the white space in the top pane while modifying resources in the Resource Security Editor, you will not be prompted to commit changes before navigating away and the pending changes will be lost. | TFS# 102060 |
| Resource Security Editor | Blank Security Editor displayed on access denied. If either the client or the service account reading security information from a resource is denied access, a blank Security Editor will be displayed. | TFS# 110229 |
| Active Directory Integration | Removing a forest from the list of registered forests will not automatically remove display specifier integration. When forests are removed from the Managed Domains view in the Access Manager console, any display specifiers written during directory integration are not automatically removed. Before removing a forest, ensure that it is not directory integrated. Removing directory integration from the Managed Domains view will remove all Access Manager modifications to the forest's display specifiers. | TFS# 53479 |
| Object Naming | Managing users or groups with the “\/” character sequence in their names is not supported. If a user or group has the \ character, followed by the / character anywhere in their distinguished name, many features of Access Manager will fail to work properly when focused on them, including group membership expansion and access management. | TFS# 55258 |
| Object Naming | Builtin groups may appear with an incorrect name. Access Manager may incorrectly represent the names of certain builtin groups, such as Administrators and Power Users, if these groups have been renamed. Note that this does not affect the underlying functionality of Access Manager, just the display names of these groups. | TFS# 114243 |
| Manage Access | Inconsistent trustee names are displayed when managing access from different locations. When managing trustee access, the location from which the operation was launched can change the display name of the trustee in the manage access view. When managing access from the Quick Search, Active Directory Users and Computers, or ActiveRoles Server, the Active Directory name property is displayed. From the Users and Groups, and Managed Hosts views, the downlevel (pre-Windows 2000) name will be displayed. To reduce confusion, it is suggested that pre-Windows 2000 names and display names be kept the same for users and groups whenever possible. | TFS# 56507 |
| Manage Access | "Self" ACLs not checked properly when a user is performing an access query against their own account. When configuring security for allowing/denying the management of trustee access through Active Directory, the SELF SID is not properly considered when performing access checks. | TFS# 106221 |
| Trustee Access Reports | Report generation may not complete if agent upgrades are being performed. When performing agent upgrades through the Access Manager console, it is recommended that reports against those agents not be run. The report may fail to finish if it is run against an agent while it is upgrading. Once the agent has upgraded successfully, reports can be run against it. | TFS# 56573 |
| Trustee Access Reports | Machine local group membership information for machine local users not available in reports. When performing a Trustee Access Report for machine local users, neither the Exclude Specific Groups section nor the Group Section in the report will include machine local group membership information. Note that machine local group membership information will still be used to generate access information when managing trustees. | TFS# 78816 |
| SID History | Access points relating to SIDs only present in SID History are considered as being from an unlicensed domain. When managing access points for SIDs which only exist in the sidHistory property of Active Directory users and groups, queries against these SIDs will not be allowed, even though it appears that they come from domains that are licensed. This is because the domain housing the original SID no longer exists, and cannot be licensed. | TFS# 56725 |
| Extensions | Quest Access Manager menu extensions are not available when a relevant language pack is also not available. If folders are created with language characters different than the operating system and you do not have the language pack installed for the foreign language, the Access Manager menu extensions will not be present from the right-click context menu. | TFS# 106140 |
| Console Notification | Invalid "All windows must be closed" message. In some cases, the Access Manager console may display a notification stating that all windows must be closed prior to exiting, when there are no additional windows. In these cases, the console must be closed by ending the hosting MMC.exe task using Task Manager. | TFS# 107475 |
| Audit Logs | Inherited and System derived changes are not tracked in Audit logs. When Access Manager performs audits for security changes made by the server, the information is audited prior to writing to disk. In these cases, ACLs which are inherited from a parent as a result of changing DACL inheritance settings, as well as changes made by the system due to security constraints, are not logged with the audit information. | TFS# 107480 |
| UAC | Access Manager server is not supported on a Windows Server 2008 R2 computer with UAC set above the lowest level. When running Access Manager Server on a Windows Server 2008 R2 computer, ensure UAC is set to the lowest level. | TFS# 108218 |
| Authenticated Users | Authenticated users are treated as a builtin\ user on the target host. Authenticated users are treated as the users group when checking client access. | TFS# 108975 |
| Builtin Filter | Only well-known accounts are returned when the builtin filter is selected. Only well-known accounts (such as Everyone and Authenticated Users) are returned when the builtin filter is selected. Builtins (such as administrators and users) are returned as groups. | TFS# 109347 |
| Data Roots | Data roots with semicolon characters are not supported. Access Manager does not presently support adding data roots for Managed Hosts with semicolons in their paths. To scan a folder with a semicolon in its name, ensure that one of its parents is selected as a root, or share the folder with a name not containing a semicolon, and add the computer as a remotely Managed Host. | TFS# 63673 |
| Data Roots | Able to select data roots when deploying remote agents when agent's service account may not have proper access to read data. When deploying remote agents, it is sometimes possible to select roots that the specified service account cannot access. Ensure that the service account being selected for agent deployment can read the target. | TFS# 110236 |
| Machine Local Groups | Renamed machine local groups and users do not have their name changes reflected in the Access Manager client. If a machine local user or group is renamed after it has been originally added to the Access Manager index, any subsequent name changes will not be properly reflected in the client. | TFS# 70422 |
| Machine Local Groups | Manage Local Groups will not work on a 2K3 Cluster. Because Windows 2003 Virtual Cluster Nodes do not have an associated Computer object in AD, selecting to manage local groups on a Windows 2003 Cluster host will not display any local groups. An error message will display that indicates that access is denied to perform that operation. | TFS# 123143 |
| Group Membership | Remotely managing group memberships from a German Server operating system may cause inconsistent results. Issues can occur managing the membership of builtin groups when the management server is running on a German language operating system. It is recommended to run the server on a non-German operating system. | TFS# 110489 |
| Server Connection | You will receive an error when attempting to connect to a 1.5.x server with pre-1.5 clients. If an Access Manager MMC client with a version number older than 1.5 attempts to connect to a management server with version 1.5 or greater, you will receive an error. To avoid this error, upgrade the client to version 1.5.1. | TFS# 114065 |

This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.

This release is Unicode-enabled and supports any character set. It supports simultaneous operation with multilingual data. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe.
The Quest Access Manager release package contains the following products:
Refer to Quest Access Manager Quick Start Guide for installation instructions.
Email: info@quest.com
Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Web: http://www.quest.com
Refer to our Web site for regional and international office information.
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com.
From SupportLink, you can do the following:
Retrieve thousands of solutions from our online Knowledgebase
Download the latest releases and service packs
Create, update and review Support cases
This guide is available in English only.
© 2010 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information protected by copyright. The software described in this document is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters, LEGAL Dept, 5 Polaris Way, Aliso Viejo, CA 92656
Email: legal@quest.com
Refer to our website for regional and international office information.
This product includes patent pending technology.
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
| Component | License or Acknowledgement |
| --- | --- |
| Agent | Boost 1.34.1 |
| Agent and Server | zlib 1.2.3 |
| Agent/Server/Client | Windows Installer XML toolset (aka WIX) 3.0.5419 |
| Server/Client | Microsoft Enterprise Library 3.1 (May 2007). Contains software or other content adapted from Microsoft patterns & practices ObjectBuilder, © 2006 Microsoft Corporation. All rights reserved. |

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.