Define collection scope for an AD Change Collection job
This article describes how to define the collection scope of an AD Change Collection job by including or excluding objects and containers. Inclusion rules define a positive scope, where only matching objects are monitored. Exclusion rules suppress change records for matching objects. You can combine both rule types on the same job.
By default, an AD Change Collection job monitors all objects in the domain. When you add one or more inclusion rules, only objects that match at least one inclusion rule generate change records. Exclusion rules continue to suppress records for matching objects.
Include objects and containers
The Add inclusion action lets you define which objects or containers should be monitored.
To add an inclusion rule:
Open the Cayosoft Guardian web portal.
Go to Change Monitoring > Jobs.
Find an AD Change Collection job for your domain, select it, and click Properties.
Open the Collection scope tab.
Click Add inclusion.
Select whether the rule targets a Container/OU or a single object.
Specify the distinguished name (DN) of the target.
Select the scope:
This object only
This object and its children
Optionally, select the object types, change types, and modified properties that the rule applies to.
Click Add.
Exclude objects
The Add objects action lets you exclude individual objects.
To exclude specific objects:
Open the Cayosoft Guardian web portal.
Go to Change Monitoring > Jobs.
Find an AD Change Collection job for your domain, select it, and click Properties.
Open the Collection scope tab.
Click Add objects.
Specify the distinguished names of the objects to be excluded.
Select the change types and modified properties to be excluded.
Click Add.
Exclude containers
The Add containers action lets you exclude a container together with its child objects.
To exclude specific containers:
Open the Cayosoft Guardian web portal.
Go to Change Monitoring > Jobs.
Find an AD Change Collection job for your domain, select it, and click Properties.
Open the Collection scope tab.
Click Add containers.
Specify the distinguished names of the containers to be excluded.
Select the object types, change types, and modified properties to be excluded.
Click Add.
Collect nested group memberships
By default, Cayosoft Guardian collects only direct group membership changes. You can additionally enable collection of nested group memberships. When this option is enabled, a change record is also created for every parent group that a user or group effectively joins or leaves through group nesting.
To enable nested group membership collection:
Open the Cayosoft Guardian web portal.
Go to Change Monitoring > Jobs.
Find an AD Change Collection job for your domain, select it, and click Properties.
Open the Nested group memberships tab.
Select one or both of the following options:
Collect nested group memberships for AD groups
Collect nested group memberships for cloud groups
Click Save to apply the settings.
NOTE: Nested membership collection is off by default. After you enable it, transitive changes are detected during the next collection run. Enabling this option can increase collection volume in environments with deep or wide group nesting.
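The following Python script is an added illustration of the behaviour described above; it is not Cayosoft Guardian code, and the function names, the direct-membership data model and the sample nesting are assumptions. It computes which change records a collection run would produce for one direct membership change, first with direct-only collection and then with nested collection, and shows the case a practitioner should expect: a parent group the member already reaches through another nesting path produces no record.

```python
# Added illustration of nested (transitive) membership change detection.
# Not Cayosoft Guardian code; data model and function names are assumptions.
from collections import deque


def transitive_groups(member, direct):
    """All groups `member` belongs to, directly or through any depth of nesting.
    `direct` maps each principal (user or group) to the set of groups it is a
    direct member of; principals not listed have no parent groups."""
    seen = set()
    queue = deque(direct.get(member, ()))
    while queue:
        group = queue.popleft()
        if group in seen:          # also guards against circular nesting
            continue
        seen.add(group)
        queue.extend(direct.get(group, ()))
    return seen


def with_direct_change(direct, member, group, add):
    """Copy of the direct-membership map with one direct membership added/removed."""
    updated = {k: set(v) for k, v in direct.items()}
    if add:
        updated.setdefault(member, set()).add(group)
    else:
        updated.get(member, set()).discard(group)
    return updated


def collection_records(direct, member, group, add, nested):
    """Change records for one direct membership change, as (group, op) tuples.
    nested=False: only the direct change is recorded.
    nested=True:  a record is also produced for every parent group the member
    effectively joins or leaves; a parent the member still reaches through
    another nesting path is unchanged and gets no record."""
    op = "add" if add else "remove"
    records = {(group, op)}
    if nested:
        before = transitive_groups(member, direct)
        after = transitive_groups(member, with_direct_change(direct, member, group, add))
        effective = (after - before) if add else (before - after)
        records |= {(g, op) for g in effective if g != group}
    return sorted(records)


# Constructed sample nesting (not real directory data):
#   alice -> Helpdesk -> IT-Staff -> All-Employees
#   Finance-Readers -> Finance, Finance-Readers -> All-Employees
SAMPLE = {
    "alice": {"Helpdesk"},
    "Helpdesk": {"IT-Staff"},
    "IT-Staff": {"All-Employees"},
    "Finance-Readers": {"Finance", "All-Employees"},
}

if __name__ == "__main__":
    # Adding alice to Finance-Readers: direct-only yields one record; nested
    # also reports Finance, but not All-Employees (already reached via IT-Staff).
    print(collection_records(SAMPLE, "alice", "Finance-Readers", True, nested=False))
    print(collection_records(SAMPLE, "alice", "Finance-Readers", True, nested=True))
    # Removing alice from Helpdesk afterwards: she also leaves IT-Staff, but
    # keeps All-Employees through Finance-Readers, so no record for it.
    later = with_direct_change(SAMPLE, "alice", "Finance-Readers", True)
    print(collection_records(later, "alice", "Helpdesk", False, nested=True))
```

The second and third results are why the NOTE above warns about collection volume: every direct change in a deeply nested tree can fan out into several transitive records, while a member that keeps a parent group through a second path generates none for it.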
How inclusion and exclusion rules are evaluated
When a job has no inclusion or exclusion rules, it monitors every object in the domain.
When inclusion rules are present, an object must match at least one inclusion rule to be eligible for a change record. Objects outside the included scope are not monitored.
When both an inclusion rule and an exclusion rule apply to the same object, the most specific rule wins. The rule whose DN is deeper in the hierarchy takes precedence.
Removing all inclusion rules reverts the job to monitoring the full environment.
Rule conflicts
Cayosoft Guardian rejects conflicting rules with an error. You cannot add a duplicate rule of the same type for a DN and kind that already exists. You also cannot add an inclusion rule and an exclusion rule for the same DN and kind.
For example, to monitor only your Healthcare OU while skipping its nested Contractors OU, add the following rules (they do not conflict, because their DNs differ):
Add an inclusion rule for OU=Healthcare with the scope set to This object and its children.
Add an exclusion rule for OU=Contractors,OU=Healthcare.
Objects in OU=Contractors are skipped, while objects in sibling OUs, such as OU=Nurses,OU=Healthcare, are still monitored. Objects outside OU=Healthcare, such as objects in OU=Finance, do not generate records because they are outside the included scope.
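The following Python script is an added model of the evaluation rules described under "How inclusion and exclusion rules are evaluated" and of the Healthcare/Contractors example above; it is not Cayosoft Guardian code. The class and method names, the DN parsing (which assumes no escaped commas) and the tie-break for two rules of equal depth are assumptions, not documented product behaviour. It also shows the reverse case the article implies: an inclusion rule nested inside an excluded container wins because it is deeper.

```python
# Added model of how a job's collection scope decides whether an object is
# monitored. Not Cayosoft Guardian code; names and tie-break are assumptions.
from dataclasses import dataclass


def parse_dn(dn):
    """RDNs of a DN as a tuple, root first, lower-cased so comparison is
    case-insensitive. Assumes no escaped commas (true of the DNs above)."""
    return tuple(part.strip().lower() for part in reversed(dn.split(",")))


@dataclass(frozen=True)
class Rule:
    dn: str
    kind: str        # "container" or "object", as selected in the portal
    include: bool    # True for an inclusion rule, False for an exclusion rule
    children: bool   # True for "This object and its children"

    def applies_to(self, obj_dn):
        target, obj = parse_dn(self.dn), parse_dn(obj_dn)
        if obj == target:
            return True
        return self.children and obj[:len(target)] == target

    @property
    def depth(self):
        return len(parse_dn(self.dn))


class CollectionScope:
    def __init__(self):
        self.rules = []

    def _add(self, rule):
        # The portal rejects a duplicate rule, and an inclusion/exclusion pair,
        # for the same DN and kind.
        for existing in self.rules:
            if parse_dn(existing.dn) == parse_dn(rule.dn) and existing.kind == rule.kind:
                raise ValueError(f"conflicting rule for {rule.dn} ({rule.kind})")
        self.rules.append(rule)

    # The three portal actions from this article:
    def add_inclusion(self, dn, kind="container", children=True):
        self._add(Rule(dn, kind, include=True, children=children))

    def exclude_objects(self, *dns):       # "Add objects": single objects only
        for dn in dns:
            self._add(Rule(dn, "object", include=False, children=False))

    def exclude_containers(self, *dns):    # "Add containers": container + children
        for dn in dns:
            self._add(Rule(dn, "container", include=False, children=True))

    def is_monitored(self, obj_dn):
        applicable = [r for r in self.rules if r.applies_to(obj_dn)]
        if not applicable:
            # No rule applies: monitored unless inclusion rules define a
            # positive scope that this object falls outside of.
            return not any(r.include for r in self.rules)
        # Most specific rule wins (deepest DN). Equal depth is not defined by
        # the article; this model lets the exclusion win (assumption).
        winner = max(applicable, key=lambda r: (r.depth, not r.include))
        return winner.include


if __name__ == "__main__":
    # Constructed object DNs under the article's example OUs.
    scope = CollectionScope()
    scope.add_inclusion("OU=Healthcare")                       # object and children
    scope.exclude_containers("OU=Contractors,OU=Healthcare")
    for dn in ("CN=Bob,OU=Contractors,OU=Healthcare",          # False: excluded
               "CN=Ann,OU=Nurses,OU=Healthcare",               # True: sibling OU
               "CN=Cid,OU=Finance"):                           # False: outside scope
        print(dn, scope.is_monitored(dn))
    try:
        scope.exclude_containers("ou=healthcare")              # same DN and kind
    except ValueError as err:
        print("rejected:", err)
```

Run it with a DN that matches an inclusion rule of kind "object" and scope "This object only" to see that only the named object, not its children, becomes eligible; that is the difference between the two scope choices in the Add inclusion dialog.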