[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)

---BeginMessage---
---End Message---

--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I always assumed that the WMI call is using DirSync under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per se. All that WMI does is poll AD for changes at regular intervals. Based on the WQL query and the changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the "who did it".

Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance.

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor and report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in the way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before and after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD event monitoring?

TIA,
Chuck
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
RTFM Consulting Services Inc.
864 801 2795 voice and voicemail
864 801 2774 fax
103 Autumn Hill Road
Greer, SC 29651
Do not send me unsolicited commercial email.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
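The thread's central point, that a polling consumer reports only the net difference between two snapshots and never the actor, can be seen in a small model. This is an added example, not code from any poster and not WMI itself; the group members, accounts, timestamps and function names are constructed for illustration.

```python
# Model of a polling change monitor versus an audit trail for one group's
# multi-valued "member" attribute. All data below is constructed sample data.

# Every write, as (time in seconds, actor, operation, value). In a real domain
# the actor is recorded only by Windows auditing, never by the polling consumer.
WRITES = [
    (3,  "CORP\\helpdesk1", "add",    "CN=Temp Admin"),
    (7,  "CORP\\helpdesk1", "remove", "CN=Temp Admin"),
    (14, "CORP\\admin1",    "add",    "CN=Bob"),
    (18, "CORP\\admin2",    "remove", "CN=Carol"),
]
INITIAL_MEMBERS = frozenset({"CN=Carol", "CN=Dave"})


def members_at(t, initial=INITIAL_MEMBERS, writes=WRITES):
    """Attribute state at time t: all writes with time <= t applied in order."""
    state = set(initial)
    for when, _actor, op, value in sorted(writes):
        if when > t:
            break
        if op == "add":
            state.add(value)
        else:
            state.discard(value)
    return frozenset(state)


def poll(interval, end):
    """Snapshot every `interval` seconds and diff against the previous snapshot.

    Returns one event per poll that saw a difference, with the individual
    values added and removed (the before/after detail asked for in the thread).
    """
    events = []
    previous = members_at(0)
    for t in range(interval, end + 1, interval):
        current = members_at(t)
        if current != previous:
            events.append({
                "window": (t - interval, t),
                "added": sorted(current - previous),
                "removed": sorted(previous - current),
            })
        previous = current
    return events


def _explains(event, write):
    """True if an audit record falls in the event's window and matches its diff."""
    when, _actor, op, value = write
    lo, hi = event["window"]
    bucket = event["added"] if op == "add" else event["removed"]
    return lo < when <= hi and value in bucket


def attribute(events, writes=WRITES):
    """Join polled changes with audit records to recover who made them."""
    return [
        (ev["window"], sorted({w[1] for w in writes if _explains(ev, w)}))
        for ev in events
    ]


def unseen_writes(events, writes=WRITES):
    """Audit records no polled event accounts for: changes that netted out
    between two polls and were therefore never reported to the consumer."""
    return [w for w in writes if not any(_explains(ev, w) for ev in events)]


if __name__ == "__main__":
    for interval in (10, 5):
        evs = poll(interval, 20)
        print(f"interval={interval}s: {len(evs)} event(s)")
        for window, actors in attribute(evs):
            print("  ", window, "actors from audit log:", actors)
        print("   missed by polling:", unseen_writes(evs))
```

With a 10-second interval the temporary membership added at t=3 and removed at t=7 never reaches the consumer; only the audit records show it, which is why polling and auditing answer different questions.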
RE: [ActiveDir] Default Domain
REG ADD has a disadvantage b/c it runs every time (thus adding to startup delay) but of course has one big advantage... it runs every time. Unless you configure the registry client side extension otherwise, it doesn't refresh (b/c the GPO itself hasn't changed)... so you could still have a user from another domain change the domain, then the next user is logging on to the wrong domain... A startup script is useful to enforce that setting.

However, I agree that educating users to log on with the upn is a much more viable answer for multidomain environments and I would try to aim for that.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain

We are using a startup script that has two reg add commands

    reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f
    reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f

This has worked very well for us during and post migration. Most of our users came from small NT domains and we only finished the 1000 NT domains to 9 AD domains over the last 6 months.

Where this does not work is if I choose to logon, then hit escape - for some reason when I hit ctrl alt del the second time the last domain I logged into shows up instead of the specified DOMAINAME above. This might have been specific to one machine or may be a problem with one of the entries - I only saw it the once and have not had time to go back and investigate.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[EMAIL PROTECTED]

Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/19/2005 11:59 PM ZE2
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain

got ya - makes sense in this case. however, you could also educate users to logon via UPN thus not requiring the selection of a domain at all, regardless of the domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Dienstag, 19. Juli 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest, if someone from a different domain uses someone's computer, on reboot the domain that is selected in the drop down list is the proper domain for that computer. Similar to when my helpdesk people login to the local machine, the user doesn't try to then login to the local machine using their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client. The question is, if you really need it/want it.

Most computer migration tools can set that value during the migration of the PC from source to target. But you might very well not want to change this value at the time of the computer-migration => you'll typically want to change it during migration/activation of the user accounts. This is often not done at the same time, so changing the value via GPO with the computer migration could actually be counter-productive.

Further, it's not enough if you're implementing new naming conventions for user-accounts or simply need to change logon-names due to duplicates during a domain-migration that consolidates multiple source domains to one AD domain. In this case you'll not only want to generically update the DefaultDomainName value to help your users, but at the same time you might want to update the DefaultUserName value with the new accountname for the target domain. Hardly doable with a GPO - I typically do this with custom scripts triggered centrally during account activation (quite independently from the computer migration).

But nothing goes over educating your users about the changes in the infrastructure and specifically those related to their domain logon - otherwise
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---
---End Message---

--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---

No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per se. All that WMI does is poll AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance.

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor and report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in the way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before and after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD event monitoring?

TIA, Chuck

--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
RTFM Consulting Services Inc.
864 801 2795 voice voicemail
103 Autumn Hill Road
864 801 2774 fax
Greer, SC 29651
Do not send me unsolicited commercial email.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
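Added example, not part of the thread and not taken from the LissWare scripts: a Python simulation of the interval polling described above, diffing the previous and current snapshot of one group object to report before/after values for single-valued attributes and added/removed values for multi-valued ones. The timeline, attribute values and polling intervals are constructed; the output carries no actor, and a change made and reverted between two polls is never reported.

```python
"""Simulated polling consumer for one directory object (constructed data)."""

# Constructed write history of a single group object: (time in seconds, full state).
# Lists model multi-valued attributes, strings model single-valued ones.
TIMELINE = [
    (0,  {"description": "Helpdesk operators", "member": ["CN=alice", "CN=bob"]}),
    (12, {"description": "Helpdesk operators", "member": ["CN=alice", "CN=bob", "CN=dave"]}),
    (17, {"description": "Helpdesk operators", "member": ["CN=alice", "CN=bob"]}),
    (31, {"description": "Tier-1 helpdesk", "member": ["CN=alice", "CN=carol"]}),
]


def state_at(t):
    """Return the object state a poll at time t would read."""
    current = None
    for when, snapshot in TIMELINE:
        if when <= t:
            current = snapshot
    return current


def diff_instances(previous, target):
    """Compare two snapshots the way a change consumer has to.

    Single-valued attributes yield before/after; multi-valued attributes
    yield the individual values added and removed. Value order is ignored.
    """
    changes = []
    for attr in sorted(set(previous) | set(target)):
        before, after = previous.get(attr), target.get(attr)
        if before == after:
            continue
        if isinstance(before, list) or isinstance(after, list):
            old, new = set(before or []), set(after or [])
            if old == new:
                continue  # same values, different order
            changes.append({"attribute": attr,
                            "added": sorted(new - old),
                            "removed": sorted(old - new)})
        else:
            changes.append({"attribute": attr, "before": before, "after": after})
    return changes


def poll(interval, end):
    """Poll every `interval` seconds up to `end`; return [(time, changes)]."""
    events = []
    previous = state_at(0)
    for t in range(interval, end + 1, interval):
        target = state_at(t)
        changes = diff_instances(previous, target)
        if changes:
            events.append((t, changes))
        previous = target
    return events


if __name__ == "__main__":
    for interval in (10, 5):
        print(f"polling every {interval}s")
        for t, changes in poll(interval, 40):
            for change in changes:
                # No field says who made the change; that needs the audit log.
                print(f"  t={t}: {change}")
```

At a 10 second interval the membership added at t=12 and removed at t=17 produces no notification at all, which is why the thread points to Windows Auditing rather than polling for a complete record.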
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
---BeginMessage---
---End Message---

--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
---BeginMessage---

No. It doesn't use DIRSYNC. To be honest, I would like it to, but that is another story. Just a question of priority among the millions of things to do in WMI ... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I always assumed that the WMI call is using DirSync under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per se. All that WMI does is poll AD for changes at regular intervals. Based on the WQL query and the changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the "who did it".

Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance.

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor and report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in the way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before and after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
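
The approach discussed in the thread above (a narrowly scoped WQL event query that WMI polls at an interval, delivering the old and new instance), sketched in PowerShell as an added example; it is not part of the thread and is not Lissoir's GroupMonitor.wsf. Assumptions: the group name is a constructed sample, the host exposes the `root\directory\LDAP` namespace of the WMI Directory Services provider with its `ds_`/`DS_` class and property naming, and `Get-MemberDelta` is a hypothetical helper.

```powershell
# Added example (Windows PowerShell; Register-WmiEvent is not in PowerShell 7).
# Watches ONE group and reports which member values were added or removed.

$GroupName   = 'Helpdesk-Admins'   # constructed sample value, replace with your group
$PollSeconds = 30                  # WITHIN = how often WMI polls AD for changes
$SourceId    = 'AdGroupWatch'      # hypothetical subscription name

# Narrow scope, as advised in the thread: a single class and a single object.
# A query without the sAMAccountName filter makes WMI poll every group.
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN $PollSeconds " +
         "WHERE TargetInstance ISA 'ds_group' " +
         "AND TargetInstance.DS_sAMAccountName = '$GroupName'"

function Get-MemberDelta {
    # Hypothetical helper: diff two snapshots of a multi-valued attribute.
    param([string[]]$Before, [string[]]$After)

    # An empty attribute arrives as $null; normalise both sides to arrays.
    $old = @($Before | Where-Object { $_ })
    $new = @($After  | Where-Object { $_ })

    New-Object PSObject -Property @{
        Added   = @($new | Where-Object { $old -notcontains $_ })
        Removed = @($old | Where-Object { $new -notcontains $_ })
    }
}

Register-WmiEvent -Namespace 'root\directory\LDAP' -Query $Query `
                  -SourceIdentifier $SourceId

try {
    while ($true) {
        # Blocks until WMI's next poll detects a modification.
        $evt = Wait-Event -SourceIdentifier $SourceId
        $wmi = $evt.SourceEventArgs.NewEvent

        # PreviousInstance / TargetInstance are the before and after copies.
        $delta = Get-MemberDelta -Before $wmi.PreviousInstance.DS_member `
                                 -After  $wmi.TargetInstance.DS_member

        foreach ($dn in $delta.Added) {
            Write-Output ("{0:u} ADDED   {1}" -f $evt.TimeGenerated, $dn)
        }
        foreach ($dn in $delta.Removed) {
            Write-Output ("{0:u} REMOVED {1}" -f $evt.TimeGenerated, $dn)
        }

        # The event says WHAT changed, not WHO changed it. Use the timestamp
        # to find the matching Windows auditing entry in the Security log.
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    Unregister-Event -SourceIdentifier $SourceId
}
```

Because WMI polls, two changes that cancel out within one interval (a member added and removed again) produce no event, which is one more reason to treat this as change notification rather than an audit trail.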
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---End Message--- --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All what WMI does is polling AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI Actually has an asynronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. 
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] User with LDAP userPassword permissions and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---

Do this with ADSIEDIT more permissions, no fiddling ;)

From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: 19 July 2005 09:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User with LDAP userPassword permissions

I didn't see any responses to this, don't know if I missed an answer, but you should be able to ACL the Write permission to the userPassword property to any account you want, and you're right to do it to a limited account, although I'd be concerned about ANY code that could be accessed and leveraged to change passwords, but that's a security discussion, not a delegation discussion.

What's the actual PROBLEM? Is it the delegation or how to do it? I've not dealt with that attribute recently, but I might have the piece (that most people miss) for you. Hopefully this is the answer:

You need to expose the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are hidden to keep the ACL Editor clean.

On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat
Find the section [user].
Find the line userPassword=7.
Delete it. (the =7 hides the permissions for this property in the ACL editor)
Restart AD Users & Computers.
In ADUC: View > Advanced Features.
Right-click the OU that contains the users for whom you want this PHP app to set the passwords for.
Security > Advanced > Add
Specify the account (or a group containing the account) used by the PHP app.
In the dialog box, click the PROPERTIES tab.
In the drop down list, choose USER OBJECTS.
Scroll down and you'll find Write userPassword.

If this doesn't work, or wasn't quite the problem you were having, please reply. In such case, please let us know what domain and forest functional level you're running and if you have SP1 on your W2K3 DCs. It makes a difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, July 18, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User with LDAP userPassword permissions

Hi,

I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfect using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification.

Any ideas?

Thanks,

--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

---End Message---
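The delegation described in the message above can also be applied and checked from a script instead of the ACL editor. The following is an added example, not part of the original thread: it grants Write userPassword on user objects under one OU to a single account, then lists every ACE that account holds on the OU so that anything broader than the intended grant stands out. The OU DN and account name are hypothetical placeholders, and the script assumes the ActiveDirectory PowerShell module on the administering machine.

```powershell
# Added example (not from the thread): scripted form of the GUI delegation, plus a least-privilege audit.
# $OuDn and $Account are hypothetical placeholders; replace them with your own values.
Import-Module ActiveDirectory

$OuDn    = 'OU=Students,DC=example,DC=com'   # OU that contains the users
$Account = 'EXAMPLE\svc-pwreset'             # limited account used by the web application

# Resolve schema GUIDs from the directory instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found." }
    [guid]$obj.schemaIDGUID
}

$attrGuid = Get-SchemaGuid -LdapDisplayName 'userPassword'   # the property being delegated
$userGuid = Get-SchemaGuid -LdapDisplayName 'user'           # limits the ACE to user objects

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Allow WriteProperty on userPassword only, inherited by descendant user objects only.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Audit: show every ACE granted directly to the account on this OU and mark
# whether it is exactly the intended one. ACEs obtained through group
# membership are not covered here and need a separate review.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    ForEach-Object {
        $expected = ($_.AccessControlType -eq 'Allow') -and
                    ($_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                    ($_.ObjectType -eq $attrGuid) -and
                    ($_.InheritedObjectType -eq $userGuid)
        [pscustomobject]@{
            Rights              = $_.ActiveDirectoryRights
            Type                = $_.AccessControlType
            ObjectType          = $_.ObjectType
            InheritedObjectType = $_.InheritedObjectType
            IsInherited         = $_.IsInherited
            IntendedGrant       = $expected
        }
    } | Format-Table -AutoSize
```

Any row with IntendedGrant set to False is a permission the account holds on the OU beyond the single property write and should be reviewed before the credentials are placed in the application's configuration.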
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Delegation of privilege and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---

Hi Yann,

You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way.

Yours,
Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my user "server operator" privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have sam locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allow my user to be server op for all DCs in my domain.

The purpose of my question is to give one user the privilege to fully manage *only one* DC with "server operator" privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands.

Is this possible ?

Thanks for input.

Cheers,
Yann

---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] DC Backups and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---

Hi,

Check if the exclusions definitions are the same in NTBACKUP (tools - options - exclude files)

Cheers,
#JORGE#

From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Sun 7/17/2005 11:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Backups

I have something that is bugging me and maybe someone on this list knows.

I have two 2003 DCs. DC1 has 3 drives C, D and E. I installed the database on E and the logs on D. On DC2 on a different site, it has 2 drives C and D. I installed the database on D and the logs on C with the OS.

I am doing an all drives backup of both DCs with NTBACKUP on Sundays, separate from the daily System States.

On DC1, I can drill down on the E drive and see NTDS.DIT file selected and I can choose to unselect it if I want. On DC2, I also see the E drive selected, however when I drill down I can NOT select the NTDS.DIT file and other files on the NTDS directory.

I've read that the database is part of the System State backup and that it can not be backed up or restored individually. If that's the case I would expect to see the same kind of thing on both DCs.

Anyone know why this is?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Logon script with Admin rights and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---

If you use a startup script, it will run as local system and be able to fully install. If, however, it NEEDS to be run as a user, this won't work.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an application on a user's PC as an Administrator? I don't want to expose the password using 'run as'

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Default Domain and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)

---BeginMessage---
I am actually thinking of using it since I have 7 domains in one forest, if someone from a different domain uses someone's computer, on reboot the domain that is selected in the drop down list is the proper domain for that computer. Similar to when my helpdesk people login to the local machine, the user doesn't try to then login to the local machine using their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client. The question is, if you really need it/want it.

Most computer migration tools can set that value during the migration of the PC from source to target. But you might very well not want to change this value at the time of the computer-migration => you'll typically want to change it during migration/activation of the user accounts. This is often not done at the same time, so changing the value via GPO with the computer migration could actually be counter-productive.

Further, it's not enough if you're implementing new naming conventions for user-accounts or simply need to change logon-names due to duplicates during a domain-migration that consolidates multiple source domains to one AD domain. In this case you'll not only want to generically update the DefaultDomainName value to help your users, but at the same time you might want to update the DefaultUserName value with the new accountname for the target domain. Hardly doable with a GPO - I typically do this with custom scripts triggered centrally during account activation (quite independently from the computer migration).

But nothing goes over educating your users about the changes in the infrastructure and specifically those related to their domain logon - otherwise they potentially stare at another machine and wonder why they can't logon to this one, causing an increase in helpdesk calls...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Dienstag, 19. Juli 2005 22:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain

Has anyone tried this? I got it off of another list I am a part of.

The default domain name is stored in the DefaultDomainName registry value, but there is no built-in Group Policy setting to control its value. You can easily create a custom .adm file that will let you configure the default domain for computers that have the GPO applied. To do so, save this code as defaultdomain.adm in the C:\windows\inf folder.

    ; Computer Configuration policy that writes the Winlogon DefaultDomainName value
    CLASS MACHINE
    CATEGORY "Logon Settings"
      KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
      POLICY "Default Domain"
        PART "Default Domain" EDITTEXT
          VALUENAME "DefaultDomainName"
        END PART
      END POLICY
    END CATEGORY

You can then add this template to an existing or new GPO's Computer Configuration section. To do so, select Add/Remove Templates. Click Add and select the defaultdomain.adm file. Because this registry subkey isn't in a standard, managed portion of the registry, you won't see it until you select Filtering under the View menu and clear the "Only show policy settings that can be fully managed" check box, as the figure at http://list.windowsitpro.com/t?ctl=EA05:2C262 shows.

The new policy will be available under Computer Configuration, Administrative Templates, Logon Settings, Default Domain. The policy sets the specified domain on computers that receive the policy, as the figure at http://list.windowsitpro.com/t?ctl=EA08:2C262 shows. During migrations between domains, this policy saves users from having to select a new domain from the drop-down list.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)

---BeginMessage---
WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor and report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in the way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single-valued attributes, I need to know the before and after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD event monitoring?

TIA, Chuck

--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com    http://www.rtfmcsi.com
RTFM Consulting Services Inc.        864 801 2795 voice voicemail
103 Autumn Hill Road                 864 801 2774 fax
Greer, SC 29651
Do not send me unsolicited commercial email.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---
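The polling model discussed in this thread (compare the previous and current state of an object at a fixed interval, as a WQL event query with a WITHIN clause does with PreviousInstance and TargetInstance), sketched as an added example that is not code from any poster or from the WMI provider. The GUID, DNs and timeline are constructed; the sketch shows what such a consumer can report (before and after values, added and removed members, moves) and what it cannot (changes reverted between two polls, and who made a change).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# objectGUID -> {attribute: [values]}; keyed by GUID so a rename or move is
# seen as a distinguishedName change instead of a delete plus a create.
Snapshot = Dict[str, Dict[str, List[str]]]


@dataclass(frozen=True)
class Change:
    guid: str
    kind: str                      # created | deleted | moved | modified
    attribute: str = ""
    before: Tuple[str, ...] = ()   # full old value list
    after: Tuple[str, ...] = ()    # full new value list
    added: Tuple[str, ...] = ()    # individual values that appeared
    removed: Tuple[str, ...] = ()  # individual values that disappeared
    # No "actor" field: comparing two states cannot say who made the change.
    # That has to come from Windows Auditing, as stated in the thread.


def diff_snapshots(prev: Snapshot, curr: Snapshot) -> List[Change]:
    """Return the changes visible between two polled states."""
    changes = [Change(g, "created") for g in sorted(curr.keys() - prev.keys())]
    changes += [Change(g, "deleted") for g in sorted(prev.keys() - curr.keys())]
    for guid in sorted(prev.keys() & curr.keys()):
        old, new = prev[guid], curr[guid]
        for attr in sorted(old.keys() | new.keys()):
            b, a = old.get(attr, []), new.get(attr, [])
            if sorted(b) == sorted(a):
                continue  # value order alone is not a change
            kind = "moved" if attr == "distinguishedName" else "modified"
            changes.append(Change(
                guid, kind, attr, tuple(b), tuple(a),
                added=tuple(sorted(set(a) - set(b))),
                removed=tuple(sorted(set(b) - set(a)))))
    return changes


def state_at(timeline: List[Tuple[int, Snapshot]], t: int) -> Snapshot:
    """Directory state in effect at second t (latest entry not after t)."""
    current: Snapshot = {}
    for when, snap in timeline:
        if when <= t:
            current = snap
    return current


def poll(timeline: List[Tuple[int, Snapshot]], interval: int,
         end: int) -> List[Tuple[int, Change]]:
    """Sample the timeline every `interval` seconds and diff each sample."""
    events: List[Tuple[int, Change]] = []
    prev = state_at(timeline, 0)
    for t in range(interval, end + 1, interval):
        curr = state_at(timeline, t)
        events.extend((t, c) for c in diff_snapshots(prev, curr))
        prev = curr
    return events


# --- constructed sample data (not from the thread) ---
GUID = "guid-0001"
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"
CAROL = "CN=carol,OU=Staff,DC=example,DC=com"


def group(dn: str, description: str, members: List[str]) -> Snapshot:
    return {GUID: {"distinguishedName": [dn],
                   "description": [description],
                   "member": members}}


TIMELINE = [
    (0, group("CN=Helpdesk,OU=Groups,DC=example,DC=com", "Tier 1", [ALICE])),
    (10, group("CN=Helpdesk,OU=Groups,DC=example,DC=com", "Tier 1", [ALICE, CAROL])),
    (20, group("CN=Helpdesk,OU=Groups,DC=example,DC=com", "Tier 1", [ALICE])),
    (40, group("CN=Helpdesk,OU=Admins,DC=example,DC=com", "Tier 2", [ALICE, BOB])),
]

if __name__ == "__main__":
    for label, interval in (("30 s", 30), ("5 s", 5)):
        print("poll every", label)
        for t, c in poll(TIMELINE, interval, 60):
            print("  t=%d %s %s +%s -%s" % (t, c.kind, c.attribute,
                                            list(c.added), list(c.removed)))
```

With the 30-second interval the temporary membership of carol never appears in the output; only the 5-second poll sees it being added and removed.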
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)

---BeginMessage---
Small correction - Alain, not Adam. Unless, however, there is another WMI Guru out there with the surname Lissoir that I'm not aware of. Anything is possible, I suspect. ;o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work:

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor and report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in the way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single-valued attributes, I need to know the before and after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD event monitoring?

TIA, Chuck

--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com    http://www.rtfmcsi.com
RTFM Consulting Services Inc.        864 801 2795 voice voicemail
103 Autumn Hill Road                 864 801 2774 fax
Greer, SC 29651
Do not send me unsolicited commercial email.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL..) and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)

---BeginMessage---
Yes, exactly as joe wrote, this was a terminology thing. In my language, the base schema includes all the classes and attributes that ship with the OS, and in ~Eric's language, the base schema includes only those that are specifically marked as Category 1 (to have several protections). And well, he represents the guys who own Windows and AD, so I guess they get to define the terminology...

Both ~Eric and I agree that you cannot set a Category 1 attribute as confidential, but you can set a Category 2 attribute as confidential.

Yours, Sakari

PS. Then it's another story why an attribute such as the cost of a site link is not marked to be Category 1 (the base schema) and therefore doesn't have the protection of base schema attributes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, July 14, 2005 6:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL..)

I think it is a terminology thing. I would guess that Sakari is considering anything shipped in the base product is considered base schema.

Of course your definition should match perfectly because the underlying code should be that it tests that flag and if it matches it won't allow the update. Since that is the verification mechanism, it would be an extremely odd case where it wasn't correct and would indicate a very very odd error that is nigh impossible.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Tuesday, July 12, 2005 8:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL..)

For clarity, this is the flag I'm making reference to:

1 systemFlags: 0x10 = ( FLAG_SCHEMA_BASE_OBJECT );

If that is set on a schema element, my contention is that on an SP1 DC it should not allow you to set the confidential bit. Show me a counterexample please.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Tuesday, July 12, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL..)

~Eric wrote: We actually block all base schema elements if I remember correctly.

No you don't. Of the 1070 base schema attributes, you only block the 1007 ones that are marked as category 1. The remaining 63 attributes, such as msDS-ExternalKey, are not marked and therefore don't have this or any other protection for base schema attributes.

Looking at your example msds-externalkey, I don't see the base flags bit set. Therefore, it would not be blocked. Looking at the code, right now, I stand by the earlier statement: we block base schema elements. Base schema elements are defined as the elements with the base schema flag set. All of them should be blocked. Please show me an example of a base schema element with the base schema flag set where I'm wrong.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sakari Kouti
Sent: Tuesday, July 12, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL..)

Hi Brett and ~Eric,

Thanks for your comments on my confidential attribute post. Now I solved how to set the confidentiality in a way where unnecessary permissions are not granted.

Brett wrote: A) Small note, 0xF is 15 decimal and is equivalent to 4 bits set (0b)

Thanks for catching my silly mistake. Yes, I meant 0x10, which is 16 in decimal. Fortunately this part was not about setting bits, but just checking which base schema attributes have protection.

Brett wrote (and ~Eric agreed): B) Why can't you grant the explicit extended right for reading the confidential attribute? I assume there is one, there has to be.

No there isn't. I went through the 49 extended rights that exist in SP1, and none of them seems to be for controlling confidentiality. This is
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- No. It doesn't use DIRSYNC. To be honest, I would like it to, but that is another story. Just a question of priority among the millions of things to do in WMI ... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I always assumed that the WMI call is using DirSync under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Tuesday, July 19, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I just want to stress the fact that WMI is not an auditing technology per se. All that WMI does is poll AD for changes at regular intervals. Based on the WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Friday, July 08, 2005 9:53 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor and report on. I'm familiar with Novell's eDirectory [f.k.a.
NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in the way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before and after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
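What polling-based change detection of the kind discussed in this thread amounts to, as an added example (not WMI, ADSI or any vendor's code): two snapshots of a directory are compared by objectGUID, yielding creations, deletions, renames, moves, before/after values for single-valued attributes and per-value adds/removes for multi-valued ones. The snapshot layout, GUID keys, DNs and the `multi_valued` parameter are assumptions made for the example, and a diff like this carries no information about who made the change.

```python
import re


def split_dn(dn):
    """Split a DN into (rdn, parent) at the first comma not escaped as '\\,'."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[0], parts[1] if len(parts) > 1 else ""


def diff_attrs(before, after, multi_valued):
    """Compare two {attribute: [values]} snapshots of one object."""
    old_attrs = {k.lower(): list(v) for k, v in before.items()}
    new_attrs = {k.lower(): list(v) for k, v in after.items()}
    multi = {m.lower() for m in multi_valued}
    changes = []
    for attr in sorted(set(old_attrs) | set(new_attrs)):
        old, new = old_attrs.get(attr, []), new_attrs.get(attr, [])
        if sorted(old) == sorted(new):
            continue
        if attr in multi:
            # Multi-valued: report each individual value added or removed.
            for value in sorted(set(new) - set(old)):
                changes.append(("value-added", attr, None, value))
            for value in sorted(set(old) - set(new)):
                changes.append(("value-removed", attr, value, None))
        else:
            # Single-valued: report the before and after value.
            changes.append(("modified", attr,
                            old[0] if old else None,
                            new[0] if new else None))
    return changes


def diff_directory(before, after, multi_valued=("member",)):
    """before/after: {objectGUID: {"dn": str, "attrs": {name: [values]}}}.

    Keying on the GUID is what lets a rename or move show up as such
    instead of as an unrelated delete plus create.
    """
    events = []
    for guid in sorted(set(before) | set(after)):
        old, new = before.get(guid), after.get(guid)
        if old is None:
            events.append((guid, "created", new["dn"]))
            continue
        if new is None:
            events.append((guid, "deleted", old["dn"]))
            continue
        if old["dn"].lower() != new["dn"].lower():
            old_rdn, old_parent = split_dn(old["dn"])
            new_rdn, new_parent = split_dn(new["dn"])
            if old_parent.lower() != new_parent.lower():
                events.append((guid, "moved", old["dn"], new["dn"]))
            if old_rdn.lower() != new_rdn.lower():
                events.append((guid, "renamed", old["dn"], new["dn"]))
        for change in diff_attrs(old["attrs"], new["attrs"], multi_valued):
            events.append((guid,) + change)
    return events


# Constructed snapshots from two polling passes (all names are made up).
ANN = "CN=Ann,OU=Staff,DC=example,DC=com"
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"
EVE = "CN=Eve,OU=Staff,DC=example,DC=com"
GROUP = "CN=Helpdesk,OU=Groups,DC=example,DC=com"

BEFORE = {
    "g1": {"dn": GROUP, "attrs": {"member": [ANN, BOB], "description": ["Tier 1"]}},
    "g2": {"dn": BOB, "attrs": {"title": ["Analyst"]}},
    "g3": {"dn": "CN=Old Printer,OU=Devices,DC=example,DC=com", "attrs": {}},
}
AFTER = {
    "g1": {"dn": GROUP, "attrs": {"member": [ANN, EVE], "description": ["Tier 2"]}},
    "g2": {"dn": "CN=Bob,OU=Contractors,DC=example,DC=com", "attrs": {"title": ["Analyst"]}},
    "g4": {"dn": "CN=Svc-Backup,OU=Service,DC=example,DC=com", "attrs": {"description": ["new"]}},
}

if __name__ == "__main__":
    for event in diff_directory(BEFORE, AFTER):
        print(event)
```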
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers.. and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- Just pull one of the drives out, put it in your other server and let the RAID 1 rebuild. Jeremy Waldrop Systems Engineer 4Front Systems, Inc. 860 Aviation Parkway Morrisville NC 27560 Main Line: (919)653-4400 Support Line: (919) 653- Web: http://www.4frontsystems.com email: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, July 19, 2005 6:13 AM To: Active Subject: [ActiveDir] OT: Ghost Imaging HP Proliant Servers.. Hi all, Having read a few recent mails regarding server imaging, it's interesting to hear how 'easy' it has been for those who have responded. I have been having difficulties trying to create an image, I will explain further... I have 10xHP Proliant 380's G4, to save time I thought I would configure one of the Proliant Servers (RAID 1 for OS), install a basic installation of Windows 2003 Standard, sysprep it then create a ghost image of this file so I could install the image on the remaining 9 Proliant Servers. So I created a standard image, sysprep'd it then rebooted, I ran ghost and this is where the issue began, it did not recognise the disks (in RAID 1) for me to be able to ghost the drive, is there any docs or drivers or steps I have missed or need to look at? I know my information is vague, but I tried this over a month ago so my memory is pretty poor. Anyone with some advice where I should be looking? ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Delegation of privilege and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- This may be a rotten answer or a perfect answer... Check out TWEAKUI for Windows XP. Its ACCESS CONTROL section gives you UI ability to change very specific activities' permissions, e.g. creating a share, etc. You might try it (in a lab, first of course) as far as how it works on 2003 for the specific things you are trying to accomplish. Because the Access Control will be server (in your case, DC) specific, it might just work. I've NOT tried it... but I think it'd be worth a shot. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Monday, July 18, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege Hi Yann, You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, July 18, 2005 8:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegation of privilege Hello AD Gurus :) I would like to give to one of my user server operator privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have sam locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allow my user to be server op for all DCs in my domain.
The purpose of my question is; = to give one user the privilege to fully manage *only one* DC with server operator privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands. Is this possible ? Thanks for input. Cheers, Yann ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Logon script with Admin rights and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- This installation also needs to be run from mapped drive. I would really like to run this in GPO via VB Script. If anyone knows the best way to do this, lemme know. -Devon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Tuesday, July 19, 2005 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Logon script with Admin rights There is a simple way of doing this that works if a) the .exe has a quiet option (-q for example) with no gui output b) it is not necessary to install the program from a logon script Simply install the program from another machine using psexec.exe i.e logon remote machine with sufficient privileges and run psexec -c \\remotemachine install.exe -q where install.exe is the installation program This method has several advantages if you put it in a script 1) It can easily be extended to install over a range of computers 2) You can get feedback as to whether it has installed or not. As Rick points out preparing .msi files has its drawbacks, not least of which is access to a clean machine to prepare it on. Regards Peter Jessop List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Delegation of privilege and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- You have answered your own question. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, July 18, 2005 1:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegation of privilege Hello AD Gurus :) I would like to give to one of my user "server operator" privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have sam locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allow my user to be server op for all DCs in my domain. The purpose of my question is; = to give one user the privilege to fully manage *only one* DC with "server operator" privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands. Is this possible ? Thanks for input. Cheers, Yann ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] GC availability issue? and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- Hi Jeremy, If you have 5 DCs and 9 sites, do you have non-DC-related reasons to have sites? If not, you could remove all sites that don't have a DC, and link their subnet objects to some remaining sites. For example, if your DCs are on two AD sites, and then you have seven DC-less locations, you could add the subnets of those seven locations to either one of your AD sites. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Monday, July 18, 2005 9:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GC availability issue? Everyone, We have an empty root domain and a child domain with approximately 9 or so sites in the forest. The root domain has 2 DCs (1 GC) and the child domain has 3 DCs (1 GC) both of which are located in our main site. At our main site where I am located we have approximately 500 users. The best scenario I can give you is we do PC rollouts where we take a large number of PCs 30-50 at a time and rename them with an old extension in the host name then we bring a new machine onto the network with the same name. Sometimes we get an error saying the computer account already exists in the organization when we try to name the new machine with the same name, but the issue is inconsistent. I did some traffic sniffing with a PC and found that approximately 50% of the time machines in our site are contacting servers in other sites for directory service information instead of our site DCs. Even machines that have been on the network are not using local site DCs for information all the time but using other site DCs instead. I am wondering what could be causing this.
This configuration has been static for some time, nothing new has been introduced except for Windows 2003 schema (could this be the cause?). I think it is because we do not have enough GCs in our site (2), but my boss disagrees. What does everyone think? Jeremy --- Jeremy Burkes Strategic Systems Programs Management Information Systems Help Desk: 202-764-1442 Work: 202-764-1270 | Fax: 202-764-1503 [EMAIL PROTECTED] ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Delegation of privilege and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- I will read carefully all the docs you forwarded me. I just noticed that when I do a whoami /all command on my DC with my domain admin account (for example), I found these privileges: SeChangeNotifyPrivilege activate SeImpersonatePrivilege activate SeCreateGlobalPrivilege activate I wonder if just giving a user these privileges, this user may have the same privilege, but I think it is a naive thought :-) I will rather read the secdefs.doc, Active Directory Delegation Best Practices document, and the delegwiz.inf Thanks all for help. Yann -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Tuesday, July 19, 2005 15:12 To: ActiveDir.org Subject: Re: [ActiveDir] Delegation of privilege Search microsoft.com for secdefs.doc The document is Default access control settings in Windows Server 2003 Mark -Original Message- From: TIROA YANN [EMAIL PROTECTED] Date: Tue, 19 Jul 2005 15:03:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege Ok, Thanks Sakari and Dan for your answers :) I will test TWEAKUI for Windows XP. But in fact, my need is rather giving a user server op, or equivalent privilege, for only *one DC* and not the whole DCs of my Domain. Last question: Where all the privileges are defined for built-in accounts ? are they in a .ini file or whatever ? Ex: domains admin have the right to do this action. I'd like to find where those privileges are declared in an special ACL, a file, a registry ?
Thanks for Input :) Yann From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Tuesday, July 19, 2005 08:47 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege This may be a “rotten” answer or a perfect answer… Check out TWEAKUI for Windows XP. Its ACCESS CONTROL section gives you “UI” ability to change very specific activities’ permissions, e.g. creating a share, etc. You might try it (in a lab, first of course) as far as how it works on 2003 for the specific things you are trying to accomplish. Because the Access Control will be server (in your case, DC) specific, it might just work. I’ve NOT tried it… but I think it’d be worth a shot. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Monday, July 18, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege Hi Yann, You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, July 18, 2005 8:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegation of privilege Hello AD Gurus :) I would like to give to one of my user server operator privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have sam locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allow my user to be server op for all DCs in my domain. The purpose of my question is; = to give one user the privilege to fully manage *only one* DC with server operator privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands. Is this possible ? Thanks for input.
Cheers, Yann [EMAIL PROTECTED] ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Logon script with Admin rights and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- One caveat to this - if you are going to be accessing a network resource, the default behavior is NOT to wait for the network stack to be initialized before completing computer startup. The obvious problem of not being able to AuthN the user or the computer against AD is handled via cached credentials, etc. However - this behavior can be changed to force the system to wait for the network stack to be loaded, inited, and available before the policies are run. To do this, you will need to set: \Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon == enabled. This will noticeably slow down the appearance of the logon dialog, but nothing that your users will not get over in a very short period of time. The added delay is small, typically. In environments with 10s of GPO's to process - 5 second delay is what I've experienced. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott Sent: Tuesday, July 19, 2005 12:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logon script with Admin rights If you use a startup script, it will run as local system and be able to fully install. If, however, it NEEDS to be run as a user, this won't work. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, July 19, 2005 8:10 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Logon script with Admin rights How can I run a batch file logon script to map a drive and install an application on a user's PC as an Administrator? 
I don't want to expose the password using 'run as' Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469 ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Default Domain and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- not tried it myself, but it should work as I know Quest DMW does this (setting a different default domain) when migrating computers Cheers, #JORGE# From: [EMAIL PROTECTED] on behalf of Salandra, Justin A. Sent: Tue 7/19/2005 10:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Default Domain Has anyone tried this? I got it off of another list I am a part of. The default domain name is stored in the DefaultDomainName registry value, but there is no built-in Group Policy setting to control its value. You can easily create a custom .adm file that will let you configure the default domain for computers that have the GPO applied. To do so, save this code as defaultdomain.adm in the C:\windows\inf folder.

    CLASS MACHINE
    CATEGORY "Logon Settings"
        KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        POLICY "Default Domain"
            PART "Default Domain" EDITTEXT
                VALUENAME "DefaultDomainName"
            END PART
        END POLICY
    END CATEGORY

You can then add this template to an existing or new GPO's Computer Configuration section. To do so, select Add/Remove Templates. Click Add and select the defaultdomain.adm file. Because this registry subkey isn't in a standard, managed portion of the registry, you won't see it until you select Filtering under the View menu and clear the Only show policy settings that can be fully managed check box, as the figure at http://list.windowsitpro.com/t?ctl=EA05:2C262 shows. The new policy will be available under Computer Configuration, Administrative Templates, Logon Settings, Default Domain. The policy sets the specified domain on computers that receive the policy, as the figure at http://list.windowsitpro.com/t?ctl=EA08:2C262 shows.
During migrations between domains, this policy saves users from having to select a new domain from the drop-down list Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] DC Backups and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- I have something that is bugging me and maybe someone on this list knows. I have two 2003 DCs. DC1 has 3 drives C, D and E. I installed the database on E and the logs on D. On DC2 on a different site, it has 2 drives C and D. I installed the database on D and the logs on C with the OS. I am doing an all drives backup of both DCs with NTBACKUP on Sundays, separate from the daily System States. On DC1, I can drill down on the E drive and see NTDS.DIT file selected and I can choose to unselect it if I want. On DC2, I also see the E drive selected, however when I drill down I can NOT select the NTDS.DIT file and other files on the NTDS directory. I've read that the database is part of the System State backup and that it can not be backed up or restored individually. If that's the case I would expect to see the same kind of thing on both DCs. Anyone know why this is? Thanks Johnny Figueroa Enterprise Network Consultant/Integrator Network Services Banner Health Voice (602) 495-4195 Fax (602) 495-4406 ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] DC Backups and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- I'm sure you've figured this out on your own, but just in case, you're right... AD is part of the system state and even if you CAN back up NTDS.DIT 'separately' as a file, you shouldn't. You need the system state to do any kind of restore operation in Dir Svcs Restore Mode. So b/c you can't do anything with it, so you're wasting time, tape, and who knows what else. Don't get too caught up in why you can or can't see it or can or can't (de)select it... Instead (something COOL and not publicized enough) -- test your DC restore process on a 2K3 SP1 machine and check out the LDIF file that Auth Restore creates for you to help make restoring group memberships MUCH easier COOL! grin and off the subject, but cool... Dan Holme Intelliem ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers.. and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- in addition: Ghost 9.0 supports only raid 0 (stripe) and raid 5 (stripe sets with parity) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Wednesday, July 20, 2005 2:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers.. Am I missing something here? Ghost and RAID: Ghost is not compatible with computers that use RAID. That is, Symantec Ghost 8.x and earlier, and Norton Ghost 2003 and earlier, do not support RAID controllers on computers that are being imaged. In addition: http://service1.symantec.com/SUPPORT/ghost.nsf/docid/1999010613522725?Opensrc="">= Grtz J From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, July 20, 2005 2:15 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers.. You have multiple problems here: The SmartArray card has no RAID config. The default varies though my experience is it RAID5s the first four drives and shuts down the remaining two in a DL380G4. Ghost likely does not have a driver enabling it to see the SCSI disk. You will need to modify the config.sys and add CPQ's DOS driver. If you search the Compaq support drivers section, you want the SmartStart scripting toolkit. It will show you how to script the hardware setup before you load your image. I would recommend you instead of Ghost here use PXE boot and Microsoft ADS. There's even a long post at the top of my blog briandesmond.com detailing all the steps to get it working with Proliant hardware; my test environment was DL380G4s. For server imaging, ADS is FAR more powerful than Ghost.
--Brian From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, July 19, 2005 5:13 AM To: Active Subject: [ActiveDir] OT: Ghost Imaging HP Proliant Servers.. Hi all, Having read a few recent mails regarding server imaging, it's interesting to hear how 'easy' it has been for those who have responded. I have been having difficulties trying to create an image, I will explain further... I have 10xHP Proliant 380's G4, to save time I thought I would configure one of the Proliant Servers (RAID 1 for OS), install a basic installation of Windows 2003 Standard, sysprep it then create a ghost image of this file so I could install the image on the remaining 9 Proliant Servers. So I created a standard image, sysprep'd it then rebooted, I ran ghost and this is where the issue began, it did not recognise the disks (in RAID 1) for me to be able to ghost the drive, is there any docs or drivers or steps I have missed or need to look at? I know my information is vague, but I tried this over a month ago so my memory is pretty poor. Anyone with some advice where I should be looking? ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Logon script with Admin rights and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- http://www.acronis.com/enterprise/products/snapdeploy/ Might be an option Grtz J -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, July 20, 2005 0:02 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logon script with Admin rights well, I could think of many more drawbacks using this option... don't get me wrong - psexec is cool. But I don't really see it as an option to deploy software to many clients of which usually a certain percentage is remotely connected or offline. So you'd have to build your own little framework to ensure availability of the clients and successful install of the app etc. The success naturally depends on your client landscape /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Tuesday, July 19, 2005 17:50 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Logon script with Admin rights There is a simple way of doing this that works if a) the .exe has a quiet option (-q for example) with no gui output b) it is not necessary to install the program from a logon script Simply install the program from another machine using psexec.exe i.e. logon remote machine with sufficient privileges and run psexec -c \\remotemachine install.exe -q where install.exe is the installation program This method has several advantages if you put it in a script 1) It can easily be extended to install over a range of computers 2) You can get feedback as to whether it has installed or not.
As Rick points out preparing .msi files has its drawbacks, not least of which is access to a clean machine to prepare it on. Regards Peter Jessop ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] User with LDAP userPassword permissions and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage---
I didn't see any responses to this - don't know if I missed an answer - but you should be able to ACL the Write permission to the userPassword property to any account you want - and you're right to do it to a limited account, although I'd be concerned about ANY code that could be accessed and leveraged to change passwords - but that's a security discussion, not a delegation discussion. What's the actual PROBLEM? Is it the delegation or how to do it? I've not dealt with that attribute recently, but I might have the piece (that most people miss) for you. Hopefully this is the answer: You need to expose the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are hidden to keep the ACL Editor clean.
On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat
Find the section [user].
Find the line userPassword=7.
Delete it. (the =7 hides the permissions for this property in the ACL editor)
Restart AD Users & Computers.
In ADUC: View > Advanced Features.
Right-click the OU that contains the users for whom you want this PHP app to set the passwords for.
Security > Advanced > Add
Specify the account (or a group containing the account) used by the PHP app.
In the dialog box, click the PROPERTIES tab.
In the drop down list, choose USER OBJECTS.
Scroll down and you'll find Write userPassword.
If this doesn't work, or wasn't quite the problem you were having, please reply. In such case, please let us know what domain and forest functional level you're running and if you have SP1 on your W2K3 DCs. It makes a difference, as you might know.
Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Monday, July 18, 2005 1:49 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User with LDAP userPassword permissions Hi, I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfect using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification. Any ideas? Thanks, -- Matt Brown [EMAIL PROTECTED] Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+ ---End Message---
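The delegation described in the reply above (Write userPassword on user objects under one OU, granted to a limited account) can also be applied and checked from a script. This is an added example, not code from the thread: it uses the ActiveDirectory PowerShell module, and the OU and account names are assumed placeholders. The dssec.dat edit only changes what the ACL editor displays, so the scripted ACE does not depend on it.

```powershell
# Added example: grant one low-privilege account "Write userPassword" on user
# objects beneath a single OU, then verify the resulting ACE.
# Assumed placeholders (not from the thread): the OU DN and the account name.
Import-Module ActiveDirectory

$ouDn     = 'OU=Students,DC=example,DC=edu'   # hypothetical OU holding the users
$delegate = 'EXAMPLE\svc-pwreset'             # hypothetical account used by the web app

# Resolve the delegate to a SID (works for a user or a group).
$sid = (New-Object System.Security.Principal.NTAccount($delegate)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read the schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$attrGuid  = [guid](Get-ADObject -SearchBase $schemaNc `
                 -LDAPFilter '(lDAPDisplayName=userPassword)' `
                 -Properties schemaIDGUID).schemaIDGUID
$userGuid  = [guid](Get-ADObject -SearchBase $schemaNc `
                 -LDAPFilter '(lDAPDisplayName=user)' `
                 -Properties schemaIDGUID).schemaIDGUID

# Allow WriteProperty on userPassword only, inherited only by descendant
# user objects. Nothing else on the OU or its users is granted.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verification: list every explicit ACE the delegate now holds on the OU, so
# a reviewer can confirm it is limited to WriteProperty on userPassword.
(Get-Acl -Path $path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

Running the verification step periodically against the OU is a simple way to detect the delegate's rights growing beyond the single attribute.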
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Does a domain require a GC? and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- I wouldn't call the GC per site a requirement as much as I would call it a best practice. Environments can and do function fine without GCs (or even DCs) in every site. You can run into issues when network connectivity breaks, but it would be assumed you are thinking of this when you designed the topology. If the OP's Exchange servers are all in a centralized location, then set up a special site for Exchange and only have GCs in that site from the domain with all of the groups and users. Then DSACCESS/DSPROXY will pick out and give those GCs to clients to use so that outlook doesn't have to be overridden from its default behavior on what it wants to do. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, July 18, 2005 1:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Does a domain require a GC? Kevin, As I recall, the requirement is on a PER SITE for GCs - I don't remember seeing a PER DOMAIN requirement. Given that the GC is a forest-wide element, the domain function really doesn't seem to make sense. However, the site requirement for the GC is an obvious one - groups and specifically Universal groups. Given that sites can span domains - I can't think of a dependency that would require a GC in each domain, as long as site requirements are met. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Monday, July 18, 2005 11:19 AM To: ActiveDir@mail.activedir.org; Exchange Discussions Subject: [ActiveDir] Does a domain require a GC? We have two domains in our forest. The "empty" root domain, and a resource domain where everything else lives.
The root domain has two DCs - one each in two different sites. Our main domain has several DCs, and most of those are GCs as well. The sites containing the root DCs each also have at least one resource domain DC, and at least one of these DCs is a GC. In other words, all sites have at least one resource domain DC and at least one of those is a GC as well. My question is: can I remove GC function from the two root DCs? I seem to recall reading that at least one DC in a domain had to be a GC, but I can't find that requirement now. All DCs are server 2003. The forest is 2000 native mode. Why do I want to do this? We configure Outlook to use the "closest" GC. We want to insure that Outlook can manage distribution lists (universal groups), and Outlook can only do that if the GC is in the same domain as the group. We are currently using a home-grown application to manage DL membership, but we'd like to switch back to outlook. ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Default Domain and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- ---BeginMessage--- I too have seen this and can reproduce it over and over. After we migrate a PC from our NT4 domains to AD, Quest DMW sets the default domain to our AD domain. However if the user hits ctrl-alt-del to logon and then ESC and then CTRL-ALT-DEL again, the default domain is set to the local computer account. Kinda a pain. I think it reverts to the AltDefaultDomainName key value, maybe you could set both keys and it would revert back to the correct setting. From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Tue 7/19/2005 5:36 PM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Default Domain We are using a startup script that has two reg add commands
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f
This has worked very well for us during and post migration. Most of our users came from small NT domains and we only finished the 1000 NT domains to 9 AD domains over the last 6 months. Where this does not work is if I choose to logon, then hit escape - for some reason when I hit ctrl alt del the second time the last domain I logged into shows up instead of the specified DOMAINAME above. This might have been specific to one machine or may be a problem with one of the entries - I only saw it the once and have not had time to go back and investigate. Regards; James R.
Day Active Directory Core Team Office of the Chief Information Officer National Park Service [EMAIL PROTECTED] Grillenmeier, Guido [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 07/19/2005 11:59 PM ZE2 Please respond to ActiveDir To: ActiveDir@mail.activedir.org cc: (bcc: James Day/Contractor/NPS) Subject: RE: [ActiveDir] Default Domain got ya - makes sense in this case. however, you could also educate users to logon via UPN thus not requiring the selection of a domain at all, regardless of the domain-affiliation of the PC used during logon... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, July 19, 2005 23:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Default Domain I am actually thinking of using it since I have 7 domains in one forest, if someone from a different domain uses someone's computer, on reboot the domain that is selected in the drop down list is the proper domain for that computer. Similar to when my helpdesk people login to the local machine, the user doesn't try to then login to the local machine using their domain username, hence reducing phone calls to the helpdesk. Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] Default Domain and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- We are using a startup script that has two reg add commands
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f
This has worked very well for us during and post migration. Most of our users came from small NT domains and we only finished the 1000 NT domains to 9 AD domains over the last 6 months. Where this does not work is if I choose to logon, then hit escape - for some reason when I hit ctrl alt del the second time the last domain I logged into shows up instead of the specified DOMAINAME above. This might have been specific to one machine or may be a problem with one of the entries - I only saw it the once and have not had time to go back and investigate. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service [EMAIL PROTECTED] Grillenmeier, Guido [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 07/19/2005 11:59 PM ZE2 Please respond to ActiveDir To: ActiveDir@mail.activedir.org cc: (bcc: James Day/Contractor/NPS) Subject: RE: [ActiveDir] Default Domain got ya - makes sense in this case. however, you could also educate users to logon via UPN thus not requiring the selection of a domain at all, regardless of the domain-affiliation of the PC used during logon... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, July 19, 2005 23:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Default Domain I am actually thinking of using it since I have 7 domains in one forest, if someone from a different domain uses someone's computer, on reboot the domain that is selected in the drop down list is the proper domain for that computer. Similar to when my helpdesk people login to the local machine, the user doesn't try to then login to the local machine using their domain username, hence reducing phone calls to the helpdesk. Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, July 19, 2005 5:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Default Domain should work just like setting any other registry key on the client. The question is, if you really need it/want it. Most computer migration tools can set that value during the migration of the PC from source to target. But you might very well not want to change this value at the time of the computer-migration = you'll typically want to change it during migration/activation of the user accounts. This is often not done at the same time,
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: RE: [ActiveDir] DC Backups and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- Sorry, I meant drives C and E on DC2, database on E and logs on C with the OS. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Sunday, July 17, 2005 3:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DC Backups You said the db was on the D: drive for DC2, so why would you see it on E:? Also, where are you running NTBackup from? If from DC1 when you are trying to drill down DC2's drive, that might not work since you can't remotely back up the system state with NTBackup. You would need a third party backup app like Veritas Backup Exec for that. -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net) ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: Re: [ActiveDir] Delegation of privilege and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- Yes that's a good document, one of Sanjay's best pieces of work. The best bit for me was the custom delegwiz.inf in appendices, which I have managed to extend now to include create mailbox, delete mailbox etc etc.. Mark -Original Message- From: Francis Ouellet [EMAIL PROTECTED] Date: Tue, 19 Jul 2005 09:26:08 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege Hi Mark, You might want to have a look at the Active Directory Delegation Best Practices document available from MS @ http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en Might not answer your question directly but it's an awesome primer on delegation. Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: July 19, 2005 9:12 AM To: ActiveDir.org Subject: Re: [ActiveDir] Delegation of privilege Search microsoft.com for secdefs.doc The document is Default access control settings in Windows Server 2003 Mark -Original Message- From: TIROA YANN [EMAIL PROTECTED] Date: Tue, 19 Jul 2005 15:03:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege Ok, Thanks Sakari and Dan for your answers :) I will test TWEAKUI for Windows XP. But in fact, my need is rather giving a user server op, or equivalent privilege, for only *one DC* and not the whole DCs of my Domain. Last question: Where all the privileges are defined for built-in accounts ? are they in a .ini file or whatever ? Ex: domains admin have the right to do this action. I'd like to find where those privileges are declared in an special ACL, a file, a registry ?
Thanks for Input :) Yann From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: Tuesday, July 19, 2005 08:47 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege This may be a "rotten" answer or a perfect answer... Check out TWEAKUI for Windows XP. Its ACCESS CONTROL section gives you "UI" ability to change very specific activities' permissions, e.g. creating a share, etc. You might try it (in a lab, first of course) as far as how it works on 2003 for the specific things you are trying to accomplish. Because the Access Control will be server (in your case, DC) specific, it might just work. I've NOT tried it... but I think it'd be worth a shot. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Monday, July 18, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegation of privilege Hi Yann, You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way. Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, July 18, 2005 8:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegation of privilege Hello AD Gurus :) I would like to give to one of my user server operator privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have sam locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allow my user to be server op for all DCs in my domain. The purpose of my question is; = to give one user the privilege to fully manage *only one* DC with server operator privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands. Is this possible ? Thanks for input.
Cheers, Yann [EMAIL PROTECTED] ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] User with LDAP userPassword permissions and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- Hi, I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfect using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification. Any ideas? Thanks, -- Matt Brown [EMAIL PROTECTED] Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+ ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: Re: [ActiveDir] Resource unavailable temporarily and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- ---BeginMessage--- Also when I perform various operations to AD using tools like ldp, or a perl script, they are performed successfully. - Original Message - From: Mayuresh Kshirsagar [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, July 19, 2005 11:15 PM Subject: Resource unavailable temporarily I am connecting to an Active Directory Server, using a Meta Directory server. But while performing a base level it fails with error Schema search for 'attributeTypes' ERROR='Resource temporarily unavailable' Any clues as to how can I debug this problem? Thanks, Mayuresh. ---End Message---
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Logon script with Admin rights and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---
I don't know what your budget might be, but a couple of my clients use TQCRunAs by Quimeras (www.quimeras.com) for this kind of thing... this tool lets you encapsulate a secondary logon, the credentials for that logon, and a command in an encrypted .exe, which you could then use in a logon script. It's not free, but it's not expensive either, and it's a great way to push things to users that require higher credentials, without exposing any accounts. Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, July 19, 2005 8:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Al, One of the problems with the .ZAP format - it only executes the underlying program for install - but cannot be executed with elevated privileges as it is run under the user's context. .MSI is much better, but is not easy to create them correctly and effectively without some experience and practice. However, they can be written to install at an elevated context. Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Tuesday, July 19, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Use the ZAP format. See KB 231747 below http://support.microsoft.com/default.aspx?scid=kb;en-us;231747

-Original Message-
From: Harding, Devon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Unfortunately, this software is not a .msi format. Can this still be installed via GPO?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, July 19, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Software installation from GPO works like a charm. Z.V.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an application on a user's PC as an Administrator? I don't want to expose the password using 'run as'

Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---
[ActiveDir] OT: Roaming profiles and XP themes
We are just about to migrate over to Server 2003 from 2000, and in our test set up, when newly created users with roaming profiles log into an XP station, they get a modified desktop theme, instead of the default XP teletubbies one - it has the classic task bar and start menu. This doesn't happen if I create a user with a local profile. I know this is going to fox some users - does anyone know how to stop it? TIA, Dan List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Default Domain and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---
REG ADD has a disadvantage b/c it runs every time (thus adding to startup delay) but of course has one big advantage... it runs every time. Unless you configure the registry client side extension otherwise, it doesn't refresh (b/c the GPO itself hasn't changed)... so you could still have a user from another domain change the domain, then the next user is logging on to the wrong domain... A startup script is useful to enforce that setting. However, I agree that educating users to log on with the upn is a much more viable answer for multidomain environments; I would try to aim for that. Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain

We are using a startup script that has two reg add commands

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f
reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f

This has worked very well for us during and post migration. Most of our users came from small NT domains and we only finished the 1000 NT domains to 9 AD domains over the last 6 months. Where this does not work is if I choose to logon, then hit escape - for some reason when I hit ctrl alt del the second time the last domain I logged into shows up instead of the specified DOMAINAME above. This might have been specific to one machine or may be a problem with one of the entries - I only saw it the once and have not had time to go back and investigate.

Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service [EMAIL PROTECTED]

Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/19/2005 11:59 PM ZE2
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain

got ya - makes sense in this case. however, you could also educate users to logon via UPN thus not requiring the selection of a domain at all, regardless of the domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, 19 July 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest, if someone from a different domain uses someone's computer, on reboot the domain that is selected in the drop down list is the proper domain for that computer. Similar to when my helpdesk people login to the local machine, the user doesn't try to then login to the local machine using their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client. The question is, if you really need it/want it. Most computer migration tools can set that value during the migration of the PC from source to target. But you might very well not want to change this value at the time of the computer-migration = you'll typically want to change it during migration/activation of the user accounts. This is often not done at the same time, so changing the value via GPO with the computer migration could actually be counter-productive. Further, it's not enough if you're implementing a new naming convention for user-accounts or simply need to change logon-names due to duplicates during a domain-migration that consolidates multiple source domains to one AD domain. In this case you'll not only want to generically update the
[ActiveDir] Message Not Delivered
--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---
---End Message---

--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---
---End Message---

--- Attention: Non-Delivery Report ---
This report is generated by the email server at: ivytech.edu
The message with subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use and attached to this report was not delivered to the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--
---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like it to, but that is another story. Just a question of priority among the millions of things to do in WMI ... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers. That seemed to me to be the only way it would be able to accomplish the notifications. It's good to know that that is not the case. Thanks Alain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per se. All that WMI does is poll AD for changes at regular intervals. Based on WQL query and changes, it notifies the WMI consumer that there was a change. No auditing information is available out of WMI. Windows Auditing must be used to gather the who did it. Moreover, I advise you to scope your WQL query very well (narrow scope) for good performance. /Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

I'm interested in identifying the programming interfaces used by products like Quest's Change Manager for Active Directory and NetPro's AD-related change monitoring products. The existing ADSI and LDAP interfaces do not appear to offer the degree of granularity that these products are capable of obtaining in terms of AD changes that they can monitor report on. I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated async event notification API functions that it provides, and I'm thinking that AD has to have something similar. However, the MSDN Platform SDK documentation doesn't identify anything in way of API functions or COM interfaces [e.g. ADSI] that are capable of providing the sort of event notification that I'm needing to use in my application. I'm looking to track object creation, deletion, rename, move and modification of attributes. In the case of modified attributes, for single valued attributes, I need to know the before after values, and in the case of multi-valued attributes, I need to know which individual value was added to or removed from the attribute's value list. Does anybody have any recommendations on what sorts of programming interfaces are available that can provide this degree of granularity in AD
RE: [ActiveDir] Message Not Delivered
Does anyone know if [EMAIL PROTECTED] is a valid address? BWAHAHAHAHAHAHAHA -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 20, 2005 1:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Message Not Delivered --- Attention: Non-Delivery Report --- This report is generated by the email server at: ivytech.edu The message with subject: [ActiveDir] Message Not Delivered and attached to this report was not delivered to the following recipients: Address: [EMAIL PROTECTED] Reason: 554 5.5.2 No valid recipients (554) -- List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/