[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSync under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All that WMI does is poll AD for changes at regular intervals. Based on the
WQL query and the changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in the way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
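Added example, not part of the original thread: a sketch of the poll-and-diff approach described above, producing the events the original question asks for (create, delete, rename, move, before/after for single-valued attributes, added/removed values for multi-valued ones). The snapshot layout, the GUID keys and all names are constructed for illustration; it goes beyond WMI to any polling monitor and shows that a change made and reverted between two polls is never reported, and that no event carries who made the change.

```python
import copy


def split_dn(dn):
    """Split a DN into (RDN, parent DN) at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":          # skip the escaped character, e.g. "\," in a CN
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def diff_snapshots(before, after):
    """Compare two snapshots {guid: {"dn": str, "attrs": {...}}} and list changes.

    Objects are matched by GUID, so a rename or move is not mistaken for a
    delete plus a create. List values are treated as multi-valued attributes.
    """
    events = []
    for guid in sorted(before.keys() - after.keys()):
        events.append({"type": "deleted", "guid": guid, "dn": before[guid]["dn"]})
    for guid in sorted(after.keys() - before.keys()):
        events.append({"type": "created", "guid": guid, "dn": after[guid]["dn"]})
    for guid in sorted(before.keys() & after.keys()):
        old, new = before[guid], after[guid]
        old_rdn, old_parent = split_dn(old["dn"])
        new_rdn, new_parent = split_dn(new["dn"])
        if old_rdn.lower() != new_rdn.lower():
            events.append({"type": "renamed", "guid": guid,
                           "before": old_rdn, "after": new_rdn})
        if old_parent.lower() != new_parent.lower():
            events.append({"type": "moved", "guid": guid,
                           "before": old_parent, "after": new_parent})
        for attr in sorted(old["attrs"].keys() | new["attrs"].keys()):
            o, n = old["attrs"].get(attr), new["attrs"].get(attr)
            if isinstance(o, list) or isinstance(n, list):
                added = sorted(set(n or []) - set(o or []))
                removed = sorted(set(o or []) - set(n or []))
                if added or removed:
                    events.append({"type": "values_changed", "guid": guid,
                                   "attr": attr, "added": added, "removed": removed})
            elif o != n:
                events.append({"type": "modified", "guid": guid,
                               "attr": attr, "before": o, "after": n})
    return events


def poll(timeline, every):
    """Report what a poller sees when it samples only every `every`-th state."""
    seen = timeline[::every]
    events = []
    for prev, cur in zip(seen, seen[1:]):
        events.extend(diff_snapshots(prev, cur))
    return events


# Constructed sample data: three successive directory states.
T0 = {
    "guid-group-1": {"dn": "CN=Helpdesk,OU=Groups,DC=example,DC=com",
                     "attrs": {"member": ["CN=Bob,OU=Staff,DC=example,DC=com"]}},
    "guid-user-1": {"dn": "CN=Ann Lee,OU=Staff,DC=example,DC=com",
                    "attrs": {"title": "Analyst"}},
}
T1 = copy.deepcopy(T0)   # a member is added to the group ...
T1["guid-group-1"]["attrs"]["member"].append("CN=Eve,OU=Staff,DC=example,DC=com")
T2 = copy.deepcopy(T0)   # ... and removed again; the user is renamed, moved, retitled
T2["guid-user-1"] = {"dn": "CN=Ann Smith,OU=Managers,DC=example,DC=com",
                     "attrs": {"title": "Manager"}}
TIMELINE = [T0, T1, T2]

if __name__ == "__main__":
    for interval in (1, 2):
        print(f"poll interval {interval}:")
        for event in poll(TIMELINE, interval):
            print("  ", event)
```

With the wider interval the temporary group membership never appears in the output, which is why the security event log, not a poller, has to be the record of who changed what.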

RE: [ActiveDir] Default Domain

2005-07-20 Thread Dan Holme
REG ADD has a disadvantage b/c it runs every time (thus adding to
startup delay) but of course has one big advantage... it runs every
time.  Unless you configure the registry client side extension
otherwise, it doesn't refresh (b/c the GPO itself hasn't changed)... so
you could still have a user from another domain change the domain, then
the next user is logging on to the wrong domain... A startup script is
useful to enforce that setting.

However, I agree that educating users to log on with the UPN is a much
more viable answer for multidomain environments. I would try to aim
for that.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain

We are using a startup script that has two reg add commands

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f

This has worked very well for us during and post migration.  Most of our
users came from small NT domains and we only finished the 1000 NT domains
to 9 AD domains over the last 6 months.  Where this does not work is if I
choose to logon, then hit escape - for some reason when I hit ctrl alt del
the second time the last domain I logged into shows up instead of the
specified DOMAINAME above.  This might have been specific to one machine or
may be a problem with one of the entries - I only saw it the once and have
not had time to go back and investigate.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[EMAIL PROTECTED]


 

From: Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 07/19/2005 11:59 PM ZE2
Please respond to: ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain

got ya - makes sense in this case.

however, you could also educate users to logon via UPN thus not
requiring the selection of a domain at all, regardless of the
domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Dienstag, 19. Juli 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someone's computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer.  Similar to when my helpdesk people login to the local
machine, the user doesn't try to then login to the local machine using
their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client.

The question is, if you really need it/want it. Most computer migration
tools can set that value during the migration of the PC from source to
target.  But you might very well not want to change this value at the
time of the computer-migration = you'll typically want to change it
during migration/activation of the user accounts.  This is often not
done at the same time, so changing the value via GPO with the computer
migration could actually be counter-productive.

Further, it's not enough if you're implementing new naming conventions
for user-accounts or simply need to change logon-names due to duplicates
during a domain-migration that consolidates multiple source domains to
one AD domain.  In this case you'll not only want to generically update
the DefaultDomainName value to help your users, but at the same time
you might want to update the DefaultUserName value with the new
accountname for the target domain. Hardly doable with a GPO - I
typically do this with custom scripts triggered centrally during account
activation (quite independently from the computer migration).

But nothing goes over educating your users about the changes in the
infrastructure and specifically those related to their domain logon -
otherwise 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSync under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per se.
All WMI does is poll AD for changes at regular intervals. Based on the
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in the way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : 
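
The thread above contrasts interval polling (what changed) with Windows Auditing (who changed it). The following Python sketch is an added example, not part of the original thread and not WMI or ADSI code: it diffs polled snapshots to produce the change types asked about, and shows that a change made and reverted between two polls is never reported. The objects, DNs, account names and the write-log format are constructed assumptions.

```python
# Added illustration (not WMI/ADSI code): diffing polled snapshots of a directory.
# All objects, DNs, account names and the write-log format are constructed samples.

MULTI_VALUED = {"member"}  # assumption: attributes compared as sets of values

G1_DN = "CN=Domain Admins,CN=Users,DC=example,DC=com"
MALLORY = "CN=mallory,OU=Staff,DC=example,DC=com"
BASELINE = {  # keyed by a stand-in objectGUID so a DN change is not delete + create
    "G1": {"dn": G1_DN, "member": frozenset({"CN=alice,OU=Staff,DC=example,DC=com"})},
    "U1": {"dn": "CN=bob,OU=Staff,DC=example,DC=com", "title": "Analyst"},
}
WRITES = [  # "t" = seconds after the baseline; "by" exists only in the audit trail
    {"t": 3, "guid": "G1", "op": "add", "attr": "member", "value": MALLORY,
     "by": "EXAMPLE\\svc-temp"},
    {"t": 7, "guid": "G1", "op": "remove", "attr": "member", "value": MALLORY,
     "by": "EXAMPLE\\svc-temp"},
    {"t": 12, "guid": "U1", "op": "set", "attr": "title", "value": "Senior Analyst",
     "by": "EXAMPLE\\helpdesk1"},
    {"t": 14, "guid": "U1", "op": "set", "attr": "dn",
     "value": "CN=bob,OU=Managers,DC=example,DC=com", "by": "EXAMPLE\\helpdesk1"},
    {"t": 25, "guid": "G1", "op": "add", "attr": "member",
     "value": "CN=carol,OU=Staff,DC=example,DC=com", "by": "EXAMPLE\\admin2"},
]


def apply_write(state, write):
    """Apply one write to the live directory state; the actor ("by") is not stored."""
    guid, op, attr = write["guid"], write["op"], write.get("attr")
    if op == "create":
        state[guid] = dict(write["attrs"])
    elif op == "delete":
        state.pop(guid, None)
    elif op == "set":
        state[guid][attr] = write["value"]
    elif op == "add":
        state[guid][attr] = state[guid].get(attr, frozenset()) | {write["value"]}
    elif op == "remove":
        state[guid][attr] = state[guid].get(attr, frozenset()) - {write["value"]}


def diff_snapshots(old, new):
    """Return change records between two snapshots (before/after, added/removed)."""
    changes = []
    for guid in sorted(new.keys() - old.keys()):
        changes.append(("created", new[guid]["dn"]))
    for guid in sorted(old.keys() - new.keys()):
        changes.append(("deleted", old[guid]["dn"]))
    for guid in sorted(old.keys() & new.keys()):
        before, after = old[guid], new[guid]
        for attr in sorted(before.keys() | after.keys()):
            b, a = before.get(attr), after.get(attr)
            if b == a:
                continue
            if attr == "dn":
                changes.append(("moved_or_renamed", b, a))
            elif attr in MULTI_VALUED:
                b, a = b or frozenset(), a or frozenset()
                for value in sorted(a - b):
                    changes.append(("value_added", after["dn"], attr, value))
                for value in sorted(b - a):
                    changes.append(("value_removed", after["dn"], attr, value))
            else:
                changes.append(("modified", after["dn"], attr, b, a))
    return changes


def poll(baseline, writes, interval, end):
    """Replay writes, snapshot every `interval` seconds, diff consecutive snapshots."""
    state = {g: dict(a) for g, a in baseline.items()}
    last = {g: dict(a) for g, a in state.items()}
    pending = sorted(writes, key=lambda w: w["t"])
    seen, i = [], 0
    for now in range(interval, end + 1, interval):
        while i < len(pending) and pending[i]["t"] <= now:
            apply_write(state, pending[i])
            i += 1
        snap = {g: dict(a) for g, a in state.items()}
        seen.extend((now, change) for change in diff_snapshots(last, snap))
        last = snap
    return seen


if __name__ == "__main__":
    for interval in (10, 1):
        print(f"--- polling every {interval}s ---")
        for when, change in poll(BASELINE, WRITES, interval, 30):
            print(when, change)
```

With a 10-second interval the temporary group membership at t=3 to t=7 never appears, and at no interval does a change record carry the account that made the write; that information has to come from the audit log.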

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice  voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in the way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for
single-valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
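
The thread's two technical points, that a polling consumer only sees the difference between two reads and that the original poster wants before/after values plus per-value add/remove on multi-valued attributes, can be modelled as a snapshot diff. This is an added example, not code from the thread or from the LissWare samples; the snapshots, GUID keys, DNs and the single-valued attribute set are constructed, and it models interval polling in general, not the WMI provider's internals.

```python
"""Snapshot-diff model of interval polling against a directory (added example)."""

SINGLE_VALUED = {"displayName"}  # assumption: caller supplies this from the schema


def split_dn(dn):
    """Split a DN into (rdn, parent) at the first comma not escaped by a backslash."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def diff_object(guid, old, new, single_valued):
    """Compare two reads of the same object (matched by GUID, not by DN)."""
    changes = []
    old_rdn, old_parent = split_dn(old["dn"])
    new_rdn, new_parent = split_dn(new["dn"])
    if old_parent.lower() != new_parent.lower():
        changes.append({"guid": guid, "op": "move",
                        "before": old["dn"], "after": new["dn"]})
    elif old_rdn.lower() != new_rdn.lower():
        changes.append({"guid": guid, "op": "rename",
                        "before": old["dn"], "after": new["dn"]})
    for name in sorted(set(old["attrs"]) | set(new["attrs"])):
        before = old["attrs"].get(name, [])
        after = new["attrs"].get(name, [])
        if name in single_valued:
            b = before[0] if before else None
            a = after[0] if after else None
            if b != a:
                changes.append({"guid": guid, "op": "modify", "attr": name,
                                "before": b, "after": a})
        else:
            added = sorted(set(after) - set(before))
            removed = sorted(set(before) - set(after))
            if added or removed:
                changes.append({"guid": guid, "op": "modify", "attr": name,
                                "added": added, "removed": removed})
    return changes


def diff_snapshots(prev, curr, single_valued=SINGLE_VALUED):
    """Return the change records one poll would produce between two snapshots."""
    changes = []
    for guid in sorted(set(prev) | set(curr)):
        if guid not in prev:
            changes.append({"guid": guid, "op": "create", "after": curr[guid]["dn"]})
        elif guid not in curr:
            changes.append({"guid": guid, "op": "delete", "before": prev[guid]["dn"]})
        else:
            changes.extend(diff_object(guid, prev[guid], curr[guid], single_valued))
    return changes


def member_changes(changes):
    """Filter change records down to group-membership modifications."""
    return [c for c in changes if c.get("attr") == "member"]


# Constructed sample data: three successive states of a tiny directory.
ALICE = "CN=Alice Jones,OU=Staff,DC=example,DC=com"
BOB = "CN=Bob Smith,OU=Staff,DC=example,DC=com"
GROUP_DN = "CN=Helpdesk Admins,OU=Groups,DC=example,DC=com"

S0 = {"g-1": {"dn": GROUP_DN,
              "attrs": {"displayName": ["Helpdesk T1"], "member": [ALICE]}},
      "u-2": {"dn": BOB, "attrs": {"displayName": ["Bob Smith"]}}}
# S1: Bob is added to the group and the group's displayName changes.
S1 = {"g-1": {"dn": GROUP_DN,
              "attrs": {"displayName": ["Helpdesk T2"], "member": [ALICE, BOB]}},
      "u-2": {"dn": BOB, "attrs": {"displayName": ["Bob Smith"]}}}
# S2: Bob is removed from the group again and his account moves to another OU.
S2 = {"g-1": {"dn": GROUP_DN,
              "attrs": {"displayName": ["Helpdesk T2"], "member": [ALICE]}},
      "u-2": {"dn": "CN=Bob Smith,OU=Contractors,DC=example,DC=com",
              "attrs": {"displayName": ["Bob Smith"]}}}

# A poller that reads every state sees the add and the remove.
FAST_POLL = diff_snapshots(S0, S1) + diff_snapshots(S1, S2)
# A poller whose interval spans S1 never sees the membership change at all,
# and neither poller's records carry an actor: that comes from the audit log.
SLOW_POLL = diff_snapshots(S0, S2)

if __name__ == "__main__":
    for label, records in (("fast", FAST_POLL), ("slow", SLOW_POLL)):
        print(label)
        for rec in records:
            print("  ", rec)
```

The slow poll reports only the displayName change and the move, so a short-lived group membership is invisible to it, which is the practical consequence of pairing interval polling with Windows Auditing for the "who" and the "when".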
[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSync under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All WMI does is poll AD for changes at regular intervals. Based on the
WQL query and the changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the "who did it".
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in the way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
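
Added example (not part of the original thread, and not code from WMI or the products named): a constructed Python simulation of the interval polling Alain describes, diffing successive snapshots to produce the before/after values and added/removed members Chuck asks for. The GUIDs, DNs, writes and the actor field are all constructed; the run shows that writes inside one polling interval coalesce and that the actor is never visible to a poller.

```python
import copy
from dataclasses import dataclass

MULTI_VALUED = {"member"}  # assumption: attributes treated as multi-valued


@dataclass(frozen=True)
class Change:
    kind: str  # created, deleted, renamed, moved, modified, value_added, value_removed
    guid: str
    attribute: str = ""
    before: object = None
    after: object = None


def parent_of(dn):
    # Naive split; ignores escaped commas, which the constructed DNs below avoid.
    return dn.split(",", 1)[1]


def diff_snapshots(previous, target):
    """Diff two polls. Each snapshot maps objectGUID -> {attribute: value}."""
    changes = []
    for guid in sorted(target.keys() - previous.keys()):
        changes.append(Change("created", guid, after=target[guid]["distinguishedName"]))
    for guid in sorted(previous.keys() - target.keys()):
        changes.append(Change("deleted", guid, before=previous[guid]["distinguishedName"]))
    for guid in sorted(previous.keys() & target.keys()):
        old, new = previous[guid], target[guid]
        for attr in sorted(old.keys() | new.keys()):
            before, after = old.get(attr), new.get(attr)
            if attr in MULTI_VALUED:
                old_vals, new_vals = set(before or ()), set(after or ())
                changes += [Change("value_added", guid, attr, after=v)
                            for v in sorted(new_vals - old_vals)]
                changes += [Change("value_removed", guid, attr, before=v)
                            for v in sorted(old_vals - new_vals)]
            elif before != after:
                kind = "modified"
                if attr == "distinguishedName":
                    # Same GUID, new DN: rename if the parent is unchanged, else move.
                    same_parent = parent_of(before) == parent_of(after)
                    kind = "renamed" if same_parent else "moved"
                changes.append(Change(kind, guid, attr, before, after))
    return changes


def apply_write(state, write):
    """Apply one constructed write: (time, actor, guid, attribute, value)."""
    _, _, guid, attr, value = write
    state.setdefault(guid, {})[attr] = value


def scoped(state, in_scope):
    # Narrow scope, as advised in the thread: only matching objects are compared.
    return {g: copy.deepcopy(o) for g, o in state.items() if in_scope(o)}


def run_poller(initial, writes, interval, end, in_scope):
    """Poll at t = interval, 2*interval, ... and diff against the previous poll.

    The poller sees only the state at poll time: never the individual writes
    and never the actor field, so it cannot report who made a change.
    """
    state = copy.deepcopy(initial)
    pending = sorted(writes, key=lambda w: w[0])
    previous, events = scoped(state, in_scope), []
    for t in range(interval, end + 1, interval):
        while pending and pending[0][0] <= t:
            apply_write(state, pending.pop(0))
        target = scoped(state, in_scope)
        events += [(t, c) for c in diff_snapshots(previous, target)]
        previous = target
    return events


# Constructed sample data (not from the thread).
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"
TEMP = "CN=temp-admin,OU=Staff,DC=example,DC=com"
INITIAL = {
    "guid-1": {"distinguishedName": "CN=Helpdesk,OU=Groups,DC=example,DC=com",
               "description": "Tier 1", "member": [ALICE]},
    "guid-2": {"distinguishedName": "CN=printer7,OU=Devices,DC=example,DC=com",
               "description": "lobby"},
}
WRITES = [
    (3, "admin-a", "guid-1", "description", "Tier 1 (draft)"),
    (7, "admin-b", "guid-1", "description", "Tier 2"),
    (12, "admin-a", "guid-1", "member", [ALICE, BOB, TEMP]),
    (14, "admin-b", "guid-1", "member", [ALICE, BOB]),  # TEMP removed 2 s later
    (25, "admin-a", "guid-1", "distinguishedName",
     "CN=Service Desk,OU=Groups,DC=example,DC=com"),
    (27, "admin-b", "guid-2", "description", "moved to floor 2"),  # out of scope
]


def in_groups_ou(obj):
    return obj["distinguishedName"].endswith(",OU=Groups,DC=example,DC=com")


if __name__ == "__main__":
    for t, change in run_poller(INITIAL, WRITES, 10, 30, in_groups_ou):
        print(t, change)
```

With a 10-second interval the short-lived membership of the constructed temp-admin account never produces an event; a 1-second interval reports it, at the cost of polling the directory ten times as often.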

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] User with LDAP userPassword permissions

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Do this with ADSIEDIT  more permissions, no fiddling ;)

From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: 19 July 2005 09:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User with LDAP userPassword permissions

I didn't see any responses to this - don't know if I missed an answer - but
you should be able to ACL the Write permission to the userPassword property
to any account you want, and you're right to do it to a limited account,
although I'd be concerned about ANY code that could be accessed and leveraged
to change passwords - but that's a security discussion, not a delegation
discussion.

What's the actual PROBLEM? Is it the delegation or how to do it? I've not
dealt with that attribute recently, but I might have the piece (that most
people miss) for you. Hopefully this is the answer:

You need to expose the permissions for that property in order to delegate
them. There are LOTS of properties of a user (and other objects) that are
hidden to keep the ACL Editor clean.

On the machine FROM WHICH YOU ADMINISTER, open Notepad and open
%windir%\system32\dssec.dat

Find the section [user].

Find the line userPassword=7. Delete it. (the =7 hides the permissions for
this property in the ACL editor)

Restart AD Users & Computers.

In ADUC View > Advanced Features.

Right-click the OU that contains the users for whom you want this PHP app to
set the passwords for.

Security > Advanced > Add

Specify the account (or a group containing the account) used by the PHP app.

In the dialog box, click the PROPERTIES tab.

In the drop down list, choose USER OBJECTS.

Scroll down and you'll find Write userPassword.

If this doesn't work, or wasn't quite the problem you were having, please
reply. In such case, please let us know what domain and forest functional
level you're running and if you have SP1 on your W2K3 DCs. It makes a
difference, as you might know.

Dan

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, July 18, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User with LDAP userPassword permissions

Hi,

I'm trying to give an account permission to update the
userPassword field via LDAP protocol in PHP. I have it working perfect
using my Admin account. But since that has to be stored in the PHP file I
would really like to have an account with much tighter security able to make
the modification.

Any ideas?

Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+
---End Message---
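
The dssec.dat step in Dan Holme's message above, as an added example that is not part of the original thread: a small Python helper that lists which properties a class section hides with `=7` and removes one such line from that section only. The function names and the sample file content are constructed for illustration; read the real file from `%windir%\system32\dssec.dat` on the administration workstation and keep a backup copy before writing any change back.

```python
"""Audit and edit ACL-editor display filters in dssec.dat text (added example)."""
import re

# Per the message above: "=7" hides the property's permissions in the ACL editor.
HIDDEN = "7"

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*(?P<attr>[^=;\s][^=]*?)\s*=\s*(?P<val>\S*)\s*$")

# Constructed sample, not copied from a real system.
SAMPLE = (
    "[user]\r\n"
    "aCSPolicyName=7\r\n"
    "userPassword=7\r\n"
    "userParameters=7\r\n"
    "\r\n"
    "[computer]\r\n"
    "UserPassword = 7\r\n"
    "accountExpires=7\r\n"
)


def iter_entries(text):
    """Yield (line_index, section, attribute, value) for each attr=value line."""
    section = None
    for idx, line in enumerate(text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            # Section names are compared case-insensitively.
            section = m.group("name").strip().lower()
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            yield idx, section, m.group("attr"), m.group("val")


def hidden_properties(text, object_class):
    """Return the attributes hidden (value 7) in one object-class section."""
    wanted = object_class.lower()
    return [a for _, s, a, v in iter_entries(text) if s == wanted and v == HIDDEN]


def unhide(text, object_class, attribute):
    """Drop the attribute=7 line from one section; other sections are untouched.

    Returns (new_text, number_of_lines_removed). Line endings are preserved.
    """
    wanted_s, wanted_a = object_class.lower(), attribute.lower()
    drop = {
        i
        for i, s, a, v in iter_entries(text)
        if s == wanted_s and a.lower() == wanted_a and v == HIDDEN
    }
    lines = text.splitlines(keepends=True)
    kept = [ln for i, ln in enumerate(lines) if i not in drop]
    return "".join(kept), len(drop)


if __name__ == "__main__":
    print("hidden in [user] before:", hidden_properties(SAMPLE, "user"))
    edited, removed = unhide(SAMPLE, "user", "userPassword")
    print("lines removed:", removed)
    print("hidden in [user] after: ", hidden_properties(edited, "user"))
    print("hidden in [computer]:   ", hidden_properties(edited, "computer"))
```

The edit only changes what the ACL editor displays on that workstation; the delegation itself is still granted through the Security > Advanced > Add steps in the message.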


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Delegation of privilege

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Hi Yann,

You could grant your user those privileges that are listed
as User Rights, by applying a corresponding Group Policy Object to only one DC.
However, this is probably not enough for you. For example, you cannot grant a
privilege to format hard drives or share folders this way.

Yours, Sakari

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my users "server operator" privilege on only
one DC, and not the whole DCs of my AD 2003.
I know that DCs do not have sam locally, and the only way to give this
privilege is to use the Built-in Groups in the Built-in Container. But doing
this allows my user to be server op for all DCs in my domain.

The purpose of my question is:
=> to give one user the privilege to fully manage *only one* DC with "server
operator" privilege, without having the right to use MMCs such as ADUC,
Schema, dssite, replmon, repadmin commands.

Is this possible ?

Thanks for input.

Cheers,

Yann
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for
single-valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
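
A small model of the polling behaviour described in this thread and of the before/after detail asked for in the original question, added here as an illustration; it is not taken from the thread or from GroupMonitor.wsf. It works on constructed snapshots rather than WMI or LDAP calls, and the GUID, DNs, member names and function names are all assumptions.

```python
"""Interval polling modelled over constructed snapshots (no WMI or LDAP calls)."""


def diff_values(before, after):
    """Attribute-level changes between two versions of one object."""
    changes = {}
    for attr in sorted(set(before) | set(after)):
        old, new = before.get(attr), after.get(attr)
        if isinstance(old, frozenset) or isinstance(new, frozenset):
            # Multi-valued: report the individual values added and removed.
            old_set, new_set = set(old or ()), set(new or ())
            if old_set != new_set:
                changes[attr] = {"added": sorted(new_set - old_set),
                                 "removed": sorted(old_set - new_set)}
        elif old != new:
            # Single-valued: report the value before and after.
            changes[attr] = {"before": old, "after": new}
    return changes


def diff_snapshots(prev, curr):
    """Compare two polls. Objects are keyed by GUID so that a rename or move
    (same GUID, new DN) is not mistaken for a delete plus a create."""
    events = []
    for guid in sorted(set(prev) | set(curr)):
        old, new = prev.get(guid), curr.get(guid)
        if old is None:
            events.append({"type": "created", "guid": guid, "dn": new["dn"]})
        elif new is None:
            events.append({"type": "deleted", "guid": guid, "dn": old["dn"]})
        else:
            if old["dn"] != new["dn"]:
                # Simplification: splits on the first comma, ignores escaped commas.
                old_parent = old["dn"].partition(",")[2]
                new_parent = new["dn"].partition(",")[2]
                kind = "moved" if old_parent != new_parent else "renamed"
                events.append({"type": kind, "guid": guid,
                               "before": old["dn"], "after": new["dn"]})
            attrs = diff_values(old["attrs"], new["attrs"])
            if attrs:
                events.append({"type": "modified", "guid": guid,
                               "dn": new["dn"], "changes": attrs})
    return events


def poll(timeline, interval):
    """Sample the timeline every `interval` ticks and diff consecutive samples."""
    sampled = timeline[::interval]
    events = []
    for prev, curr in zip(sampled, sampled[1:]):
        events.extend(diff_snapshots(prev, curr))
    return events


def group(dn, description, members):
    """Build one constructed group object."""
    return {"dn": dn, "attrs": {"description": description,
                                "member": frozenset(members)}}


G = "guid-0001"  # constructed identifier standing in for an objectGUID
OLD_DN = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
NEW_DN = "CN=Helpdesk,OU=Support,DC=example,DC=com"

# Constructed directory state at ticks 0..4. CN=carol is a member only at tick 1.
TIMELINE = [
    {G: group(OLD_DN, "Tier 1", {"CN=alice", "CN=bob"})},
    {G: group(OLD_DN, "Tier 1", {"CN=alice", "CN=bob", "CN=carol"})},
    {G: group(OLD_DN, "Tier 1 support", {"CN=alice", "CN=bob"})},
    {G: group(NEW_DN, "Tier 1 support", {"CN=alice", "CN=dave"})},
    {G: group(NEW_DN, "Tier 1 support", {"CN=alice", "CN=dave"})},
]

if __name__ == "__main__":
    for interval in (1, 2):
        print(f"--- polling every {interval} tick(s)")
        for event in poll(TIMELINE, interval):
            print(event)
```

With a two-tick interval the membership value that was added and removed between polls never surfaces, and no event carries the identity of the account that made the change; that has to come from Windows Auditing.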

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] DC Backups

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Hi,
 
Check if the exclusion definitions are the same in NTBACKUP (Tools -> Options ->
Exclude Files)
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Sun 7/17/2005 11:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Backups




I have something that is bugging me and maybe someone on this list 
knows. I have two 2003 DCs. DC1 has 3 drives C, D and E. I installed the 
database on E and the logs on D. On DC2 on a different site, it has 2 
drives C and D. I installed the database on D and the logs on C with the 
OS. 

I am doing an all drives backup of both DCs with NTBACKUP on Sundays, 
separate from the daily System States. On DC1, I can drill down on the E 
drive and see NTDS.DIT file selected and I can choose to unselect it if I 
want. On DC2, I also see the E drive selected, however when I drill down 
I can NOT select the NTDS.DIT file and other files on the NTDS 
directory. 

I've read that the database is part of the System State backup and that 
it can not be backed up or restored individually. If that's the case I 
would expect to see the same kind of thing on both DCs. 

Anyone know why this is? 

Thanks 

Johnny Figueroa 
Enterprise Network Consultant/Integrator 
Network Services Banner Health Voice (602) 
495-4195 Fax (602) 495-4406 
  

List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 



---End Message---



[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Logon script with Admin rights

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
If you use a startup script, it will run as local system and be able to
fully install.  If, however, it NEEDS to be run as a user, this won't
work.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an
application on a user's PC as an Administrator?  I don't want to expose
the password using 'run as'

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Default Domain

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someone's computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer.  Similar to when my helpdesk people login to the local
machine, the user doesn't try to then login to the local machine using
their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client.

The question is, if you really need it/want it. Most computer migration
tools can set that value during the migration of the PC from source to
target.  But you might very well not want to change this value at the
time of the computer-migration => you'll typically want to change it
during migration/activation of the user accounts.  This is often not
done at the same time, so changing the value via GPO with the computer
migration could actually be counter-productive.

Further, it's not enough if you're implementing new naming conventions
for user-accounts or simply need to change logon-names due to duplicates
during a domain-migration that consolidates multiple source domains to
one AD domain.  In this case you'll not only want to generically update
the DefaultDomainName value to help your users, but at the same time
you might want to update the DefaultUserName value with the new
accountname for the target domain. Hardly doable with a GPO - I
typically do this with custom scripts triggered centrally during account
activation (quite independently from the computer migration).

But nothing goes over educating your users about the changes in the
infrastructure and specifically those related to their domain logon -
otherwise they potentially stare at another machine and wonder why they
can't logon to this one, causing an increase in helpdesk calls...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Dienstag, 19. Juli 2005 22:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain

Has anyone tried this?  I got it off of another list I am a part of.

The default domain name is stored in the DefaultDomainName registry
value, but there is no built-in Group Policy setting to control its value. You
can easily create a custom .adm file that will let you configure the
default domain for computers that have the GPO applied. To do so, save
this code as defaultdomain.adm in the C:\windows\inf folder.

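; Machine policy: shown under Computer Configuration, written to HKLM
CLASS MACHINE
CATEGORY "Logon Settings"
  KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  POLICY "Default Domain"
    ; Free-text box whose content is stored in the DefaultDomainName value
    PART "Default Domain" EDITTEXT
      VALUENAME "DefaultDomainName"
    END PART
  END POLICY
END CATEGORY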

You can then add this template to an existing or new GPO's Computer
Configuration section. To do so, select Add/Remove Templates. Click Add
and select the defaultdomain.adm file. Because this registry subkey
isn't in a standard, managed portion of the registry, you won't see it
until you select Filtering under the View menu and clear the Only show
policy settings that can be fully managed check box, as the figure at
http://list.windowsitpro.com/t?ctl=EA05:2C262
shows.
   The new policy will be available under Computer Configuration,
Administrative Templates, Logon Settings, Default Domain. The policy
sets the specified domain on computers that receive the policy, as the
figure at
http://list.windowsitpro.com/t?ctl=EA08:2C262
shows. During migrations between domains, this policy saves users from
having to select a new domain from the drop-down list


Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]



[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor  report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before  after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI Actually has an asynronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the
original and new values are.  Adam Lissoir wrote some scripts that
demonstrate this.  I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by
products like Quest's Change Manager for Active Directory and NetPro's
AD-related change monitoring products.  The existing ADSI and LDAP
interfaces do not appear to offer the degree of granularity that these
products are capable of obtaining in terms of AD changes that they can
monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm
thinking that AD has to have something similar.  However, the MSDN
Platform SDK documentation doesn't identify anything in way of API
functions or COM interfaces [e.g. ADSI] that are capable of providing
the sort of event notification that I'm needing to use in my
application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for
single valued attributes, I need to know the before & after values, and
in the case of multi-valued attributes, I need to know which individual
value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in
AD event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---
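
The polling approach described in this thread, reduced to its core as an added example (not code from the thread, from WMI, or from any product named in it): two snapshots of directory objects are compared to recover the events the original question asks for. The snapshot layout, function names and sample objects are assumptions constructed for illustration; `reverted_between_polls` shows that a change undone between two polls is never reported, and nothing in a snapshot says who made a change.

```python
def split_dn(dn):
    """Split a DN into (rdn, parent) at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2              # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def diff_snapshots(before, after, multi_valued=frozenset({"member"})):
    """Compare two polls keyed by objectGUID and return change events."""
    events = []
    for guid in sorted(after.keys() - before.keys()):
        events.append(("created", after[guid]["dn"]))
    for guid in sorted(before.keys() - after.keys()):
        events.append(("deleted", before[guid]["dn"]))
    for guid in sorted(before.keys() & after.keys()):
        old, new = before[guid], after[guid]
        if old["dn"] != new["dn"]:
            # Same GUID, different DN: the object was renamed and/or moved.
            old_rdn, old_parent = split_dn(old["dn"])
            new_rdn, new_parent = split_dn(new["dn"])
            if old_rdn.lower() != new_rdn.lower():
                events.append(("renamed", old["dn"], new["dn"]))
            if old_parent.lower() != new_parent.lower():
                events.append(("moved", old["dn"], new["dn"]))
        for name in sorted(set(old["attrs"]) | set(new["attrs"])):
            o, n = old["attrs"].get(name), new["attrs"].get(name)
            if name in multi_valued:
                # Multi-valued: report each individual value added or removed.
                o_set, n_set = set(o or []), set(n or [])
                for value in sorted(n_set - o_set):
                    events.append(("value_added", new["dn"], name, value))
                for value in sorted(o_set - n_set):
                    events.append(("value_removed", new["dn"], name, value))
            elif o != n:
                # Single-valued: report the before and after values.
                events.append(("modified", new["dn"], name, o, n))
    return events


# Constructed sample data (not from a real directory).
BASE = "DC=example,DC=com"
GROUP = "CN=Helpdesk,OU=Groups," + BASE
ALICE = "CN=alice,OU=Staff," + BASE
BOB = "CN=bob,OU=Staff," + BASE
MALLORY = "CN=mallory,OU=Staff," + BASE

POLL_1 = {
    "g1": {"dn": GROUP, "attrs": {"description": "Tier 1", "member": [ALICE, BOB]}},
    "g2": {"dn": "CN=carol,OU=Staff," + BASE, "attrs": {"title": "Analyst"}},
    "g3": {"dn": "CN=old-svc,OU=Service," + BASE, "attrs": {}},
}
POLL_2 = {
    "g1": {"dn": GROUP, "attrs": {"description": "Tier 2", "member": [ALICE, MALLORY]}},
    "g2": {"dn": "CN=carol,OU=Managers," + BASE, "attrs": {"title": "Analyst"}},
    "g4": {"dn": "CN=new-svc,OU=Service," + BASE, "attrs": {}},
}


def reverted_between_polls():
    """A member is added and removed again before the next poll runs."""
    start = {"g1": {"dn": GROUP, "attrs": {"member": [ALICE]}}}
    middle = {"g1": {"dn": GROUP, "attrs": {"member": [ALICE, MALLORY]}}}
    end = {"g1": {"dn": GROUP, "attrs": {"member": [ALICE]}}}
    # Polling at start and end sees nothing; only a poll at 'middle' would.
    return diff_snapshots(start, middle), diff_snapshots(start, end)


if __name__ == "__main__":
    for event in diff_snapshots(POLL_1, POLL_2):
        print(event)
    print(reverted_between_polls())
```

Shortening the polling interval narrows the blind spot but does not close it, which is why the thread points to Windows Auditing for attribution.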


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Small correction - Alain, not Adam.  Unless, however, there is another WMI
Guru out there with the surname Lissoir that I'm not aware of.  Anything is
possible, I suspect.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the
original and new values are.  Adam Lissoir wrote some scripts that
demonstrate this.  I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by
products like Quest's Change Manager for Active Directory and NetPro's
AD-related change monitoring products.  The existing ADSI and LDAP
interfaces do not appear to offer the degree of granularity that these
products are capable of obtaining in terms of AD changes that they can
monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm
thinking that AD has to have something similar.  However, the MSDN
Platform SDK documentation doesn't identify anything in way of API
functions or COM interfaces [e.g. ADSI] that are capable of providing
the sort of event notification that I'm needing to use in my
application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for
single valued attributes, I need to know the before & after values, and
in the case of multi-valued attributes, I need to know which individual
value was added to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in
AD event monitoring?


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road  864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a 
list of SP1 changes? I think it was this DL..)

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Yes, exactly as joe wrote, this was a terminology thing.

In my language, the base schema includes all the classes and attributes that 
ship with the OS, and in ~Eric's language, the base schema includes only those 
that are specifically marked as Category 1 (to have several protections). And 
well, he represents the guys who own Windows and AD, so I guess they get to 
define the terminology...

Both ~Eric and I agree that you cannot set a Category 1 attribute as 
confidential, but you can set a Category 2 attribute as confidential.

Yours, Sakari

PS. Then it's another story why an attribute such as the cost of a site link is 
not marked to be Category 1 (the base schema) and therefore doesn't have the 
protection of base schema attributes.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, July 14, 2005 6:59 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who 
 was asking for a list of SP1 changes? I think it was this DL..)
 
 I think it is a terminology thing. I would guess that Sakari is considering
 anything shipped in the base product is considered base schema. Of course
 your definition should match perfectly because the underlying code should be
 that it tests that flag and if it matches it won't allow the update. Since
 that is the verification mechanism, it would be an extremely odd case where
 it wasn't correct and would indicate a very very odd error that is nigh
 impossible. 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric 
 Fleischman
 Sent: Tuesday, July 12, 2005 8:30 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who 
 was asking for
 a list of SP1 changes? I think it was this DL..)
 
 For clarity, this is the flag I'm making reference to:
 
   1 systemFlags: 0x10 = ( FLAG_SCHEMA_BASE_OBJECT );
 
 If that is set on a schema element, my contention is that on an SP1 DC it
 should not allow you to set the confidential bit.
 
 Show me a counterexample please.
 
 ~Eric
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric 
 Fleischman
 Sent: Tuesday, July 12, 2005 5:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who 
 was asking for
 a list of SP1 changes? I think it was this DL..)
 
   ~Eric wrote:
   We actually block all base schema elements if I remember correctly.
 
  No you don't. Of the 1070 base schema attributes, you only block the 1007
  ones that are marked as category 1. The remaining 63 attributes, such as
  msDS-ExternalKey, are not marked and therefore don't have this or any 
  other protection for base schema attributes.
 
 Looking at your example msds-externalkey, I don't see the base flags bit
 set. Therefore, it would not be blocked.
 Looking at the code, right now, I stand by the earlier statement: we block
 base schema elements. Base schema elements are defined as the elements with
 the base schema flag set. All of them should be blocked.
 
 Please show me an example of a base schema element with the base schema flag
 set where I'm wrong.
 
 ~Eric
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
 Sent: Tuesday, July 12, 2005 4:39 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who 
 was asking for
 a list of SP1 changes? I think it was this DL..)
 
 Hi Brett and ~Eric,
 
 Thanks for your comments on my confidential attribute post. Now I solved,
 how to set the confidentiality in a way where unnecessary permissions are
 not granted.
 
  Brett wrote:
  A) Small note, 0xF is 15 decimal and is equivalent to
  4 bits set (0b)
 
 Thanks for catching my silly mistake. Yes, I meant 0x10, which is 16 in
 decimal. Fortunately this part was not about setting bits, but just checking
 which base schema attributes have protection.
 
  Brett wrote (and ~Eric agreed):
  B) Why can't you grant the explicit extended right for reading the 
  confidential attribute?  I assume there is one, there has to be.
 
 No there isn't. I went through the 49 extended rights that 
 exist in SP1, and
 none of them seems to be for controlling confidentiality. 
 This is 

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---



Just pull one of the drives out, put it in your other server and let the
RAID 1 rebuild.

Jeremy Waldrop
Systems Engineer
4Front Systems, Inc.
860 Aviation Parkway
Morrisville NC 27560
Main Line: (919)653-4400
Support Line: (919) 653-
Web: http://www.4frontsystems.com
email: [EMAIL PROTECTED]

  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Tuesday, July 19, 2005 6:13 AM
  To: Active
  Subject: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..
  
  Hi all,
  
  Having read a few recent mails regarding server imaging, it's interesting 
  to hear how 'easy' it has been for those who have responded. I have been 
  having difficulties trying to create an image, I will explain further...
  
  I have 10xHP Proliant 380's G4, to save time I thought I would configure 
  one of the Proliant Servers (RAID 1 for OS), install a basic installation 
  of Windows 2003 Standard, sysprep it then create a ghost image of this 
  file so I could install the image on the remaining 9 Proliant Servers.
  
  So I created a standard image, sysprep'd it then rebooted, I ran ghost 
  and this is where the issue began, it did not recognise the disks (in RAID 1) 
  for me to be able to ghost the drive, is there any docs or drivers or steps I 
  have missed or need to look at?
  
  I know my information is vague, but I tried this over a month ago so my 
  memory is pretty poor.
  
  Anyone with some advice where I should be looking?
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Delegation of privilege

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
This may be a "rotten" answer or a perfect answer... Check out TWEAKUI for
Windows XP. Its ACCESS CONTROL section gives you "UI" ability to change very
specific activities' permissions, e.g. creating a share, etc. You might
try it (in a lab, first of course) as far as how it works on 2003 for the
specific things you are trying to accomplish. Because the Access Control will
be server (in your case, DC) specific, it might just work. I've NOT
tried it... but I think it'd be worth a shot.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann,

You could grant your user those privileges
that are listed as User Rights, by applying a corresponding Group Policy Object
to only one DC. However, this is probably not enough for you. For example, you
cannot grant a privilege to format hard drives or share folders this way.

Yours, Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my user server
operator privilege on only one DC, and not the whole DCs of my AD
2003.

I know that DCs do not have sam locally, and the only
way to give this privilege is to use the Built-in Groups in the Built-in
Container. But doing this allow my user to be server op for all DCs in my
domain.

The purpose of my question is;

= to give one user the privilege to fully manage
*only one* DC with server operator privilege,
without having the right to use MMCs such as ADUC, Schema, dssite, replmon,
repadmin commands.

Is this possible ?

Thanks for input.

Cheers,

Yann
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Logon script with Admin rights

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
This installation also needs to be run from a mapped drive.  I would
really like to run this in GPO via VB Script.  If anyone knows the best
way to do this, lemme know.

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, July 19, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logon script with Admin rights

There is simple way of doing this that works if
a) the .exe has a quiet option (-q for example) with no gui output
b) it is not necessary to install the program from a logon script


Simply install the program from another machine using psexec.exe 
i.e
logon remote machine with sufficient privileges and run
psexec -c \\remotemachine install.exe -q
where install.exe is the installation program

This method has several advantages if you put it in a script
1) It can easily be extended to install over a range of computers
2) You can get feedback as to whether it has installed or not. 

As Rick points out, preparing .msi files has its drawbacks, not least
of which is access to a clean machine to prepare it on.


Regards

Peter Jessop
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Delegation of privilege

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
You have answered your own question. 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my user 
"server operator" privilege on only one DC, and not the whole DCs of my AD 
2003.
I know that DCs do not have sam 
locally, and the only way to give this privilege is to use the Built-in Groups 
in the Built-in Container. But doing this allow my user to be server op for 
all DCs in my domain.

The purpose of my question is;
= to give one user the privilege 
to fully manage *only one* DC with "server operator" privilege, 
without having the right to use MMCs such as ADUC, Schema, dssite, replmon, 
repadmin commands.

Is this possible ?

Thanks for input.

Cheers,

Yann
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] GC availability issue?

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---



Hi Jeremy,

If you have 5 DCs and 9 sites, do you have non-DC-related 
reasons to have sites? If not, you could remove all sites that don't have a DC, 
and link their subnet objects to some remaining sites.

For example, if your DCs are on two AD sites, and then you 
have seven DC-less locations, you could add the subnets of those seven locations 
to either one of your AD sites.

Yours, Sakari


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
  Sent: Monday, July 18, 2005 9:34 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] GC availability issue?
  
  
  Everyone,
   
  We have an empty root domain and a child domain with approximately 9 or so 
  sites in the forest. The root domain has 2 DCs (1 GC) and the child 
  domain has 3 DCs (1GC) both of which are located in our main site. At 
  our main site where I am located we have approximately 500 users. The 
  best scenario I can give you is we do PC rollouts where we take a large number 
  of PCs 30-50 at a time and rename them with an old extension in the host name 
  then we bring a new machine onto the network with the same name. 
  Sometimes we get an error saying the computer account already exists in the 
  organization when we try to name the new machine with the same name, but the 
  issue is inconsistent. I did some traffic sniffing with a PC and found 
  that approximately 50% of the time machines in our site are contacting servers 
  in other site for directory service information instead of our site DCs. 
  Even machines that have been on the network are not using local site DCs for 
  information all the time but using other site DCs instead. I am 
  wondering what could be causing this. This configuration has been static 
  for sometime nothing new has been introduced except for Windows 2003 schema 
  (could this be the cause?). I think it is because we do not have enough 
  GCs in our site (2), but my boss disagrees. What does everyone 
  think?
  
  Jeremy
  
  ---
  Jeremy Burkes
  Strategic Systems Programs
  Management Information Systems
  Help Desk: 202-764-1442
  Work: 202-764-1270 | Fax: 202-764-1503
  [EMAIL PROTECTED]
  
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Delegation of privilege

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
I will read carefully all the docs you forwarded me.

I just noticed that when I do a whoami /all command on my DC with my domain 
admin account (for example), I found these privileges:

SeChangeNotifyPrivilege  activate
SeImpersonatePrivilege   activate
SeCreateGlobalPrivilege  activate

I wonder if just giving a user these privileges, this user may have the same 
privilege, but I think it is a naive thought :-)

I will rather read the secdefs.doc, Active Directory Delegation Best Practices 
document, and the delegwiz.inf

Thanks all for help.

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, July 19, 2005 15:12
To: ActiveDir.org
Subject: Re: [ActiveDir] Delegation of privilege

Search microsoft.com for secdefs.doc

The document is

Default access control settings in Windows Server 2003

Mark
-Original Message-
From: TIROA YANN [EMAIL PROTECTED]
Date: Tue, 19 Jul 2005 15:03:40
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Ok, Thanks Sakari and Dan for your answers :) 
 
I will test TWEAKUI for Windows XP. 
 
But in fact, my need is rather giving a user server op, or equivalent 
privilege, for only *one DC* and not the whole DCs of my Domain. 
 
Last question:  Where all the privileges are defined for built-in accounts ? 
are they in a .ini file or whatever ? 
Ex: domains admin have the right to do this action. I'd like to find where 
those privileges are declared in an special ACL, a file, a registry ? 
 
Thanks for Input :)
Yann
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, July 19, 2005 08:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

This may be a “rotten” answer or a perfect answer…  Check out TWEAKUI for 
Windows XP.  Its ACCESS CONTROL section gives you “UI” ability to change very 
specific activities’ permissions, e.g. creating a share, etc.  You might try it 
(in a lab, first of course) as far as how it works on 2003 for the specific 
things you are trying to accomplish.  Because the Access Control will be server 
(in your case, DC) specific, it might just work.  I’ve NOT tried it… but I 
think it’d be worth a shot. 

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann,

You could grant your user those privileges that are listed as User Rights, by 
applying a corresponding Group Policy Object to only one DC. However, this is 
probably not enough for you. For example, you cannot grant a privilege to 
format hard drives or share folders this way.

Yours, Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my user server operator privilege on only 
one DC, and not the whole DCs of my AD 2003.

I know that DCs do not have sam locally, and the only way to give this 
privilege is to use the Built-in Groups in the Built-in Container. But doing 
this allow my user to be server op for all DCs in my domain.

The purpose of my question is;

= to give one user the privilege to fully manage *only one* DC with 
server operator privilege, without having the right to use MMCs such as 
ADUC, Schema, dssite, replmon, repadmin commands.

Is this possible ?

Thanks for input.

Cheers,

Yann
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Logon script with Admin rights

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
One caveat to this - if you are going to be accessing a network resource,
the default behavior is NOT to wait for the network stack to be initialized
before completing computer startup.  The obvious problem of not being able
to AuthN the user or the computer against AD is handled via cached
credentials, etc.

However - this behavior can be changed to force the system to wait for the
network stack to be loaded, inited, and available before the policies are
run.  

To do this, you will need to set:

\Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon == enabled.

This will noticeably slow down the appearance of the logon dialog, but
nothing that your users will not get over in a very short period of time.
The added delay is small, typically.  In environments with 10s of GPO's to
process - 5 second delay is what I've experienced.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, July 19, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

If you use a startup script, it will run as local system and be able to
fully install.  If, however, it NEEDS to be run as a user, this won't
work.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an
application on a user's PC as an Administrator?  I don't want to expose
the password using 'run as'

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Default Domain

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
not tried it myself, but it should work as I know Quest DMW does this (setting 
a different default domain) when migrating computers
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Tue 7/19/2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain



Has anyone tried this?  I got it off of another list I am a part of. 

The default domain name is stored in the DefaultDomainName registry 
value, but there is no built-in Group Policy setting to control its value. You 
can easily create a custom .adm file that will let you configure the 
default domain for computers that have the GPO applied. To do so, save 
this code as defaultdomain.adm in the C:\windows\inf folder. 

; Applies to Computer Configuration (HKEY_LOCAL_MACHINE)
CLASS MACHINE
CATEGORY "Logon Settings"
  KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  POLICY "Default Domain"
    PART "Default Domain" EDITTEXT
      ; Registry value written under KEYNAME
      VALUENAME "DefaultDomainName"
    END PART
  END POLICY
END CATEGORY

You can then add this template to an existing or new GPO's Computer 
Configuration section. To do so, select Add/Remove Templates. Click Add 
and select the defaultdomain.adm file. Because this registry subkey 
isn't in a standard, managed portion of the registry, you won't see it 
until you select Filtering under the View menu and clear the Only show 
policy settings that can be fully managed check box, as the figure at 
http://list.windowsitpro.com/t?ctl=EA05:2C262 
shows. 
   The new policy will be available under Computer Configuration, 
Administrative Templates, Logon Settings, Default Domain. The policy 
sets the specified domain on computers that receive the policy, as the 
figure at 
http://list.windowsitpro.com/t?ctl=EA08:2C262 
shows. During migrations between domains, this policy saves users from 
having to select a new domain from the drop-down list.


Justin A. Salandra 
MCSE Windows 2000 & 2003 
Network and Technology Services Manager 
Catholic Healthcare System 
212.752.7300 - office 
917.455.0110 - cell 
[EMAIL PROTECTED] 


---End Message---
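The template in the quoted article writes to the Winlogon key, outside the registry's Policies subtrees, which is why the editor only shows it once the "Only show policy settings that can be fully managed" filter is cleared. The following is an added example (not from the post or from any Microsoft tool) that parses a small subset of .adm syntax and flags such values before a template is loaded into a GPO; the list of managed subtrees, the function names and the second sample template are assumptions made for the illustration.

```python
import re

# Registry subtrees that Group Policy cleans up when a GPO stops applying.
# Assumption: general Group Policy behaviour, not something stated in the post.
MANAGED_PREFIXES = (
    "software\\policies",
    "software\\microsoft\\windows\\currentversion\\policies",
)

# The template from the post, with the quoting that .adm syntax requires.
POSTED_ADM = r'''
CLASS MACHINE
CATEGORY "Logon Settings"
  KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  POLICY "Default Domain"
    PART "Default Domain" EDITTEXT
      VALUENAME "DefaultDomainName"
    END PART
  END POLICY
END CATEGORY
'''

# Constructed contrast case: a hypothetical policy under a managed subtree.
MANAGED_ADM = r'''
CLASS USER
CATEGORY "Example"
  POLICY "Example setting"  ; constructed sample
    KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
    VALUENAME "ExampleValue"
  END POLICY
END CATEGORY
'''


def tokenize(line):
    """Split one .adm line into tokens; quoted strings stay whole, ';' starts a comment."""
    tokens = []
    for tok in re.findall(r'"[^"]*"|;.*|[^\s";]+', line):
        if tok.startswith(";"):
            break
        tokens.append(tok.strip('"'))
    return tokens


def is_managed(key):
    """True when the key sits at or below one of the managed Policies subtrees."""
    k = key.strip("\\").lower()
    return any(k == p or k.startswith(p + "\\") for p in MANAGED_PREFIXES)


def registry_writes(adm_text):
    """Return one record per VALUENAME: hive, key, value, policy name, managed flag."""
    hive, scopes, writes = None, [], []
    for raw in adm_text.splitlines():
        tok = tokenize(raw)
        if not tok:
            continue
        word = tok[0].upper()
        arg = tok[1] if len(tok) > 1 else ""
        if word == "CLASS":
            hive = {"MACHINE": "HKLM", "USER": "HKCU"}.get(arg.upper())
        elif word in ("CATEGORY", "POLICY", "PART"):
            scopes.append({"type": word, "name": arg, "key": None})
        elif word == "END" and scopes and arg.upper() == scopes[-1]["type"]:
            scopes.pop()
        elif word == "KEYNAME" and scopes:
            scopes[-1]["key"] = arg  # innermost KEYNAME overrides outer ones
        elif word == "VALUENAME":
            key = next((s["key"] for s in reversed(scopes) if s["key"]), None)
            policy = next((s["name"] for s in reversed(scopes)
                           if s["type"] == "POLICY"), "")
            writes.append({"hive": hive, "key": key, "value": arg,
                           "policy": policy,
                           "managed": bool(key) and is_managed(key)})
    return writes


def unmanaged_writes(adm_text):
    """Values the template sets outside the managed Policies subtrees."""
    return [w for w in registry_writes(adm_text) if not w["managed"]]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ADM), ("constructed", MANAGED_ADM)):
        for w in registry_writes(text):
            state = "managed" if w["managed"] else "UNMANAGED"
            print(f'{name}: {w["hive"]}\\{w["key"]} -> {w["value"]} [{state}]')
```

Values flagged as unmanaged stay in the registry after the GPO stops applying, so unlinking the GPO does not restore the previous default domain.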


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] DC Backups

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---

I have something that is bugging me and maybe someone on this list
knows. I have two 2003 DCs. DC1 has 3 drives C, D and E. I installed the
database on E and the logs on D. On DC2 on a different site, it has 2
drives C and D. I installed the database on D and the logs on C with the
OS.

I am doing an all drives backup of both DCs with NTBACKUP on Sundays,
separate from the daily System States. On DC1, I can drill down on the E
drive and see NTDS.DIT file selected and I can choose to unselect it if I
want. On DC2, I also see the E drive selected, however when I drill down
I can NOT select the NTDS.DIT file and other files on the NTDS
directory. 

I've read that the database is part of the System State backup and that
it can not be backed up or restored individually. If that's the case I
would expect to see the same kind of thing on both DCs.

Anyone know why this is?

Thanks 

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health
Voice (602) 495-4195 Fax (602) 495-4406
 
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All WMI does is poll AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:  

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] DC Backups

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
I'm sure you've figured this out on your own, but just in case, you're
right... AD is part of the system state and even if you CAN back up
NTDS.DIT 'separately' as a file, you shouldn't.  You need the system
state to do any kind of restore operation in Dir Svcs Restore Mode.  

So b/c you can't do anything with it, you're wasting time, tape, and
who knows what else.  Don't get too caught up in why you can or can't
see it or can or can't (de)select it... 

Instead (something COOL and not publicized enough) -- test your DC
restore process on a 2K3 SP1 machine and check out the LDIF file that
Auth Restore creates for you to help make restoring group memberships
MUCH easier... COOL! <grin> and off the subject, but cool...

Dan Holme
Intelliem
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---



in addition: Ghost 9.0 supports only raid 0 (stripe) and
raid 5 (stripe sets with parity)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Wednesday, July 20, 2005 2:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

Am I missing something here?

Ghost and RAID
Ghost is not compatible with computers that use RAID. That
is, Symantec Ghost 8.x and earlier, and Norton Ghost 2003 and earlier, do not
support RAID controllers on computers that are being imaged. In addition:

http://service1.symantec.com/SUPPORT/ghost.nsf/docid/1999010613522725?Open

Grtz J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 20, 2005 2:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

You have multiple problems here:

The SmartArray card has no RAID config. The default varies though my
experience is it RAID5s the first four drives and shuts down the remaining
two in a DL380G4.

Ghost likely does not have a driver enabling it to see the SCSI disk. You will
need to modify the config.sys and add CPQ's DOS driver

If you search the Compaq support & drivers section, you want the SmartStart
scripting toolkit. It will show you how to script the hardware setup before you
load your image. I would recommend you instead of Ghost here use PXE boot and
Microsoft ADS. There's even a long post at the top of my blog, briandesmond.com,
detailing all the steps to get it working with Proliant hardware; my test
environment was DL380G4s. For server imaging, ADS is FAR more powerful than
Ghost.

--Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, July 19, 2005 5:13 AM
To: Active
Subject: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

Hi all,

Having read a few recent mails regarding server imaging,
it's interesting to hear how 'easy' it has been for those who have responded. I
have been having difficulties trying to create an image, I will explain
further...

I have 10xHP Proliant 380's G4, to save time I thought I
would configure one of the Proliant Servers (RAID 1 for OS), install a
basic installation of Windows 2003 Standard, sysprep it then create a ghost
image of this file so I could install the image on the remaining 9 Proliant
Servers.

So I created a standard image, sysprep'd it then
rebooted, I ran ghost and this is where the issue began, it did not recognise
the disks (in RAID 1) for me to be able to ghost the drive, is there any docs or
drivers or steps I have missed or need to look at?

I know my information is vague, but I tried this over a
month ago so my memory is pretty poor.

Anyone with some advice where I should be looking?
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---



Am I missing something here?

Ghost and RAID
Ghost is not compatible with computers that use RAID. That
is, Symantec Ghost 8.x and earlier, and Norton Ghost 2003 and earlier, do not
support RAID controllers on computers that are being imaged. In addition:

http://service1.symantec.com/SUPPORT/ghost.nsf/docid/1999010613522725?Open

Grtz J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, July 20, 2005 2:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

You have multiple problems here:

The SmartArray card has no RAID config. The default varies though my
experience is it RAID5s the first four drives and shuts down the remaining
two in a DL380G4.

Ghost likely does not have a driver enabling it to see the SCSI disk. You will
need to modify the config.sys and add CPQ's DOS driver

If you search the Compaq support & drivers section, you want the SmartStart
scripting toolkit. It will show you how to script the hardware setup before you
load your image. I would recommend you instead of Ghost here use PXE boot and
Microsoft ADS. There's even a long post at the top of my blog, briandesmond.com,
detailing all the steps to get it working with Proliant hardware; my test
environment was DL380G4s. For server imaging, ADS is FAR more powerful than
Ghost.

--Brian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, July 19, 2005 5:13 AM
To: Active
Subject: [ActiveDir] OT: Ghost Imaging HP Proliant Servers..

Hi all,

Having read a few recent mails regarding server imaging,
it's interesting to hear how 'easy' it has been for those who have responded. I
have been having difficulties trying to create an image, I will explain
further...

I have 10xHP Proliant 380's G4, to save time I thought I
would configure one of the Proliant Servers (RAID 1 for OS), install a
basic installation of Windows 2003 Standard, sysprep it then create a ghost
image of this file so I could install the image on the remaining 9 Proliant
Servers.

So I created a standard image, sysprep'd it then
rebooted, I ran ghost and this is where the issue began, it did not recognise
the disks (in RAID 1) for me to be able to ghost the drive, is there any docs or
drivers or steps I have missed or need to look at?

I know my information is vague, but I tried this over a
month ago so my memory is pretty poor.

Anyone with some advice where I should be looking?
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Logon script with Admin rights

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
http://www.acronis.com/enterprise/products/snapdeploy/


Might be an option

Grtz J 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 20, 2005 0:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

well, I could think of many more drawbacks using this option...

don't get me wrong - psexec is cool. But I don't really see it as an option to
deploy software to many clients of which usually a certain percentage is
remotely connected or offline.  So you'd have to build your own little
framework to ensure availability of the clients and successful install of the
app etc.  The success naturally depends on your client landscape

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, July 19, 2005 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logon script with Admin rights

There is a simple way of doing this that works if
a) the .exe has a quiet option (-q for example) with no gui output
b) it is not necessary to install the program from a logon script


Simply install the program from another machine using psexec.exe, i.e. logon
remote machine with sufficient privileges and run
psexec -c \\remotemachine install.exe -q
where install.exe is the installation program

This method has several advantages if you put it in a script
1) It can easily be extended to install over a range of computers
2) You can get feedback as to whether it has installed or not. 

As Rick points out preparing .msi files has its drawbacks, not least of which 
is access to a clean machine to prepare it on.


Regards

Peter Jessop
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] User with LDAP userPassword permissions

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---








I didn't see any responses to this... don't know if I missed an answer... but
you should be able to ACL the Write permission to the userPassword property to
any account you want, and you're right to do it to a limited account, although
I'd be concerned about ANY code that could be accessed and leveraged to change
passwords... but that's a security discussion, not a delegation discussion.

What's the actual PROBLEM? Is it the delegation or how to do it? I've not
dealt with that attribute recently, but I might have the piece (that most
people miss) for you. Hopefully this is the answer:

You need to expose the permissions for that property in order to delegate
them. There are LOTS of properties of a user (and other objects) that are
hidden to keep the ACL Editor clean.

On the machine FROM WHICH YOU ADMINISTER, open Notepad and open
%windir%\system32\dssec.dat

Find the section [user].

Find the line userPassword=7. Delete it. (The =7 hides the permissions for
this property in the ACL editor.)

Restart AD Users & Computers.

In ADUC: View > Advanced Features.

Right-click the OU that contains the users for whom you want this PHP app to
set the passwords.

Security > Advanced > Add

Specify the account (or a group containing the account) used by the PHP app.

In the dialog box, click the PROPERTIES tab.

In the drop-down list, choose USER OBJECTS.

Scroll down and you'll find Write userPassword.

If this doesn't work, or wasn't quite the problem you were having, please
reply. In such case, please let us know what domain and forest functional
level you're running and if you have SP1 on your W2K3 DCs. It makes a
difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, July 18, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User with LDAP userPassword permissions

Hi,

I'm trying to give an account permission to update the
userPassword field via LDAP protocol in PHP. I have it working perfect
using my Admin account. But since that has to be stored in the PHP file I
would really like to have an account with much tighter security able to make
the modification.

Any ideas?

Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+
---End Message---
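The dssec.dat steps in Dan's reply, as an added example (not part of the original post or of any Microsoft tool): a small parser that lists which attributes a copy of dssec.dat hides in a given section and returns an edited copy with one "=7" line removed from that section only. The sample file content is constructed and the function names are hypothetical.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*([^=;\s]+)\s*=\s*(\d+)\s*$")

# Constructed, abbreviated sample; not copied from a real dssec.dat.
SAMPLE = """\
[user]
aCSPolicyName=7
userPassword=7
userCertificate=7
[inetOrgPerson]
userPassword=7
"""


def hidden_properties(text, section):
    """Attributes whose entry in [section] is 7, i.e. hidden in the ACL editor."""
    current, found = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        e = ENTRY_RE.match(line)
        if e and current == section.lower() and e.group(2) == "7":
            found.append(e.group(1))
    return found


def is_visible(text, section, prop):
    """True when the ACL editor would list permissions for prop on this class."""
    hidden = {p.lower() for p in hidden_properties(text, section)}
    return prop.lower() not in hidden


def expose_property(text, section, prop):
    """Return (new_text, removed): drop the 'prop=7' line from [section] only.

    Section and attribute names are matched case-insensitively; every other
    line, including the same attribute in other sections, is kept unchanged.
    """
    current, kept, removed = None, [], 0
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
        e = ENTRY_RE.match(line)
        if (e and current == section.lower()
                and e.group(1).lower() == prop.lower()
                and e.group(2) == "7"):
            removed += 1
            continue
        kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    print("hidden in [user] before:", hidden_properties(SAMPLE, "user"))
    edited, count = expose_property(SAMPLE, "user", "userPassword")
    print("lines removed:", count)
    print("hidden in [user] after: ", hidden_properties(edited, "user"))
    print("still hidden in [inetOrgPerson]:",
          hidden_properties(edited, "inetOrgPerson"))
```

The file only filters what the ACL editor on that workstation displays; the permission itself lives in the ACL on the OU, so a workstation with an unedited dssec.dat will not show the delegated "Write userPassword" entry when someone reviews it.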


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Does a domain require a GC?

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---



I wouldn't call the GC per site a requirement as much as I
would call it a best practice. Environments can and do function fine without GCs
(or even DCs) in every site. You can run into issues when network connectivity
breaks, but it would be assumed you are thinking of this when you designed the
topology.

If the OP's Exchange servers are all in a centralized
location, then set up a special site for Exchange and only have GCs in that site
from the domain with all of the groups and users. Then DSACCESS/DSPROXY will
pick out and give those GCs to clients to use so that outlook doesn't have to be
overridden from its default behavior on what it wants to do.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 18, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Does a domain require a GC?

Kevin,

As I recall, the requirement is on a PER SITE for GCs - I don't remember
seeing a PER DOMAIN requirement. Given that the GC is a forest-wide element,
the domain function really doesn't seem to make sense. However, the site
requirement for the GC is an obvious one - groups and specifically Universal
groups.

Given that sites can span domains - I can't think of a dependency that would
require a GC in each domain, as long as site requirements are met.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 18, 2005 11:19 AM
To: ActiveDir@mail.activedir.org; Exchange Discussions
Subject: [ActiveDir] Does a domain require a GC?

We have two domains in our forest.
The "empty" root domain, and a resource domain where everything else lives. The
root domain has two DCs - one each in two different sites.

Our main domain has several DCs, and
most of those are GCs as well. The sites containing the root DCs each also
have at least one resource domain DC, and at least one of these DCs is a GC. In
other words, all sites have at least one resource domain DC and at least
one of those is a GC as well.

My question is: can I remove GC
function from the two root DCs? I seem to recall reading that at least one
DC in a domain had to be a GC, but I can't find that requirement now.

All DCs are server 2003. The forest is 2000 native mode.

Why do I want to do this? We
configure Outlook to use the "closest" GC. We want to insure that Outlook
can manage distribution lists (universal groups), and Outlook can only do
that if the GC is in the same domain as the group. We are currently using a
home-grown application to manage DL membership, but we'd like to switch back to
outlook.
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Default Domain

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---BeginMessage---
I too have seen this and can reproduce it over and over.  After we migrate a PC 
from our NT4 domains to AD, Quest DMW sets the default domain to our AD domain. 
 However if the user hits ctrl-alt-del to logon and then ESC and then 
CTRL-ALT-DEL again, the default domain is set to the local computer account.  
Kinda a pain.  I think it reverts to the AltDefaultDomainName key value, maybe 
you could set both keys and it would revert back to the correct setting.



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 7/19/2005 5:36 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain



We are using a startup script that has two reg add commands

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f

This has worked very well for us during and post migration.  Most of our
users came from small NT domains and we only finished the 1000 NT domains
to 9 AD domains over the last 6 months.  Where this does not work is if I
choose to logon, then hit escape - for some reason when I hit ctrl alt del
the second time the last domain I logged into shows up instead of the
specified DOMAINAME above.  This might have been specific to one machine or
may be a problem with one of the entries - I only saw it the once and have
not had time to go back and investigate.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[EMAIL PROTECTED]




Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/19/2005 11:59 PM ZE2
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain







got ya - makes sense in this case.

however, you could also educate users to logon via UPN thus not
requiring the selection of a domain at all, regardless of the
domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, July 19, 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someone's computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer.  Similar to when my helpdesk people login to the local
machine, the user doesn't try to then login to the local machine using
their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare 

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Logon script with Admin rights

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
well, I could think of many more drawbacks using this option...

don't get me wrong - psexec is cool. But I don't really see it as an
option to deploy software to many clients of which usually a certain
percentage is remotely connected or offline.  So you'd have to build
your own little framework to ensure availability of the clients and
successful install of the app etc.  The success naturally depends on
your client landscape

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, July 19, 2005 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logon script with Admin rights

There is a simple way of doing this that works if
a) the .exe has a quiet option (-q for example) with no gui output
b) it is not necessary to install the program from a logon script


Simply install the program from another machine using psexec.exe
i.e.
logon remote machine with sufficient privileges and run
psexec \\remotemachine -c install.exe -q
where install.exe is the installation program

This method has several advantages if you put it in a script
1) It can easily be extended to install over a range of computers
2) You can get feedback as to whether it has installed or not.

As Rick points out preparing .msi files has its drawbacks, not least
of which is access to a clean machine to prepare it on.


Regards

Peter Jessop
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Default Domain

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
We are using a startup script that has two reg add commands

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f

This has worked very well for us during and post migration.  Most of our
users came from small NT domains and we only finished the 1000 NT domains
to 9 AD domains over the last 6 months.  Where this does not work is if I
choose to logon, then hit escape - for some reason when I hit ctrl alt del
the second time the last domain I logged into shows up instead of the
specified DOMAINAME above.  This might have been specific to one machine or
may be a problem with one of the entries - I only saw it the once and have
not had time to go back and investigate.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[EMAIL PROTECTED]



 
Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/19/2005 11:59 PM ZE2
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain
 

 




got ya - makes sense in this case.

however, you could also educate users to logon via UPN thus not
requiring the selection of a domain at all, regardless of the
domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, July 19, 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someone's computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer.  Similar to when my helpdesk people login to the local
machine, the user doesn't try to then login to the local machine using
their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client.

The question is, if you really need it/want it. Most computer migration
tools can set that value during the migration of the PC from source to
target.  But you might very well not want to change this value at the
time of the computer-migration = you'll typically want to change it
during migration/activation of the user accounts.  This is often not
done at the same time, 

[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] DC Backups

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---

Sorry, I meant drives C and E on DC2, database on E and logs on C with
the OS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, July 17, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Backups

You said the db was on the D: drive for DC2, so why would you see it on
E:?

Also, where are you running NTBackup from?

If from DC1 when you are trying to drill down DC2's drive, that might
not work since you can't remotely back up the system state with
NTBackup.
You would need a third party backup app like Veritas Backup Exec for
that.
--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   Re: [ActiveDir] Delegation of privilege

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Yes that's a good document, one of Sanjay's best pieces of work.

The best bit for me was the custom delegwiz.inf in the appendices, which I have
managed to extend now to include create mailbox, delete mailbox etc etc..

Mark

-Original Message-
From: Francis Ouellet [EMAIL PROTECTED]
Date: Tue, 19 Jul 2005 09:26:08 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Hi Mark,


You might want to have a look at the Active Directory Delegation Best Practices
document available from MS @
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
Might not answer your question directly but it's an awesome primer on
delegation.

Francis 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: July 19, 2005 9:12 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Delegation of privilege

Search microsoft.com for secdefs.doc

The document is

Default access control settings in Windows Server 2003

Mark
-Original Message-
From: TIROA YANN [EMAIL PROTECTED]
Date: Tue, 19 Jul 2005 15:03:40
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Ok, Thanks Sakari and Dan for your answers :) 
 
I will test TWEAKUI for Windows XP. 
 
But in fact, my need is rather giving a user server op, or equivalent 
privilege, for only *one DC* and not the whole DCs of my Domain. 
 
Last question:  Where all the privileges are defined for built-in accounts ? 
are they in a .ini file or whatever ? 
Ex: domains admin have the right to do this action. I'd like to find where 
those privileges are declared in an special ACL, a file, a registry ? 
 
Thanks for Input :)
Yann
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, July 19, 2005 08:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

This may be a "rotten" answer or a perfect answer...  Check out TWEAKUI for
Windows XP.  Its ACCESS CONTROL section gives you "UI" ability to change
very specific activities' permissions, e.g. creating a share, etc.  You might
try it (in a lab, first of course) as far as how it works on 2003 for the
specific things you are trying to accomplish.  Because the Access Control will
be server (in your case, DC) specific, it might just work.  I've NOT tried
it... but I think it'd be worth a shot.
 
 
 
Dan
 
 
 
 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege
 
 
 
Hi Yann,
 
 
 
You could grant your user those privileges that are listed as User Rights, by 
applying a corresponding Group Policy Object to only one DC. However, this is 
probably not enough for you. For example, you cannot grant a privilege to 
format hard drives or share folders this way.
 
 
 
Yours, Sakari
 
 
 
 
 
   
 
   
   
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my user server operator privilege on only
one DC, and not the whole DCs of my AD 2003.
I know that DCs do not have sam locally, and the only way to give this
privilege is to use the Built-in Groups in the Built-in Container. But doing
this allow my user to be server op for all DCs in my domain.

The purpose of my question is;
= to give one user the privilege to fully manage *only one* DC with
server operator privilege, without having the right to use MMCs such as
ADUC, Schema, dssite, replmon, repadmin commands.

Is this possible ?

Thanks for input.

Cheers,

Yann
---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] User with LDAP userPassword permissions

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---



Hi,

I'm trying to give an account permission to update the userPassword field
via LDAP protocol in PHP. I have it working perfect using my Admin account.
But since that has to be stored in the PHP file I would really like to have
an account with much tighter security able to make the modification.

Any ideas?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+

---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   Re: [ActiveDir] Resource unavailable temporarily

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
Also when I perform various operations to AD using tools like ldp, or a perl
script, they are performed successfully.

- Original Message - 
From: Mayuresh Kshirsagar [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, July 19, 2005 11:15 PM
Subject: Resource unavailable temporarily


 I am connecting to an Active Directory Server, using a Meta Directory
 server. But while performing a base level it fails with error

 Schema search for 'attributeTypes' ERROR='Resource temporarily
unavailable'

 Any clues as to how can I debug this problem?
 Thanks,
 Mayuresh.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

---End Message---


[ActiveDir] Message Not Delivered

2005-07-20 Thread rfinley
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Logon script with Admin rights

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
I don't know what your budget might be, but a couple of my clients use
TQCRunAs by Quimeras (www.quimeras.com) for this kind of thing... this
tool lets you encapsulate a secondary logon, the credentials for that
logon, and a command in an encrypted .exe, which you could then use in a
logon script.  It's not free, but it's not expensive either, and it's a
great way to push things to users that require higher credentials,
without exposing any accounts.

Dan 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, July 19, 2005 8:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Al,

One of the problems with the .ZAP format - it only executes the underlying
program for install - but cannot be executed with elevated privileges as it
is run under the user's context.

.MSI is much better, but is not easy to create them correctly and
effectively without some experience and practice.  However, they can be
written to install at an elevated context.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Tuesday, July 19, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

Use the ZAP format.

See KB 231747 below

http://support.microsoft.com/default.aspx?scid=kb;en-us;231747



-Original Message-
From: Harding, Devon [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 19, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights


Unfortunately, this software is not a .msi format.  Can this still be
installed via GPO?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, July 19, 2005 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logon script with Admin rights

 Software installation from GPO works like a charm.

Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, July 19, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon script with Admin rights

How can I run a batch file logon script to map a drive and install an
application on a user's PC as an Administrator?  I don't want to expose
the password using 'run as'

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


---End Message---


[ActiveDir] OT: Roaming profiles and XP themes

2005-07-20 Thread Dan Stanford

We are just about to migrate over to Server 2003 from 2000, and in our
test set up, when newly created users with roaming profiles log into an
XP station, they get a modified desktop theme, instead of the default XP
teletubbies one - it has the classic task bar and start menu.  This
doesn't happen if I create a user with a local profile.  I know this is
going to fox some users - does anyone know how to stop it?

TIA,
Dan
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Default Domain

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
REG ADD has a disadvantage b/c it runs every time (thus adding to
startup delay) but of course has one big advantage... it runs every
time.  Unless you configure the registry client side extension
otherwise, it doesn't refresh (b/c the GPO itself hasn't changed)... so
you could still have a user from another domain change the domain, then
the next user is logging on to the wrong domain... A startup script is
useful to enforce that setting.

However, I agree that educating users to log on with the upn is a much
more viable answer for multidomain environments I would try to aim
for that.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 19, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Default Domain

We are using a startup script that has two reg add commands

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultdomainname /t REG_SZ /d DOMAINAME /f

reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultdomainname /t REG_SZ /d DOMAINAME /f

This has worked very well for us during and post migration.  Most of our
users came from small NT domains and we only finished the 1000 NT domains
to 9 AD domains over the last 6 months.  Where this does not work is if I
choose to logon, then hit escape - for some reason when I hit ctrl alt del
the second time the last domain I logged into shows up instead of the
specified DOMAINAME above.  This might have been specific to one machine or
may be a problem with one of the entries - I only saw it the once and have
not had time to go back and investigate.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[EMAIL PROTECTED]


 

Grillenmeier, Guido [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/19/2005 11:59 PM ZE2
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Default Domain

 





got ya - makes sense in this case.

however, you could also educate users to logon via UPN thus not
requiring the selection of a domain at all, regardless of the
domain-affiliation of the PC used during logon...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, July 19, 2005 23:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

I am actually thinking of using it since I have 7 domains in one forest,
if someone from a different domain uses someone's computer, on reboot the
domain that is selected in the drop down list is the proper domain for
that computer.  Similar to when my helpdesk people login to the local
machine, the user doesn't try to then login to the local machine using
their domain username, hence reducing phone calls to the helpdesk.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, July 19, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain

should work just like setting any other registry key on the client.

The question is, if you really need it/want it. Most computer migration
tools can set that value during the migration of the PC from source to
target.  But you might very well not want to change this value at the
time of the computer-migration = you'll typically want to change it
during migration/activation of the user accounts.  This is often not
done at the same time, so changing the value via GPO with the computer
migration could actually be counter-productive.

Further, it's not enough if you're implementing a new naming conventions
for user-accounts or simply need to change logon-names due to duplicates
during a domain-migration that consolidates multiple source domains to
one AD domain.  In this case you'll not only want to generically update
the 

[ActiveDir] Message Not Delivered

2005-07-20 Thread ssanders
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
---End Message---
---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   RE: [ActiveDir] Programmatic auditing of AD changes similar to what 
Quest/NetPro use

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

---BeginMessage---
No. It doesn't use DIRSYNC. To be honest, I would like, but that is another
story.
Just a question of priority among the millions of things to do in WMI ... :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I always assumed that the WMI call is using DirSynch under the covers.
That seemed to me to be the only way it would be able to accomplish the
notifications.  It's good to know that that is not the case.  Thanks Alain. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, July 19, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I just want to stress the fact that WMI is not an auditing technology per
se.
All what WMI does is polling AD for changes at regular intervals. Based on
WQL query and changes, it notifies the WMI consumer that there was a change.
No auditing information is available out of WMI. Windows Auditing must be
used to gather the who did it.
Moreover, I advise you to scope your WQL query very well (narrow scope) for
good performance.

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, July 19, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

WMI actually has an asynchronous call that you can use to monitor specific
objects.  It will notify you when the object changes and what the original
and new values are.  Adam Lissoir wrote some scripts that demonstrate this.
I think these links still work:

http://www.LissWare.Net
See Sample 3.54 - GroupMonitor.wsf

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Friday, July 08, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

I'm interested in identifying the programming interfaces used by products
like Quest's Change Manager for Active Directory and NetPro's AD-related
change monitoring products.  The existing ADSI and LDAP interfaces do not
appear to offer the degree of granularity that these products are capable of
obtaining in terms of AD changes that they can monitor & report on.

I'm familiar with Novell's eDirectory [f.k.a. NDS] and the sophisticated
async event notification API functions that it provides, and I'm thinking
that AD has to have something similar.  However, the MSDN Platform SDK
documentation doesn't identify anything in way of API functions or COM
interfaces [e.g. ADSI] that are capable of providing the sort of event
notification that I'm needing to use in my application.

I'm looking to track object creation, deletion, rename, move and
modification of attributes.  In the case of modified attributes, for single
valued attributes, I need to know the before & after values, and in the case
of multi-valued attributes, I need to know which individual value was added
to or removed from the attribute's value list.

Does anybody have any recommendations on what sorts of programming
interfaces are available that can provide this degree of granularity in AD
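
The point made in this thread, that a poller reports only the net difference between two reads and never who made a change, shown as a small simulation (an added example, not code from any of the messages). It models interval polling generically and does not call WMI; the DNs, account names and write log are constructed.

```python
"""Simulation of interval polling over constructed directory snapshots."""
from copy import deepcopy

GROUP = "CN=Helpdesk Admins,OU=Groups,DC=example,DC=com"   # constructed DNs
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"
TEMP = "CN=temp-admin,OU=Staff,DC=example,DC=com"

INITIAL = {GROUP: {"member": [ALICE], "description": "Helpdesk"}}

# Constructed write log: (time_s, actor, dn, attribute, op, value).
# The actor column is what security auditing records; a poller never sees it.
WRITES = [
    (3, "EXAMPLE\\opsA", GROUP, "member", "add", TEMP),
    (7, "EXAMPLE\\opsA", GROUP, "member", "remove", TEMP),
    (12, "EXAMPLE\\opsB", GROUP, "member", "add", BOB),
    (14, "EXAMPLE\\opsB", GROUP, "description", "set", "Tier 1 helpdesk"),
]


def state_at(t, initial=INITIAL, writes=WRITES):
    """Replay every write with time <= t on top of the initial state."""
    state = deepcopy(initial)
    for when, _actor, dn, attr, op, value in sorted(writes):
        if when > t:
            break
        entry = state.setdefault(dn, {})
        if op == "set":
            entry[attr] = value
        elif op == "add":
            entry.setdefault(attr, []).append(value)
        elif op == "remove":
            entry[attr].remove(value)
    return state


def diff(prev, curr):
    """Compare two snapshots. Single-valued attributes yield before/after,
    multi-valued attributes yield the individual values added and removed."""
    changes = []
    for dn in sorted(set(prev) | set(curr)):
        if dn not in prev:
            changes.append({"dn": dn, "kind": "created"})
            continue
        if dn not in curr:
            changes.append({"dn": dn, "kind": "deleted"})
            continue
        old, new = prev[dn], curr[dn]
        for attr in sorted(set(old) | set(new)):
            a, b = old.get(attr), new.get(attr)
            if a == b:
                continue
            if isinstance(a, list) or isinstance(b, list):
                a, b = a or [], b or []
                changes.append({"dn": dn, "kind": "modified", "attribute": attr,
                                "added": sorted(set(b) - set(a)),
                                "removed": sorted(set(a) - set(b))})
            else:
                changes.append({"dn": dn, "kind": "modified", "attribute": attr,
                                "before": a, "after": b})
    return changes


def poll(interval, end, start=0):
    """Snapshot every `interval` seconds and diff against the previous one."""
    seen, prev = [], state_at(start)
    for t in range(start + interval, end + 1, interval):
        curr = state_at(t)
        seen.extend((t, change) for change in diff(prev, curr))
        prev = curr
    return seen


def members_seen_added(events):
    """Every member value that any poll reported as added."""
    return {m for _t, change in events for m in change.get("added", [])}


if __name__ == "__main__":
    for interval in (10, 2):
        print(f"polling every {interval}s:")
        for t, change in poll(interval, 20):
            print(f"  t={t:>2} {change}")
```

With a 10-second interval the membership added at t=3 and removed at t=7 never appears in any diff, and no record at any interval names an actor, which is why the thread points to Windows auditing for the "who".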


RE: [ActiveDir] Message Not Delivered

2005-07-20 Thread Craig Cerino
Does anyone know if [EMAIL PROTECTED] is a valid address?
BWAHAHAHAHAHAHAHA

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, July 20, 2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Message Not Delivered

---
Attention: Non-Delivery Report
---

This report is generated by the email server at:

   ivytech.edu

The message with subject:

   [ActiveDir] Message Not Delivered

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] OT: Roaming profiles and XP themes

2005-07-20 Thread Dan Stanford
 

We are just about to migrate over to Server 2003 from 2000, and in our
test set up, when newly created users with roaming profiles log into an
XP station, they get a modified desktop theme, instead of the default XP
teletubbies one - it has the classic task bar and start menu.  This
doesn't happen if I create a user with a local profile.  I know this is
going to fox some users - does anyone know how to stop it?

TIA,
Dan


