The doc Gil mentioned describes how to track change as it happens.  There is
also metadata that is stored with every object that contains a brief change
log history for each object (stored in the replPropertyMetaData attribute).
You can view the metadata for an object using tools like repadmin or
replmon.  For example:

C:\>repadmin /showmeta cn=administrator,cn=users,dc=mycorp,dc=com

Loc.USN Originating DC                Org.USN Org.Time/Date       Ver  Attribute
======= ===============               ======= =============       ==== =========
24684   Default-First-Site-Name\DC1   24684   2002-11-26 06:05:05 1    mail
20548   Default-First-Site-Name\DC1   20548   2002-11-15 17:12:05 1    lastLogonTimestamp
...

With metadata you can answer questions about when, where and what changes
occurred to an object.  Well, you actually don't get the full story with what
changed because only the attribute name that changed is stored, not the
values that changed.  I asked Stuart at DEC if they could answer the who
question by adding the writer GUID to the metadata, which would be the
object guid of the security principal that made the change.  I also think it
would be nice if the what question could also be fully answered in the
metadata by providing the before and after values of the changed attribute
(there are certain ramifications to this though).

There are a couple of other issues that impair the use of metadata, namely it
is stored in binary format and not easily parsable unless using Microsoft
APIs.  And since it is in binary, you can't search it.  For more info on
the API:
http://msdn.microsoft.com/library/en-us/netdir/ad/ds_repl_obj_meta_data.asp

Microsoft did include "Detailed transaction logging" on the questionnaire
they provided at DEC as one of the features they are considering for the
next release of AD (after .NET).  I'm not sure what it would look like, but
I believe Stuart said they were thinking it would be file-based.

Robbie Allen
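
As an added example (not from the thread), a small Python parser for the
repadmin /showmeta table shown above, so the when/where/which-attribute
questions can be answered across many objects at once; the sample output is
constructed in the same column layout, not captured from a real DC.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the column layout repadmin /showmeta prints
# (not captured from a real domain controller).
SAMPLE_SHOWMETA = """\
Loc.USN Originating DC                Org.USN Org.Time/Date       Ver  Attribute
======= ===============               ======= =============       ==== =========
24684   Default-First-Site-Name\\DC1   24684   2002-11-26 06:05:05 1    mail
20548   Default-First-Site-Name\\DC1   20548   2002-11-15 17:12:05 1    lastLogonTimestamp
24702   Default-First-Site-Name\\DC2   19311   2002-11-26 06:40:12 3    userAccountControl
...
"""

# One data row: local USN, originating DC, originating USN, timestamp, version, attribute.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+"
                 r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$")


def parse_showmeta(text: str) -> List[Dict]:
    """Turn the text table into one record per attribute (when, where, which)."""
    # Only the attribute name is kept in the metadata, never its old or new value.
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator rule, '...' continuation, blank lines
        loc_usn, dc, org_usn, when, ver, attr = m.groups()
        rows.append({
            "attribute": attr,
            "originating_dc": dc,
            "local_usn": int(loc_usn),
            "originating_usn": int(org_usn),
            "changed_at": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "version": int(ver),
        })
    return rows


def changed_since(rows: List[Dict], since: datetime) -> List[str]:
    """When: attributes whose last originating write is at or after 'since'."""
    return sorted(r["attribute"] for r in rows if r["changed_at"] >= since)


def originating_dcs(rows: List[Dict]) -> Dict[str, List[str]]:
    """Where: changed attributes grouped by the DC the write originated on."""
    out: Dict[str, List[str]] = {}
    for r in rows:
        out.setdefault(r["originating_dc"], []).append(r["attribute"])
    return out
```

The version column is the one field that hints at how often an attribute has been rewritten, which is useful for spotting an object that is being changed repeatedly even though the values themselves are not recorded.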

> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, November 26, 2002 3:49 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] How to get changes from active directory?
> 
> 
> Thanks Gil, I wasn't aware of this.  You learn something new 
> every day :-)
> 
> Any idea why Microsoft decided not to implement the changelog 
> approach?  It seems like a number of the other vendors have.  
> 
> I quite like the look of the IBM Directory approach, which 
> includes support for a number of change log entry attributes, 
> including the DN of the change originator, e.g.
> 
> ibm-changeInitiatorsName 
> The DN of the entity that initiated the change 
> Syntax: 1.3.6.1.4.1.1466.115.121.1.12 
> Value: single-valued 
> Usage: userApplications
> 
> I think this type of information would be useful in AD.  
> Robbie Allen touched on this at DEC Europe during his round 
> table discussion on tools.  Stuart Kwan was there and 
> mentioned something about Microsoft's plans, but I can't 
> remember exactly what it was.  Maybe Robbie remembers?
> 
> Tony
> 
> 
> ---------- Original Message ----------------------------------
> From: Gil Kirkpatrick <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 25 Nov 2002 12:37:29 -0700
> 
> Naval,
> 
> There are several mechanisms for getting change information from the
> directory. See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/polling_for_changes_using_the_dirsync_control.asp
> 
> Each mechanism has its advantages and disadvantages; the docs do a
> reasonable job of explaining them.
> 
> -gil
> 
> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 25, 2002 7:07 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] How to get changes from active directory?
> 
> 
> Hi Naval
> 
> AD doesn't (currently) store change information in the directory.  Some
> information can be made available through auditing of AD object access.  The
> audit information will be written to the event log.  The limitation of this
> approach is that this information will only be available on the DC where the
> change was made.  A separate consolidation process would then be required if
> centralised information were a requirement.
> 
> Stuart (if he's listening) may have some information on Microsoft's future
> plans in this area.
> 
> Tony
> 
> ---------- Original Message ----------------------------------
> From: "Naval" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 25 Nov 2002 16:48:21 +0530
> 
> Hi,
> 
> How can I get the changes from the Active Directory server?
> For example, Netscape provides changes below the
> cn=changelog node.
> Where does AD publish the changes?
> 
> Thanks,
> Naval
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
