The proposal was not a history, nor even a history of who modified it, merely
who made the current state of the AD be the way it is.  In order to do
that, you must track the modifier (whether by "backlink", GUID, SID, DN,
samAccountName, whatever) at the replication conflict level, ergo for each
attribute, and for DN values for each value.

The ancillary question was, would it be OK to just get the last modifier
at the object level (i.e. aggregate it up to who last touched the object,
any attribute or value)?  Obviously, this would lose who made the change
at time whenChanged minus 1 (or more).

The first probably will not bloat the DIT (in fact it will probably
shrink the DIT, as I will show shortly, when I find an extra hour).  In a
twist of irony, the latter, even though significantly less data, would
probably bloat the DIT (although obviously only very slightly).

This is because to implement the first idea, you would have enough of an
impact on DIT size (10% or more) that the team would consider strongly
compressing the meta-data to make up for it.  Whereas the latter would be
so insignificant that no one would invest in any compression.  At least
that is my prediction of how it would play out.

Cheers,
-Brett


On Tue, 18 Oct 2005, Almeida Pinto, Jorge de wrote:

> Hi,
> 
> I'm not sure if I would want this in the AD DB as this would mean a
> larger DIT (as every change is stamped... - how many versions are kept
> as history?) and additional replication traffic. I would prefer a better
> central auditing solution instead of having to check each DC to see for
> who made a change and when.
> 
> Jorge
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
> Sent: Tuesday, October 18, 2005 10:17
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Knowing when users were deleted.
> 
> joe wrote:
> > Correct, you can currently only get the when and the where (DC Where
> > not Client Where).
> >
> > Which raises the question. How many people would like a metadata stamp
> > with the GUID or SID of the userid that made the modification for a
> > given attribute (or value if appropriate)? Or would it be ok to just
> > have who made the last change to the object? Either way, none of the
> > "administrators group" nonsense, it points to a specific security
> > principal.
> 
> 
> count me with this request
> 
> 
> --
> Tomasz Onyszko
> http://www.w2k.pl
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
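The thread's point is that AD replication metadata already records the "when" (originating change time) and the "where" (originating DC) per attribute and per linked value, but not the "who"; the "who" only exists if directory-service-change auditing is switched on and you pull it from the originating DC's Security log, which is the central-auditing route Jorge prefers. The following PowerShell is an added example, not code from any of the posters; it assumes the ActiveDirectory module (Windows Server 2012 or later, which post-dates this 2005 thread), read access to the object, the "Audit Directory Service Changes" subcategory enabled with a SACL on the object, and read access to the DC's Security log. The object DN and DC name are placeholders to replace.

```powershell
# Added example: show the per-attribute "when" and "where" that replication
# metadata keeps, then look for the "who" in event 5136 on the originating DC.
# ObjectDN and Server are placeholders (assumed values, not from the thread).
Import-Module ActiveDirectory

$ObjectDN = 'CN=Example User,OU=Users,DC=example,DC=com'   # placeholder
$Server   = 'dc01.example.com'                             # placeholder DC to query

# Replication metadata is kept at the granularity the thread describes:
# one row per attribute, and one row per value for linked (DN-valued)
# attributes. Version, originating time and originating DSA are stored;
# no security principal is.
$meta = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $Server -ShowAllLinkedValues

$meta |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object AttributeName,
                  @{ n = 'LinkedValue'; e = { if ($_.IsLinkValue) { $_.AttributeValue } } },
                  Version,
                  LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# Take the most recent change to one attribute ('description' is just an
# illustration) and pivot to the DC that originated it.
$change = $meta |
    Where-Object AttributeName -eq 'description' |
    Sort-Object LastOriginatingChangeTime -Descending |
    Select-Object -First 1

if (-not $change) {
    Write-Warning "No replication metadata for 'description' on $ObjectDN"
    return
}

# The originating DSA is the NTDS Settings DN; map it back to a hostname.
$dsaDn = $change.LastOriginatingChangeDirectoryServerIdentity
$dc = Get-ADDomainController -Filter * | Where-Object NTDSSettingsObjectDN -eq $dsaDn
if (-not $dc) {
    Write-Warning "Could not resolve originating DSA $dsaDn to a DC"
    return
}

# Event 5136 ("A directory service object was modified") names the subject
# that performed the write. It exists only if change auditing is configured,
# so the absence of a hit here is itself a finding about audit coverage.
$window = @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = $change.LastOriginatingChangeTime.AddMinutes(-5)
    EndTime   = $change.LastOriginatingChangeTime.AddMinutes(5)
}

Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $window -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Subject   = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
            Object    = ($d | Where-Object Name -eq 'ObjectDN').'#text'
            Attribute = ($d | Where-Object Name -eq 'AttributeLDAPDisplayName').'#text'
            Operation = ($d | Where-Object Name -eq 'OperationType').'#text'
        }
    } |
    Where-Object { $_.Object -eq $ObjectDN -and $_.Attribute -eq $change.AttributeName } |
    Format-Table -AutoSize
```

The first table is the only "who-adjacent" data the directory itself holds, and it is exactly the per-attribute, per-value structure Brett says a modifier stamp would have to sit alongside; note it answers "which DC" rather than "which client". The second query only works on the DC named in the metadata, because 5136 is written locally and not replicated, which is why the thread ends up at a central log-collection solution rather than a DIT change.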