[ActiveDir] How to get changes from active directory?
Hi, How can i get the changes from Active Directory server? For e.g netscape provides changes below cn=changelog node. Where does AD publish the changes. Thanks, Naval List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] How to get changes from active directory?
Hi Naval AD doesn't (currently) store change information in the directory. Some information can be made available through auditing of AD object access. The audit information will be written to the event log. The limitation of this approach is that this information will only be available on the DC where the change was made. A separate consolidation process would then be required if centralised information were a requirement. Stuart (if he's listening) may have some information on Microsoft's future plans in this area. Tony -- Original Message -- From: Naval [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Mon, 25 Nov 2002 16:48:21 +0530 Hi, How can i get the changes from Active Directory server? For e.g netscape provides changes below cn=changelog node. Where does AD publish the changes. Thanks, Naval List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] How to get changes from active directory?
You could use EventComb to search multiple DCs for specific events. It's part of the tools that came with SOG. Regards, /Jimmy -- Jimmy Andersson, Q Advice AB Microsoft MVP - Active Directory Whistler Tech Beta Program Member Windows Pre-release Community Member -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray Sent: den 25 november 2002 15:07 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] How to get changes from active directory? Hi Naval AD doesn't (currently) store change information in the directory. Some information can be made available through auditing of AD object access. The audit information will be written to the event log. The limitation of this approach is that this information will only be available on the DC where the change was made. A separate consolidation process would then be required if centralised information were a requirement. Stuart (if he's listening) may have some information on Microsoft's future plans in this area. Tony -- Original Message -- From: Naval [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Mon, 25 Nov 2002 16:48:21 +0530 Hi, How can i get the changes from Active Directory server? For e.g netscape provides changes below cn=changelog node. Where does AD publish the changes. Thanks, Naval List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus
Title: Message First I want to thank all of you for responding to my initial query and say that it has been very helpful. Now I want to offer MS perspective on the matter and see how it fair's with you all for one final review. I spoke to a MS Premier Rapid Response Engineer and a Technical account manager. The account manager says that MS position on infrastructure boxes is not to run AV on them (File servers do have virus scanning, and E-mail servers have scanning dedicated to the data stores and IMS), but to block at the firewalls and the desktops. The PRRE says that he recommends that if you implement Virus scanning on infrastructure boxes, to block scanning of the directories that hold the associated files for the services, and the SYSVOl. Many of you already concluded this through the discussion. So it appears MS believes that if you can block at the entry points, you are better off leaving Infrastructure boxes clean and optimized. If you can't then take necessary procedures to protect the infrastructure. Does anyone have anything different to add? Todd -Original Message-From: Lynch, Peter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 3:52 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] AD and Network Core Services Anti-Virus Allan, How would upgrading to XP help you "push virus updates to the desktop remotely"? Peter - Original Message - From: Al Garrett To: '[EMAIL PROTECTED]' Sent: Thursday, November 14, 2002 11:26 PM Subject: RE: [ActiveDir] AD and Network Core Services Anti-Virus We run McAfee on everything.Netshield on every server, Virusscan on every workstation and Groupshield on the Exchange 5.5 Servers. We have had zero performance issues and 100% Melissa/Nimda/Code Red/Klez protection. The only time we have virus issues is when some putz (excuse me) some USER goes to their Internet e-mail (Yahoo, Hotmail, etc) and checks their mail and brings in a viruswith it. The other issue is when the same USER insists they have to have every screensaver/background/dancing bear/flying flag all running at the same time and one or more of them interferes with McAfee. When we run into this we remove the offendingprograms at will. These computers are for work, not play. Our next big push will be to get all our workstations up to XP so we can lock out most of this nonsense and push virus updates to the desktop remotely after hours. Never have out of date DAT files again. Allan Garrett A small SOCAL college -Original Message-From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]Sent: Thursday, November 14, 2002 12:54 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] AD and Network Core Services Anti-Virus I have a quick question, Our operating procedures for Core Network Service (AD DCs, WINS, DDNS, CA, Exchange (Antigen), DHCP) servers has been not to run with Anti-Virus protection on them. We feel that the potential for scanner code to conflict with the network service is higher if we do, and since we don't execute man applications from the server unless they are scanned we don't feel we are at much risk. What I would like to know is, what does everyone on this list feel an is a good strategy when it comes to these types of services and anti-virus product? Thanks in Advance, Todd
RE: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus
Title: Message I've read opinions from several Microsoft reps in the Microsoft partners newsgroups, and just about every one has said that it's a good idea to have AV on everything possible. The problem as I see it is that AV software is only as good as its definitionf iles. The definition files are only as good as the people reporting the viruses. That means that for a definition file to know about a virus, the virus must already be in the wild. So imagine the "next" virus that comes out before the definition files do and it infects your desktops, which inturn infect your servers. Now, as soon as the definition files are updated on the desktops they are "fixed", but the servers are still infected, with no way of repairing themselves. Personally I've never had a problem with AV software on a serverc onflicting with anything. That includes terminal servers and CitrixM etaframe. Others I know have had problems, but for me, there's no way I would put a server out there without any AV protection... Also, take a look at this link: http://www.microsoft.com/technet/treeview/default.asp?url=""> That's technet's quick tips on how to securea Win2k server... Adam -Original Message-From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] Sent: Monday, November 25, 2002 9:15 AMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus First I want to thank all of you for responding to my initial query and say that it has been very helpful. Now I want to offer MS perspective on the matter and see how it fair's with you all for one final review. I spoke to a MS Premier Rapid Response Engineer and a Technical account manager. The account manager says that MS position on infrastructure boxes is not to run AV on them (File servers do have virus scanning, and E-mail servers have scanning dedicated to the data stores and IMS), but to block at the firewalls and the desktops. The PRRE says that he recommends that if you implement Virus scanning on infrastructure boxes, to block scanning of the directories that hold the associated files for the services, and the SYSVOl. Many of you already concluded this through the discussion. So it appears MS believes that if you can block at the entry points, you are better off leaving Infrastructure boxes clean and optimized. If you can't then take necessary procedures to protect the infrastructure. Does anyone have anything different to add? Todd -Original Message-From: Lynch, Peter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 3:52 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] AD and Network Core Services Anti-Virus Allan, How would upgrading to XP help you "push virus updates to the desktop remotely"? Peter - Original Message - From: Al Garrett To: '[EMAIL PROTECTED]' Sent: Thursday, November 14, 2002 11:26 PM Subject: RE: [ActiveDir] AD and Network Core Services Anti-Virus We run McAfee on everything.Netshield on every server, Virusscan on every workstation and Groupshield on the Exchange 5.5 Servers. We have had zero performance issues and 100% Melissa/Nimda/Code Red/Klez protection. The only time we have virus issues is when some putz (excuse me) some USER goes to their Internet e-mail (Yahoo, Hotmail, etc) and checks their mail and brings in a viruswith it. The other issue is when the same USER insists they have to have every screensaver/background/dancing bear/flying flag all running at the same time and one or more of them interferes with McAfee. When we run into this we remove the offendingprograms at will. These computers are for work, not play. Our next big push will be to get all our workstations up to XP so we can lock out most of this nonsense and push virus updates to the desktop remotely after hours. Never have out of date DAT files again. Allan Garrett A small SOCAL college -Original Message-From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]Sent: Thursday, November 14, 2002 12:54 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] AD and Network Core Services Anti-Virus I have a quick question, Our operating procedures for Core Network Service (AD DCs, WINS, DDNS, CA, Exchange (Antigen), DHCP) servers has been not to run with Anti-Virus protection on them. We feel that the potential for scanner code to conflict with the network service is higher if we do, and since we don't execute man applications from the server unless they are scanned we don't feel we are at much risk. What I
RE: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus
Title: Message May have been discussed, but the excluding of ANY log or SYSVOL or M: on Exchange is a critical piece as many of the apps die painfully when they have the logs pulled, or cannot access a file because the VScanner is busy with it, or SO personally, AV on everything, Exclude Logs, DB, and SYSVOL. Has worked well for a long while. Chad Purviance Prinicipal Consultant Broadwing IT Consulting -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, November 25, 2002 11:02 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] MS weigh's in on AD and Network Core Services A nti-Virus I've read opinions from several Microsoft reps in the Microsoft partners newsgroups, and just about every one has said that it's a good idea to have AV on everything possible. The problem as I see it is that AV software is only as good as its definitionf iles. The definition files are only as good as the people reporting the viruses. That means that for a definition file to know about a virus, the virus must already be in the wild. So imagine the next virus that comes out before the definition files do and it infects your desktops, which inturn infect your servers. Now, as soon as the definition files are updated on the desktops they are fixed, but the servers are still infected, with no way of repairing themselves. Personally I've never had a problem with AV software on a serverc onflicting with anything. That includes terminal servers and CitrixM etaframe. Others I know have had problems, but for me, there's no way I would put a server out there without any AV protection... Also, take a look at this link: http://www.microsoft.com/technet/treeview/default.asp?url=""> That's technet's quick tips on how to securea Win2k server... Adam -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] Sent: Monday, November 25, 2002 9:15 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus First I want to thank all of you for responding to my initial query and say that it has been very helpful. Now I want to offer MS perspective on the matter and see how it fair's with you all for one final review. I spoke to a MS Premier Rapid Response Engineer and a Technical account manager. The account manager says that MS position on infrastructure boxes is not to run AV on them (File servers do have virus scanning, and E-mail servers have scanning dedicated to the data stores and IMS), but to block at the firewalls and the desktops. The PRRE says that he recommends that if you implement Virus scanning on infrastructure boxes, to block scanning of the directories that hold the associated files for the services, and the SYSVOl. Many of you already concluded this through the discussion. So it appears MS believes that if you can block at the entry points, you are better off leaving Infrastructure boxes clean and optimized. If you can't then take necessary procedures to protect the infrastructure. Does anyone have anything different to add? Todd -Original Message- From: Lynch, Peter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 3:52 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD and Network Core Services Anti-Virus Allan, How would upgrading to XP help you push virus updates to the desktop remotely? Peter - Original Message - From: Al Garrett To: '[EMAIL PROTECTED]' Sent: Thursday, November 14, 2002 11:26 PM Subject: RE: [ActiveDir] AD and Network Core Services Anti-Virus We run McAfee on everything.Netshield on every server, Virusscan on every workstation and Groupshield on the Exchange 5.5 Servers. We have had zero performance issues and 100% Melissa/Nimda/Code Red/Klez protection. The only time we have virus issues is when some putz (excuse me) some USER goes to their Internet e-mail (Yahoo, Hotmail, etc) and checks their mail and brings in a viruswith it. The other issue is when the same USER insists they have to have every screensaver/background/dancing bear/flying flag all running at the same time and one or more of them interferes with McAfee. When we run into this we remove the offendingprograms at will. These computers are for work, not play. Our next big push will be to get all our workstations up to XP so we can lock out most of this nonsense and push virus updates to the desktop remotely after hours. Never have out of date DAT files again. Allan Garrett A small SOCAL college -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 14, 2002 12:54 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] AD and Network Core Services Anti-Virus I have a quick question, Our
Re: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus
Title: Message nothing specfic to add, other than a comment that no one from the any of the leading AV vendors has tendered a view on this. - Original Message - From: Myrick, Todd (NIH/CIT) To: '[EMAIL PROTECTED]' Sent: Monday, November 25, 2002 3:14 PM Subject: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus First I want to thank all of you for responding to my initial query and say that it has been very helpful. Now I want to offer MS perspective on the matter and see how it fair's with you all for one final review. I spoke to a MS Premier Rapid Response Engineer and a Technical account manager. The account manager says that MS position on infrastructure boxes is not to run AV on them (File servers do have virus scanning, and E-mail servers have scanning dedicated to the data stores and IMS), but to block at the firewalls and the desktops. The PRRE says that he recommends that if you implement Virus scanning on infrastructure boxes, to block scanning of the directories that hold the associated files for the services, and the SYSVOl. Many of you already concluded this through the discussion. So it appears MS believes that if you can block at the entry points, you are better off leaving Infrastructure boxes clean and optimized. If you can't then take necessary procedures to protect the infrastructure. Does anyone have anything different to add? Todd -Original Message-From: Lynch, Peter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 3:52 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] AD and Network Core Services Anti-Virus Allan, How would upgrading to XP help you "push virus updates to the desktop remotely"? Peter - Original Message - From: Al Garrett To: '[EMAIL PROTECTED]' Sent: Thursday, November 14, 2002 11:26 PM Subject: RE: [ActiveDir] AD and Network Core Services Anti-Virus We run McAfee on everything.Netshield on every server, Virusscan on every workstation and Groupshield on the Exchange 5.5 Servers. We have had zero performance issues and 100% Melissa/Nimda/Code Red/Klez protection. The only time we have virus issues is when some putz (excuse me) some USER goes to their Internet e-mail (Yahoo, Hotmail, etc) and checks their mail and brings in a viruswith it. The other issue is when the same USER insists they have to have every screensaver/background/dancing bear/flying flag all running at the same time and one or more of them interferes with McAfee. When we run into this we remove the offendingprograms at will. These computers are for work, not play. Our next big push will be to get all our workstations up to XP so we can lock out most of this nonsense and push virus updates to the desktop remotely after hours. Never have out of date DAT files again. Allan Garrett A small SOCAL college -Original Message-From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]Sent: Thursday, November 14, 2002 12:54 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] AD and Network Core Services Anti-Virus I have a quick question, Our operating procedures for Core Network Service (AD DCs, WINS, DDNS, CA, Exchange (Antigen), DHCP) servers has been not to run with Anti-Virus protection on them. We feel that the potential for scanner code to conflict with the network service is higher if we do, and since we don't execute man applications from the server unless they are scanned we don't feel we are at much risk. What I would like to know is, what does everyone on this list feel an is a good strategy when it comes to these types of services and anti-virus product? Thanks in Advance, Todd
RE: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus
Title: Message Other than "as long as you buy from us we don't care if you're putting it on your copy machines" :) -Original Message-From: Graham Turner [mailto:[EMAIL PROTECTED]] Sent: Monday, November 25, 2002 9:21 AMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus nothing specfic to add, other than a comment that no one from the any of the leading AV vendors has tendered a view on this. - Original Message - From: Myrick, Todd (NIH/CIT) To: '[EMAIL PROTECTED]' Sent: Monday, November 25, 2002 3:14 PM Subject: [ActiveDir] MS weigh's in on AD and Network Core Services Anti-Virus First I want to thank all of you for responding to my initial query and say that it has been very helpful. Now I want to offer MS perspective on the matter and see how it fair's with you all for one final review. I spoke to a MS Premier Rapid Response Engineer and a Technical account manager. The account manager says that MS position on infrastructure boxes is not to run AV on them (File servers do have virus scanning, and E-mail servers have scanning dedicated to the data stores and IMS), but to block at the firewalls and the desktops. The PRRE says that he recommends that if you implement Virus scanning on infrastructure boxes, to block scanning of the directories that hold the associated files for the services, and the SYSVOl. Many of you already concluded this through the discussion. So it appears MS believes that if you can block at the entry points, you are better off leaving Infrastructure boxes clean and optimized. If you can't then take necessary procedures to protect the infrastructure. Does anyone have anything different to add? Todd -Original Message-From: Lynch, Peter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 3:52 PMTo: [EMAIL PROTECTED]Subject: Re: [ActiveDir] AD and Network Core Services Anti-Virus Allan, How would upgrading to XP help you "push virus updates to the desktop remotely"? Peter - Original Message - From: Al Garrett To: '[EMAIL PROTECTED]' Sent: Thursday, November 14, 2002 11:26 PM Subject: RE: [ActiveDir] AD and Network Core Services Anti-Virus We run McAfee on everything.Netshield on every server, Virusscan on every workstation and Groupshield on the Exchange 5.5 Servers. We have had zero performance issues and 100% Melissa/Nimda/Code Red/Klez protection. The only time we have virus issues is when some putz (excuse me) some USER goes to their Internet e-mail (Yahoo, Hotmail, etc) and checks their mail and brings in a viruswith it. The other issue is when the same USER insists they have to have every screensaver/background/dancing bear/flying flag all running at the same time and one or more of them interferes with McAfee. When we run into this we remove the offendingprograms at will. These computers are for work, not play. Our next big push will be to get all our workstations up to XP so we can lock out most of this nonsense and push virus updates to the desktop remotely after hours. Never have out of date DAT files again. Allan Garrett A small SOCAL college -Original Message-From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]Sent: Thursday, November 14, 2002 12:54 PMTo: '[EMAIL PROTECTED]'Subject: [ActiveDir] AD and Network Core Services Anti-Virus I have a quick question, Our operating procedures for Core Network Service (AD DCs, WINS, DDNS, CA, Exchange (Antigen), DHCP) servers has been not to run with Anti-Virus protection on them. We feel that the potential for scanner code to conflict with the network service is higher if we do, and since we don't execute man applications from the server unless they are scanned we don't feel we are at much risk. What I would like to know is, what does everyone on this list feel an is a good strategy when it comes to these types of services and anti-virus product? Thanks in Advance, Todd This e-mail is confidential. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this mail in error, please tell us immediately by return e-mail and delete the document.
RE: [ActiveDir] How to get changes from active directory?
Naval, There are several mechanisms for getting change information from the directory. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/p olling_for_changes_using_the_dirsync_control.asp Each mechanism has its advantages and disadvantages; the docs do a reasonable job of explaining them. -gil -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: Monday, November 25, 2002 7:07 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] How to get changes from active directory? Hi Naval AD doesn't (currently) store change information in the directory. Some information can be made available through auditing of AD object access. The audit information will be written to the event log. The limitation of this approach is that this information will only be available on the DC where the change was made. A separate consolidation process would then be required if centralised information were a requirement. Stuart (if he's listening) may have some information on Microsoft's future plans in this area. Tony -- Original Message -- From: Naval [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Mon, 25 Nov 2002 16:48:21 +0530 Hi, How can i get the changes from Active Directory server? For e.g netscape provides changes below cn=changelog node. Where does AD publish the changes. Thanks, Naval List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/