There's a good description of the different strategies you can use to track AD changes at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/tracking_changes.asp?frame=true.

Tony, you should add this to the FAQ... It seems to come up every few months.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 20, 2004 6:08 AM
To: [EMAIL PROTECTED]
Subject: Re[2]: [ActiveDir] How to track object deletion?

Thank you all guys for your help.
I've made some investigation on this. Here are the results. Correct me if I'm mistaken.

When an AD object is deleted it is actually moved to the Deleted Objects container of the partition it is deleted from. But when it is moved to that container only a little part of its properties is taken with it. Alas, there is no DN property that can tell where the object was deleted from. In spite of the fact that the parentGUID property remained in the tombstoned object, it is set to the GUID of the Deleted Objects container, but not to the GUID of the recent object parent. It is a real mess.

It all leads to that I can't determine the DN of a deleted object by any means without storing some type of objects cache before their deletion! I can't accept that, taking into account that object deletion is the most critical AD change.

> I've been looking at ways for tracking static DNS record changes. So far
> I've been focusing on the "dnsTombestone" property which has 3 values
> of NULL, TRUE, and FALSE.
>
> Perhaps you can see if that object has a similar property? I'm not at
> an AD terminal now, so I can't check, but it might be something you
> can check on.
>
> Just an Idea. :)
>
> J
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, January 19, 2004 9:37 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] How to track object deletion?
>
> Hello, AD gurus.
> I've been developing a DirSync program that tracks for object changes
> in AD. Everything is fine except for object deletion.
> When an AD object is deleted, as everybody knows here, it is tombstoned.
> As I figured out, that means that the object is moved to the
> hidden container called 'Deleted Objects'. So when I delete an object
> DirSync returns me the following
>
> CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted Objects,DC=sbhbd1,DC=local
>
> as the DN of changed object.
>
> In the example above I deleted object with DN:
> CN=user1,CN=Users,DC=sbhbd1,DC=local. But I've lost some part of
> original object DN like: * ,CN=Users, *
>
> The question is: How to track AD objects deletion? I need to know
> object original DN, but AD hides it from me. I don't want to keep a
> copy of original AD or whatever similar to it.
>
> Thanks in advance!
>
> --
> Best regards,
> (mailto:[EMAIL PROTECTED]) 19.01.2004, 18:27
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Best regards,
(mailto:[EMAIL PROTECTED]) 20.01.2004, 15:57
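
Added example, not part of the original thread: the GUID embedded after `DEL:` in the tombstone RDN is the deleted object's objectGUID, so a GUID-to-DN map filled from earlier DirSync results (rather than a copy of the directory) is enough to report the original DN. The names `parse_tombstone_dn` and `DnIndex` are hypothetical, and the sketch assumes each DirSync result supplies the entry's objectGUID and DN.

```python
import re

# Tombstone RDN: original value, a separator, "DEL:", then the object's GUID.
# The separator is a newline (escaped "\0A" in string DNs); the thread's sample
# shows it as a bare backslash, so both spellings are accepted.
_RDN = re.compile(r'((?:\\.|[^,\\])*),(.*)$', re.S)
_DEL = re.compile(r'^([^=]+)=(.*?)\\(?:0[Aa])?DEL:([0-9A-Fa-f-]{36})$', re.S)


def parse_tombstone_dn(dn):
    """Return (attr, original_rdn_value, guid) for a tombstone DN, else None."""
    m = _RDN.match(dn)            # first RDN ends at the first unescaped comma
    if not m:
        return None
    d = _DEL.match(m.group(1))
    return (d.group(1), d.group(2), d.group(3).lower()) if d else None


class DnIndex:
    """GUID -> last seen DN, kept up to date from every DirSync result."""

    def __init__(self):
        self._by_guid = {}

    def observe(self, guid, dn):
        """Feed one changed entry; returns ('live' | 'deleted', dn_to_report)."""
        tomb = parse_tombstone_dn(dn)
        if tomb is None:
            self._by_guid[guid.lower()] = dn   # create, rename or move
            return ("live", dn)
        # Deleted: report the DN recorded before the move to Deleted Objects.
        original = self._by_guid.pop(tomb[2], None)
        return ("deleted", original)           # None: never seen while live


# Constructed DirSync results, reusing the DNs quoted in the thread.
GUID = "5fce35d1-42dc-4d42-b4d6-fd4a5c773acd"
index = DnIndex()
index.observe(GUID, "CN=user1,CN=Users,DC=sbhbd1,DC=local")
event = index.observe(
    GUID, r"CN=user1\DEL:" + GUID + ",CN=Deleted Objects,DC=sbhbd1,DC=local")
print(event)
```

An object deleted before the index ever saw it live resolves to `None`, so the index has to be seeded by a full first DirSync pass before deletions are reported.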
