Hi Darren,
The Quest tool uses LSASS insertion. The explanation given to a lowly network admin that can almost spell C++ is that they stick a piece of code into LSASS that intercepts every write to the AD database and reports it. Short of hacking the secure communications on all your DCs, I am not sure you can duplicate this.
Regards,
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
From: Chuck Chopp <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
Date: 07/08/2005 04:04 PM AST
Please respond to: ActiveDir
To: [email protected]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use
Darren Mar-Elia wrote:
> Chuck-
> Have you seen this article?
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/c
> hange_notifications_in_active_directory.asp
Yes, I have. Been there, done that, bought the postcard & T-shirt... and, sadly, it falls far, far short of both what I need and what I know other auditing products to be capable of doing.
I can tell through feature descriptions, report contents and inspection of the binary EXE and DLL files of these products that they are not using any of the following:
LDAP
ADSI DirSync
any method that tracks the uSNChanged attribute
System.Directory .DOT managed code
system auditing via SACLs set on containers & objects
Further inspection of Quest's Change Manager for Active Directory leads me to believe that it is in fact hooking into AD in some manner so that it is directly intercepting replication traffic within the directory service itself on the DC on which their monitor is installed. It would appear that I need to go the same route in order to get the functionality that I require.
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
RTFM Consulting Services Inc.
103 Autumn Hill Road
Greer, SC 29651
864 801 2795 voice & voicemail
864 801 2774 fax
Do not send me unsolicited commercial email.
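An added example (not code from either poster or from Quest/NetPro) of the uSNChanged-polling approach Chuck lists, written to show the caveat a practitioner hits first: uSNChanged is DC-local, so the high-water mark has to be kept per DC invocationId. The class and record names are mine, and the invocationIds, DNs and USN values are constructed.

```python
from dataclasses import dataclass


@dataclass
class ChangeRecord:
    # Constructed stand-in for one LDAP search hit: the invocationId (GUID
    # string) of the DC that answered, the object's uSNChanged, its DN and
    # the attribute values returned.
    invocation_id: str
    usn_changed: int
    dn: str
    attrs: dict


class UsnTracker:
    """Poll-style change detection keyed on uSNChanged (hypothetical helper).

    uSNChanged is local to each DC: the same edit carries a different USN on
    every DC, and a restored DC comes back with a new invocationId and a
    counter that may have rolled back. The high-water mark is therefore kept
    per invocationId; a single global mark would skip or re-report changes
    whenever the poller fails over to another DC.
    """

    def __init__(self):
        self.highwater = {}  # invocationId -> last uSNChanged reported

    def seed(self, invocation_id, highest_committed_usn):
        # On first contact, start from rootDSE highestCommittedUSN so the
        # initial poll does not re-read the entire directory.
        self.highwater.setdefault(invocation_id, highest_committed_usn)

    def filter_expr(self, invocation_id):
        # LDAP filter a real poll would send to that DC (paged search,
        # attrs: uSNChanged plus whatever is being audited).
        return f"(uSNChanged>={self.highwater.get(invocation_id, 0) + 1})"

    def consume(self, records):
        """Return records not yet reported and advance the per-DC mark."""
        new = []
        for rec in sorted(records, key=lambda r: r.usn_changed):
            if rec.usn_changed > self.highwater.get(rec.invocation_id, 0):
                new.append(rec)
                self.highwater[rec.invocation_id] = rec.usn_changed
        return new
```

A hit from this poll tells you only that the object's uSNChanged advanced, not which attribute changed, its previous value, or who made the change, and deleted objects only show up if the search also returns tombstones; that gap is why the thread looks at write interception instead.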
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/