Grillenmeier, Guido wrote:
> Chuck - what exactly are you trying to achieve/monitor?
I need to monitor for creation, deletion, renaming and moving of user
objects, group objects and for objects based on 2 or 3 other
application-specific object classes in AD. Additionally, I need to monitor
for modification of some standard attributes and some custom/aux attributes
on user & group objects. In the case of membership types of attributes that
are multi-valued, when one of those attributes changes, I need to know what
individual value is being added to or removed from the attribute's value
list. This needs to be done for all user & group objects in the tree; there
is no feasible way to limit the scope of object instances that need to be
monitored. When the events are received, the application will consolidate
them and forward them on to an "engine" that will take certain actions
depending on which particular events have occurred.
I would prefer notification of the desired changes to be delivered
asynchronously, but I can poll for them if necessary. DirSync and LDAP and
monitoring the uSNChanged attribute are all methods that fail to provide
this degree of granularity. To use DirSync or LDAP searches would
effectively require me to maintain a partial replica of the entire AD tree
with which to perform comparisons of objects that are reported in the
DirSync result-set.
> AD itself doesn't provide a real event-driven model for notification of
> changes to objects, but for single object monitoring you can get quite
> far with WMI event queries (which in the background read the instance of
> an object and then continuously poll for any changes to the object in AD
> - no matter if direct or through replication).
> This will be ok for "poor man's" monitoring of a few special objects
> (such as sensitive groups), but not for monitoring changes in all of AD
> (both NetPro and Quest deploy agents to the DCs to intercept changes
> that occur on DCs to reach their goal)
Yes, I understand that an agent is required on each DC to intercept the
required changes. It is the method(s) that those agents [in Quest's &
NetPro's products] are using that I'm looking for. I need the same degree
of functionality in terms of fine grained event monitoring. As stated
above, the # of objects involved is too large to use WMI. All users &
groups in the tree will end up needing to be monitored along with several
other classes of objects.
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651
Do not send me unsolicited commercial email.
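
The partial-replica comparison described in the message above, as an added example that is not part of the original thread: a poll-based consumer has to keep the previous state of every object and diff it to recover create/delete/rename/move events and per-value membership changes. The snapshot layout, the `diff_snapshots` helper and the sample data are assumptions constructed for illustration; objects are keyed by objectGUID because it stays stable across renames and moves.

```python
# Added example: snapshots are constructed sample data, not read from a real directory.
def split_dn(dn):
    """Split a DN into (RDN, parent DN). Assumes no escaped commas in the RDN."""
    rdn, _, parent = dn.partition(",")
    return rdn, parent

def diff_snapshots(old, new, multi_valued=("member",)):
    """Compare two {objectGUID: {"dn": str, attr: [values]}} snapshots and
    return a sorted list of (event, guid, detail) tuples."""
    events = []
    for guid in new.keys() - old.keys():
        events.append(("created", guid, new[guid]["dn"]))
    for guid in old.keys() - new.keys():
        events.append(("deleted", guid, old[guid]["dn"]))
    for guid in old.keys() & new.keys():
        before, after = old[guid], new[guid]
        old_rdn, old_parent = split_dn(before["dn"])
        new_rdn, new_parent = split_dn(after["dn"])
        if old_rdn.lower() != new_rdn.lower():        # same object, new RDN
            events.append(("renamed", guid, new_rdn))
        if old_parent.lower() != new_parent.lower():  # same object, new container
            events.append(("moved", guid, new_parent))
        for attr in multi_valued:
            was, now = set(before.get(attr, [])), set(after.get(attr, []))
            events += [(attr + "+", guid, v) for v in now - was]  # value added
            events += [(attr + "-", guid, v) for v in was - now]  # value removed
    return sorted(events)

# Constructed "previous poll" and "current poll" states (hypothetical GUIDs and DNs).
OLD = {
    "g-1": {"dn": "CN=Admins,OU=Groups,DC=example,DC=com",
            "member": ["CN=alice,OU=Staff,DC=example,DC=com",
                       "CN=bob,OU=Staff,DC=example,DC=com"]},
    "u-1": {"dn": "CN=erin,OU=Staff,DC=example,DC=com"},
    "u-2": {"dn": "CN=carol,OU=Staff,DC=example,DC=com"},
}
NEW = {
    "g-1": {"dn": "CN=Admins,OU=Groups,DC=example,DC=com",
            "member": ["CN=alice,OU=Staff,DC=example,DC=com",
                       "CN=dave,OU=Staff,DC=example,DC=com"]},
    "u-1": {"dn": "CN=Erin Smith,OU=Contractors,DC=example,DC=com"},
    "u-3": {"dn": "CN=dave,OU=Staff,DC=example,DC=com"},
}

if __name__ == "__main__":
    for event in diff_snapshots(OLD, NEW):
        print(event)
```

The stored `OLD` state is the cost the message refers to: without it, a poll result only says that an object changed, not which member value was added or removed.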