Grillenmeier, Guido wrote:

Chuck - what exactly are you trying to achieve/monitor?

I need to monitor for creation, deletion, renaming and moving of user objects, group objects and for objects based on 2 or 3 other application-specific object classes in AD. Additionally, I need to monitor for modification of some standard attributes and some custom/aux attributes on user & group objects. In the case of membership types of attributes that are multi-valued, when one of those attributes changes, I need to know what individual value is being added to or removed from the attribute's value list. This needs to be done for all user & group objects in the tree; there is no feasible way to limit the scope of object instances that need to be monitored. When the events are received, the application will consolidate them and forward them on to an "engine" that will take certain actions depending on which particular events have occurred.

I would prefer notification of the desired changes to be delivered asynchronously, but I can poll for them if necessary. DirSync and LDAP and monitoring the uSNChanged attribute are all methods that fail to provide this degree of granularity. To use DirSync or LDAP searches would effectively require me to maintain a partial replica of the entire AD tree with which to perform comparisons of objects that are reported in the DirSync result-set.

AD itself doesn't provide a real event-driven model for notification of changes to objects, but for single object monitoring you can get quite far with WMI event queries (which in the background read the instance of an object and then continuously poll for any changes to the object in AD - no matter if direct or through replication). This will be ok for "poor man's" monitoring of a few special objects (such as sensitive groups), but not for monitoring changes in all of AD (both NetPro and Quest deploy agents to the DCs to intercept changes that occur on DCs to reach their goal).

Yes, I understand that an agent is required on each DC to intercept the required changes. It is the method(s) that those agents [in Quest's & NetPro's products] are using that I'm looking for. I need the same degree of functionality in terms of fine grained event monitoring. As stated above, the # of objects involved is too large to use WMI. All users & groups in the tree will end up needing to be monitored along with several other classes of objects.


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.     864 801 2795 voice & voicemail
103 Autumn Hill Road              864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
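
The comparison described in the message above for a polling approach (keeping a local copy of each object so that a changed multi-valued attribute can be reduced to the individual values added or removed), sketched as an added example that is not part of the original post or of any product it mentions. The record layout, the `diff_poll` name and the sample data are constructed for illustration; a real poller would fill `changed` from an LDAP or DirSync result set.

```python
# Constructed records stand in for polled LDAP/DirSync result sets;
# nothing here contacts a directory. All names are hypothetical.

def _parent(dn):
    # Naive split: assumes no escaped commas in the RDN (true for the sample data).
    return dn.split(",", 1)[1].lower() if "," in dn else ""

def diff_poll(cache, changed, tracked=("member",)):
    """Turn 'object X changed' into granular events using a local copy.

    cache: objectGUID -> last record seen (updated in place).
    changed: records with 'objectGUID', 'dn', optional 'isDeleted',
             and attribute name -> list of current values.
    """
    events = []
    for rec in changed:
        guid, old = rec["objectGUID"], cache.get(rec["objectGUID"])
        if rec.get("isDeleted"):
            if old is not None:
                events.append(("deleted", old["dn"]))
                del cache[guid]
            continue
        if old is None:
            events.append(("created", rec["dn"]))
        elif old["dn"].lower() != rec["dn"].lower():
            # Same GUID, new DN: rename if the parent container is unchanged.
            same = _parent(old["dn"]) == _parent(rec["dn"])
            events.append(("renamed" if same else "moved", old["dn"], rec["dn"]))
        for attr in tracked:
            before = set(old.get(attr, [])) if old else set()
            after = set(rec.get(attr, []))
            events += [("value_added", rec["dn"], attr, v) for v in sorted(after - before)]
            events += [("value_removed", rec["dn"], attr, v) for v in sorted(before - after)]
        cache[guid] = rec
    return events

ALICE, BOB, CAROL = ("CN=%s,OU=People,DC=example,DC=com" % n for n in ("alice", "bob", "carol"))
POLL_1 = [{"objectGUID": "g1", "dn": "CN=Staff,OU=Groups,DC=example,DC=com", "member": [ALICE, BOB]}]
POLL_2 = [{"objectGUID": "g1", "dn": "CN=Staff,OU=Archive,DC=example,DC=com", "member": [ALICE, CAROL]}]
POLL_3 = [{"objectGUID": "g1", "isDeleted": True}]

if __name__ == "__main__":
    cache = {}
    for poll in (POLL_1, POLL_2, POLL_3):
        for event in diff_poll(cache, poll):
            print(event)
```

The cache grows with every tracked object, which is the per-object state cost the message refers to when it speaks of maintaining a partial replica.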
