Ah I ran into your posts in the newsgroups. I responded some there.

To further some of the info given previously, it is possible that some sort
of LSASS injection is being used in one or more products, however, that
doesn't mean this is a supported mechanism. Doing so *could* put your DCs or
worse, your customers' DCs in a state that MS will not support which is the
last thing you want to hear when your directory is sitting on the floor due
to corruption or some other issue that you cannot correct yourself or
possibly even worse, performing in an inconsistent manner for performance or
functionality. The fact that it is forcefully slamming code into a system
owned process that isn't supposed to be modified by user mode apps and
executing that code say like a virus/worm/trojan/rootkit or any number of
things we consider bad would tend to give it a challenging start towards
support, IMO. Possibly someone from NetPro, Quest, or Microsoft could
comment further if they understand and are able to speak about the
mechanisms and their supported state. 

As mentioned in the newsgroups, when I last chatted with the NetPro folks
over a year ago about how they were grabbing some info they mentioned Event
Tracing. I believe you have some info on it but are not impressed by the
volume of info available. Again, as I mentioned in the newsgroups, it isn't
a popular interface in terms of people asking about it and those who have
figured it out, most likely did so to make money and aren't really going to
just spill all the details because someone wants to duplicate their
capability.

  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp
Sent: Monday, July 11, 2005 12:55 PM
To: [email protected]
Subject: Re: [ActiveDir] Programmatic auditing of AD changes similar to what
Quest/NetPro use

Alain Lissoir wrote:

> WMI can be used for the monitoring but the capabilities are quite 
> limited with the current WMI provider implementation.
> Despite this, it could be useful in some very specific pin-point 
> monitoring cases.
> 
> However, in your case, you definitively need something else.
> NETPRO solution seems to me the best match for what you need.
> 
> However, I suspect that NETPRO uses this API (Polling for Changes 
> Using the DirSync Control) 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/polling_for_changes_using_the_dirsync_control.asp
> 
> Don't know ... Only they can confirm ... :-)

No.... unfortunately, the DirSync control [which I've investigated
thoroughly and have used before] is totally unsuitable for what I need to
do.  It lacks the granularity in what it can report about changes that have
occurred.  Both NetPro and Quest have auditing products that report
information that DirSync cannot possibly be providing.  I've also received
some information that indicates that Quest is using some sort of intercept
method, most likely hooking of functions in one of the DLLs that makes up
the core of AD.

I don't need a full blown auditing package and I'm not needing to perform
auditing, per se.  But, I do need to use the same sorts of methods that
allow such auditing to be performed.  I'm working on a port of a product
that already runs in the Novell eDirectory environment and which makes use
of eDirectory Event Notification services.  It appears that AD is totally
lacking in terms of providing a similar set of asynchronous event-based
notifications that provide detailed information regarding a selected set of
event types.

Anything which functions similar to DirSync and which requires a partial
replica of the AD contents to be kept outside of AD for purposes of
comparisons to determine what a particular result in the DirSync result-set
means is totally unacceptable for my purposes.


--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.     864 801 2795 voice & voicemail
103 Autumn Hill Road              864 801 2774 fax
Greer, SC  29651

Do not send me unsolicited commercial email.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
