I'd be interested as well. BTW for the original request (don't have it here separately to reply) I've been told that there are some 3rd party tools which allow that kind of Audit. E.g. inTrust from Quest claims to plug in front of the LSASS and control which actions to log, which ones to apply and which ones to decline b/c they are in conflict with some business rules. Haven't had a chance to look into the app yet - just know the marketing ;-)

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Sunday, October 16, 2005 5:11 PM
|To: [email protected]
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|I would be curious just from the standpoint that I will
|probably learn something about the internals. If you don't
|feel the list would be interested, send to me offline. I have
|removed your email address from the kill file. ;o)
|
|Now I have to go get ready to see a noon showing of Serenity[1].
|
|  joe
|
|[1] We're deep in space, corner of No and Where.
|
|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Sunday, October 16, 2005 10:27 AM
|To: [email protected]
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|You then change the representation from an external one to an
|internal one, which is a significant design decision ... I
|wrote up about a page filling out the argument against using a
|backlink scheme ... then figured there probably isn't
|interest, as we're talking a hypothetical feature.
|Let me know if you want me to finish off and send my argument
|against backlinks ...
|
|Cheers,
|BrettSh [msft]
|
|On Fri, 14 Oct 2005, joe wrote:
|
|> Can you do some sort of backlink type of magic where you use some
|> smaller sized value to represent the real value via indirection or
|> something?
|>
|> I expect most companies would be willing to take the hit on DIT size
|> to get this kind of capability. ESE can handle it right?
|>
|> -----Original Message-----
|> From: [EMAIL PROTECTED]
|> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|> Sent: Friday, October 14, 2005 11:50 AM
|> To: [email protected]
|> Subject: RE: [ActiveDir] Knowing when users were deleted.
|>
|> Ignoring the 16 bytes at the beginning of the metadata for version and
|> attr count info, and garbage wasted space ... the metadata for a
|> single attribute is 48 bytes, adding the SID (28 bytes) would be an
|> expansion of 57% on the _raw_ per attribute metadata size.
|>
|> A sampling of a corporate DB showed the raw metadata size to be 15% of
|> the DIT size, which would lead me to believe the DIT would expand by
|> ~10% for a trivial implementation against this particular corporate
|> DIT.[1]
|>
|> However, if you look at the /showobjmeta for _any_ object, you will
|> realize that is a data structure that is over ripe (like bananas you
|> wouldn't even use for a banana cake) for being compressed. I think I
|> could add a SID, (custom) compress it, and shrink the DIT in size.
|>
|> While you might think a GUID is better, because if you add a GUID, it
|> is only 16 bytes, but that's a very uncompressible 16 bytes,
|> "effectively a random hash". The SID is more likely to compress properly.
|>
|> [1] I expect that corporate DITs vary what % is meta-data by how many
|> certs and big blobs they stick in their AD. I imagine most corporate
|> DITs are worse (as in higher % is metadata) than the one I checked out.
|>
|> Not that I've been thought of it ...
|>
|> Cheers,
|> -BrettSh [msft]
|>
|> This posting is provided "AS IS" with no warranties, and confers no rights.
|>
|> On Fri, 14 Oct 2005, Al Mulnick wrote:
|>
|> > <raises hand>
|> > GUID or SID of the user account that made the delete request. Last
|> > mod may not be enough in case some process gets hold of that data in
|> > the deleted items, even if unlikely. I want the id of the identity
|> > that put caused the object to be there in the first place.
|> >
|> > Having the data for a full undelete option wouldn't seem too
|> > terrible either, although that might significantly increase the
|> > storage in the DIT.
|> > In the past I've had to write apps to keep that information out of
|> > band in order to put back items mistakenly removed. But I can't see
|> > why I should have to trip through all the DC's Audit logs to find
|> > the information about who deleted something given how common this
|> > type of question is. It should be recorded same as the audit log
|> > (we have the information, why not stamp it on the object at time of
|> > deletion?)
|> >
|> > Al
|> >
|> > -----Original Message-----
|> > From: [EMAIL PROTECTED]
|> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
|> > Sent: Friday, October 14, 2005 11:03 AM
|> > To: [email protected]
|> > Subject: RE: [ActiveDir] Knowing when users were deleted.
|> >
|> > Correct, you can currently only get the when and the where (DC Where
|> > not Client Where).
|> >
|> > Which raises the question. How many people would like a metadata
|> > stamp with the GUID or SID of the userid that made the modification
|> > for a given attribute (or value if appropriate)? Or would it be ok
|> > to just have who made the last change to the object? Either way,
|> > none of the "administrators group" nonsense, it points to a specific
|> > security principal.
|> >
|> > _____
|> >
|> > From: [EMAIL PROTECTED]
|> > [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
|> > Sent: Friday, October 14, 2005 3:18 AM
|> > To: [email protected]
|> > Subject: RE: [ActiveDir] Knowing when users were deleted.
|> >
|> > Hi Yann,
|> >
|> > You can find at the deletedobject folder via adfind -showdel and see
|> > the Last modified date - that would be when the object is deleted.
|> >
|> > But as for who deleted - I don't think you can find it without the
|> > auditing.
|> >
|> > Thank you and have a splendid day!
|> >
|> > Kind Regards,
|> >
|> > Freddy Hartono
|> > Group Support Engineer
|> > InternationalSOS Pte Ltd
|> > mail: [EMAIL PROTECTED]
|> > phone: (+65) 6330-9740 - temp
|> >
|> > _____
|> >
|> > From: Yann [mailto:[EMAIL PROTECTED]
|> > Sent: Friday, October 14, 2005 2:57 PM
|> > To: [email protected]
|> > Subject: [ActiveDir] Knowing when users were deleted.
|> >
|> > Hi there,
|> >
|> > I wonder if there is a way to know when a user has been deleted from
|> > AD other than using security audit, because at the time of the
|> > deletion, I forgot to activate the audit :(
|> >
|> > So my boss urges me to find the guilty user AND the time of deletion.
|> > I looked for attributes in adsi and found that there is the
|> > whencreated, whenmodified attribute but not whendeletedtimestamp one.
|> >
|> > Any idea ?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
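
Added example, not part of the original thread or written by any of its participants: one way to pull the "when" and the "DC where" for deleted users from tombstones and their replication metadata, the same data the thread reads with adfind -showdel and /showobjmeta. It assumes the ActiveDirectory PowerShell module (RSAT), which post-dates this 2005 discussion, and an account allowed to read deleted objects; the variable and column names are illustrative.

```powershell
# Added example: report when, and on which DC, each deleted user was tombstoned.
# Assumes the ActiveDirectory (RSAT) module and rights to read deleted objects.
Import-Module ActiveDirectory

# DC to query; replication metadata is read from one specific server.
$dc = (Get-ADDomainController).HostName

# Tombstones keep only a few attributes; sAMAccountName and lastKnownParent
# are among them. objectClass "user" also matches computer accounts.
$tombstones = Get-ADObject -Server $dc -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -Properties whenChanged, lastKnownParent, sAMAccountName

$report = foreach ($t in $tombstones) {
    # Metadata stamp for the isDeleted attribute: originating time and DC.
    $meta = Get-ADReplicationAttributeMetadata -Object $t -Server $dc `
        -IncludeDeletedObjects -Properties isDeleted

    # There is no "who" column: the stamp carries no security principal,
    # so the deleting account still has to come from the audit log.
    [pscustomobject]@{
        Account         = $t.sAMAccountName
        LastKnownParent = $t.lastKnownParent
        WhenChanged     = $t.whenChanged
        DeletedAt       = $meta.LastOriginatingChangeTime
        OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
    }
}

$report | Sort-Object DeletedAt -Descending | Format-Table -AutoSize
```

The OriginatingDC value narrows the search to the one domain controller whose Security log would hold the deletion event, provided auditing was enabled at the time.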
