Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Application to monitor activities in Active Directory.

Last post 10-11-2010, 11:14 AM by gearhead. 10 replies.
  •  08-13-2010, 6:06 AM 8510

    Application to monitor activities in Active Directory.

    Hi All,

    Can an application / service be written to monitor activities on Active Directory using .NET libraries?
    For example: monitoring all actions taken on the user objects in an OU, for

    1) What attributes were updated?,
    2) By which user?,
    3) At what time?,
    4) What was the attribute value before updating?,

    and then logging these activities in a database to generate reports later on.

    If this can be done, can you suggest some general approaches to building such an application / service.

    Thanks,
    Ajit S

  •  08-19-2010, 3:09 AM 8514 in reply to 8510

    Re: Application to monitor activities in Active Directory.

    Related Topics

    Overview of Change Tracking Techniques
    http://msdn.microsoft.com/en-us/library/ms677625(VS.85).aspx

    Change Notifications in Active Directory Domain Services
    http://msdn.microsoft.com/en-us/library/aa772153(VS.85).aspx

    Polling for Changes Using the DirSync Control
    http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx

    Polling for Changes Using USNChanged
    http://msdn.microsoft.com/en-us/library/ms677627(VS.85).aspx

    Implementing Change Notifications in .NET
    http://dunnry.com/blog/ImplementingChangeNotificationsInNET.aspx

    Thanks,
    Ajit S

  •  08-31-2010, 1:34 AM 8530 in reply to 8514

    Re: Application to monitor activities in Active Directory.

    With your links I understood how to find what was changed but not "by which user".

    Did you find a solution for that?

    Thanks,
    Zano
  •  09-16-2010, 8:07 PM 8553 in reply to 8530

    Re: Application to monitor activities in Active Directory.

    This is not stored in AD.  You need to use auditing at the server or DC level for that.  Software packages exist that will do something like this, but it is not built-in to anything.  I would simply buy a package rather than try to create my own audit software.


    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  09-28-2010, 6:56 AM 8583 in reply to 8553

    Re: Application to monitor activities in Active Directory.

    Dunnry,

    So is it possible to build such an application using our DirectoryServices namespace?

    I was wondering if I have to monitor the event logs for auditing? Please comment on this!

    or

    Are there any inbuilt events in Active Directory that I can handle whenever a change occurs on an object. For example: if I change a user account, is there an event specific for this that Active Directory raises which can be handled by us?

    The whole idea for this post is to know about the concept behind how the existing auditing products pull this off!!!!

    Thanks,
    Ajit S

  •  09-30-2010, 3:26 PM 8591 in reply to 8583

    Re: Application to monitor activities in Active Directory.

    I too am curious about this, as I was thinking of creating my own free AD change monitoring app but couldn't figure out how you could find out which user made a specific change to AD (though I never spent that much time looking into it). I tried enabling auditing for AD and looking in the event logs but if I remember rightly they just told you what had changed and not who had changed it.

    I'm a bit puzzled by this line of yours though:
    "Are there any inbuilt events in active directory that i can handle when ever a change occurs on an object. For ex: If I change an user account, is there an event specific for this that the active directory raises which can be handled by us?"
    because it was you that already posted several links to MSDN articles that answer that question...
    My website: cjwdev.co.uk
    My blog: cjwdev.wordpress.com
  •  10-01-2010, 1:16 AM 8599 in reply to 8591

    Re: Application to monitor activities in Active Directory.

    Hi Chris,

    Yes, I'm aware of the links that I posted on the Change Notification.
    But what that article says is that DirectoryServices.Protocols exposes a control called "DirectoryNotificationControl" that can be added to your search request, which would then notify you asynchronously whenever a change occurs. Now this notification is very generic which works for any action on the objects.

    What I wanted to know is if there are controls or events that can be used for very specific actions like modifying user attributes, reset password, delete object, alone, which then would give us more information about the action than just some attributes returned in the case of "DirectoryNotificationControl".

    Will it be possible to do real-time monitoring of activities and note down
    who, when and what related information?

    Thanks,
    Ajit S
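
    The notification mechanism Ajit describes above, as an added C# example (not code from the thread or from any of the linked articles): a one-level search on an OU with DirectoryNotificationControl attached, sent asynchronously so the DC pushes a SearchResultEntry each time an object under that OU changes. The server name and OU DN are placeholders, and the callback only shows the "what" side of the question: the entry that changed and the attributes requested, with no originating user and no previous value.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not from the thread. Registers an LDAP change notification on
// an OU and reports each notified entry. The server and base DN below are
// assumptions to replace with your own.
class AdChangeWatcher
{
    static void Main()
    {
        string server = "dc01.example.com";            // assumption
        string baseDn = "OU=Staff,DC=example,DC=com";  // assumption

        using (var connection = new LdapConnection(server))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.Credential = CredentialCache.DefaultNetworkCredentials;
            connection.Bind();

            // A notification search must be scope OneLevel (or Base) with the
            // filter (objectClass=*); the DC keeps the request open and streams
            // an entry whenever something beneath baseDn is modified.
            var request = new SearchRequest(
                baseDn,
                "(objectClass=*)",
                SearchScope.OneLevel,
                "distinguishedName", "whenChanged", "uSNChanged");
            request.Controls.Add(new DirectoryNotificationControl());

            IAsyncResult result = connection.BeginSendRequest(
                request,
                TimeSpan.FromDays(1),   // keep the request open for a long time
                PartialResultProcessing.ReturnPartialResultsAndNotifyCallback,
                OnNotification,
                connection);

            Console.WriteLine("Watching {0}; press Enter to stop.", baseDn);
            Console.ReadLine();
            connection.Abort(result);   // tears down the long-running search
        }
    }

    // Invoked by the framework each time the DC sends new partial results.
    static void OnNotification(IAsyncResult ar)
    {
        var connection = (LdapConnection)ar.AsyncState;
        PartialResultsCollection results = connection.GetPartialResults(ar);
        foreach (SearchResultEntry entry in results)
        {
            object usn = entry.Attributes.Contains("uSNChanged")
                ? entry.Attributes["uSNChanged"][0]
                : null;
            // The notification identifies WHICH object changed (plus the few
            // attributes requested). It carries no "who" and no old value, so
            // it is a trigger for further lookup, not an audit record by itself.
            Console.WriteLine("{0:u} changed: {1} (uSNChanged={2})",
                DateTime.UtcNow, entry.DistinguishedName, usn);
        }
    }
}
```

    Because the notification only tells you that the object changed, a monitoring service built this way still has to pair it with something else (the DirSync or uSNChanged polling from the linked articles for the full attribute set, and Directory Service Changes auditing on the DC for the user who made the change).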

  •  10-07-2010, 5:37 PM 8639 in reply to 8599

    Re: Application to monitor activities in Active Directory.

    I'm really curious about how these 3rd party auditing programs work now... like this one for example: http://www.netwrix.com/active_directory_change_reporting_freeware_video_demo.html

    As you can see from the video, they just run a scheduled task once a day to collect the information - now that's easy enough to figure out what changed between each run of the program but how on earth does it know who made the changes or when the change happened!? I'm going to install it on a test server and see if I can figure out how it works for curiosity's sake more than anything else :)
    My website: cjwdev.co.uk
    My blog: cjwdev.wordpress.com
  •  10-08-2010, 3:48 AM 8640 in reply to 8639

    Re: Application to monitor activities in Active Directory.

    Hello Chris,
    We can find out who made the changes by just looking into the event logs. Just check the 'User' column in the security log. It mentions the User who initiated the action. To check when it was done, check the "Date" & "Time" columns of the event logs.

    Netwrix must probably be reading the logs for this information. But, for this to happen, Auditing must be enabled.
    I'm very keen to find how someone would record the changes without having to read the eventlogs, just like the "Quest ChangeAuditor".

    The following thread has more discussion on the same topic. You may find what you are looking for. Please let me know what you find out. :)
    http://directoryprogramming.net/forums/thread/7580.aspx

    Thanks,
    Ajit S

  •  10-08-2010, 4:06 PM 8644 in reply to 8640

    Re: Application to monitor activities in Active Directory.

    Yeah you were right, the Netwrix product does enable security auditing. Are you positive that there are products that don't require auditing to be enabled and can still tell you who/when?
    My website: cjwdev.co.uk
    My blog: cjwdev.wordpress.com
  •  10-11-2010, 11:14 AM 8653 in reply to 8644

    Re: Application to monitor activities in Active Directory.

    chris128:
    Yeah you were right, the Netwrix product does enable security auditing. Are you positive that there are products that don't require auditing to be enabled and can still tell you who/when?


    This is the only way to discover who made a change to an object.
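
    The conclusion of the thread is that the "who" and "when" come from security auditing on the DC, not from the directory itself. As an added C# example (not from the thread or any product mentioned in it), this reads the Directory Service Changes audit events from the Security log (event ID 5136, written once the "Audit Directory Service Changes" subcategory is enabled) and extracts the four things the original question asked for: the attribute, the user, the time, and the value. The remote DC name in the comment is an assumption; run it with Event Log Readers rights or elevated on the DC.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Xml;

// Added example, not from the thread. Parses Security log event 5136
// ("A directory service object was modified") into who / what / when / value.
class DsChangeAuditReader
{
    // One parsed 5136 record.
    class AttributeChange
    {
        public DateTime When;
        public string Who;           // SubjectDomainName\SubjectUserName
        public string ObjectDn;
        public string Attribute;     // AttributeLDAPDisplayName
        public string Value;
        public string Operation;     // "Value Added" or "Value Deleted"
        public string CorrelationId; // OpCorrelationID groups one LDAP modify
    }

    static void Main()
    {
        // XPath filter: only event 5136 from the Security log. For a remote DC,
        // pass new EventLogSession("dc01.example.com") (assumed name) as the
        // EventLogQuery's Session property.
        var query = new EventLogQuery("Security", PathType.LogName,
            "*[System[EventID=5136]]");

        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    AttributeChange c = Parse(record);
                    Console.WriteLine("{0:u} {1} {2} {3}={4} on {5} [{6}]",
                        c.When, c.Who, c.Operation, c.Attribute, c.Value,
                        c.ObjectDn, c.CorrelationId);
                }
            }
        }
    }

    // Read named EventData fields from the record's XML instead of relying on
    // positional Properties[] indexes, which differ between event versions.
    static AttributeChange Parse(EventRecord record)
    {
        var doc = new XmlDocument();
        doc.LoadXml(record.ToXml());
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("e", "http://schemas.microsoft.com/win/2004/08/events/event");
        Func<string, string> field = name =>
        {
            XmlNode n = doc.SelectSingleNode(
                "/e:Event/e:EventData/e:Data[@Name='" + name + "']", ns);
            return n == null ? "" : n.InnerText;
        };

        // OperationType is stored as a message-table reference in the raw XML:
        // %%14674 = Value Added, %%14675 = Value Deleted.
        string op = field("OperationType") == "%%14675" ? "Value Deleted" : "Value Added";

        return new AttributeChange
        {
            When = record.TimeCreated.GetValueOrDefault().ToUniversalTime(),
            Who = field("SubjectDomainName") + "\\" + field("SubjectUserName"),
            ObjectDn = field("ObjectDN"),
            Attribute = field("AttributeLDAPDisplayName"),
            Value = field("AttributeValue"),
            Operation = op,
            CorrelationId = field("OpCorrelationID"),
        };
    }
}
```

    This also answers the "value before updating" part of the original question: a replace of an attribute is logged as two 5136 events sharing one OpCorrelationID, a "Value Deleted" event carrying the old value and a "Value Added" event carrying the new one, so grouping records by CorrelationId reconstructs the before/after pair for the database the first post wanted to populate.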