[AccessD] Active Directory Logger

MartyConnelly martyconnelly at shaw.ca
Fri Dec 23 14:17:06 CST 2005


Just wondering 'cause there is this product that you can add VBS scripts to
using some odd ADO providers that I hadn't heard of before. I have used
some of their sample WMI scripts from Access. I try to stay away from
this code because some network admins get all excited if I even mention
its use. I am testing using WinXP Home that doesn't install these providers.

http://www.activxperts.com/activmonitor/

As an example
http://www.activexperts.com/activmonitor/windowsmanagement/adsi/

' Search the base object and everything beneath it
Const ADS_SCOPE_SUBTREE = 2

' Open an ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Computer objects in the domain that report OS version 5.0 (2195)
objCommand.CommandText = _
    "SELECT Name, Location, operatingSystemVersion FROM " _
    & "'LDAP://DC=fabrikam,DC=com' WHERE objectClass='computer' " _
    & "and operatingSystemVersion = '5.0 (2195)'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty result set, so guard it
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop

' Release the recordset and the connection
objRecordSet.Close
objConnection.Close

DWUTKA at marlow.com wrote:

>ADO.  (Which I guess is ADSI...in a way...).  Want to see the code?
>
>Drew
>
>-----Original Message-----
>From: MartyConnelly [mailto:martyconnelly at shaw.ca]
>Sent: Friday, December 23, 2005 1:19 PM
>To: Access Developers discussion and problem solving
>Subject: Re: [AccessD] Active Directory Logger
>
>
>Just curious which methods did you use LDAP, ADSI or WMI?
>
>DWUTKA at marlow.com wrote:
>
>>I recently built a system to monitor active directory accounts.  It has a
>>few parts:
>>
>>NT Service which records, on a daily basis, account information for every
>>user in the domain (Name info (first, last, display), account created, last
>>logged on, etc.), then records all of the groups in the domain, and relates
>>group membership (what groups each user is in).  It does this full data dump
>>once a day, but the service checks every minute for accounts that are locked
>>out.  (Our domain is set to lock an account if someone fails to authenticate
>>5 times in a row.  It unlocks the account after 30 minutes...unless we
>>manually go in and unlock it)  When it detects a user account is locked, it
>>sends out an email saying what accounts are locked.  When they unlock,
>>another email goes out.
>>
>>Database:  Obviously stores the information, but it is designed for general
>>'read-only' access.  To be able to modify the data, you must use an .mdw
>>with security account designed to allow data modification.  The NT Service
>>and the next component (the web .dll) both have the ability to change data
>>(obviously...), but just opening the database allows the user to read
>>anything, just not change it.  That is important, because I built this for
>>Sarbanes Oxley compliance, which requires monitoring Security Accounts, so
>>there have to be security measures in place to prevent someone from
>>tampering with the 'log'.
>>
>>Web Dll and ASP pages:  There is an ActiveX .dll, which works with a few
>>.asp pages which then allow for viewing and 'reviewing' log information.
>>There are various viewing methods.  (Current AD information, changes between
>>selected dates, etc.).  The 'reviewing' part is set up so that a network
>>administrator can review daily changes to the Directory, and click a button
>>that marks that day's log as reviewed (it gives a place to record a comment
>>about that day's log, and then records the user's NT Name, time 'reviewed'
>>and the comments (if any)).
>>
>>I'm posting about this here, to find out if anyone is interested in this.
>>Since we are now a public company (so the company I work for now has a
>>parent company, and several 'sister' companies), I've been developing stuff
>>to be drop in place more often (less 'Marlow Dependent' (I work for Marlow
>>Industries).  This system, for instance, has only one thing hard coded that
>>would need to be changed to use in any Active Directory network, and that is
>>the email alerts have our Exchange server hard coded, but that's pretty
>>simple to set up an .ini file to set the SMTP server to use).  Anyhow, I am
>>going to be talking to some of the higher ups, to see if they want me to
>>start selling some of these 'applications' I've been writing, on our website
>>(the shopping cart on there is something I built also, so it should be
>>pretty easy to set it up for selling software online).  I plan on giving
>>AccessD members free full versions, for both beta testing and word of mouth,
>>so AccessD membership does have its benefits.
>>
>>Drew

-- 
Marty Connelly
Victoria, B.C.
Canada
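
Added example, not part of the original thread and not code from the service described in the quoted message: the once-a-minute lockout check with "locked" and "unlocked" notifications, reduced to its state-tracking core. It assumes each poll yields a map of account name to the raw lockoutTime attribute; because Active Directory leaves lockoutTime non-zero after the 30-minute window has run out, the check compares the stamp's age as well as its presence. The account name and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)  # auto-unlock window from the thread


def filetime_to_datetime(raw):
    """lockoutTime is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def to_filetime(moment):
    """Inverse conversion, used only to build the constructed samples."""
    return int((moment - FILETIME_EPOCH).total_seconds()) * 10_000_000


def locked_accounts(snapshot, now):
    """Return the accounts whose lockout is still in force at `now`.

    snapshot maps account name -> raw lockoutTime (0 means not locked).
    The stamp stays non-zero after the lockout duration has run out, so its
    age is checked as well as its presence.
    """
    return {name for name, raw in snapshot.items()
            if raw and now - filetime_to_datetime(raw) < LOCKOUT_DURATION}


class LockoutMonitor:
    """Remembers the last locked set so a poll reports only transitions."""

    def __init__(self):
        self.previous = set()

    def poll(self, snapshot, now):
        current = locked_accounts(snapshot, now)
        newly_locked = sorted(current - self.previous)
        unlocked = sorted(self.previous - current)
        self.previous = current
        return newly_locked, unlocked


def demo():
    """Run four polls over constructed data; the account is hypothetical."""
    t0 = datetime(2005, 12, 23, 14, 0, tzinfo=timezone.utc)
    stamp = to_filetime(t0 + timedelta(seconds=30))
    monitor = LockoutMonitor()
    polls = [(0, {"jsmith": 0}), (1, {"jsmith": stamp}),
             (2, {"jsmith": stamp}), (31, {"jsmith": stamp})]
    return [monitor.poll(snap, t0 + timedelta(minutes=m)) for m, snap in polls]
```

Each tuple returned by poll() is (newly locked, newly unlocked); a manual unlock shows up the same way as an expiry, because lockoutTime goes back to 0.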





