[AccessD] Active Directory Logger

DWUTKA at marlow.com DWUTKA at marlow.com
Fri Dec 23 02:02:20 CST 2005


I recently built a system to monitor active directory accounts.  It has a
few parts:

NT Service which records, on a daily basis, account information for every
user in the domain (Name info (first, last, display), account created, last
logged on, etc.), then records all of the groups in the domain, and relates
group membership (what groups each user is in).  It does this full data dump
once a day, but the service checks every minute for accounts that are locked
out.  (Our domain is set to lock an account if someone fails to authenticate
5 times in a row.  It unlocks the account after 30 minutes...unless we
manually go in and unlock it)  When it detects a user account is locked, it
sends out an email saying what accounts are locked.  When they unlock,
another email goes out.

Database:  Obviously stores the information, but it is designed for general
'read-only' access.  To be able to modify the data, you must use an .mdw
with security account designed to allow data modification.  The NT Service
and the next component (the web .dll) both have the ability to change data
(obviously...), but just opening the database allows the user to read
anything, just not change it.  That is important, because I built this for
Sarbanes Oxley compliance, which requires monitoring Security Accounts, so
there have to be security measures in place to prevent someone from
tampering with the 'log'.

Web Dll and ASP pages:  There is an ActiveX .dll, which works with a few
.asp pages which then allow for viewing and 'reviewing' log information.
There are various viewing methods.  (Current AD information, changes between
selected dates, etc.).  The 'reviewing' part is setup so that a network
administrator can review daily changes to the Directory, and click a button
that marks that day's log as reviewed (it gives a place to record a comment
about that day's log, and then records the user's NT Name, time 'reviewed' and
the comments (if any)).

I'm posting about this here, to find out if anyone is interested in this.
Since we are now a public company (so the company I work for now has a
parent company, and several 'sister' companies), I've been developing stuff
to be drop in place more often (less 'Marlow Dependent' (I work for Marlow
Industries)).  This system, for instance, has only one thing hard coded that
would need to be changed to use in any Active Directory network, and that is
the email alerts have our Exchange server hard coded (but that's pretty
simple to set up an .ini file to set the SMTP server to use).  Anyhow, I am
going to be talking to some of the higher ups, to see if they want me to
start selling some of these 'applications' I've been writing, on our website
(the shopping cart on there is something I built also, so it should be
pretty easy to set it up for selling software online).  I plan on giving
AccessD members free full versions, for both beta testing and word of mouth,
so AccessD membership does have its benefits.

Drew
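The lockout check Drew describes (poll every minute, mail once when an account locks and once when it unlocks, SMTP server taken from an .ini file) can be sketched in present-day PowerShell as follows. This is an added example, not Drew's service or any code from the post; the file paths and the .ini key names (SmtpServer, From, To) are assumptions, and the host is assumed to be domain-joined. One caveat the post's 30-minute auto-unlock makes important: the lockoutTime attribute stays set after the lockout duration expires, so the script reads the constructed msDS-User-Account-Control-Computed attribute and tests its UF_LOCKOUT bit (0x10) instead of trusting lockoutTime alone.

```powershell
# Added example: one polling pass of an AD lockout monitor (run it from a
# scheduled task every minute). Paths and .ini keys below are assumptions.
$StateFile = 'C:\ADLogger\locked.json'                     # previous poll's locked accounts
$Settings  = ConvertFrom-StringData (Get-Content -Raw 'C:\ADLogger\settings.ini')
#   settings.ini (constructed sample):  SmtpServer=mail.example.invalid
#                                       From=adlogger@example.invalid
#                                       To=netadmins@example.invalid

function Get-LockedAccounts {
    # lockoutTime>=1 narrows the search, but an account whose lockout duration
    # has elapsed still carries a non-zero lockoutTime. The DC evaluates the
    # effective state in msDS-User-Account-Control-Computed; bit 0x10 = UF_LOCKOUT.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        @('sAMAccountName', 'msDS-User-Account-Control-Computed'))
    foreach ($r in $searcher.FindAll()) {
        $computed = [int]$r.Properties['msds-user-account-control-computed'][0]
        if ($computed -band 0x10) { [string]$r.Properties['samaccountname'][0] }
    }
}

function Compare-LockState {
    # Returns who locked since the last poll and who unlocked (auto or manual).
    param([string[]]$Previous, [string[]]$Current)
    [pscustomobject]@{
        Locked   = @($Current  | Where-Object { $_ -notin $Previous })
        Unlocked = @($Previous | Where-Object { $_ -notin $Current })
    }
}

$previous = if (Test-Path $StateFile) { @(Get-Content -Raw $StateFile | ConvertFrom-Json) } else { @() }
$current  = @(Get-LockedAccounts)
$delta    = Compare-LockState -Previous $previous -Current $current

foreach ($kind in 'Locked', 'Unlocked') {
    if ($delta.$kind.Count -gt 0) {
        # One mail per transition type, SMTP server from the .ini rather than hard coded
        Send-MailMessage -SmtpServer $Settings.SmtpServer -From $Settings.From -To $Settings.To `
            -Subject "AD accounts $($kind.ToLower()): $($delta.$kind.Count)" `
            -Body ($delta.$kind -join "`n")
    }
}

# Persist this poll so the next run only reports changes
ConvertTo-Json -InputObject @($current) | Set-Content $StateFile
```

Because the state file is what turns a snapshot into lock/unlock events, it deserves the same tamper protection the post gives the log database; a writer-only ACL for the service account is the minimum.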


