[AccessD] Active Directory Logger

MartyConnelly martyconnelly at shaw.ca
Fri Dec 23 13:18:50 CST 2005


Just curious, which method did you use: LDAP, ADSI or WMI?

DWUTKA at marlow.com wrote:

>I recently built a system to monitor active directory accounts.  It has a
>few parts:
>
>NT Service which records, on a daily basis, account information for every
>user in the domain (Name info (first, last, display), account created, last
>logged on, etc.), then records all of the groups in the domain, and relates
>group membership (what groups each user is in).  It does this full data dump
>once a day, but the service checks every minute for accounts that are locked
>out.  (Our domain is set to lock an account if someone fails to authenticate
>5 times in a row.  It unlocks the account after 30 minutes...unless we
>manually go in and unlock it)  When it detects a user account is locked, it
>sends out an email saying what accounts are locked.  When they unlock,
>another email goes out.
>
>Database:  Obviously stores the information, but it is designed for general
>'read-only' access.  To be able to modify the data, you must use an .mdw
>with security account designed to allow data modification.  The NT Service
>and the next component (the web .dll) both have the ability to change data
>(obviously...), but just opening the database allows the user to read
>anything, just not change it.  That is important, because I built this for
>Sarbanes Oxley compliance, which requires monitoring Security Accounts, so
>there have to be security measures in place to prevent someone from
>tampering with the 'log'.
>
>Web Dll and ASP pages:  There is an ActiveX .dll, which works with a few
>.asp pages which then allow for viewing and 'reviewing' log information.
>There are various viewing methods.  (Current AD information, changes between
>selected dates, etc.).  The 'reviewing' part is set up so that a network
>administrator can review daily changes to the Directory, and click a button
>that marks that day's log as reviewed (it gives a place to record a comment
>about that day's log, and then records the user's NT Name, time 'reviewed' and
>the comments (if any)).
>
>I'm posting about this here, to find out if anyone is interested in this.
>Since we are now a public company (so the company I work for now has a
>parent company, and several 'sister' companies), I've been developing stuff
>to be drop in place more often (less 'Marlow Dependent' (I work for Marlow
>Industries).  This system, for instance, has only one thing hard coded that
>would need to be changed to use in any Active Directory network, and that is
>the email alerts have our Exchange server hard coded, but that's pretty
>simple to setup an .ini file to set the SMTP server to use).  Anyhow, I am
>going to be talking to some of the higher ups, to see if they want me to
>start selling some of these 'applications' I've been writing, on our website
>(the shopping cart on there is something I built also, so it should be
>pretty easy to set it up for selling software online).  I plan on giving
>AccessD members free full versions, for both beta testing and word of mouth,
>so AccessD membership does have its benefits.
>
>Drew
>

-- 
Marty Connelly
Victoria, B.C.
Canada
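The per-minute lockout check Drew describes (poll the domain, email when an account becomes locked and again when it unlocks, with the SMTP server read from a settings file rather than hard-coded) is easy to sketch with the ActiveDirectory PowerShell module. This is an added example, not Drew's service or any code from the thread; it assumes the RSAT ActiveDirectory module is installed, that a relay accepts mail from the host, and that a settings file named `adwatch.ini` with the keys `SmtpServer`, `From` and `To` sits next to the script (file name and key names are assumptions).

```powershell
# Added example: a minimal locked-out account watcher. Not the code from the post.
# Assumes the ActiveDirectory module (RSAT) and a reachable SMTP relay.
Import-Module ActiveDirectory

# Read settings from a plain "key=value" file so nothing is hard-coded.
# Assumed file name and keys: adwatch.ini with SmtpServer, From, To.
function Get-WatcherSettings {
    param([string]$Path = "$PSScriptRoot\adwatch.ini")
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([^=#]+?)\s*=\s*(.*?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    return $settings
}

# Current set of locked-out user accounts, by sAMAccountName.
function Get-LockedAccounts {
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique
}

# Diff two snapshots: who became locked, who became unlocked since last poll.
function Compare-LockState {
    param([string[]]$Previous, [string[]]$Current)
    $locked   = @($Current  | Where-Object { $_ -notin $Previous })
    $unlocked = @($Previous | Where-Object { $_ -notin $Current })
    return [pscustomobject]@{ Locked = $locked; Unlocked = $unlocked }
}

# Send one mail per event type; silent when there is nothing to report.
function Send-LockoutAlert {
    param([hashtable]$Settings, [string]$Subject, [string[]]$Accounts)
    if ($Accounts.Count -eq 0) { return }
    Send-MailMessage -SmtpServer $Settings['SmtpServer'] `
        -From $Settings['From'] -To $Settings['To'] `
        -Subject $Subject -Body ($Accounts -join "`n")
}

# Append-only text log so reviewers can see the history of lock/unlock events.
function Write-LockoutLog {
    param([string]$Event, [string[]]$Accounts)
    foreach ($a in $Accounts) {
        Add-Content -Path "$PSScriptRoot\lockouts.log" `
            -Value "$(Get-Date -Format o) $Event $a"
    }
}

# Poll once a minute, as the service in the post does.
$settings = Get-WatcherSettings
$previous = @(Get-LockedAccounts)
while ($true) {
    Start-Sleep -Seconds 60
    $current = @(Get-LockedAccounts)
    $delta   = Compare-LockState -Previous $previous -Current $current
    Send-LockoutAlert -Settings $settings -Subject 'AD accounts locked out' -Accounts $delta.Locked
    Send-LockoutAlert -Settings $settings -Subject 'AD accounts unlocked'   -Accounts $delta.Unlocked
    Write-LockoutLog -Event 'LOCKED'   -Accounts $delta.Locked
    Write-LockoutLog -Event 'UNLOCKED' -Accounts $delta.Unlocked
    $previous = $current
}
```

Because `Search-ADAccount -LockedOut` reports an account as locked only while the domain's lockout duration has not yet expired, a 30-minute automatic unlock like the one in Drew's domain shows up as an "unlocked" event on the next poll without anyone touching the account; if the reviewers need to distinguish manual unlocks from timeouts, that has to be recorded separately. The text log here is only append-only by convention; for the tamper-resistance Drew wanted for Sarbanes-Oxley review, the log should live somewhere the watcher's service account can write but ordinary users cannot.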