DWUTKA at marlow.com
Fri Dec 23 13:27:43 CST 2005
ADO. (Which I guess is ADSI...in a way...).

Want to see the code?

Drew

-----Original Message-----
From: MartyConnelly [mailto:martyconnelly at shaw.ca]
Sent: Friday, December 23, 2005 1:19 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Active Directory Logger

Just curious, which methods did you use: LDAP, ADSI or WMI?

DWUTKA at marlow.com wrote:

>I recently built a system to monitor active directory accounts. It has a
>few parts:
>
>NT Service which records, on a daily basis, account information for every
>user in the domain (Name info (first, last, display), account created, last
>logged on, etc.), then records all of the groups in the domain, and relates
>group membership (what groups each user is in). It does this full data dump
>once a day, but the service checks every minute for accounts that are locked
>out. (Our domain is set to lock an account if someone fails to authenticate
>5 times in a row. It unlocks the account after 30 minutes...unless we
>manually go in and unlock it) When it detects a user account is locked, it
>sends out an email saying what accounts are locked. When they unlock,
>another email goes out.
>
>Database: Obviously stores the information, but it is designed for general
>'read-only' access. To be able to modify the data, you must use an .mdw
>with security account designed to allow data modification. The NT Service
>and the next component (the web .dll) both have the ability to change data
>(obviously...), but just opening the database allows the user to read
>anything, just not change it. That is important, because I built this for
>Sarbanes Oxley compliance, which requires monitoring Security Accounts, so
>there have to be security measures in place to prevent someone from
>tampering with the 'log'.
>
>Web Dll and ASP pages: There is an ActiveX .dll, which works with a few
>.asp pages which then allow for viewing and 'reviewing' log information.
>There are various viewing methods. (Current AD information, changes between
>selected dates, etc.). The 'reviewing' part is set up so that a network
>administrator can review daily changes to the Directory, and click a button
>that marks that day's log as reviewed (it gives a place to record a comment
>about that day's log, and then records the user's NT Name, time 'reviewed' and
>the comments (if any)).
>
>I'm posting about this here, to find out if anyone is interested in this.
>Since we are now a public company (so the company I work for now has a
>parent company, and several 'sister' companies), I've been developing stuff
>to be drop in place more often (less 'Marlow Dependent' (I work for Marlow
>Industries)). This system, for instance, has only one thing hard coded that
>would need to be changed to use in any Active Directory network, and that is
>the email alerts have our Exchange server hard coded, but that's pretty
>simple to set up an .ini file to set the SMTP server to use). Anyhow, I am
>going to be talking to some of the higher ups, to see if they want me to
>start selling some of these 'applications' I've been writing, on our website
>(the shopping cart on there is something I built also, so it should be
>pretty easy to set it up for selling software online). I plan on giving
>AccessD members free full versions, for both beta testing and word of mouth,
>so AccessD membership does have its benefits.
>
>Drew
>
>

--
Marty Connelly
Victoria, B.C.
Canada

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
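
The lock/unlock alerting described in the quoted post, sketched in Python as an added example (this is not the poster's ADO/NT Service code). It turns successive polls of the locked-account list into one alert per transition, and uses the 30-minute policy from the post to guess whether an unlock was automatic or done by an administrator; the class, function and account names, the auto/manual heuristic and the sample polls are assumptions made for illustration.

```python
from datetime import datetime, timedelta

LOCKOUT_DURATION = timedelta(minutes=30)  # from the post: auto-unlock after 30 minutes
POLL_INTERVAL = timedelta(minutes=1)      # from the post: service checks every minute


class LockoutTracker:
    """Turns successive polls of 'currently locked' accounts into alert events."""

    def __init__(self):
        self.first_seen = {}  # account -> time the lock was first observed

    def observe(self, now, locked_accounts):
        locked = set(locked_accounts)
        events = []
        # Newly locked: alert once, not on every poll while the lock persists.
        for account in sorted(locked - set(self.first_seen)):
            self.first_seen[account] = now
            events.append((now, account, "locked"))
        # No longer locked: alert again and classify the unlock.
        for account in sorted(set(self.first_seen) - locked):
            held = now - self.first_seen.pop(account)
            # The lock began up to one poll before it was first seen, so allow
            # that much slack before calling an unlock "early" (heuristic).
            auto = held >= LOCKOUT_DURATION - POLL_INTERVAL
            events.append((now, account, "unlocked-auto" if auto else "unlocked-manual"))
        return events


def run_demo():
    # Constructed sample polls (hypothetical accounts); polls with no change
    # in the locked set are omitted for brevity.
    day = datetime(2005, 12, 23)
    polls = [
        (day.replace(hour=9, minute=0), []),
        (day.replace(hour=9, minute=1), ["jsmith"]),
        (day.replace(hour=9, minute=2), ["jsmith", "akhan"]),
        (day.replace(hour=9, minute=10), ["jsmith"]),  # akhan released after 8 min
        (day.replace(hour=9, minute=31), []),          # jsmith released after 30 min
    ]
    tracker = LockoutTracker()
    events = []
    for when, locked in polls:
        events.extend(tracker.observe(when, locked))
    return events


if __name__ == "__main__":
    for when, account, kind in run_demo():
        print(when.strftime("%H:%M"), account, kind)
```

An unlock flagged as manual is an administrative action, so in a setup like the one described it is the kind of event a daily log review would want recorded alongside the lockout itself.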