[AccessD] Active Directory Logger

DWUTKA at marlow.com DWUTKA at marlow.com
Sun Dec 25 09:58:55 CST 2005


That's two so far (Jim replied to me off list).  Right now my company is on
break, but our CEO told me he would discuss this with our CFO (my boss'
boss) when we get back (on the 3rd of January).  

Drew

	-----Original Message-----
	From:	Arthur Fuller [SMTP:artful at rogers.com]
	Sent:	Sunday, December 25, 2005 3:18 AM
	To:	'Access Developers discussion and problem solving'
	Subject:	Re: [AccessD] Active Directory Logger

	I am interested! What should I do to participate? 
	Arthur

	-----Original Message-----
	From: accessd-bounces at databaseadvisors.com
	[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of DWUTKA at marlow.com
	Sent: December 23, 2005 3:02 AM
	To: accessd at databaseadvisors.com
	Subject: [AccessD] Active Directory Logger

	I recently built a system to monitor Active Directory accounts.  It has a
	few parts:

	NT Service which records, on a daily basis, account information for every
	user in the domain (Name info (first, last, display), account created, last
	logged on, etc.), then records all of the groups in the domain, and relates
	group membership (what groups each user is in).  It does this full data dump
	once a day, but the service checks every minute for accounts that are locked
	out.  (Our domain is set to lock an account if someone fails to authenticate
	5 times in a row.  It unlocks the account after 30 minutes...unless we
	manually go in and unlock it.)  When it detects a user account is locked, it
	sends out an email saying what accounts are locked.  When they unlock,
	another email goes out.

	Database:  Obviously stores the information, but it is designed for general
	'read-only' access.  To be able to modify the data, you must use an .mdw
	with a security account designed to allow data modification.  The NT Service
	and the next component (the web .dll) both have the ability to change data
	(obviously...), but just opening the database allows the user to read
	anything, just not change it.  That is important, because I built this for
	Sarbanes-Oxley compliance, which requires monitoring Security Accounts, so
	there have to be security measures in place to prevent someone from
	tampering with the 'log'.

	Web Dll and ASP pages:  There is an ActiveX .dll, which works with a few
	.asp pages which then allow for viewing and 'reviewing' log information.
	There are various viewing methods.  (Current AD information, changes between
	selected dates, etc.)  The 'reviewing' part is set up so that a network
	administrator can review daily changes to the Directory, and click a button
	that marks that day's log as reviewed (it gives a place to record a comment
	about that day's log, and then records the user's NT Name, time 'reviewed' and
	the comments (if any)).

	I'm posting about this here to find out if anyone is interested in this.
	Since we are now a public company (so the company I work for now has a
	parent company, and several 'sister' companies), I've been developing stuff
	to be drop-in-place more often (less 'Marlow Dependent' (I work for Marlow
	Industries)).  This system, for instance, has only one thing hard coded that
	would need to be changed to use in any Active Directory network, and that is
	the email alerts have our Exchange server hard coded, but that's pretty
	simple to set up an .ini file to set the SMTP server to use.  Anyhow, I am
	going to be talking to some of the higher ups, to see if they want me to
	start selling some of these 'applications' I've been writing, on our website
	(the shopping cart on there is something I built also, so it should be
	pretty easy to set it up for selling software online).  I plan on giving
	AccessD members free full versions, for both beta testing and word of mouth,
	so AccessD membership does have its benefits.

	Drew

	-- 
	AccessD mailing list
	AccessD at databaseadvisors.com
	http://databaseadvisors.com/mailman/listinfo/accessd
	Website: http://www.databaseadvisors.com
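The two detection pieces Drew describes (the one-minute lockout poll that emails only when an account becomes locked or unlocked, and the "changes between selected dates" comparison of daily dumps) re-created here as an added Python example; this is not code from the original post or from Drew's NT service, and the account snapshots and lockout lists are constructed stand-ins for what the service would pull from the directory.

```python
# Added example modelled on the thread's AD logger. DAY1/DAY2 are
# constructed daily dumps (username -> attributes), not real domain data.

DAY1 = {
    "jsmith": {"display": "John Smith", "groups": {"Domain Users", "Finance"}},
    "adoe":   {"display": "Anne Doe",   "groups": {"Domain Users", "Domain Admins"}},
}
DAY2 = {
    "jsmith": {"display": "John Smith", "groups": {"Domain Users", "Finance", "Domain Admins"}},
    "bnew":   {"display": "Bob New",    "groups": {"Domain Users"}},
}


def diff_snapshots(old, new):
    """Changes between two daily dumps: accounts added or removed, and for
    accounts present in both, which groups each gained or lost. This is what a
    reviewer would look at before marking the day's log as reviewed."""
    changes = {"added": sorted(set(new) - set(old)),
               "removed": sorted(set(old) - set(new)),
               "group_changes": {}}
    for user in sorted(set(old) & set(new)):
        gained = new[user]["groups"] - old[user]["groups"]
        lost = old[user]["groups"] - new[user]["groups"]
        if gained or lost:
            changes["group_changes"][user] = {"gained": sorted(gained),
                                              "lost": sorted(lost)}
    return changes


class LockoutMonitor:
    """Keeps the set of accounts seen locked at the previous poll, so an alert
    is produced only on a transition (locked or unlocked), not on every poll.
    Without this state a 30-minute lockout would raise 30 identical emails."""

    def __init__(self):
        self.locked = set()

    def poll(self, currently_locked):
        """Feed the accounts that are locked right now; returns alert lines."""
        now = set(currently_locked)
        newly_locked = sorted(now - self.locked)
        newly_unlocked = sorted(self.locked - now)
        self.locked = now
        alerts = []
        if newly_locked:
            alerts.append("LOCKED: " + ", ".join(newly_locked))
        if newly_unlocked:
            alerts.append("UNLOCKED: " + ", ".join(newly_unlocked))
        return alerts
```

In a real deployment the lockout list would come from a directory query run once a minute and the alert lines would be handed to the mailer, with the SMTP host read from configuration as the post suggests.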
