Hi Everyone,
I am going to write a small software to track active directory changes. I need an expert opinion from members and also validate my findings from you.
What I Need? I want to display information about What (with before and after values), When, Where and Who of any change in AD.
What I Found So Far?
I found that there are different alternatives for tracking AD changes:
- Reading Audit logs. Disadvantage: dependency on native logging, difficult to get useful information from event logs
- Change Notification Control. Disadvantage: performance of Domain Controller, too much information, limitation of five objects
- DirSync Control. Disadvantage: can't scope the monitoring (always monitors the complete domain controller), permission issues
- uSNChanged attribute. Disadvantage: attribute doesn't replicate between domain controllers, complex (to handle moved, deleted, renamed objects)
I also found that for 2, 3, and 4 I need to have a secondary storage (a database) and synchronize it with AD the first time, and for each change I need to compare the changed object with the previously stored object to know what actually changed (before and after value).
What I want to know from forum members?
- Please suggest any solution that would be performance effective and easy to implement in .NET.
- Please suggest if there is any way to know before and after values without having database. If there is no way please suggest a way to make a clone of AD in SQL Server database.
- Any helpful hint/tip to get this task done.
I don't need code level details at this time, I just need a high level plan so that I can proceed further.
Please let me know if I didn't make anything clear.
And sorry for the long text :( .
Thank you -Faisal
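As an added illustration of the "DirSync plus a stored copy" approach from option 3 (this is example code written for this thread, not from the poster or any product): one DirSync poll over System.DirectoryServices.Protocols, diffed against an in-memory snapshot that stands in for the SQL Server table. The `AdChangeTracker`, `Poll` and `AttributeChange` names are hypothetical; the connection is assumed to run as an account holding the "Replicating Directory Changes" right, which is the permission issue mentioned above.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Linq;

// Hypothetical helper: one DirSync poll diffed against a snapshot that stands in for the database.
public record AttributeChange(Guid ObjectGuid, string Dn, string Attribute, string[] Before, string[] After);

public static class AdChangeTracker
{
    // Snapshot keyed by objectGUID, so a renamed or moved object still matches the same stored row.
    public static readonly Dictionary<Guid, Dictionary<string, string[]>> Snapshot = new();

    // Returns the changes since `cookie` and the new cookie to persist for the next poll.
    // The first call (cookie == null) loads the whole naming context into Snapshot and
    // reports nothing, because there is no "before" state yet.
    public static (List<AttributeChange> Changes, byte[] Cookie) Poll(LdapConnection conn, string namingContext, byte[] cookie)
    {
        var changes = new List<AttributeChange>();
        bool firstSync = cookie == null;
        DirSyncResponseControl ctl;
        do
        {
            // DirSync cannot be scoped below the naming context root; the filter only narrows what is returned.
            var req = new SearchRequest(namingContext, "(objectClass=*)", SearchScope.Subtree, null);
            // IncrementalValues: only the attributes that changed come back, plus objectGUID.
            req.Controls.Add(new DirSyncRequestControl(cookie, DirectorySynchronizationOptions.IncrementalValues));
            var resp = (SearchResponse)conn.SendRequest(req);
            foreach (SearchResultEntry entry in resp.Entries)
            {
                var guid = new Guid((byte[])entry.Attributes["objectGUID"].GetValues(typeof(byte[]))[0]);
                if (!Snapshot.TryGetValue(guid, out var stored))
                    Snapshot[guid] = stored = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
                foreach (string attr in entry.Attributes.AttributeNames)
                {
                    if (attr.Equals("objectGUID", StringComparison.OrdinalIgnoreCase)) continue;
                    var after = entry.Attributes[attr].GetValues(typeof(string)).Cast<string>().ToArray();
                    stored.TryGetValue(attr, out var before);          // null means the attribute was absent
                    var beforeSafe = before ?? Array.Empty<string>();
                    if (!firstSync && !beforeSafe.SequenceEqual(after))
                        changes.Add(new AttributeChange(guid, entry.DistinguishedName, attr, beforeSafe, after));
                    stored[attr] = after;                                // keep the snapshot current
                }
                // A deleted object arrives as a tombstone with isDeleted=TRUE and a changed DN; the row is
                // kept, so the "before" values of the deleted object remain available.
            }
            ctl = resp.Controls.OfType<DirSyncResponseControl>().First();
            cookie = ctl.Cookie;                                          // persist this between runs
        } while (ctl.MoreData);
        return (changes, cookie);
    }
}
```

This gives the What (before/after) and, through whenChanged, the When; DirSync does not carry the Who, so the originating user still has to come from the audit log path listed as option 1.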