| Author | Messages | |
boubbha
Posts:29
 | | 10/14/2005 7:00 AM |
| | Message body was not found. | | | |
| bdesmond
Posts:366
 | | 10/14/2005 7:03 AM |
| Was going to ask that myself.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005
2:54 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing
when users were deleted.
Gentlemen,
"WHICH IS CHEAPER?"
LOL
RH
__________________________________
-----Original Message-----
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005
1:33 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing
when users were deleted.
Ok, now you've done it Gil :-) I guess
this is the geek version of "dueling banjos" :-)
Quest's InTrust for Active Directory
provides detailed, real-time auditing and alerting of all changes to AD and
Group Policy Objects (GPOs), including changes to AD configuration and GPO
settings. It also provides all information behind important changes, including
who made the change and the before and after values all without requiring
native auditing. http://wm.quest.com/products/InTrustAD/
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005
10:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing
when users were deleted.
NetPro's ChangeAuditor for AD does this
without requiring auditing. The change log includes what was changed, before
and after values, when, where, and by whom.
See http://www.netpro.com/products/changemanager/
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Yann
Sent: Thursday, October 13, 2005
11:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when
users were deleted.
Hi there,
I wonder if there is a way to know when a user has been deleted from AD
other than using security audt, because at the time of the deletion, i forgot
to activate the audit :(
So my boss urge me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the
whencreated, whenmodified attribute but not whendeletedtimestamp one.
Any idea ?
| | | |
| FreddyHARTONO
Posts:19
 | | 10/14/2005 7:21 AM |
| Hi Yann,
You can find at the deletedobject folder via adfind
-showdel and see the Last modified date - that would be when the object is
deleted.
But as for who deleted - I dont think you can find it
without the auditing.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail:
freddy.hartono@xxxxxxxxxxxxxxxxxxxx phone:
(+65) 6330-9740 - temp
| | | |
| darren.marelia@xxxx.yyy
 | | 10/14/2005 7:37 AM |
| Come on...we're software companies. The price is directly
related to the number of days left in a particular quarter.
Its called "vendor management" :-)
| | | |
| bdesmond
Posts:366
 | | 10/14/2005 7:49 AM |
| When™s the end of the Quest FY?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
| | | |
| listmail
Posts:454
 | | 10/14/2005 11:54 AM |
| Adfind saved your job?
Hmmm that sounds like it is work 25% of your salary for the
next year. ;o)
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
YannSent: Friday, October 14, 2005 11:18 AMTo:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir] Knowing when
users were deleted.
Hi Freddy,
The information you gave rocks !
I did not think using the Last modified date attribute and
query it with the magic joe's tool :
-> "adfind -default -showdel -f isdeleted=TRUE"
It saves my job ! :)
The security audit is now configured and on.
Thanks for your help.
Yann
| | | |
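The exchange above dates a deletion from the tombstone's last-modified time. As an added example that is not part of the thread, the Python below reads the replication metadata of `isDeleted` from a tombstone's `msDS-ReplAttributeMetaData` values, which gives the originating time of the deletion and the DC it was made on; every DN, GUID, time and DC name in it is constructed sample data.

```python
"""Added example: when and where was an AD object deleted?

Works on the msDS-ReplAttributeMetaData values of tombstones (deleted objects).
All DNs, GUIDs, times and DC names below are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# A tombstone RDN is "<old name>\0ADEL:<objectGUID>"; "\0A" is the DN-escaped
# newline that AD puts between the old name and the GUID.
TOMBSTONE_RDN = re.compile(r"^[A-Za-z]+=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),")


def parse_meta(xml_value):
    """Parse one DS_REPL_ATTR_META_DATA XML fragment into a dict."""
    # Some LDAP clients hand the value back with a trailing NUL; drop it.
    root = ET.fromstring(xml_value.strip("\x00 \t\r\n"))

    def field(tag):
        return (root.findtext(tag) or "").strip()

    return {
        "attribute": field("pszAttributeName"),
        "version": int(field("dwVersion")),
        "changed": datetime.strptime(
            field("ftimeLastOriginatingChange"), "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc),
        "dsa_dn": field("pszLastOriginatingDsaDN"),
        "invocation_id": field("uuidLastOriginatingDsaInvocationID"),
    }


def originating_dc(meta):
    """Name of the DC that originated the write (the 'where')."""
    dn = meta["dsa_dn"]
    if not dn:
        # The NTDS Settings object is gone (DC demoted); only the ID remains.
        return "unknown DC (invocation ID %s)" % meta["invocation_id"]
    # DN form: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    parts = dn.split(",")
    return parts[1].split("=", 1)[1] if len(parts) > 1 else dn


def deletion_record(dn, meta_values):
    """Return when/where an object was deleted, or None if isDeleted was never written."""
    metas = [parse_meta(v) for v in meta_values]
    deleted = next((m for m in metas if m["attribute"].lower() == "isdeleted"), None)
    if deleted is None:
        return None
    rdn = TOMBSTONE_RDN.match(dn)
    return {
        "name": rdn.group("name") if rdn else dn,
        "object_guid": rdn.group("guid") if rdn else None,
        "deleted_at": deleted["changed"],
        "deleted_on": originating_dc(deleted),
        # Counts originating writes to isDeleted; above 1 means the flag was
        # written more than once (for example restored and deleted again).
        "isdeleted_version": deleted["version"],
    }


def report(tombstones):
    """Deletion records for a {dn: [metadata values]} mapping, oldest first."""
    records = [deletion_record(dn, values) for dn, values in tombstones.items()]
    return sorted((r for r in records if r), key=lambda r: r["deleted_at"])


def sample_meta(attr, version, when, dsa_dn, invocation_id):
    """Build a constructed metadata value in the XML shape AD returns."""
    return (
        "<DS_REPL_ATTR_META_DATA>"
        "<pszAttributeName>%s</pszAttributeName><dwVersion>%d</dwVersion>"
        "<ftimeLastOriginatingChange>%s</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>%s</uuidLastOriginatingDsaInvocationID>"
        "<usnOriginatingChange>0</usnOriginatingChange><usnLocalChange>0</usnLocalChange>"
        "<pszLastOriginatingDsaDN>%s</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>\n\x00" % (attr, version, when, invocation_id, dsa_dn)
    )


DC1 = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com"
INV1 = "11111111-1111-1111-1111-111111111111"
INV2 = "22222222-2222-2222-2222-222222222222"
SAMPLE_TOMBSTONES = {  # constructed
    r"CN=svc-backup\0ADEL:9b2c6f0a-1d4e-4c7b-8a55-6e0f3d2a7c41,CN=Deleted Objects,DC=example,DC=com": [
        sample_meta("isDeleted", 3, "2005-10-13T17:40:05Z", "", INV2),
    ],
    r"CN=jdoe\0ADEL:3f2504e0-4f89-11d3-9a0c-0305e82c3301,CN=Deleted Objects,DC=example,DC=com": [
        sample_meta("objectClass", 1, "2004-03-01T08:00:00Z", DC1, INV1),
        sample_meta("isDeleted", 1, "2005-10-12T09:14:52Z", DC1, INV1),
    ],
}

if __name__ == "__main__":
    for rec in report(SAMPLE_TOMBSTONES):
        print("%(name)s deleted %(deleted_at)s on %(deleted_on)s (isDeleted v%(isdeleted_version)d)" % rec)
```

The metadata records the originating DC, not the client or the account that issued the delete; identifying who did it still needs the security audit log.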
| listmail
Posts:454
 | | 10/15/2005 12:01 PM |
| Can you do some sort of backlink type of magic where you use some smaller
sized value to represent the real value via indirection or something?
I expect most companies would be willing to take the hit on DIT size to get
this kind of capability. ESE can handle it right?
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 11:50 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.
Ignoring the 16 bytes at the beginning of the metadata for version and attr
count info, and garbage wasted space ... the metadata for a single attribute
is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
_raw_ per attribute metadata size.
A sampling of a corporate DB showed the raw metadata size to be 15% of the
DIT size, which would lead me to believe the DIT would expand by ~10% for a
trivial implementation against this particular corporate DIT.[1]
However, if you look at the /showobjmeta for _any_ object, you will realize
that is a data structure that is over ripe (like bananas you wouldn't even
use for a banana cake) for being compressed. I think I could add a SID,
(custom) compress it, and shrink the DIT in size.
While you might think a GUID is better, because if you add a GUID, it is
only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
random hash". The SID is more likely to compress properly.
[1] I expect that corporate DITs vary what % is meta-data by how many certs
and big blobs they stick in their AD. I imagine most corporate DITs are
worse (as in higher % is metadata) than the one I checked out.
Not that I've thought of it ...
Cheers,
-BrettSh [msft]
This posting is provided "AS IS" with no warranties, and confers no rights.
On Fri, 14 Oct 2005, Al Mulnick wrote:
>
> GUID or SID of the user account that made the delete request. Last
> mod may not be enough in case some process gets hold of that data in
> the deleted items, even if unlikely. I want the id of the identity
> that caused the object to be there in the first place.
>
> Having the data for a full undelete option wouldn't seem too terrible
> either, although that might significantly increase the storage in the DIT.
> In the past I've had to write apps to keep that information out of
> band in order to put back items mistakenly removed. But I can't see
> why I should have to trip through all the DC's Audit logs to find the
> information about who deleted something given how common this type of
> question is. It should be recorded same as the audit log (we have the
> information, why not stamp it on the object at time of deletion?)
>
> Al
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Friday, October 14, 2005 11:03 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
>
> Correct, you can currently only get the when and the where (DC Where
> not Client Where).
>
> Which raises the question. How many people would like a metadata stamp
> with the GUID or SID of the userid that made the modification for a
> given attribute (or value if appropriate)? Or would it be ok to just
> have who made the last change to the object? Either way, none of the
> "administrators group" nonsense, it points to a specific security
> principal.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
| | | |
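The SID-versus-GUID compressibility argument quoted in the post above, as an added example that is not part of the thread: it packs a constructed per-object metadata vector of 48-byte entries with no stamp, a 28-byte SID stamp and a 16-byte GUID stamp, then compares compressed sizes. The entry layout, the attribute mix and all values are assumptions, and zlib stands in for the custom compression the message mentions.

```python
"""Added example: how a per-attribute 'who changed it' stamp compresses.

Entry layout, attribute mix and all values are constructed assumptions.
"""
import hashlib
import struct
import zlib

# Assumed 48-byte entry: attr id, version, time, originating DSA GUID, two USNs.
ENTRY = struct.Struct("<IIq16sqq")
assert ENTRY.size == 48


def guid(label):
    """Deterministic stand-in for a random 16-byte GUID."""
    return hashlib.sha256(label.encode()).digest()[:16]


def sid(rid, domain=(1234567890, 2345678901, 3456789012)):
    """Binary S-1-5-21-<domain>-<rid>: 28 bytes, 24 of them shared domain-wide."""
    header = struct.pack(">BB", 1, 5) + (5).to_bytes(6, "big")
    return header + struct.pack("<5I", 21, *domain, rid)


def build_vector(n_created, n_modified, stamp):
    """Metadata for one object.

    n_created attributes are written in the creating transaction by one
    principal; n_modified attributes are each last written by a different
    principal. stamp(i) returns the bytes appended for principal i.
    """
    dsa = guid("DC1-invocation-id")
    t0 = 127_740_000_000_000_000  # constructed FILETIME-like value
    out = bytearray()
    for i in range(n_created):
        out += ENTRY.pack(0x00090000 + i, 1, t0, dsa, 50_000, 50_000) + stamp(0)
    for j in range(n_modified):
        out += ENTRY.pack(
            0x00090100 + j, 2 + j % 3, t0 + (j + 1) * 864_000_000_000,
            dsa, 60_000 + 37 * j, 61_000 + 41 * j,
        ) + stamp(j + 1)
    return bytes(out)


def measure(n_created=30, n_modified=30):
    """Return {variant: (raw_bytes, zlib_bytes)} for the three stamp choices."""
    variants = {
        "none": lambda p: b"",
        "sid": lambda p: sid(1100 + p),
        "guid": lambda p: guid("principal-%d" % p),
    }
    sizes = {}
    for name, stamp in variants.items():
        raw = build_vector(n_created, n_modified, stamp)
        sizes[name] = (len(raw), len(zlib.compress(raw, 9)))
    return sizes


if __name__ == "__main__":
    for name, (raw, packed) in measure().items():
        print("%-5s raw=%5d bytes  compressed=%5d bytes" % (name, raw, packed))
```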
| listmail
Posts:454
 | | 10/15/2005 12:07 PM |
| The Oracle sales model. :) There was a link a couple
of days ago to Joel on Software describing this price
model.
The correct answer to this is probably closer to "Depends
on who you talk to last..."
| | | |
| activedirsmaporg
Posts:0
 | | 10/16/2005 2:34 AM |
| You then change the representation from an external one to an internal
one, which is a significant design decision ... I wrote up about a page
filling out the argument against using a backlink scheme ... then figured
there probably isn't interest, as we're talking a hypothetical feature.
Let me know if you want me to finish off and send my argument against
backlinks ...
Cheers,
BrettSh [msft]
| | | |
| listmail
Posts:454
 | | 10/16/2005 3:12 AM |
| I would be curious just from the standpoint that I will probably learn
something about the internals. If you don't feel the list would be
interested, send to me offline. I have removed your email address from the
kill file. ;o)
Now I have to go get ready to see a noon showing of Serenity[1].
joe
[1] We're deep in space, corner of No and Where.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
Sent: Sunday, October 16, 2005 10:27 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.
You then change the representation from an external one to an internal one,
which is a significant design decision ... I wrote up about a page filling
out the argument against using a backlink scheme ... then figured there
probably isn't interest, as we're talking a hypothetical feature.
Let me know if you want me to finish off and send my argument against
backlinks ...
Cheers,
BrettSh [msft]
On Fri, 14 Oct 2005, joe wrote:
> Can you do some sort of backlink type of magic where you use some
> smaller sized value to represent the real value via indirection or
something?
> > I expect most companies would be willing to take the hit on DIT size
> to get this kind of capability. ESE can handle it right?
> > > > -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
> Sent: Friday, October 14, 2005 11:50 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
> > > Ignoring the 16 bytes at the beginning of the metadata for version and
> attr count info, and garbage wasted space ... the metadata for a
> single attribute is 48 bytes, adding the SID (28 bytes) would be an
> expansion of 57% on the _raw_ per attribute metadata size.
> > A sampling of a corporate DB showed the raw metadata size to be 15% of
> the DIT size, which would lead me to believe the DIT would expand by
> ~10% for a trivial implementation against this paticular corporate
> DIT.Ώ]
> > However, if you look at the /showobjmeta for _any_ object, you will
> realize that is a data structure that is over ripe (like banannas you
> wouldn't even use for a bananna cake) for being compressed. I think I
> could add a SID,
> (custom) compress it, and shrink the DIT in size.
> > While you might think a GUID is better, because If you add a GUID, it
> is only 16 bytes, but that's a very uncompressible 16 bytes,
> "effectively a random hash". The SID is more likely to compress properly.
> > Ώ] I expect that corporate DITs vary what % is meta-data by how many
> certs and big blobs they stick in thier AD. I imagine most corporate
> DITs are worse (as in higher % is metadata) than the one I checked out.
> > Not that I've been thought of it ...
> > Cheers,
> -BrettSh [msft]
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> > > On Fri, 14 Oct 2005, Al Mulnick wrote:
> > > > > GUID or SID of the user account that made the delete request. Last
> > mod my not be enough in case some process gets hold of that data in
> > the deleted items, even if unlikely. I want the id of the identity
> > that put caused the object to be there in the first place.
> > > > Having the data for a full undelete option wouldn't seem too
> > terrible either, although that might significantly increase the storage
in the DIT.
> > In the past I've had to write apps to keep that information out of
> > band in order to put back items mistakenly removed. But I can't see
> > why I should have to trip through all the DC's Audit logs to find
> > the information about who deleted something given how common this
> > type of question is. It should be recorded same as the audit log
> > (we have the information, why not stamp it on the object at time of
> > deletion?)
> >
> > Al
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> > Sent: Friday, October 14, 2005 11:03 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> > Correct, you can currently only get the when and the where (DC Where
> > not Client Where).
> >
> > Which raises the question. How many people would like a metadata
> > stamp with the GUID or SID of the userid that made the modification
> > for a given attribute (or value if appropriate)? Or would it be ok
> > to just have who made the last change to the object? Either way,
> > none of the "administrators group" nonsense, it points to a specific
> > security principal.
> >
> > _____
> >
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy
> > HARTONO
> > Sent: Friday, October 14, 2005 3:18 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> > Hi Yann,
> >
> > You can find at the deletedobject folder via adfind -showdel and see
> > the Last modified date - that would be when the object is deleted.
> >
> > But as for who deleted - I don't think you can find it without the
> > auditing.
> >
> > Thank you and have a splendid day!
> >
> > Kind Regards,
> >
> > Freddy Hartono
> > Group Support Engineer
> > InternationalSOS Pte Ltd
> > mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> > phone: (+65) 6330-9740 - temp
> >
> > _____
> >
> > From: Yann [mailto:boubbha@xxxxxxxx]
> > Sent: Friday, October 14, 2005 2:57 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: [ActiveDir] Knowing when users were deleted.
> >
> > Hi there,
> >
> > I wonder if there is a way to know when a user has been deleted from
> > AD other than using security audit, because at the time of the
> > deletion, I forgot to activate the audit :(
> >
> > So my boss urges me to find the guilty user AND the time of deletion.
> > I looked for attributes in adsi and found that there is the
> > whencreated, whenmodified attribute but not whendeletedtimestamp one.
> >
> > Any idea ?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| Ulf@xxxx.yyy
 | | 10/16/2005 3:30 AM |
| I'd be interested as well.
BTW for the original request (don't have it here separately to reply) I've
been told that there are some 3rd party tools which allow that kind of
Audit. E.g. inTrust from Quest claims to plug in front of the LSASS and
control which actions to log, which ones to apply and which ones to decline
b/c they are in conflict with some business rules. Haven't had a chance to
look into the app yet - just know the marketing ;-)
Ulf
|-----Original Message-----
|From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
|[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
|Sent: Sunday, October 16, 2005 5:11 PM
|To: ActiveDir@xxxxxxxxxxxxxxxxxx
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|I would be curious just from the standpoint that I will
|probably learn something about the internals. If you don't
|feel the list would be interested, send to me offline. I have
|removed your email address from the kill file. ;o)
|
|Now I have to go get ready to see a noon showing of Serenity[1].
|
| joe
|
|
|[1] We're deep in space, corner of No and Where.
|
|
|-----Original Message-----
|From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
|[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
|Sent: Sunday, October 16, 2005 10:27 AM
|To: ActiveDir@xxxxxxxxxxxxxxxxxx
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|You then change the representation from an external one to an
|internal one, which is a significant design decision ... I
|wrote up about a page filling out the argument against using a
|backlink scheme ... then figured there probably isn't
|interest, as we're talking a hypothetical feature.
|Let me know if you want me to finish off and send my argument
|against backlinks ...
|
|Cheers,
|BrettSh [msft]
|
|On Fri, 14 Oct 2005, joe wrote:
|
|> Can you do some sort of backlink type of magic where you use some
|> smaller sized value to represent the real value via indirection or
|> something?
|>
|> I expect most companies would be willing to take the hit on DIT size
|> to get this kind of capability. ESE can handle it right?
|>
|> -----Original Message-----
|> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
|> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
|> Sent: Friday, October 14, 2005 11:50 AM
|> To: ActiveDir@xxxxxxxxxxxxxxxxxx
|> Subject: RE: [ActiveDir] Knowing when users were deleted.
|>
|> Ignoring the 16 bytes at the beginning of the metadata for version and
|> attr count info, and garbage wasted space ... the metadata for a
|> single attribute is 48 bytes, adding the SID (28 bytes) would be an
|> expansion of 57% on the _raw_ per attribute metadata size.
|>
|> A sampling of a corporate DB showed the raw metadata size to be 15% of
|> the DIT size, which would lead me to believe the DIT would expand by
|> ~10% for a trivial implementation against this particular corporate
|> DIT.[1]
|>
|> However, if you look at the /showobjmeta for _any_ object, you will
|> realize that is a data structure that is over ripe (like bananas you
|> wouldn't even use for a banana cake) for being compressed. I think I
|> could add a SID, (custom) compress it, and shrink the DIT in size.
|>
|> While you might think a GUID is better, because if you add a GUID, it
|> is only 16 bytes, but that's a very uncompressible 16 bytes,
|> "effectively a random hash". The SID is more likely to compress properly.
|>
|> [1] I expect that corporate DITs vary what % is meta-data by how many
|> certs and big blobs they stick in their AD. I imagine most corporate
|> DITs are worse (as in higher % is metadata) than the one I checked out.
|>
|> Not that I've been thought of it ...
|>
|> Cheers,
|> -BrettSh [msft]
|>
|> This posting is provided "AS IS" with no warranties, and confers no
|> rights.
| List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
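The claim quoted above, that a 28-byte SID stamp should compress far better than a 16-byte GUID, can be checked with a short script. This is an added example, not part of the thread and not Microsoft's code: the domain identifier, RIDs and GUIDs are constructed, and `prefix_table_encode` is a hypothetical custom scheme, not how the DIT stores metadata.

```python
"""Compare how well SID and GUID stamps compress (constructed data)."""
import random
import struct
import uuid
import zlib

# Constructed domain identifier S-1-5-21-<a>-<b>-<c>; not a real domain.
DOMAIN_SUBAUTHS = (21, 1004336348, 1177238915, 682003330)


def pack_sid(rid, subauths=DOMAIN_SUBAUTHS, authority=5):
    """Binary SID: revision, sub-authority count, 6-byte big-endian
    authority, then each sub-authority as a little-endian uint32."""
    parts = list(subauths) + [rid]
    head = struct.pack(">BB", 1, len(parts)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(parts), *parts)


def make_principals(count, seed=2005):
    """Return (sids, guids) for `count` distinct constructed principals."""
    rng = random.Random(seed)
    rids = rng.sample(range(1000, 60000), count)
    sids = [pack_sid(rid) for rid in rids]
    guids = [uuid.UUID(int=rng.getrandbits(128), version=4).bytes_le
             for _ in range(count)]
    return sids, guids


def prefix_table_encode(sids):
    """Hypothetical custom scheme: store each distinct SID prefix once,
    then 1 byte of prefix index plus the 4-byte RID per stamp."""
    prefixes, body = [], bytearray()
    for sid in sids:
        prefix, rid = sid[:-4], sid[-4:]
        if prefix not in prefixes:
            prefixes.append(prefix)
        body.append(prefixes.index(prefix))
        body += rid
    return prefixes, bytes(body)


def prefix_table_decode(prefixes, body):
    """Inverse of prefix_table_encode; shows the scheme is lossless."""
    return [prefixes[body[i]] + body[i + 1:i + 5]
            for i in range(0, len(body), 5)]


def compare(count=2000):
    """Sizes in bytes for `count` distinct stamps of each kind."""
    sids, guids = make_principals(count)
    prefixes, body = prefix_table_encode(sids)
    if prefix_table_decode(prefixes, body) != sids:
        raise ValueError("prefix-table round trip failed")
    return {
        "sid_raw": sum(map(len, sids)),
        "guid_raw": sum(map(len, guids)),
        "sid_zlib": len(zlib.compress(b"".join(sids), 9)),
        "guid_zlib": len(zlib.compress(b"".join(guids), 9)),
        "sid_prefix_table": sum(map(len, prefixes)) + len(body),
    }


if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:>17}: {size} bytes")
```

With 2,000 distinct principals the prefix-table form needs 10,024 bytes against 56,000 raw, while the GUIDs stay close to their raw 32,000 bytes under zlib.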
| AD000001348
Posts:0
 | | 10/16/2005 5:39 AM |
| I'd be interested to see that argument as well, Brett.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Sunday, October 16, 2005 11:11 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.
I would be curious just from the standpoint that I will probably learn
something about the internals. If you don't feel the list would be
interested, send to me offline. I have removed your email address from the
kill file. ;o)
Now I have to go get ready to see a noon showing of Serenity[1].
joe
[1] We're deep in space, corner of No and Where.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
Sent: Sunday, October 16, 2005 10:27 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.
You then change the representation from an external one to an internal one,
which is a significant design decision ... I wrote up about a page filling
out the argument against using a backlink scheme ... then figured there
probably isn't interest, as we're talking a hypothetical feature.
Let me know if you want me to finish off and send my argument against
backlinks ...
Cheers,
BrettSh [msft]
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001356
Posts:0
 | | 10/16/2005 6:40 AM |
| Yep. Me too.
----- Original Message -----
From: "Al Mulnick"
To:
Sent: Sunday, October 16, 2005 6:38 PM
Subject: RE: [ActiveDir] Knowing when users were deleted.
I'd be interested to see that argument as well, Brett.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| laurahcomputing
Posts:43
 | | 10/16/2005 8:29 AM |
| Various thoughts from this thread:
[1] I agree with Al and Paul[1] on a desire for that sort of metadata.
I'm not as convinced of the trade-off value of bloating the DIT for
full undelete information, particularly in monster big environments.
For my teeny-tiny single domain it probably wouldn't be that bad of a
hit, but I imagine that the laws of diminishing returns would quickly
set in.
[2] Please finish the thought, Brett, I'm sure I'd find it
helpful/enlightening/informative even if it's only speaking in
hypotheticals.
[3] It's Gil and Darren's turn to crack me up today, I guess joe is
taking a break.
[1] *waves* Hi Paul! Glad to see you alive post-Summit.
- L
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| Ulf@xxxx.yyy
 | | 10/16/2005 8:43 AM |
| Hmm.
Do we really want to excuse prior failure of proper auditing by putting more
data into AD? Wouldn't that lead into every request of non-configured
auditing to requests for extending the AD? Do it right the first way.
I completely agree that we should make the people more auditing aware, and
it would be great to have a centralized auditing together with some force of
configuration instead of the per server events and auditing which is rarely
configured.
However I'm not sure if I want this kind of data in the AD.
Just my Eurocents.
Ulf
|-----Original Message-----
|From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
|[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Laura
|E. Hunter
|Sent: Sunday, October 16, 2005 10:28 PM
|To: ActiveDir@xxxxxxxxxxxxxxxxxx
|Subject: Re: [ActiveDir] Knowing when users were deleted.
|
|Various thoughts from this thread:
|
|[1] I agree with Al and Paul[1] on a desire for that sort of metadata.
| I'm not as convinced of the trade-off value of bloating the
|DIT for full undelete information, particularly in monster big
|environments.
|For my teeny-tiny single domain it probably wouldn't be that
|bad of a hit, but I imagine that the laws of diminishing
|returns would quickly set in.
|
|[2] Please finish the thought, Brett, I'm sure I'd find it
|helpful/enlightening/informative even if it's only speaking in
|hypotheticals.
|
|[3] It's Gil and Darren's turn to crack me up today, I guess
|joe is taking a break.
|
|
|[1] *waves* Hi Paul! Glad to see you alive post-Summit.
|
|- L
| List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001348
Posts:0
 | | 10/17/2005 1:11 AM |
| I'll see your Eurocents and add raise you two. :)
I fully understand where you're coming from Ulf. Adding this information
into the DIT when it is currently possible to get is something that grates
against common sense and common engineering principles even if you subscribe
to belts and braces methodologies.
However, I think two things make this a worthwhile request with a big
payoff. First to Laura's point about diminishing returns. I agree, at some
point there will be diminishing returns. I also believe that as hardware
gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation
machines, etc. [1]) the bar gets raised until we get to the diminishing
return. Since we're targeting 80/20 out of the box [2] it seems reasonable
that 80% of the deployments would benefit from such a change. The other 20
would be those that a) don't care or know about such things and b) those
that can't tolerate the additional overhead and therefore wouldn't want to
deploy it. I say tough pickles to them. :) Seriously, this could be on by
default but configurable (group policy?) to disable it as a performance
issue etc.
Second, I think that the major benefit is the ability to actually get usable
information native to the product vs. having to invest in a third party
product. Why? Because today in order to get that information I have to have
something that scrapes the Security logs looking for such information. Is
this a good idea? I think it is. Is it something that could be native? I
think it could and should be native if technically feasible.
Making us look in a particular DC's event logs is more difficult than it
should be without yet another product. That's fine for the really large
companies that have deeper pockets, and larger needs. For the small to
medium businesses, it should not be so difficult nor should it *require* SQL
licensing or expertise.
[1] I'm not saying that the quality has kept up, only that the hardware is
bigger, faster, stronger and cheaper.
[2] I'm making that up, but it sounds reasonable
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, October 16, 2005 4:42 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.
Hmm.
Do we really want to excuse prior failure of proper auditing by putting more
data into AD? Wouldn't that lead into every request of non-configured
auditing to requests for extending the AD? Do it right the first way.
I completely agree that we should make the people more auditing aware, and
it would be great to have a centralized auditing together with some force of
configuration instead of the per server events and auditing which is rarely
configured.
However I'm not sure if I want this kind of data in the AD.
Just my Eurocents.
Ulf
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| sbradcpa
Posts:317
 | | 10/17/2005 1:34 AM |
| In SBSland we have a daily monitoring email [well ... I send it daily
anyway, but it's configurable] and it looks at the event logs and tells
daily health status of my server.
Like today my email tells me my server has been running for 6 hours
[just rebooted it last night] and it gives me an overview if auto
services are not running, critical alerts and critical errors in the
event logs.
It tells me memory/disk size, cpu use, top processes, if the backup
ran, and aggregates the alerts from all the log files.
It's a health mon that dumps its data into a msde database and builds
the email to be sent internally or externally.
What it does now, is only pulls data from the one box, the SBS box. But
I can go into health mon and build my own monitors and grab those event
logs from other machines [need to do that just haven't gotten around to it].
Right now if someone [usually me] fat fingers a password, for example,
it gives me an alert in the email of the last time it occurred and how
many occurrences. Basically it's tracking the critical alerts in all
the event logs and summarizing the events along with the number of
events in the email [and showing the last time the event occurred so you
can start your investigation from that point back]
For SBS ....it's in the box, it's a gui wizard that builds this pretty
little html email that my server builds and hits me every morning at 6
a.m and says "Hey here's how I'm doing...how are you?". It's the mid
market that doesn't have this. [and yes, we've told Mothership Redmond
they need to steal this sucker and put it in the mid market server bundle]
Does it make me more aware of events on my server? Oh you betcha it
does. Which is why this needs to be ....as you say...native in small
and medium servers....heck I'd strongly argue that no server should be
shipped without some admin somewhere getting an in your face report on
that sucker.
I'll go to Frys and buy bigger hard drives if I need to. But give me a
big fat audit log file and I'm a happy camper.
Al Mulnick wrote:
I'll see your Eurocents and add raise you two. :)
I fully understand where you're coming from Ulf. Adding this information
into the DIT when it is currently possible to get is something that grates
against common sense and common engineering principles even if you subscribe
to belts and braces methodologies.
However, I think two things make this a worthwhile request with a big
payoff. First to Laura's point about diminishing returns. I agree, at some
point there will be diminishing returns. I also believe that as hardware
gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation
machines, etc. [1]) the bar gets raised until we get to the diminishing
return. Since we're targeting 80/20 out of the box [2] it seems reasonable
that 80% of the deployments would benefit from such a change. The other 20
would be those that a) don't care or know about such things and b) those
that can't tolerate the additional overhead and therefore wouldn't want to
deploy it. I say tough pickles to them. :) Seriously, this could be on by
default but configurable (group policy?) to disable it as a performance
issue etc.
Second, I think that the major benefit is the ability to actually get usable
information native to the product vs. having to invest in a third party
product. Why? Because today in order to get that information I have to have
something that scrapes the Security logs looking for such information. Is
this a good idea? I think it is. Is it something that could be native? I
think it could and should be native if technically feasible.
Making us look in a particular DC's event logs is more difficult than it
should be without yet another product. That's fine for the really large
companies that have deeper pockets, and larger needs. For the small to
medium businesses, it should not be so difficult nor should it *require* SQL
licensing or expertise.
[1] I'm not saying that the quality has kept up, only that the hardware is
bigger, faster, stronger and cheaper.
[2] I'm making that up, but it sounds reasonable
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com | | | |
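The kind of digest described in the post above (a count and last-occurrence time per alert), extended to records gathered from more than one server and to the thread's question of when users were deleted, as an added example that is not part of any post or product in the thread. The pipe-delimited export format and the server and account names are constructed; event IDs 630/4726 (user account deleted) and 529/4625 (failed logon) are Windows audit event IDs that the thread itself does not name.

```python
from collections import defaultdict
from datetime import datetime

# Windows audit event IDs (assumption: not named in the thread).
# 630 / 529 are the Windows Server 2003 IDs, 4726 / 4625 the later ones.
WATCHED = {
    630: "user account deleted", 4726: "user account deleted",
    529: "failed logon", 4625: "failed logon",
}

# Constructed sample export: server|timestamp|event id|actor|target
SAMPLE_EXPORT = """\
DC01|2005-10-14 09:12:03|630|adm-jane|tsmith
DC02|2005-10-14 09:40:51|529|-|susan
DC01|2005-10-15 17:02:44|529|-|susan
DC02|2005-10-16 23:58:10|630|adm-raj|bjones
DC01|2005-10-16 08:00:00|592|susan|notepad.exe
DC02|truncated line
"""


def parse_export(text):
    """Return (records, rejected). Malformed lines are counted, not hidden."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            server, stamp, event_id, actor, target = line.strip().split("|")
            records.append({
                "server": server,
                "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                "event_id": int(event_id),
                "actor": actor,
                "target": target,
            })
        except ValueError:  # wrong field count, bad timestamp or bad event id
            rejected += 1
    return records, rejected


def summarize(records):
    """Per watched event type: count, last occurrence, servers that logged it."""
    summary = defaultdict(lambda: {"count": 0, "last": None, "servers": set()})
    for rec in records:
        label = WATCHED.get(rec["event_id"])
        if label is None:
            continue  # not an event this digest reports on
        entry = summary[label]
        entry["count"] += 1
        entry["servers"].add(rec["server"])
        if entry["last"] is None or rec["time"] > entry["last"]:
            entry["last"] = rec["time"]
    return dict(summary)


def deletions(records):
    """Who deleted which account, when and on which server, oldest first."""
    hits = [r for r in records
            if WATCHED.get(r["event_id"]) == "user account deleted"]
    return [(r["time"], r["server"], r["actor"], r["target"])
            for r in sorted(hits, key=lambda r: r["time"])]


def render(records, rejected):
    """Build the plain-text digest an admin would read each morning."""
    lines = []
    for label, e in sorted(summarize(records).items()):
        lines.append(f"{label}: {e['count']} event(s), last at {e['last']} "
                     f"on {', '.join(sorted(e['servers']))}")
    for when, server, actor, target in deletions(records):
        lines.append(f"  deleted: {target} by {actor} at {when} ({server})")
    if rejected:
        lines.append(f"warning: {rejected} unparseable line(s) skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    recs, bad = parse_export(SAMPLE_EXPORT)
    print(render(recs, bad))
```

The digest only sees deletions if account-management auditing was enabled on the servers before the deletion happened and the logs had not yet rolled over when they were collected.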
| rkingsla@xxxx.yyy
 | | 10/17/2005 1:48 AM |
| And, as you know that does work well in SBSland. However, when the scale
grows, so do the requirements. In the Medium to Enterprise space, the idea
is more along the lines of a system or series of systems pumping this type
of information into paging and making intelligent decisions based on the
audit, event, alerts, services, etc.
Which, is right where MOM 2005 drops into the picture. If it _IS_ the event
aggregator, or if it's pushing up to a bigger overall item such as HP
OpenView - that data is available. It's just that instead of getting an
e-mail per server (most admins would just begin to create a rule to send
these to DEV/NUL after a while...) MOM collects, enforces and reports this
same type of information.
Scale makes the problem much tougher, as I'm sure you can imagine....
Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...
| | | |
| sbradcpa
Posts:317
 | | 10/17/2005 1:55 AM |
| Yup information overload 'is' a problem.
And then after the scale it's... okay what the heck is the server trying
to tell me?
I'm still a fan of www.eventid.net over microsoft.com's click here.
|
|
|