I am going to write a small software to track active directory changes. I need an expert opinion from you. I want to display information about What ( with before and after values), When, Where and Who of any change in AD.
I am going to implement this by one of the following way
1. Change Notification Control
2. DirSync Control
Both of these method give us the attribute that are changed and we can compare new values with some dump in SQL Server to get old values.
My problem is how can I find “Who” has made this change. I have tried but there is no attribute “LastModifiedBy” in active directory. Please give your opinion how can I track who has made this change.
--Faisal Iqbal
My company uses ActiveRoles from Quest. No one actually makes changes directly to AD; all changes are done through ActiveRoles so we have that type of auditing (and a lot more benefits.)
Is there any reason you can't use AD Auditing?
Related
I'm getting an error when uploading my customized policy, which is based on Microsoft's SocialAccounts example ([tenant] is a placeholder I added):
Policy "B2C_1A_TrustFrameworkExtensions" of tenant "[tenant].onmicrosoft.com" makes a reference to ClaimType with id "client_id" but neither the policy nor any of its base policies contain such an element
I've done some customization to the file, including adding local account signon, but comparing copies of TrustFrameworkExtensions.xml in the examples, I can't see where this element is defined. It is not defined in TrustFrameworkBase.xml, which is where I would expect it.
I figured it out, although it doesn't make sense to me. Hopefully this helps someone else running into the same issue.
The TrustFrameworkBase.xml is not the same in each scenario. When Microsoft documentation said not to modify it, I assumed that meant the "base" was always the same. The implication of this design is: If you try to mix and match between scenarios then you also need to find the supporting pieces in the TrustFrameworkBase.xml and move them into your extensions document. It also means if Microsoft does provide an update to their reference policies and you want to update, you need to remember which one you implemented originally and potentially which other ones you had to pull from or do line-by-line comparison. Not end of the world, but also not how I'd design an inheritance structure.
This also explains why I had to work through previous validation errors, including missing <DisplayName> and <Protocol> elements in the <TechnicalProfile> element.
Yes - I agree that is a problem.
My suggestion is always to use the "SocialAndLocalAccountsWithMfa" scenario as the sample.
That way you will always have the correct attributes and you know which one to use if there is an update.
It's easy enough to comment out the MFA stuff in the user journeys if you don't want it.
There is one exception. If you want to use "username" instead of "email", the reads/writes etc. are only in the username sample.
I have a very rookie question regarding making a simple Access database but for some reason I'm having trouble finding the proper keywords to adequately Google the problem. I'm certain the solution is going to be a simple toggle or setting I need to flip somewhere but I'm not sure what I'm looking for.
I have a table, tblClients. Each row has name, address, etc. I manually inputted a bunch of entries in here from datasheet view. I created a split form, frmClients, which will be to update client info in a more user-friendly fashion. At the moment, when the user makes any modifications in the form view and hit save, it appears to succeed but the actual data in the table row hasn't been modified. Do I need to change a setting somewhere or is there a different mechanism to post changes other than Ctrl+S or the save icon?
If there is necessary additional information I neglected to provide, please let me know. Thanks for your help.
-Marissa
I was wondering if someone could point me in the right direction.
Here is my problem: I have a large form/checklist that I would like to make digital for ease of use.
Thoughts: I would like to use existing tools that would be easy to integrate. My first option is Access 2010.
My question: I would like to enter the questions into a database and then use those entries to auto generate a form that can be used to allow the user to input the actual data into the database. An example would be I have 11 Sections of questions and under each section I have sub-sections that can contain anywhere from 1-... how many every questions we need.
Is it possible to use data stored in an Access database to generate a form with Checkboxes that can be used to input data?
Please point me in the right direction. Obviously there is the option of just creating multiple forms or one big form, but I would like this form to easily be changed etc... Less work more automation.
Thanks,
Alex
Depending on the requirements of your project, this may be quite possible. If you want to use Access as both the back-end and front-end, then you'll need to work within a few limitations:
Because Access combines the user interface and design interface into the same screen, it requires a certain amount of trust that the user can't or won't try to get too creative with changing the data, seeing everyone else's data, changing the design of your form because they are bored, etc. There are ways around these problems, but they can get complicated.
Will all your users be using Window's machines with Access 2010 installed and with the original default settings? If so, good. If not, there may be ways that this could still work.
(There's more, but that's all I can think of right now)
To get started, here's a broad outline:
Make a table for your questions. This table would just have the questions.
Make a form using that question table as the source. Leave the checkboxes and other answer fields unbounded. Include a 'submit' button at the bottom.
The submit button will create a sql query to insert the user's answers into a 2nd table.
If you have any specific questions, we here at SO will be glad to answer them.
In order to dynamically and easily change the number of questions in the sections, what I would do is:
In the main Questions table, add a field called Section to allocate the questions into diffferent ones, and another one Yes/No field to select those that are included (you may also exclude them by leaving the section field empty, as you wish). This will solve the problem of changing the design easily. you probaly will need an admin form in order to do this changes, to avoid touching the tables directly, but this is your decision.
Secondly, in order to allow the users to efectively answer the generated form, you have to ask yourself if you want to accumulate the answer sets, and if you are going to control who answers
Is there a ldap query that will return or list user objects that have been removed from the active-directory system? Must you track all the user objects currently in the active-directory, and maintain a "last seen" stamp in order to tell when a user object has been removed from the active-directory?
I really don't believe that this information is obtainable. In the next version of the OS (Windows 2008 R2), Microsoft is introducing the ability to do this by implementing a recycle bin like functionality for and Active Directory object. Please see these write ups for more info:
http://blogs.technet.com/niraj_kumar/archive/2009/02/03/new-feature-active-directory-recycle-bin-in-windows-2008-r2.aspx
http://technet.microsoft.com/en-us/library/dd392261.aspx
But you may see that this is in reference to the deletion of the object itself, and that it doesn't provide any information about when a property of the object changes. You can look at the last modified property but even then you have no way of knowing which property changed (more then likely it will be the last logon), so again your left with no help. If your trying to track a issue that is occurring which you can recreate, I recommend that create some sort of script/code which record the properties of a specific user at a given interval, and then just keep running it as you move from one step to the other i the recreation of the problem.
I have a User object that, upon successful authentication, is tucked into the session (sans security info) for easy recall and for determining whether we have an authenticated user or anonymous session. There are several paths by which the user can alter some or all of his or her information and I'd like to keep that session value up to date. The obvious answer is to update the value in the afterSave() callback, but that, of course, violates MVC.
Is there another way of capturing every change in one place so that I don't have to drop session writes all over the place? I can't think of anything, nor have I been able to find any other ideas. Am I the only person trying to do something like this?
Thanks.
Final Solution: I marked neilcrookes' response as the answer, frankly, because there doesn't seem to be the better way. Since this way violates my OCD senses, though, I took a slightly different path. I decided to have my User::authenticate() method return the authenticated user object to the caller so it can do whatever it wants with it. One of the things that the callers "want" to do is to drop that value in the session. It's redundancy, but it's very, very limited. In my mind, that felt better than accessing the session from the model (though it's certainly a damned if you do, damned if you don't scenario).
//in users controller
if ($this->User->save()) {
$this->Auth->login($this->User->read());
$this->Session->setFlash[.. etc]
And for the record, I do not agree with the answer of neilcrooks, but I will refrain from feeding the troll.
Some might disagree but I'd screw MVC, do it in Model::afterSave() and use $_SESSION - test for the session before writing to it, in case it's not started for example you are saving against the model in a shell or something.
MVC is a general pattern - a guideline, you can bang your head against it trying to figure out how to achieve something that doesn't quite fit, or just do it another way and move onto to something more important.
Bring on the flames.
after save
Use Like this
$this->Session->write('Auth.User.mmid', $kinde['Kindle']['id']);
You should be able to just use AppController to create the necessary callback(s) that keep your session data up to date. So, for instance, you could have your User model afterSave() set a property called changed to true. Then in your AppController->afterFilter() you check that property and update the session data as necessary.
Alternatively, you could write a component through which to update your user info and also your session data. Then any controller that needs to change user info just needs to include that component.
There's no need to write redundant code or break MVC.