Managing Active Directory Objects
Do you know what's changed in your Active Directory?
The NetPro folks in Scottsdale, Arizona have a history of innovative products that allow you to figure out what’s going on inside your network. DirectoryInsight is no exception. DirectoryInsight’s goal is to allow you to find out how much has changed in Active Directory over time and what the changes were.
If you’ve enabled Windows 2000 auditing, then much of this information is theoretically available in various audit log files scattered across your enterprise. But it’s a real drag trying to round up log files from various sources just to get a picture of your growth. DirectoryInsight handles the roundup for you and allows you to see the whole picture in one place.
DirectoryInsight’s installation is simple and unobtrusive. It must be installed on a Domain Controller (DC) with the Global Catalog (GC) attribute set, along with IIS 5.0. Once installed, it collects all of the logging information into its own Microsoft Access database for future queries. One of the highlights of DI is that its entire interface is 100 percent Web-driven and is accessible from anywhere on your network; there’s no need to run MMC or load a snap-in.
Once in the Web-based interface, you can use the Population History to graphically see the answers to “how many” questions. Specifically, you can see how many Groups, Sites, Group Policy objects, computers or other objects were added to the Active Directory database, and when.
The Change Logging Tab answers the question of “what”--specifically, what Structural, Replication, Security and Schema changes were made in Active Directory. These can be things such as FSMO role changes, or the creation of new Group Policy objects, trust, or site links. You can also see what new GC came online or what security group was created. The Change Logging tab, however, seemed to stop short of telling me what new users were added.
DirectoryInsight does have its drawbacks. First of all, it’s built on a Microsoft Jet database, which can make it difficult to create customized queries against the data.
|Is it odd that 10,000 users were added in a day? Use DirectoryInsight to know when you should start asking more questions. (Click image to view larger
DirectoryInsight is good at showing you what happened, but it falls short of telling you “who did it” for “blame management.” Only the Windows 2000 log files can point you in the right direction for that. Additionally, there’s no triggering of events as found in some other logging programs. Ideally, I would have liked to have been notified by pager or e-mail if, say, another domain came online and be told which user account was used to authorize the change.
DirectoryInsight looks like a promising new method of seeking out changes instead of pawing through audit log files. It’s a good start for a 1.0 product, but add in the “who did it” and event triggering, and this product will blossom into a real winner.
Jeremy Moskowitz, a Group Policy MVP, is the Chief Propeller-Head for Moskowitz, Inc. and GPanswers.com. He is one of less than a dozen Microsoft MVPs in Group Policy. Since becoming one of the world's first MCSEs, he has performed Active Directory and Group Policy planning and implementations for some of the nation’s largest organizations. His latest books are Group Policy Fundamentals, Security, and Troubleshooting and Creating the Secure Managed Desktop: Group Policy, SoftGrid, and Microsoft Deployment and Management Tools.
Learn more about the books and Jeremy's Group Policy Master Class training www.GPanswers.com (ranked as one of "The 20 most useful Microsoft sites for IT professionals" by ComputerWorld magazine).