More efficient monitoring of group membership in Active Directory (C# .NET)

I have an Active Directory synchronization tool (.NET 2.0 / C#) written as a Windows service that I have been working on for some time, and recently I was tasked with adding the ability to handle events based on changes in group memberships. The main scenario is that users are synchronized with a security database, and when their group membership changes, their access rights need to change (that is, if I am a member of the "IT staff" group now, then I should automatically get access to the server room; if I am removed from this group, then I should automatically lose access to the server room).

The problem is that when you perform DirectorySynchronization against groups, you get back the group in which a member was added/removed, and from there, when you grab the list of members, you get back a list of all the members of that group, not just the members that were added or removed. This leads me to a rather nasty efficiency problem: in order to find out whether a user has been added or removed, I will have to locally save the member list of each group and compare it with the current list to find out who was added (not in the local list) and who was removed (in the local list, not in the current member list).

I am considering saving the group membership details in a DataSet in memory and writing it to disk every time I handle new membership changes. That way, if the service stops/crashes or the computer reboots, I can still bring the security database up to the current Active Directory state by comparing the latest information on disk with the current list of group members. However, this seems terribly inefficient: iterating through each member of the group, comparing with what is in the DataSet, and then writing the changes to disk every time there is a change in the list.

Has anyone dealt with this scenario before? Is there a way that I have not found to get only the delta of the group members? What would you do in this situation to ensure that you never miss any changes while incurring the least performance cost?

Edit: AD can contain 500 users or it can contain 200,000 users; it depends on the client, and likewise how many groups the average user is a member of.

+4
source
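An added example, not code from the question or from any of the answers, showing one way to keep the per-group snapshot the question describes without the cost it worries about: each DirectorySynchronization notification for a group costs one hash lookup per old and per current member, and only the file for that one group is rewritten (to a temporary name first, then swapped in, so a crash mid-write cannot be misread as a mass removal on restart). It targets .NET 2.0 as in the question, so a Dictionary stands in for HashSet<T>. The class names, the ".snap" file layout and the DNs in Main are constructed for illustration; LoadMembersFromAd is the live path against a domain controller and is not called by Main.

```csharp
// Added example (not the question's code): per-group snapshot store, see lead-in. Class names,
// the ".snap" file layout and the constructed DNs are illustrative; LoadMembersFromAd is the live path.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class MembershipDelta { public readonly List<string> Added = new List<string>(), Removed = new List<string>(); }

public class GroupSnapshotStore
{
    static readonly StringComparer DnCmp = StringComparer.OrdinalIgnoreCase;
    // group DN -> set of member DNs (Dictionary used as a set: .NET 2.0 has no HashSet<T>)
    readonly Dictionary<string, Dictionary<string, bool>> snapshot = new Dictionary<string, Dictionary<string, bool>>(DnCmp);
    readonly string directory;

    // Reload every group file on start, so a crash or reboot loses no already-applied state.
    public GroupSnapshotStore(string directory)
    {
        this.directory = directory;
        Directory.CreateDirectory(directory);
        foreach (string path in Directory.GetFiles(directory, "*.snap"))
        {
            string[] lines = File.ReadAllLines(path, Encoding.UTF8); // line 0 = group DN, rest = members
            if (lines.Length == 0) continue;
            Dictionary<string, bool> members = new Dictionary<string, bool>(DnCmp);
            for (int i = 1; i < lines.Length; i++) if (lines[i].Length > 0) members[lines[i]] = true;
            snapshot[lines[0]] = members;
        }
    }

    // Diff the stored snapshot of one group against what AD reports now, make the new list the
    // snapshot, and return who joined and who left: O(old + new) hash lookups per changed group.
    public MembershipDelta Apply(string groupDn, IEnumerable<string> currentMembers)
    {
        MembershipDelta delta = new MembershipDelta();
        Dictionary<string, bool> previous;
        if (!snapshot.TryGetValue(groupDn, out previous)) previous = new Dictionary<string, bool>(DnCmp);
        Dictionary<string, bool> current = new Dictionary<string, bool>(DnCmp);
        foreach (string m in currentMembers)
        {
            current[m] = true;
            if (!previous.ContainsKey(m)) delta.Added.Add(m);
        }
        foreach (string m in previous.Keys)
            if (!current.ContainsKey(m)) delta.Removed.Add(m);
        snapshot[groupDn] = current;
        SaveGroup(groupDn, current);
        return delta;
    }

    // One file per group (only the changed group is rewritten), written to a temp name and swapped in.
    void SaveGroup(string groupDn, Dictionary<string, bool> members)
    {
        byte[] hash = SHA1.Create().ComputeHash(Encoding.UTF8.GetBytes(groupDn.ToLowerInvariant()));
        string path = Path.Combine(directory, BitConverter.ToString(hash).Replace("-", "") + ".snap");
        string tmp = path + ".tmp";
        using (StreamWriter w = new StreamWriter(tmp, false, Encoding.UTF8))
        {
            w.WriteLine(groupDn);
            foreach (string m in members.Keys) w.WriteLine(m);
        }
        if (File.Exists(path)) File.Replace(tmp, path, null); else File.Move(tmp, path);
    }

    // Live path: AD returns "member" in ranges (1500 values by default), so request each range
    // explicitly; the last page comes back under the name "member;range=N-*".
    public static List<string> LoadMembersFromAd(string groupDn)
    {
        List<string> members = new List<string>();
        using (DirectoryEntry group = new DirectoryEntry("LDAP://" + groupDn))
        {
            const int pageSize = 1500;
            for (int start = 0; ; start += pageSize)
            {
                string page = string.Format("member;range={0}-{1}", start, start + pageSize - 1);
                string last = string.Format("member;range={0}-*", start);
                group.RefreshCache(new string[] { page });
                string returned = group.Properties.Contains(page) ? page : group.Properties.Contains(last) ? last : null;
                if (returned == null) break; // empty group, or already past the end
                foreach (object dn in group.Properties[returned]) members.Add((string)dn);
                if (returned == last) break;
            }
        }
        return members;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed data standing in for two consecutive reads of the same group.
        string groupDn = "CN=IT Staff,OU=Groups,DC=example,DC=com";
        string alice = "CN=Alice,OU=Users,DC=example,DC=com", bob = "CN=Bob,OU=Users,DC=example,DC=com", carol = "CN=Carol,OU=Users,DC=example,DC=com";
        string storeDir = Path.Combine(Path.GetTempPath(), "snap-" + Path.GetRandomFileName());
        new GroupSnapshotStore(storeDir).Apply(groupDn, new string[] { alice, bob });
        // Simulated restart: a fresh store reloads the file; the next read shows Bob gone and Carol added.
        MembershipDelta d = new GroupSnapshotStore(storeDir).Apply(groupDn, new string[] { alice, carol });
        Console.WriteLine("added: {0}; removed: {1}", string.Join(", ", d.Added.ToArray()), string.Join(", ", d.Removed.ToArray()));
    }
}
```

Two checks worth doing before relying on this. First, persist the DirSync cookie only after the snapshot file for a group has been swapped in; otherwise a crash between the two leaves a change that is neither in the snapshot nor replayed by the next DirSync search. Second, the DirSync control in System.DirectoryServices has a DirectorySynchronizationOptions.IncrementalValues option, which asks a Windows Server 2003 or later domain controller to return only the changed values of a multi-valued attribute (additions arrive as member;range=1-1, removals as member;range=0-0); where every domain controller supports it, that answers the "only the delta" question directly and the store above then only needs to keep the cookie.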
3 answers

I would say it depends on how many Active Directory objects you need to track. If it is a small number (less than 1000 users), you can probably get away with serializing your state data to disk with few surprising results. If you are dealing with a very large number of objects, it may be more efficient to create a simple persistence schema in something like SQL Express and use that.

+1
source

You can set up auditing for successful account changes in the Group Policy Editor.

You can then watch the Security log for the entries and process the log entries when an account changes.

eg.

    using System.Diagnostics;

    EventLog myLog = new EventLog("Security");
    // set event handler
    myLog.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
    myLog.EnableRaisingEvents = true;

    static void OnEntryWritten(object sender, EntryWrittenEventArgs e)
    {
        // e.Entry is the new Security log record (e.Entry.InstanceId, e.Entry.ReplacementStrings, ...)
    }

Make sure you have privileges to access the Security event log: http://support.microsoft.com/kb/323076

+2
source
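An added example (not the answer's code) that takes the EventLog subscription above one step further: it keeps only the group-membership audit events and handles two things a service relying on this must get right. The EntryWritten event is raised at most once in any five-second window, so one callback can stand for several new records, and the watcher therefore walks back from the tail of the log to the last record number it processed instead of trusting e.Entry alone; and the audit record is written only by the domain controller that processed the change, so the watcher has to run on every DC (or on a collector receiving forwarded events). The event IDs are the Windows Server 2008 and later ones (4728/4729 global, 4732/4733 domain local, 4756/4757 universal; Windows 2000/2003 DCs log 632/633, 636/637 and 660/661 with a different insert layout). The ReplacementStrings index positions used in Parse are an assumption taken from the 4728 event layout and should be checked against the events your DCs actually write; the inserts in Main are constructed.

```csharp
// Added example (not the answer's code). Assumed 4728-style insert order: 0 MemberName,
// 2 TargetUserName, 3 TargetDomainName, 6 SubjectUserName, 7 SubjectDomainName.
using System;
using System.Collections.Generic;
using System.Diagnostics;

public class GroupChange
{
    public long EventId; public bool Added;
    public string MemberDn, Group, ChangedBy;
    public override string ToString()
    {
        return string.Format("{0} {1} {2} (by {3}, event {4})", MemberDn, Added ? "added to" : "removed from", Group, ChangedBy, EventId);
    }
}

public static class GroupAuditWatcher
{
    static readonly object sync = new object();
    static int lastRecord;

    // Pure step, kept apart from the log plumbing so it can be checked with constructed inserts.
    public static GroupChange Parse(long instanceId, string[] inserts)
    {
        bool added;
        switch (instanceId)
        {
            case 4728: case 4732: case 4756: added = true; break;
            case 4729: case 4733: case 4757: added = false; break;
            default: return null; // not a membership change (logons, policy changes, ...)
        }
        if (inserts == null || inserts.Length < 8) return null;
        GroupChange c = new GroupChange();
        c.EventId = instanceId; c.Added = added;
        c.MemberDn = inserts[0];                       // member DN as the DC wrote it
        c.Group = inserts[3] + "\\" + inserts[2];      // TargetDomainName\TargetUserName
        c.ChangedBy = inserts[7] + "\\" + inserts[6];  // SubjectDomainName\SubjectUserName
        return c;
    }

    // Run on each domain controller (or on a collector receiving forwarded events).
    public static EventLog Start(Action<GroupChange> onChange)
    {
        EventLog log = new EventLog("Security");
        int count = log.Entries.Count;
        lastRecord = count == 0 ? 0 : log.Entries[count - 1].Index;
        log.EntryWritten += delegate(object sender, EntryWrittenEventArgs e)
        {
            // One callback may cover several new records: walk back from the tail to the
            // last record number seen rather than processing e.Entry alone.
            lock (sync)
            {
                List<EventLogEntry> pending = new List<EventLogEntry>();
                for (int i = log.Entries.Count - 1; i >= 0 && log.Entries[i].Index > lastRecord; i--)
                    pending.Add(log.Entries[i]);
                pending.Reverse();
                foreach (EventLogEntry entry in pending)
                {
                    lastRecord = entry.Index;
                    GroupChange change = Parse(entry.InstanceId, entry.ReplacementStrings);
                    if (change != null) onChange(change);
                }
            }
        };
        log.EnableRaisingEvents = true; // needs read access to the Security log (see the KB link above)
        return log;
    }

    public static void Main()
    {
        // Constructed inserts in the assumed 4728 order (see the comment at the top).
        string[] inserts = { "CN=Alice,OU=Users,DC=example,DC=com", "S-1-5-21-1-2-3-1105", "IT Staff", "EXAMPLE",
                             "S-1-5-21-1-2-3-1200", "S-1-5-21-1-2-3-500", "admin", "EXAMPLE", "0x3e7", "-" };
        Console.WriteLine(Parse(4728, inserts));          // Alice added to EXAMPLE\IT Staff
        Console.WriteLine(Parse(4733, inserts));          // Alice removed from EXAMPLE\IT Staff
        Console.WriteLine(Parse(4624, inserts) == null);  // True: a logon event is ignored
        // Inside the service's OnStart:
        // EventLog log = Start(delegate(GroupChange c) { /* re-sync c.MemberDn against the security database */ });
    }
}
```

Note that the audit names the group by its sAMAccountName and the member by DN, so the service still needs a directory lookup to map between the two, and that the "Audit account management" policy (the "Security Group Management" subcategory on 2008 and later) must be enabled for Success on the domain controllers, or nothing is written at all.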

Are you aware that there are products that help you with directory synchronization and user provisioning (google those terms)? None of this is "not invented here", and you may have to justify the investment in the current climate, but developing and maintaining code for which a commercial solution already exists is not always, shall we say, the most cost-effective way to go in the long run.

Not all of them support events/triggers, but they do support change tracking and propagation: it is not hard to build event-driven solutions on top of those features.

Microsoft has Identity Integration Server (MIIS), which has been repackaged as part of Identity Lifecycle Manager. It was originally built for more general meta/master data management, but it is functional. IBM has Tivoli Directory Integrator (but you have to keep up with the name changes!). Oracle has Oracle Identity Manager, and Sun has Sun Identity Manager. Most of them are leading products that the major players bought to fill gaps in their portfolios.

Of course, these are enterprise-class products, which means big and expensive, but as a rule quite future-proof and extensible. If you do not need their full strength (for now!), you might want to look at keeping a copy yourself. In that case, have you considered storing your replica of the last known AD tree in AD LDS (formerly ADAM)? It is not an optimal format for comparing differences, but the directory database will scale quite well, even in its lightweight form.

+1
source

Source: https://habr.com/ru/post/1276817/
