
I need to get notifications when certain events occur in Active Directory using the LDAP protocol. The events that should be triggered are:

  • When a certain AD group is associated with a user.
  • And if a field (like phone number) has changed in an AD user.

I searched all over the internet, but most solutions are based on the code at the end of this article:

As mentioned in that article, there are 3 ways to do it:

  • Using USNChanged
  • Using the DirSync Control
  • And using the code at the end of the page.

For the first two options I found articles with examples on Microsoft's site, but all the examples are in C++, and I need this in C#.

Other code samples that I found are incomplete and not understandable, so I can't use them appropriately.

Is there any solution, code sample, etc. that I can use, similar to the code at the end of the provided article?

Once again, I need this in C#.

Thanks

Dan
  • Do you have a link for the Microsoft C++ samples? – Bassie Sep 01 '16 at 01:15
  • @Bassie Here they are: https://msdn.microsoft.com/en-us/library/ms676895.aspx , https://msdn.microsoft.com/en-us/library/ms676877.aspx , https://msdn.microsoft.com/en-us/library/ms676896.aspx , https://msdn.microsoft.com/en-us/library/ms677927.aspx – Dan Sep 01 '16 at 07:39
  • What is the reason for requiring LDAP? I think you can also try a) enabling AD DS Auditing (and reading that log) https://technet.microsoft.com/en-us/library/a9c25483-89e2-4202-881c-ea8e02b4b2a5 b) using third-party tools like https://www.manageengine.com/products/active-directory-audit/ c) if real-time notifications are not required, then you can schedule code that will check the required groups / properties and compare them with the previous values. – user2316116 Sep 01 '16 at 08:21
  • @smirnov LDAP is just a protocol, the way we connect to AD, send data etc., right? I'm not too familiar with this; I saw that it's also mentioned in ways like LDAP server etc. I stated that because my request states: which events can we act on, based on the .NET connectivity model for LDAP, to get these notifications? The third solution you provided can help me; I saw some examples like that, but I wasn't sure it would work. Do you maybe have some code samples that can help me in that direction? – Dan Sep 01 '16 at 11:12
  • It doesn't necessarily need to be LDAP to work with AD; there is System.DirectoryServices, which can be used too. Regarding a sample for the third solution: how many users will you have in AD? This idea could work well if a) there are not many users/groups to monitor (so you don't need to create a big snapshot of the current state) and b) you may not manage AD (and you cannot set up e.g. auditing). – user2316116 Sep 01 '16 at 13:25
  • @smirnov In my case it's the LDAP protocol. I cannot predict how many users there will be, and that solution has to be paid for if I'm not mistaken. For now I only need the following possibilities: AD user was deactivated; AD user was moved to another business unit. I found one useful article which I will try to make work: http://stackoverflow.com/questions/3819824/how-to-query-changes-in-active-directory-including-deleted-objects Any advice or example that can help me as well? – Dan Sep 02 '16 at 13:51

1 Answer


I want to share what I have accomplished so far, since I managed to set the notifiers on my Active Directory using the 3rd solution from the provided article:

I realized that (even though it's mentioned in the post) it's possible to register only 5 objects in the domain. I'm not exactly sure why, but there is some limitation on the server. I solved that with the following line of code:

    notifier.Register("dc=a24xrmdomain,dc=info", System.DirectoryServices.Protocols.SearchScope.Subtree);

that is, I set the root domain to be observed and set the scope of monitoring to System.DirectoryServices.Protocols.SearchScope.Subtree (all children).

I found out that monitoring Active Directory this way is not best practice, because if there are a lot of users (10k for example) not all changes will be triggered. So, since you have to have the previous state of the object that you want to monitor, you can use one of the other two methods from the provided link to accomplish this task. I assume that you have to set some timer, for every 5 seconds for example, and check the appropriate field of the object.

Dan
  • Also, if someone knows how to create a workaround for the limitation of 5 objects from the provided link (3rd solution) he can post his answer! Thanks – Dan Oct 05 '16 at 20:55
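The approach the answer describes, written out in C# with System.DirectoryServices.Protocols as an added example (not code from the question, the answer or the linked article): a single change-notification search registered at the domain root with Subtree scope, seeded with a normal search so the callback can report which attribute changed for the two events in the question. The class name AdChangeWatcher, the host dc01.example.local and the root DN DC=example,DC=local are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Linq;

public static class AdChangeWatcher // hypothetical name for this added example
{
    // Phone number lives on the user; adding a user to a group modifies the group's "member" attribute, so that event arrives on the group object.
    private static readonly string[] Watched = { "telephoneNumber", "member" };
    private static readonly Dictionary<string, Dictionary<string, string[]>> Snapshot = new(); // last seen values per DN
    public static void Main()
    {
        using var connection = new LdapConnection("dc01.example.local");  // assumed DC host name
        connection.SessionOptions.ProtocolVersion = 3;                     // controls need LDAPv3
        connection.Bind();                                                 // current Windows credentials
        IAsyncResult pending = Register(connection, "DC=example,DC=local"); // constructed root DN
        Console.ReadLine();                                                // Enter stops listening
        connection.Abort(pending);
    }
    // Record the current state with a plain search (large domains need PageResultRequestControl), then register one
    // notification search at the root with Subtree scope: it covers the whole domain with a single registration.
    public static IAsyncResult Register(LdapConnection connection, string rootDn)
    {
        var seed = new SearchRequest(rootDn, "(|(objectCategory=person)(objectCategory=group))", SearchScope.Subtree, Watched);
        foreach (SearchResultEntry entry in ((SearchResponse)connection.SendRequest(seed)).Entries)
            Snapshot[entry.DistinguishedName] = Read(entry);
        var watch = new SearchRequest(rootDn, "(objectClass=*)", SearchScope.Subtree, Watched); // filter required by the control
        watch.Controls.Add(new DirectoryNotificationControl());
        return connection.BeginSendRequest(watch, PartialResultProcessing.ReturnPartialResultsAndNotifyCallback, OnChange, connection);
    }
    private static void OnChange(IAsyncResult result) // runs on a pool thread each time the server reports a modified object
    {
        var connection = (LdapConnection)result.AsyncState;
        foreach (var entry in connection.GetPartialResults(result).OfType<SearchResultEntry>())
        {
            var current = Read(entry);
            if (Snapshot.TryGetValue(entry.DistinguishedName, out var previous))
                foreach (string attr in Watched)
                    foreach (string change in Diff(previous[attr], current[attr]))
                        Console.WriteLine($"{entry.DistinguishedName}: {attr} {change}");
            Snapshot[entry.DistinguishedName] = current; // an object seen for the first time only seeds the state
        }
    }
    private static Dictionary<string, string[]> Read(SearchResultEntry entry) =>
        Watched.ToDictionary(a => a, a => entry.Attributes.Contains(a)
            ? entry.Attributes[a].GetValues(typeof(string)).Cast<string>().ToArray() : Array.Empty<string>());
    private static IEnumerable<string> Diff(string[] before, string[] after) =>
        after.Except(before).Select(v => "added " + v).Concat(before.Except(after).Select(v => "removed " + v));
}
```

Because only one notification search is outstanding, the 5-registration limit the answer ran into is not reached; the trade-off the answer notes still applies, so very large or bursty directories are better served by the USNChanged or DirSync polling methods it mentions.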