No, but there are other change tracking mechanisms that can be used.
Honestly, creating change log objects in the directory for every change would
be, in my opinion, dangerous. You would either have to:
1. Limit the number of objects created.
2. Put a limit on the number of objects based on total space.
3. Have a rollover based on 1 or 2.
If you didn't implement one of the above your directory could be crashed by
someone doing a lot of changes (for instance my AD takes about 2000-3000
password changes a day alone...). A great DoS attack on anyone implementing
something like that would be to keep sending updates on some attribute
changing it over and over again. You would either roll the change log or run
the directory out of some resource or the sheer number of objects sitting
there would slow it down.
--
www.joeware.net
Terri Warren said:
Does the latest release of Microsoft Active Directory support LDAP
Changelog?
(http://www1.ietf.org/mail-archive/ietf-announce/Current/msg23035.html)
I believe they did not in Windows 2000.
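The trade-off described in the reply above, as an added example that is not part of the original thread: a change log capped by both entry count and total bytes, with rollover, run against a constructed burst of repeated updates to one attribute. The class, its limits, the field layout and the sample DNs are all assumptions made for illustration, not any directory product's implementation.

```python
from collections import deque


class BoundedChangeLog:
    """In-memory change log capped by entry count and total bytes (hypothetical)."""

    def __init__(self, max_entries, max_bytes):
        self.max_entries = max_entries
        self.max_bytes = max_bytes
        self.entries = deque()  # (change_number, target_dn, changes, size)
        self.bytes_used = 0
        self.next_number = 1

    def record(self, target_dn, changes):
        size = len(target_dn.encode()) + len(changes.encode())
        self.entries.append((self.next_number, target_dn, changes, size))
        self.bytes_used += size
        self.next_number += 1
        # Rollover: evict the oldest entries until both limits hold again.
        while (len(self.entries) > self.max_entries
               or self.bytes_used > self.max_bytes):
            self.bytes_used -= self.entries.popleft()[3]

    def read_since(self, last_seen):
        """Return (gap, entries); gap is True if unread changes were rolled off."""
        first = self.entries[0][0] if self.entries else self.next_number
        gap = first > last_seen + 1
        return gap, [e[:3] for e in self.entries if e[0] > last_seen]


def simulate_flood():
    """Constructed scenario: a consumer falls behind during an update burst."""
    log = BoundedChangeLog(max_entries=100, max_bytes=10_000)
    log.record("cn=alice,dc=example,dc=com", "replace: telephoneNumber")
    last_seen = 1  # the consumer has processed change 1 only
    log.record("cn=bob,dc=example,dc=com", "replace: mail")  # change 2, unread
    for i in range(5000):  # one attribute rewritten over and over
        log.record("cn=mallory,dc=example,dc=com",
                   f"replace: description {i % 2}")
    gap, pending = log.read_since(last_seen)
    return len(log.entries), log.bytes_used, gap, pending[0][0]


if __name__ == "__main__":
    count, used, gap, first_pending = simulate_flood()
    print(f"entries={count} bytes={used} gap={gap} first={first_pending}")
```

The caps keep the log bounded, but the unread change for `cn=bob` is rolled off; a consumer that sees the gap flag has to fall back to a full resynchronisation rather than trust the log.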