Monitoring of UPN name

  • Thread starter Thread starter gudel
  • Start date Start date
G

gudel

Hello,

Since we got a security related incident here, we're looking for a way
to monitor changes of the UPN (ex. by an external editor). First we
used a script that was run in an x minutes intervall, but since you
don't know how fast a possible attacker will undo his change there must
be a more complete solution when the changing is done.

Is there any way do get this?

Thank you for tipps and comments.

Martin
 
The only way to guarantee you are catching this is to be running dirsync agents
against every single DC in a domain/forest. A UPN change is a replicating change
so if you are constantly polling the dirsync agents you would catch it. You
can't just watch once DC because if the change occurs and is changed back prior
to replication, you will see that a change occurred but won't know what. If that
is ok, then you don't need any of this, you just need to watch the version
number of the userprincipalname as there is no way around not updating that.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Back
Top