Triggers for Active Directory (VB)

Topic

New Reply

I posted this in the Servers forum, but no response yet. I’m looking for a programmatic solution, so I’m trying in this forum too:

I’ve done a little here and there as far as interfacing with Active Directory programmatically. I’ve gotten pretty used to querying information. But I’ve always wondered if there was a way to set a trigger in Active Directory. I’ll give you an example of what I am talking about.

We are going to a new Anti-Spam process that is offsite. Our email is routed through another companies servers, and they only send us the non-spam. One of the ‘settings’ that we will eventually turn on, will have that external company drop anything not going to a valid email address within our company. ie, if John Smith has jsmith@mycompanysdomain.com as his email address, but there is no johns@mycompanysdomain.com, this external server will simply drop any addresses that it doesn’t know are valid.

One method of doing this is to let that external company ‘query’ our Active Directory. Personally, I wouldn’t care about that, but my boss doesn’t want that. So, instead, we will have to add these users to that anti-spam system whenever we add a new email address to a user, or create a new user in AD that has an email address (we’re using Exchange 2003). If we create a user in AD, with a mailbox, they will NOT get any external emails until we (IT) update the anti-spam company with the new address (and user that has the address).

Now, I know how to do this programmatically, but not the way I’d like. I could build an NT Service in VB, that checks Active Directory for new email addresses (and address to account associations) periodically. If I build the ADSI query right, I could probably get away with doing this once a minute. But what I would LIKE to do, is just have Active Directory ‘alert’ my program when a new address (or a change) has occurred. A trigger. In SQL Server, I can write a trigger for changes in a table. Does Active Directory have anything like this? I use AD a lot, but I’ve never run across a capability like this before.

Thanks in Advance

Reply | Quote

Replies

I sincerely hope that you’ll get a reply here, but don’t hold your breath. Most members who program work with MS Office, I fear that programming Active Directory is outside their scope (it is definitely outside mine).

Reply | Quote

Thanks Hans. I hope I get a reply too. I haven’t found what I am looking for through google yet. I just need to know if it’s possible.

Reply | Quote

We add new users manually at the time of creation. Yes, there is a risk of missing a new alias, but users can tell us pretty quickly if they are unable to receive external email.

With respect to AD, about which I understand very little, can you use auditing to log new/changed objects to an event log and then use a log-monitoring script/program to notify you of those event entries?

Reply | Quote

That’s possible. Honestly, I have code that can get the data I am looking for. Wouldn’t be hard to modify the code so that I can set it as a service to ‘check’ for changes by doing comparisons. I just don’t want to have a service constantly checking AD. I actually have a service I wrote that does check AD for locked user accounts. Runs once a minute….very quick code. There are hooks for all sorts of things, was just hoping there was one for AD.

Reply | Quote

(Edited by HansV to make URL clickable – see Help 19)

I have tried to do something similar to what you are doing only I wanted to connect our AD with our HR system. Same principal. I got the information below from a blog I found somewhere. (Don’t ask me where, it was a while ago). It didn’t help me but have a look and see, you never know.

From the BLOG.
The event notification system doesn’t work like that. It would be nice if it did but it doesn’t. The best you can get with event notification is alerted that there was a change on some part of the tree you are watching and no clue as to what that change was. It isn’t the way you really want to do anything unless you are watching a very limited set of objects.

If you need to do processing based on updates like that you should most likely do something with USN polling. It is one of the three methods MS describes for tracking changes in AD here http://msdn2.microsoft.com/en-us/library/ms677625.aspx%5B/url%5D
End of BLOG stuff

Onward and upward.

Regards,
Kevin Bell

Reply | Quote

This shows some promise. Unfortunately, I’m swamped today, I’ve added that site to my favorites. If I figure out a way to ‘hook’ into AD, I’ll post my solution here.

Reply | Quote