Thursday, February 3

A new tool for Identity Management: AD Event Push SDK

I had a brainstorm last night. Most Identity Management systems poll Active Directory to pull changes on a periodic basis. And admittedly, that approach is often sufficient. But here's an alternative that gets you real-time push updates from AD, including the identity of the person who made the change (which is often useful for workflow/approval and audit trail purposes):

- A small utility service that sits on the DC waiting for changes
- Picks up events in real-time
- Sends event info to a DLL that you compile

The DLL determines what to do with the info based on:
- Who did it
- What groups the person is a member of
- What happened (add/mod/del)
- Which object or object-type was affected (admin accounts, service accounts, etc)
- Which attributes changed
- In which OU the event occurred
- etc.

Possible outcomes may be to trigger an Identity Management process or workflow, open a help desk ticket, generate an alert, etc.

The programming would be very similar to building an ILM management agent.
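To make the DLL's job concrete, here is an added example (not NetVision's code and not the actual agent interface) of the decision logic it would hold, written in Python over constructed AD change events. `ChangeEvent`, `decide()`, the OU names and the group name `IAM Provisioning` are all assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ChangeEvent:
    """One event as the DC-side service would hand it over (constructed shape)."""
    actor: str                 # who made the change, e.g. sAMAccountName
    actor_groups: set          # groups the actor is a member of
    operation: str             # "add" | "mod" | "del"
    target_dn: str             # distinguished name of the object affected
    object_class: str          # e.g. "user", "group"
    changed_attrs: set = field(default_factory=set)

def ou_of(dn: str) -> str:
    """Return the container part of a DN, e.g. 'OU=Staff,DC=corp,DC=example'.
    Naive split: a production parser must honour escaped commas (RFC 4514)."""
    parts = dn.split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else ""

# Assumed policy values; in practice these would be configuration, not constants.
SENSITIVE_ATTRS = {"member", "userAccountControl", "adminCount", "servicePrincipalName"}
TIER0_OUS = {"OU=Admins,DC=corp,DC=example", "OU=Service Accounts,DC=corp,DC=example"}
APPROVED_CHANGERS = {"IAM Provisioning"}   # the IDM system's own connector account group

def decide(ev: ChangeEvent) -> list:
    """Map one event to zero or more outcomes: 'alert', 'ticket', 'workflow'."""
    if ev.actor_groups & APPROVED_CHANGERS:
        return []                          # the IDM system made this change itself; nothing to reconcile
    outcomes = []
    ou = ou_of(ev.target_dn)
    # Out-of-band change to admin/service accounts, or to any group's membership: alert.
    if ou in TIER0_OUS or (ev.object_class == "group" and "member" in ev.changed_attrs):
        outcomes.append("alert")
    # Sensitive attribute edits get an audit ticket that records ev.actor (the WHO).
    if ev.changed_attrs & SENSITIVE_ATTRS:
        outcomes.append("ticket")
    # Users created or deleted outside the IDM system start the joiner/leaver workflow.
    if ev.object_class == "user" and ev.operation in ("add", "del"):
        outcomes.append("workflow")
    return outcomes

if __name__ == "__main__":
    ev = ChangeEvent("jsmith", {"Help Desk"}, "mod",
                     "CN=backup-svc,OU=Service Accounts,DC=corp,DC=example",
                     "user", {"userAccountControl"})
    print(ev.actor, ev.operation, ev.target_dn, "->", decide(ev))
```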

So, IDM friends, would this be useful? If you have a project in mind or just want to play with it, let me know. NetVision has had this agent for years but we add a lot of capability around it. I'm wondering if there's some value for you if we strip it down to a single DLL that you would control. Let me know.


Matt Pollicove said...


I don't think there's such a thing as too many tools. Ever.

However some tools are easier to implement than others, particularly tools that need to be installed on the domain controller. It's a tough enough battle to do GINA replacements for password hooks.

However, if the tool were approved and on there for another purpose, and I could get that kind of AD monitoring approved by the Info Security and Change Management boards, I wouldn't mind at all.

Otherwise, it's still comparing USNchanged values for me.


Matt Flynn said...

Thanks Matt! IMHO, GINA replacements should be a tougher battle - I think it's more difficult to manage something that needs to be installed on user desktops than something that would be deployed to DCs (which are more easily managed). I get that people don't like installing components to a DC, but we've already proven that they'll do it when there's value to be had. So, what I'm really wondering is whether there's value (in the mind of the IAM buyer) in having AD push/respond in real-time and provide WHO did it, which you don't get with USNchanged values.