Logging and Auditing Capabilities

Directory Update, Directory Manager, and Directory Password provide some limited logging and auditing capabilities. Auditing takes one or both of two forms: writing each change to a text file, and/or writing the date/time of the user's most recent change to an attribute in Active Directory. These functions are controlled via the auditing section of the AppSettings.XML file; that section of the file is shown below.

<!-- Ensure that the "Application Pool" account (usually NETWORK SERVICE) has "Modify" permissions to the
Logs folder. -->
<auditing>
  <auditingAttribute enabled="no" attribute="extensionAttribute11" showUserLastUpdate="yes" 
    text="Your last update was" />
  <auditingLogFile enabled="no" logFileFolder="c:\inetpub\wwwroot\directoryupdate\logs">
    <headers>
      <dateTime  text="Date/Time" />
      <userName  text="User Name" />
      <sourceIp  text="Source IP" />
      <fieldName text="Field Name" />
      <oldValue  text="Old Value" />
      <newValue  text="New Value" />
    </headers>
  </auditingLogFile>
</auditing>

Logging Changes to an Attribute

By default, if you enable the auditingAttribute option, we will log the date and time of the user's most recent change to the attribute specified (extensionAttribute11 by default). To use one of the extensionAttributes, your Active Directory forest must have been prepped for some version. The Directory Update AppSettings.XML file includes an option called showUserLastUpdate that will show the user the last date/time that they used Directory Update.

The auditingAttribute feature can also be used from a script to check how recently someone has used Directory Update and to remind them to check their information. We have an unsupported script, which we call the Auto-Launch script, that can be used for this purpose.

Logging Changes to a Text File

You can configure Directory Update, Directory Manager, and Directory Password to write changes to a log file via the auditingLogFile option. Each entry records information such as the user who made the change, the IP address from which the change was made, the field that was changed, the old value, and the new value.


There are a few things that you should be aware of when using the auditingLogFile feature:

  • A new log file is created each day based on the local time
  • Older log files are not purged automatically
  • Files are tab-separated value files and are best viewed via a program like Excel
  • Create a dedicated IIS application pool and ensure that the Network Service user has "Modify" permissions to the log file folder
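An added example, not part of the product's documentation or code, that reads one day's tab-separated audit log and summarises it the way a reviewer would: changes per user, and users whose changes came from more than one source IP. The log lines are constructed; it assumes the file's first line is the header row using the text values from the headers section of AppSettings.XML.

```python
"""Parse and summarise the tab-separated log written by the auditingLogFile option."""
import csv
import io
from collections import defaultdict

# Constructed sample of one day's log. Assumption: the first line is a header row
# carrying the "text" values from the <headers> section of AppSettings.XML.
SAMPLE_LOG = (
    "Date/Time\tUser Name\tSource IP\tField Name\tOld Value\tNew Value\n"
    "2024-05-01 09:12:44\tjsmith\t10.1.2.30\tmobile\t555-0100\t555-0199\n"
    "2024-05-01 09:13:02\tjsmith\t10.1.2.30\ttitle\tAnalyst\tSenior Analyst\n"
    "2024-05-01 11:40:17\tjsmith\t10.9.8.7\tmobile\t555-0199\t555-0142\n"
    "2024-05-01 14:05:51\tadoe\t10.1.2.31\tdepartment\tSales\tMarketing\n"
)


def parse_audit_log(text):
    """Return one dict per change, keyed by the header names (tabs only, no quoting)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return [dict(row) for row in reader]


def changes_by_user(rows):
    """Map each user name to the (field, old value, new value) changes they made, in file order."""
    changes = defaultdict(list)
    for r in rows:
        changes[r["User Name"]].append((r["Field Name"], r["Old Value"], r["New Value"]))
    return dict(changes)


def users_with_multiple_source_ips(rows):
    """Users whose changes in this file came from more than one source IP.

    The per-change IP is what makes this check possible; a user editing their own
    record from several addresses in one day is worth a second look.
    """
    ips = defaultdict(set)
    for r in rows:
        ips[r["User Name"]].add(r["Source IP"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_LOG)
    for user, changes in changes_by_user(rows).items():
        print(user, changes)
    print("multiple source IPs:", users_with_multiple_source_ips(rows))
```

To run it against a real log, read the day's file from the logFileFolder path configured in AppSettings.XML and pass its contents to parse_audit_log.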