Finding proof of eDirectory Sabotage
Novell Cool Solutions: Trench
Posted: 28 Oct 2003
We recently posted this OPEN CALL in the Q&A, and got some interesting ideas. If you have something you'd like to add, let us know.
Question: I started my job two years ago and the tech that was here before me was jealous because he wanted the position. I believe he is sabotaging my work to obtain my position even though he is not Novell certified. I handle network requests for new users and have noticed some of them have been deleted and I get a second E-mail asking why the user was not created. Please let me know if there is a way to track these changes in NDS?
Here are some options:
1) Turn on NDS auditing. You do not mention what platform you are running eDirectory on, but if it is NetWare, you can easily turn on auditing and see what is happening.
2) How many servers are involved? If you have a server to spare, put a replica of the affected container(s) on it. Once you create a new user, verify that the new account shows up on the spare server, and then unplug the server from the wire! Then when you are accused of not creating the user, you can show them the account in the offline replica and prove that the account did exist but was deleted afterwards!
3) Check for obituaries. If someone is deleting the accounts, and you become aware of it quickly enough, chances are you might find some lingering obituaries from the deleted objects that have not cleared yet.
4) After creating new accounts, perform an LDAP dump (to an LDIF file). Then when the account disappears you can use the LDIF file to prove that the account did exist at some point.
5) Use the DirXML eDirectory-to-text-file driver to track all changes in a text file.
So, you see eDirectory gives you plenty of options :)
Have you thought about exporting (via LDIF or GroupWise export) the userid, surname, context and default server/home directory info to a text file? Do it after you have completed creating a batch of new users and there's your proof, and a great way to restore user default server/home directory info in an emergency.
Or if you're really customer focused, log in to each account (for testing purposes) so you also export the last login time and that way you have proof that their account was working.
Alternately a few simple screencaps of the accounts at creation time could work just as well.
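Option 4 in the first reply (an LDIF dump right after creating the accounts) and the export suggestion in the reply above both come down to the same thing: keep a snapshot, then compare it against the directory once an account is reported missing. The script below is an added example, not code from Novell Cool Solutions or from either contributor. It parses two LDIF exports (folded lines, base64 "attr::" values and comments are handled), then lists the DNs that were deleted, added or altered between them. The two snapshots embedded in it are constructed sample data; in practice you would produce them with an LDAP export of the container, for example with `ldapsearch -x -H ldaps://<server> -D <admin dn> -W -b ou=users,o=acme "(objectClass=inetOrgPerson)"`, where the server, bind DN and container are assumptions for this illustration.

```python
"""
Diff two LDIF exports of an eDirectory container and list the user objects
that were deleted or altered between them.  Added illustration; the sample
snapshots below are invented, not real exports.
"""
import base64

# Constructed snapshot taken right after a batch of users was created.
BASELINE_LDIF = """\
dn: cn=jsmith,ou=users,o=acme
cn: jsmith
sn:: U21pdGg=
loginDisabled: FALSE

dn: cn=mjones,ou=users,o=acme
cn: mjones
sn: Jones
loginDisabled: FALSE

dn: cn=rlee,ou=users,o=acme
cn: rlee
sn: Lee
loginDisabled: FALSE
"""

# Constructed snapshot taken later: mjones is gone and rlee was disabled.
LATER_LDIF = """\
dn: cn=jsmith,ou=users,o=acme
cn: jsmith
sn:: U21pdGg=
loginDisabled: FALSE

dn: cn=rlee,ou=users,o=acme
cn: rlee
sn: Lee
loginDisabled: TRUE
"""


def parse_ldif(text):
    """Parse LDIF text into {dn: {attribute: [values]}}.

    Handles folded lines (a leading space continues the previous line),
    comments, the version header and base64 values written as 'attr:: ...'.
    DNs and attribute names are lower-cased because LDAP compares them
    case-insensitively.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, dn, attrs = {}, None, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                      # not an attribute line; ignore it
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn, attrs = value.lower(), {}
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    return entries


def diff_snapshots(baseline, later):
    """Return (deleted, added, changed).

    deleted/added are sorted DN lists; changed maps a DN to a list of
    (attribute, old_values, new_values) tuples for attributes that differ.
    """
    deleted = sorted(set(baseline) - set(later))
    added = sorted(set(later) - set(baseline))
    changed = {}
    for dn in sorted(set(baseline) & set(later)):
        diffs = []
        for attr in sorted(set(baseline[dn]) | set(later[dn])):
            old, new = baseline[dn].get(attr, []), later[dn].get(attr, [])
            if sorted(old) != sorted(new):
                diffs.append((attr, old, new))
        if diffs:
            changed[dn] = diffs
    return deleted, added, changed


if __name__ == "__main__":
    deleted, added, changed = diff_snapshots(parse_ldif(BASELINE_LDIF),
                                             parse_ldif(LATER_LDIF))
    for dn in deleted:
        print("DELETED ", dn)
    for dn in added:
        print("ADDED   ", dn)
    for dn, diffs in changed.items():
        for attr, old, new in diffs:
            print("CHANGED ", dn, attr, old, "->", new)
```

One caveat worth keeping in mind with any of the snapshot approaches: a diff shows what changed, not who changed it, so it complements rather than replaces auditing. The snapshot is also only as good as its integrity; timestamp it and keep it somewhere the other technician has no write access to (or record its hash), or it proves nothing if challenged.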
If DSMETER from VisualClick software were deployed in this situation he/she would be able to track the changes being made to eDir and therefore find who/when/how these objects are being deleted.
I'm not sure this is the ideal solution as I'm not using their product right now, but it sure sounds like the feature set would provide what is needed.
From their website (www.visualclick.com):
DSMETER provides you with exceptional abilities to track NDS and eDirectory Security Activity. The following list outlines DSMETER's major security tracking options:
- Additions to Security Equivalence
- Changes in Group Membership
- Changes in Organizational Role Occupants
- Successful Password Changes
- Failed Password Changes
- Object Creation
- Object Deletion
- Changes in Object Security that result in Supervisory Privileges
- Changes in Object Security that result in other Privileges
- Changes in Inherited Rights Filters (IRFs)
Does the old admin have delete object rights? If so can these be taken away? With eDir, you can set eDir rights, or set a role and apply the role to a group of users.
You can use ZENworks for Servers.
You will get a lot of information about what's going on in your network, including the ID of the person who did it.