Active Directory Changes Operation

Overview

An Active Directory (AD) Changes operation queries the target Active Directory instance and determines whether an currently undetected change has been made, using the Update Sequence Number (USN) method (see here for more information). A change token is assigned to its encapsulating operation list if a change has occurred for a specified filter since the last detected change.

This operation allows users to detect changes within a specific subtree, whereas the Active Directory Sync Changes operation does not. List and Read permissions for the specified account are all that is required on each container in the subtree to check for changes. This method, however, does not replicate across domain controllers, and as such, results will be unpredictable should another DC be targeted.

The Active Directory Changes operation will always return changes on its first run. If this is not the case, it may mean that the account does not have sufficient access to the instance, or that the LDAP filter specified is not correct. Active Directory tools such as ADSI Edit and LDP.exe may prove useful in checking these credentials are correct and that expected changes will be successfully retrieved with the security settings specified.

Technical Requirements

The AD Changes operation requires an operational target Active Directory instance to check for changes against. This target Active Directory instance needs to be configured with a set of access privileges which will facilitate the connection details specified by the selected AD Agent.

Usage

The AD Changes operation will only allow its encompassing operation list to begin its run if changes are detected in the target Active Directory instance.

Configuration

In addition to the common operation configuration settings shared by all Changes Operations, the Active Directory Changes operation requires the following by way of configuration:

Name Description
Filter LDAP filter to apply to search results.
Organizational unit name Base organizational unit to begin searching on.
Check Tombstone Whether deleted objects should be picked up by executing a different query.
Tombstone Filter Separate query to be applied if check tombstone is enabled. Default (&(isDeleted=true)(objectClass=user))
CHECK: An Active Directory agent is required to configure an Active Directory Changes operation.

Image 3532

Operation Active Directory Changes Operation

Is this article helpful for you?