Active Directory Domain Services Auditing - events

I'll try to explain my goal as good as I can;
I want to trigger a script whenever there is a new computer added to a Organizational Unit.
To do this i need to activate the logging of this event under the local security policy/audit policy. I guess my question is, do I need to do this on all the domain controllers, or is it enough to do it one just one?
Also, is it possible to see the event from a member server with the Management Tools pack installed? As I don't want to put too much work on the Domain Controllers.

Here is the Microsoft article that gives 4 ways of tracking changes in Microsoft Active-Directory. You will find everything you need from configuring the eventlog to receiving notifications by way of different kind of polling.

Related

Am I "Allowed" to add a default constraint directly to DB in Dynamics 365?

Wondering if anyone can help a total newbie to Dynamics 365. Have started working on an existing implementation of Dynamics 365 (on premise) and am told by current developers that under no circumstances can I amend a column in a table for one of our entities directly on the DB. I am simply wanting to default an INT column to value 1.
They tell me "Dynamics is a black box and you will be breaking the law if you amend directly". This can't be true can it?
Thanks for any advice you can offer.
Building on what Josh said, it is true that the Dynamics SQL database is a black box. Everything must be done through the API with the exception of creating custom indexes on tables and reading from the "Filtered" views.
(And with the new T-SQL endpoint in preview for the online product, you're able to run SQL select queries against an online org.)
The reason for this that all events in Dynamics go through the "platform" via messages. For example, you might have plugin or workflow automation that triggers on the Update of an Account. When the platform receives the "Update" message for an Account, it searches for subscribers to that event and runs any subscribed processes. If you write a change directly to an Account record in SQL, you deprive the platform of the opportunity to run its processes for that event.
And it is good to note that Microsoft uses the same event framework for internal events. So, if you say, "Well, I have no custom plugins or workflows running on the Update message for Accounts so I can edit Accounts directly in SQL." By doing so you'd still risk breaking an internal Microsoft process that triggers on that event.
In a nutshell the platform's need to process ALL events is why direct updates to the database are unsupported. If you do them, Microsoft will refuse to support your system.
Another consideration is that if you ever want to move to the Dynamics Online, writing to the database isn't even possible, so you'd have to redo any automation that relied on that. This is another reason why everyone generally accepts the need to customize their system in the supported way.
Do people occasionally do unsupported things, with good justification? Yes, perhaps most commonly in making unsupported changes to the UI. Even so, writing directly to the database is among the highest offenses to be avoided.
Back to your scenario... it can be jarring to discover that the SQL database is off limits for any direct writing or schema changes. Fortunately Dynamics provides many other automation "hooks" including client-side JavaScript, Business Rules, Power Automate Flows, workflows, and plugins (synchronous and asynchronous).
To set a default value in the UI, the options include a Business Rule and JavaScript. To set a default value in the database, a synchronous workflow or plugin would do the trick.
The Developer Guide is a good place to start.
This would be considered an “unsupported” customization by Microsoft. If it breaks something in the logic of the app, Microsoft won’t help you fix it. If you ever move to Online instead of On-premise, you won’t have this ability. The current developers are battle-hardened and are trying to help you. This is a very bad idea - better would be to create a plug-in on Create of that entity that sets up default values for null fields. This way your logic is in the app with all the other custom logic and is supported.

Is there a way to connect to Exchange Online using Logic Apps? Do I need to use a REST-api or EWS?

i'm quite new to Logic Apps. I got the task to make an auto reply function within Logic Apps that integrates with Exchange Online. Now I already performed this task using Outlook, but I have to be able to apply it to multiple mailboxes or even the entire company using Exchange. I'm about to get access to the Exchange Admin Center soon, but I don't really know how to start due to the fact that there is no simple way to make a connection to Exchange using Logic Apps. After some research, I think it's necessary for me to somehow make use of a REST API (I also read about the use of Exchange Web Services) to get the information I need, but my knowledge about this is quite small. I guess I'm gonna have to use a program like Postman to request information, so that I can start creating Custom Connectors to Exchange. If anybody has some understanding about this, feel free to reply and help me out! I will forever be gratefull!
There are several different approaches you could take to this if you (or probably they in your case) want your logic app to do all the work then you should use the Graph API rather then EWS (while its possible because its older API you'll loose marks on your assignment) have a look at http://martink.me/articles/using-microsoft-graph-in-logic-apps which covers the basics of what to do. To Get access to mailboxes tenant wide then you need to assigned Application Permission and get certificate (and store that in the KeyVault on Azure etc).
You can do this using Inbox Rules https://learn.microsoft.com/en-us/graph/api/mailfolder-post-messagerules?view=graph-rest-1.0&tabs=http and the Exchange Server will do all the work when it comes to doing the Auto-response (and has loop detection logic already) and your logic app then just need to do the Creation and management of the Rules.
But I would suggest you clarify with the person who assigned you the task whether they want the logic app to do the response (eg using the Graph API) or if its okay for the Exchange Server to do this for then (which should be more reliable).
You can also create Rules via the Exchange Admin Center and you could probably also through in Power Automate into the mix to do Autoresponse's so I'd clarify what they want so you don't waste time building something they don't want.

slack show webhooks configured for user when they leave

We've had a DevOps member leave recently and have had complaints that all of the integrations (incoming webhooks) that they had set up have stopped working... (once the user was disabled).
One suggestion for dealing with this was to notify the affected channels when we deactivate the user, but I can't find in the API methods a way to look up which channels a user might have configured these webhooks for...
Anyone had to do something like this?
To get the apps and internal integrations that have been installed by a specific user use the API method called team.integrationLogs.
This method lists the integration activity logs for a team, including
when integrations are added, modified and removed. This method can
only be called by Admins.
For a programmatic solution you will need to go through all log entries for one user / app to find out its latest status.
However, it might still become difficult to reinstall all that apps / setup all that webhooks again properly after a DevOps member has left depending on how good your documentation is. We have therefore started using a generic admin user (e.g. "slackadmin") as main installer for all important apps / integrations for our workspace.

SSRS Subscription Permissions

I can't find much about this online so I was wondering if someone knew here.
Is SSRS 2005 if a user creates a subscription, will other users be able to view and edit those subsciptions? If not, is it possible to make subsciriptions visible to everyone?
Thanks
Quick answer is no.
Long answer is:
AFAIK, there is no site-wide subscription management functionality. The best you can do within Report Manager is site-wide schedule management, which allows admins to set up schedules at preferred times and let users choose those schedules when creating their subscriptions.
Our solution for controlling/centralising subscriptions was to set up a generic Windows user, log in to Report Manager and use that user to create all subscriptions. This means that all requests for subscriptions go through the IT department (+ or - depends on your situation. We didn't want users creating subscriptions themselves). All users who know the generic username/password can manage subscriptions in one place. Not ideal but it works for us.
Another option is that all the data for subscriptions is held on the Server, either in the Reporting Services database or in the Jobs themselves. If you are brave you can delve in and set up some sort of interface to access this.
This is definitely an area in which I find SSRS lacking.
Update:
You live and learn. I've just found that (provided you have sufficient privileges) if you open a report, then go to the subscriptions tab, you can view and edit any subscriptions that are set up on this report by any user. Still not ideal as you don't get an overview of the subscriptions across the system but better than the bleak picture I painted previously!

Windows Centralized Configuration for third party applications?

We are looking at a standard way of configuring the various "endpoints" of our application. Our application is a distributed system with Windows Desktop applications, Windows Server "services" and databases.
We currently configure each piece using XML files. This is getting a little out of hands as we work with larger customers who can have dozens of Servers running our application and hundreds of desktop clients.
Can anyone recommend a Microsoft technology or a third party that would allow us to centralize all that configuration information and manage it in a one place for all our applications? Any changes would be "pushed" to the endpoint(s) that are interested.
For example, if we were to change the login for one of our database, we would make that change on the database, then reflect that change in our centralized system. Following that last step, any service that needs to connect to the database would be notified of the change (and potentially receive the new data). How and what each endpoint does with that information is outside the scope of the system.
Our primary business is not "Centralized Configuration Services". We are a GIS company that provides solutions for various utilities worldwide.
I've done a couple of things to give myself this functionality over the years. I build enterprise applicatons that may be distributed across many servers. I don't want to bury config settings in each services config file or each web server's web.config file. For application specific stuff I usually create an application settings table in the app's database. The table only has two fields. SettingName and SettingValue. I then write a web or wcf service whose sole function it is to retrieve these settings. I write a function called GetSetting where you pass "SettingName" and it returns SettingValue or an empty string if your setting is not found. This way I can store all application settings for all components of the application in one spot. Maintenance and troubleshooting for this is really easy, I'm not hunting through scads of config files spread across a dozen web and app servers.
For larger scale apps I might create a separate AppSettings database where I add a new field to my table mentioned above. ApplicationName. My web or wcf service for this approach has the same method call (GetSetting) only at this scope I pass ApplicationName and SettingName and it returns SettingValue or an empty string.
Doing either of these things allows you to centralize all app settings for any size application or IT shop. It has worked really well for us.
You could use RSS together with BitTorrent to distribute changes. See Wikipedia. It is not MS specific however, but should provide the flexibility you need - a configuration server holding the configuration and providing the feeds needed to configure the clients and possibly servers.
Any VCS through a secure channel?
For example, git through ssh (both available in cygwin).
I think the first step is to have the secure channel (if you want the push ability, pulling might be different).
As for managing the "versions" in different "branches", what's better than a version control system?
As it goes for the Microsoft requirement, well the Microsoft sofwares in that exists in that area would suck pretty bad in your case (as in not the best tool for the job).

Resources