Running a LDAP query on a daily basis to collect user names. This works just fine.
When an account is removed from the AD and the query runs again, the name will be deleted from the list. Is there a way to avoid the username from being deleted from the list?
I would like to have a track record in the Watchlist that only adds names but never deletes.
Here's how I'd try to do it.
Hope this helps. I think it'll work, but feel free to tell me if I'm way off-base here.
that was a really good suggestion I must say.
It won't work tho in my scenario(I didn't mention this so you had no clue about it, sorry about that) but this is the whole scenario:
LDAP query collecting Name value(CN) for all users starting, for instance, with "123".
I will use this list to monitor when these user is getting added to a group, for instance, Windows Security Event 4728: A member was added to a security-enabled global group
.The problem with this event is that Destination User field is populated with the CN value. This makes it impossible to know if the user start with 123 or anything else. Since I only wanna monitor the users starting with 123 I need to run the LDAP query to collect the CN value for correlation between the AD event and Watchlist.
Join the club of putting in a PER to have McAfee create a generic "User" field similar to the "IP Address" field (which can be used for either Source or Destination IP).
The more of us that request this enhancement, the more likely they are to add it in a future release.