
How do you audit changes to delegation in ARS

I can't find any change history that shows when a user was given delegated access to manage a group in AD via ARS.  Is this recorded somewhere? 

  • That is an interesting question. I would look at the following points:
    #1. AT Links explicit. Permissions/Roles/AT links: an ARS Admin will be able to see the Delegation Control (the permission link) on the OU (MU, AD object) itself and therefore the Change History of the Delegation Control.
    #2. Resulting Delegation. On each AD object: an AD Admin can see the resulting cumulative permission hitting the object from all "entry-link" points (OU, MU, explicit).
    #3. Well-known SIDs: Built-in\Primary Owner, Built-in\Secondary Owner, Built-in\SELF (when the SID of the actually authenticated user is not known a priori and is resolved on the fly depending on the object itself). If you see the SID in the resulting permission / AT Links on the AD object (group), then, for example, the Secondary Owner set on the AD group has the rights given by the linked AT.

  • As Aidar noted, there are two layers to this:

    1) A new member getting added to a trustee group that is allowed to manage groups. This is easy to trap with a workflow that looks for a group membership change.
    2) Creation of a new access template link granting a trustee group the ability to manage groups.

    Below is some sample code to trap the creation of a new access template link.

    (You would need to link this post create handler to this container: CN=AT Links,CN=Configuration)

    Function OnPostCreate ($Request)
    {
        # Only react to new access template link objects (class edsACE)
        If ($Request.class -ne 'edsACE') { return }

        # Store the initiator of the delegation; the [ref] targets must exist before the call
        $InitiatorSam = $null
        $InitiatorDN  = $null
        $Request.whoami([ref]$InitiatorSam, [ref]$InitiatorDN)

        # Resolve the link just created: which object, which trustee, which access template
        Get-QARSAccessTemplateLink -Proxy -Identity $Request.GUID |
            Select-Object DirectoryObjectDN, Trustee, AccessTemplate |
            ForEach-Object {
                # Add the initiator info to the details we obtained about the delegation link
                $_ | Add-Member -MemberType NoteProperty -Name Initiator -Value $InitiatorDN

                # Send all the details to a log file (Export-Csv -Append needs PowerShell 3.0 or later)
                $_ | Export-Csv "C:\scripting\Detect_Delegation\Delegations_Log.txt" -NoTypeInformation -Append
            }
    }
  • I don't see a history option in the context menu when selecting the AT Links folder but I'll definitely try using a policy as you suggested - but if there is no built in method perhaps this should be an enhancement request.

    We have CAAD so we can see and monitor changes to groups and ACL updates on any objects in the domain, but of course the user account making these changes is the ARS service account. In the case of delegating rights, and specifically syncing them to AD, the method used to update the initiator in the CAAD event does not work for delegating rights.

    I'll raise this as an issue with Dell - I just wanted to check I was not missing something obvious.
  • I will post the following email snippet of the reply that I received for my service request (from December, 2015):
    "|SR Number:3172659| - Change History for internal ARS delegation changes?"
    -----
    At this time, access template linkage modifications are not tracked in the Change History. These do show up in the event viewer under the EDM Server event log; however, they're not very straightforward as they deal with object GUIDs and object SIDs rather than their display names. Even if you grab the Object GUID from the access template in question, it's displayed in a different format than what's recorded in the event log. Unfortunately there are several different methods of displaying GUID values and in this case, they've used 2 different methods. On top of that, they use a different format to write the Trustee SID in the event log than they use to display it on an object's properties.

    At this point, I wouldn't have any good advice for finding this information other than a lot of work converting values and searching through the event log.

    Please let me know if you'd like me to submit an enhancement request on your behalf to implement Change History logging of Access Template linkages.
    -----

    That's the last time I looked into this.
    -Steve
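The "converting values" the SR response describes is the part that can be scripted: whatever rendering of an objectGUID or trustee SID appears in the EDM Server event log, it can be normalised to one canonical text form and then compared with the value shown on the access template link. The PowerShell below is an added example, not code from this thread or from ARS itself. Which representations the EDM log actually uses is not stated on the page, so the forms handled here (GUID text, byte-dump hex, Base64, binary SID, SDDL text) are an assumption covering the renderings commonly met around AD objectGUID and objectSid, and all sample values are constructed.

```powershell
# Added example, not code from the thread or from ARS: normalise the different renderings of an
# objectGUID and a trustee SID so a value copied from one place can be compared with the same
# identifier rendered elsewhere. The hex, Base64 and SDDL inputs are constructed test values;
# which of these forms the EDM Server event log uses is an assumption.

function ConvertFrom-GuidBytes {
    # objectGUID as the raw 16 bytes AD stores (mixed-endian), given either as byte[] or as a
    # hex dump such as "E0 04 25 3F ..." or "e0-04-25-3f-...".
    param([Parameter(Mandatory)]$Value)
    if ($Value -is [byte[]]) { $bytes = $Value }
    else {
        $hex = ([string]$Value) -replace '[^0-9A-Fa-f]', ''
        if ($hex.Length -ne 32) { throw "Expected 16 bytes of hex, got: $Value" }
        $bytes = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
    }
    return ([guid]::new($bytes)).ToString('D')
}

function ConvertTo-CanonicalGuid {
    # Accepts the text forms: "{...}" or "xxxxxxxx-xxxx-..." (B or D), 32-char "N", a separated
    # byte dump, or Base64 of the 16 bytes. A bare 32-hex string is treated as the N text form,
    # not as a byte dump; byte dumps must carry separators or go through ConvertFrom-GuidBytes.
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Trim()
    $g = [guid]::Empty
    if ([guid]::TryParse($s, [ref]$g)) { return $g.ToString('D') }
    if ($s -match '^[0-9A-Fa-f]{2}([ :-][0-9A-Fa-f]{2}){15}$') { return ConvertFrom-GuidBytes $s }
    try {
        $bytes = [Convert]::FromBase64String($s)
        if ($bytes.Length -eq 16) { return ConvertFrom-GuidBytes $bytes }
    } catch { }
    throw "Unrecognised GUID representation: $Value"
}

function ConvertTo-CanonicalSid {
    # Accepts "S-1-5-..." text, the binary SID as byte[], or a hex dump of it; returns SDDL text.
    param([Parameter(Mandatory)]$Value)
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    $s = ([string]$Value).Trim()
    if ($s -match '^S-1-\d+(-\d+)+$') { return $s }
    $hex = $s -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ge 16 -and ($hex.Length % 2) -eq 0) {
        $bytes = [byte[]](0..(($hex.Length / 2) - 1) |
            ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
        return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
    throw "Unrecognised SID representation: $Value"
}

function Test-SameDelegation {
    # $EventRecord and $LinkObject are hashtables whose ObjectGuid and TrusteeSid may each be in
    # any of the supported renderings; returns $true when they name the same object and trustee.
    param([Parameter(Mandatory)]$EventRecord, [Parameter(Mandatory)]$LinkObject)
    return ((ConvertTo-CanonicalGuid $EventRecord.ObjectGuid) -eq (ConvertTo-CanonicalGuid $LinkObject.ObjectGuid)) -and
           ((ConvertTo-CanonicalSid  $EventRecord.TrusteeSid) -eq (ConvertTo-CanonicalSid  $LinkObject.TrusteeSid))
}

# --- constructed sample values (not from any real domain or event log) --------------------
$sidText = 'S-1-5-21-1004336348-1177238915-682003330-1112'
$sidObj  = [System.Security.Principal.SecurityIdentifier]$sidText
$sidBin  = New-Object byte[] $sidObj.BinaryLength
$sidObj.GetBinaryForm($sidBin, 0)
$sidHex  = ($sidBin | ForEach-Object { $_.ToString('X2') }) -join ' '

# The same link as an event-log style record (byte dumps) and as the AT link's own properties
$fromEventLog = @{ ObjectGuid = 'E0 04 25 3F 89 4F D3 11 9A 0C 03 05 E8 2C 33 01'; TrusteeSid = $sidHex }
$fromAtLink   = @{ ObjectGuid = '{3F2504E0-4F89-11D3-9A0C-0305E82C3301}';           TrusteeSid = $sidText }

Test-SameDelegation $fromEventLog $fromAtLink
ConvertTo-CanonicalGuid '4AQlP4lP0xGaDAMF6CwzAQ=='
```

The design point is to canonicalise on both sides and compare canonical strings, rather than trying to rewrite one rendering into the other directly; that way a new rendering met later needs only one more branch in the normaliser. Resolving the canonical SID to a display name (`SecurityIdentifier.Translate([System.Security.Principal.NTAccount])`) is deliberately left out of the comparison so the check works offline and does not depend on the trustee still existing.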
  • I'd say that the script I posted above overcomes the limitations described in the SR response.

    i.e. with respect to doing the GUID translation