NetPro Tracks Changes in Windows AD

NetPro's Directory Lockdown 3.0 tool eases management of Windows Active Directory.

NetPro Computing Inc.'s Directory Lockdown 3.0 makes it easier than previous versions to get notifications when changes are made in an IT shop running Microsoft Corp.'s Active Directory.

Although a tad pricey at $9 per user for a perpetual license plus a 20 percent annual maintenance fee, Directory Lockdown was a nice addition to the management tools we used in our Active Directory testbed. Significantly, this version added support for Microsoft Operations Manager, which let us forward alerts to the MOM console.

Version 3.0 builds on NetPro's support for management consoles, including Hewlett-Packard Co.'s OpenView NNM (Network Node Manager), which we also used in our Directory Lockdown tests. However, Directory Lockdown competitors such as Computer Associates International Inc.'s Unicenter NSM (Network and Systems Management) Active Directory Management Option strive to interact with a wider array of third-party management consoles. eWEEK Labs recommends that IT managers put interoperability with network management consoles high on their check-off list.

Directory Lockdown 3.0

NetPro's Directory Lockdown makes short work of tracking and controlling changes in a Microsoft Windows Active Directory environment. Directory Lockdown 3.0 gives system managers two choices: complete control or a new alert-only agent that sends messages to the central management console only when Active Directory is changed. Directory Lockdown is priced at $9 per user for a perpetual license, plus a 20 percent annual maintenance fee.

  • PRO: New integration with MOM; supplants manually tracking Active Directory changes.
  • CON: Agents cannot be easily changed after installation.

• CA's Unicenter NSM Active

We found it relatively easy to integrate Directory Lockdown with various management consoles, including OpenView NNM and MOM. We set up Directory Lockdown to send events to our Ipswitch Inc. WhatsUp Gold network monitoring tool via SNMP traps. We were able to get the messages from Directory Lockdown to WhatsUp Gold with only a few configuration missteps along the way.

Current users of Directory Lockdown will notice that the new alert-only agent is like a scaled-back version of the complete response client that shipped with previous versions. We liked the alert-only agent because it sent a message when we made changes to our Active Directory environment without locking the Windows domain controller, as is the case with the complete response client.

For example, we were able to get a notification when we changed Active Directory site characteristics without having to worry about also authorizing those changes in Directory Lockdown.

Because Active Directory replication extends to the boundary of the network, which could encompass many Active Directory domain controllers, we liked the fact that system administrators could make changes without having to get approval. However, IT managers who want the extensive control and security provided by the complete response agent still have that option. Both agents have the same price.

We installed Directory Lockdown in a testbed that was composed mainly of Windows 2000 servers, with a couple of Windows 2003 enterprise servers as well. We had to decide which of the two agents to install on our domain controllers. A single agent that can act either as a complete response agent or an alert-only agent and is configurable on the fly should be available sometime early next year, NetPro officials said.

We scored the two-agent approach as a minus because we had to make deployment decisions that weren't easy to change later in the tests. Until the single agent is available, we recommend that IT managers install the complete response agent on machines that have any chance of being a security risk. Active Directory domain controllers in trusted environments are good candidates for the alert-only agent.

We liked the Directory Lockdown connector for MOM. It's clear to us that MOM is coming into its own for organizations that rely on Windows servers. Directory Lockdown is only the latest of several products—System Management Arts Inc.'s InCharge is another—that can send alerts to the MOM console. This is a big advantage for system management staff because it means that Directory Lockdown is easy to integrate into an existing management platform.

Senior Analyst Cameron Sturdevant can be reached at