Thanks Martin; this is helpful. I'm not sure I understand the rationale behind tracking changes to the "manager" field (which is unlikely to have any security implications) but not "userWorkstations" (which definitely does), but I will send feedback from the MDI portal about that.
www.000webhost.com