So there have been several posts on problems with loopback detection with AD
and after some thinking and testing I still have no idea how to solve my puzzle.

Basically I want to detect and report if a change was made in AD that was
not done by my driver. Like MMC, LDAP or any tool that operates directly on
I first thought of adding operational data to the event and checking if that
exists when the event comes back into the publisher channel.
I thought that if I receive an event without the operational data, my driver
did not create this event.
The trace showed I was wrong. My <add user> event with op-data is received
as <status> event with the op-data attached to it. I use this to send an
e-mail if the <add> was successful or not.
Immediately after this event is processed there is the loopback event. It is
an <add user> event that looks exactly the same as the one I send to AD (and
it does not have the op-data).

For add events it's simple. If the object does not exist in the Identity
Vault (easily checked with a query), it's illegal.

Deletes could probably be approached in the same way. I can check the status
of the object that is kept in the Identity Vault.
But if I need to do this checking for all possible scenarios my driver is
authoritative for, like renames, moves or attributes that are changed, it is
just too much work.
If I leave it up to optimize-modify, it's too late and I cannot detect.

So there must be a more elaborate way of solving this.

Any ideas?