{"id":936,"date":"2017-02-22T11:03:38","date_gmt":"2017-02-22T16:03:38","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=936"},"modified":"2017-02-23T12:33:28","modified_gmt":"2017-02-23T17:33:28","slug":"viewing-active-directory-object-metadata","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=936","title":{"rendered":"Viewing Active Directory Object Metadata"},"content":{"rendered":"

Objects in active directory have a modification timestamp attribute, whenChanged<\/a>, that reflects the time of the last change to the object. This is useful if you want to confirm a change had not been made after a specific time (e.g. the user began having problems at 2PM yesterday, but their object was last changed November of last year … an account change is\u00a0not likely\u00a0to be the cause).<\/p>\n

There is additional stored metadata which provides a modification timestamp (and\u00a0source domain controller for the modification event) for each individual attribute on an object. This can be a lot more useful (e.g. a user’s home directory is incorrect, but the object modification timestamp reflects the fact they changed their password yesterday). To view the metadata, use\u00a0repadmin \/showobjmeta DC-Hostname “objectFQDN”<\/p>\n

I redirect the output to a file; it’s a lot easier to search a text file for the attribute name than scroll through all of the attributes in a DOS window.<\/p>\n

repadmin \/showobjmeta dc.domain.gTLD \"cn=user account,ou=pathToObject,dc=domain,dc=gTLD\" > myaccount.txt\r\n\r\n57 entries.\r\nLoc.USN Originating DSA                       Org.USN   Org.Time\/Date       Ver   Attribute\r\n======= ===============                       ========= =============       ===   =========\r\n20822   92d3c1e5-d4ed-41c7-989f-62a1712b1084  20822     2014-06-08 22:20:57 1     cn<\/a>\r\n...\r\n4659114 Default-First-Site-Name\\DC            4659114   2016-12-29 20:56:21 10    unicodePwd<\/a>\r\n3299408 Default-First-Site-Name\\DC            3299408   2016-01-16 17:03:05 13    lockoutTime<\/a>\r\n4978129 Default-First-Site-Name\\DC            4978129   2017-02-18 21:50:13 90    lastLogonTimestamp<\/a>\r\n4988421 Default-First-Site-Name\\DC            4988421   2017-02-22 10:31:06 54333 msDS-LastSuccessfulInteractiveLogonTime\r\n<\/a>4977488 Default-First-Site-Name\\DC            4977488   2017-02-18 16:21:12 223   msDS-LastFailedInteractiveLogonTime<\/a>\r\n4977488 Default-First-Site-Name\\DC            4977488   2017-02-18 16:21:12 223   msDS-FailedInteractiveLogonCount<\/a>\r\n4977489 Default-First-Site-Name\\DC            4977489   2017-02-18 16:21:18 165   msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon<\/a><\/pre>\n
The originating DSA may be an odd GUID value (the domain controller on which this change was initiated has since been decommissioned) or it may be an AD site and domain controller name.<\/p>\n
The originating timestamp indicates when the attribute’s value was last changed. The version indicates the number of revisions on\u00a0the attribute value – which itself can provide interesting\u00a0information like the number of times an account has been locked out or the number of times a user has changed their password.<\/p>\n
This information can be useful when an account change\u00a0does<\/em> correspond with a user experiencing problems. You can identify the specific attributes that were updated and research those specific values.<\/p>\n
It’s also useful to track down who changed a specific\u00a0attribute value.\u00a0The combination of originating domain controller and\u00a0attribute modification time can make searching for\u00a0the event log record corresponding to a specific change a lot easier — you know which server to search and can filter the log down to records spanning a few seconds.<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Objects in active directory have a modification timestamp attribute, whenChanged, that reflects the time of the last change to the object. This is useful if you want to confirm a change had not been made after a specific time (e.g. the user began having problems at 2PM yesterday, but their object was last changed November …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[68,120],"class_list":["post-936","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-active-directory","tag-repadmin"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=936"}],"version-history":[{"count":4,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/936\/revisions"}],"predecessor-version":[{"id":942,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/936\/revisions\/942"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}