Skip to the main content.
Talk to an Expert
Talk to an Expert
Linkedin

1 min read

AD: Viewing full object metadata to determine when an attribute was changed

cloudservuscom Jul 13, 2010 7:08:20 AM

Active Directory

View the metadata for an AD object to find out more details about when its specific attributes were modified. This is very handy when trying to troubleshoot details about a specific object.. See when and where an attribute was updated which can also help track down who made the change if the entry was captured in the domain controller event logs.

Here’s the syntax and an example of what data you will get back.

Repadmin /showobjmeta DCNAME “full object DN”

C:>repadmin /showobjmeta DC01 “cn=SVCAccount,ou=accounts,dc=domain,dc=corp”

58 entries.

Loc.USN        Originating DC     Org.USN     Org.Time/Date         Ver     Attribute

=======     ===========    ========    =========

16740030     DFW1DC01     16740030     2009-10-28 11:18:43     1     objectClass

16740030     DFW1DC01     16740030     2009-10-28 11:18:43     1    cn

29079766     DFW1DC01     29079766     2010-03-23 16:23:35    3     sn

29079766     DFW1DC01    29079766     2010-03-23 16:23:35    2     title

16740030     DFW1DC01     16740030     2009-10-28 11:18:43    1     description

39541488     DFW1DC01     39541488     2010-07-12 12:03:56     39     givenName

16740030     DFW1DC01    16740030     2009-10-28 11:18:43     1     whenCreated

29079766     DFW1DC01     29079766     2010-03-23 16:23:35     6     displayName

29079766     DFW1DC01     29079766     2010-03-23 16:23:35     3     co

16741438     DFW1DC01     16741438     2009-10-28 11:42:45     2     department

16740030     DFW1DC01     16740030     2009-10-28 11:18:43     1     name

39259708     SAN1DC02     32310052     2010-07-09 10:52:46     4     userAccountControl

38694997          SAN2DC03     93941776     2010-07-03 17:56:41     1     homeDirectory

38694997          SAN2DC03     93941776     2010-07-03 17:56:41     1     homeDrive

28995344     SAN1DC02     23187706     2010-03-22 15:48:22     4     ntPwdHistory

28995344     SAN1DC02     23187706     2010-03-22 15:48:22     4     pwdLastSet

16740031     DFW1DC01     16740031     2009-10-28 11:18:43     1     primaryGroupID

…………

Most of these details are self-explanatory. Ver is the number of modifications to a particular attribute.

Now you have when and where a specific attribute was modified and can track down who did it by looking in the security log J

Windows Active Directory Schema Versions

cloudservuscom : Mar 4, 2011 1:25:37 PM

There are a couple ways to determine your Windows AD Schema Version: ADSIedit.msc and/or LDP.exe. In this article I use ADSIedit.msc.

Active Directory
Read More

1 min read

Find out when your Password Expires

cloudservuscom : Mar 11, 2010 4:31:52 AM

Few weeks ago I came across this question “How to find out an account’s password expiration date” in one of our internal mailing-list. This looks...

Read More

How to find a Certificate Authority in your Active Directory environment

cloudservuscom : Nov 15, 2012 5:31:19 AM

Most of the projects I work include certificates in some form or fashion. Often the Certificate Authority is something that someone set up once for a...

Read More