A couple of weeks back, I found myself having to investigate what had caused an Active Directory user account to be updated. We could see the last modified time on the Object tab for a user account in Active Directory Users and Computers (dsa.msc
) and it’s also available using PowerShell.
What I really wanted to know though, was what attribute(s) on the object had changed.
It turns out that viewing Active Directory object updates is remarkably simple – even as a normal (non-admin) user. First of all you need to know the distinguished name (DN) for the object. If you don’t have access to any administrative tools then the following script might be useful (taken from the “Hey, Scripting Guy!” blog):
Set objSysInfo = CreateObject("ADSystemInfo")
strUserName = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUserName)
strOUName = objUser.Parent
Set objOU = GetObject(strOUName)
Wscript.Echo objOU.distinguishedName
If you run this script, it will display something like:
OU=Users,OU=companyname,DC=domainname,DC=tld
I also needed to know the name of a domain controller – that’s easy as the %logonserver%
environment variable will provide the information.
Armed with that information, I could then use the repadmin.exe
command to find out some more information about the user object. I did need to install the Remote Server Administration Tools (RSAT) for Windows 8.1 to get repadmin on a client machine (there are similar RSAT packages for Windows 7 and Windows 10 too). Specifically, the command I used was repadmin.exe /showobjmeta servername "CN=Mark Wilson,OU=Users,OU=companyname,DC=domainname,DC=tld"
The resulting output contains all sorts of information, including which domain controller made the update for each attribute, at what date/time, to which version, and with which unique serial number (USN). So, for example, I can see the date when my password was last set (from unicodePwd, ntPwdHistory, and pwdLastSet) and that it was version 6. There’s more information in Rick Bergman’s Ask Premier Field Engineering (PFE) post on how to track the who, what, when and where of Active Directory attribute changes.