Ever wondered how to work out when a particular attribute of an AD object has changed?

Hi all

I recently got asked to work out when a particular Active Directory object attribute was changed. This information isn't something that you typically need to work out each day, and the information isn't readily available from within AD Users and Computers. The way to work it out is to fire up good old LDP.exe.

So to start tracking down when the attribute changed, open up LDP.exe, which is built into Windows Server 2008 R2. Fire up ldp.exe from a command prompt or via the Start Menu.

Once you are in LDP, Connect and then Bind to a DC in your AD site (Connection, Connect).

Figure 1 - Connect dialog in LDP.

Once connected and bound, in the View menu select the Tree option. In the BaseDN drop-down select your domain DN.

Figure 2 - Start up Tree View for the Domain Partition.

You can now see that in the left pane of LDP you have a clickable tree view of your domain. Double click the + icon in the tree view and navigate down to the object you want more information on. I have navigated to one of my test accounts, shown below, and here you can see the attribute values that have been set for this object. We can see the attribute values, but there isn't any information here about when a particular attribute changed. Where do we go now?

Figure 3 - Navigating to the object of interest.

Well, if you right click the object you are interrogating and select Advanced, Replication Metadata, you get the detailed information about when each attribute was changed and on which DC.

Figure 4 - View Replication Metadata.

As you can see in the diagram below, LDP shows me the replication information that is stored in Active Directory for this object. It shows me when each attribute was last changed (or originally set when the object was created). I added an extensionAttribute8 (EA8) value manually to the object at 10.59PM on the 4th of August. For this example I made the change with ADUC and only changed the extensionAttribute8 attribute. LDP shows me that in the AD database the EA8 attribute was changed at 10.59PM, with a version (Ver) of 1. The version is 1 because it was the first time I updated that attribute. The Originating DSA value tells me the Domain Controller where this change was made (in my case a single DC environment). Local USN and Originating USN are the USN values associated with the change, which AD replication uses. If you want to know more about USNs and how they are used in AD replication, have a look at this comprehensive article https://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx

Figure 5 - The replication metadata for my Izzy test object.

How do I work out what AttId is tied to the attribute I am interested in?

In this example I knew I had changed a single attribute (EA8) for that object recently, so I didn't need to work out what AttId I was working with. If you are not sure which AttId you should be checking the originating time/date for, update the same attribute on a test object in your domain and then view the test object's replication metadata in LDP. The AttId whose originating time matches the moment you made your change is the one used for that attribute on all like objects in your domain.
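The same per-attribute metadata that LDP displays (last originating change time, version, originating DSA, originating and local USN) can be read over LDAP from the constructed attribute msDS-ReplAttributeMetaData, which returns one XML fragment per attribute and names the attribute directly rather than by AttId. The script below is an added example, not code from the original post: it assumes those fragments have already been fetched from a DC, and the fragments it parses are constructed sample data for a hypothetical test user, not captured from a real directory. It answers the two questions in the post, "when did attribute X last change and on which DC" and "which attribute changed around the time I made my change".

```python
"""Parse Active Directory per-attribute replication metadata.

Added example. Input is the list of values of the constructed attribute
msDS-ReplAttributeMetaData for one object, as returned by a DC over LDAP.
The sample values below are constructed for this example (hypothetical DC,
domain and timestamps), not real directory data.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Hypothetical NTDS Settings DN for a DC named DC1 (constructed).
DSA_DN = ("CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
          "CN=Sites,CN=Configuration,DC=example,DC=test")


def _fragment(name, version, changed, usn):
    """Build one constructed msDS-ReplAttributeMetaData value in the DC's XML shape."""
    return (
        "<DS_REPL_ATTR_META_DATA>"
        f"<pszAttributeName>{name}</pszAttributeName>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{changed}</ftimeLastOriginatingChange>"
        "<uuidLastOriginatingDsaInvocationID>11111111-2222-3333-4444-555555555555"
        "</uuidLastOriginatingDsaInvocationID>"
        f"<usnOriginatingChange>{usn}</usnOriginatingChange>"
        f"<usnLocalChange>{usn}</usnLocalChange>"
        f"<pszLastOriginatingDsaDN>{DSA_DN}</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>"
    )


# Constructed sample: the object was created in June, userAccountControl was
# rewritten once in July, and extensionAttribute8 was set for the first time
# on 4 August at 22:59 UTC (the change the post describes).
SAMPLE_METADATA = [
    _fragment("objectClass", 1, "2011-06-15T08:00:00Z", 10001),
    _fragment("userAccountControl", 2, "2011-07-01T09:15:30Z", 10450),
    _fragment("extensionAttribute8", 1, "2011-08-04T22:59:00Z", 12345),
]


def _parse_time(text):
    """Metadata timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_attr_metadata(fragments):
    """Map attribute name -> the fields LDP shows in its Replication Metadata view."""
    records = {}
    for frag in fragments:
        root = ET.fromstring(frag)
        if root.tag != "DS_REPL_ATTR_META_DATA":
            raise ValueError(f"unexpected element {root.tag!r}")
        records[root.findtext("pszAttributeName")] = {
            "version": int(root.findtext("dwVersion")),
            "last_originating_change": _parse_time(root.findtext("ftimeLastOriginatingChange")),
            "originating_dsa": root.findtext("pszLastOriginatingDsaDN"),
            "originating_usn": int(root.findtext("usnOriginatingChange")),
            "local_usn": int(root.findtext("usnLocalChange")),
        }
    return records


def when_changed(fragments, attribute):
    """Return (UTC time, version, originating DSA DN) for one attribute, or None
    when the object has no metadata for it (the attribute was never written)."""
    rec = parse_attr_metadata(fragments).get(attribute)
    if rec is None:
        return None
    return rec["last_originating_change"], rec["version"], rec["originating_dsa"]


def originating_dc(dsa_dn):
    """Pull the DC name out of an NTDS Settings DN (CN=NTDS Settings,CN=<DC>,...)."""
    parts = dsa_dn.split(",")
    if len(parts) < 2 or not parts[0].lower().startswith("cn=ntds settings"):
        raise ValueError("not an NTDS Settings DN")
    return parts[1].split("=", 1)[1]


def changed_since(fragments, since_utc):
    """Attributes whose last originating write is at or after since_utc
    (YYYY-MM-DDTHH:MM:SSZ), most recent first: the post's 'which attribute
    changed when I made my change' check, done without knowing any AttId."""
    since = _parse_time(since_utc)
    records = parse_attr_metadata(fragments)
    hits = [(n, r) for n, r in records.items() if r["last_originating_change"] >= since]
    hits.sort(key=lambda item: item[1]["last_originating_change"], reverse=True)
    return [(n, r["last_originating_change"], r["version"]) for n, r in hits]


if __name__ == "__main__":
    t, ver, dsa = when_changed(SAMPLE_METADATA, "extensionAttribute8")
    print(f"extensionAttribute8 last changed {t:%Y-%m-%d %H:%M} UTC, "
          f"version {ver}, on {originating_dc(dsa)}")
    for name, when, ver in changed_since(SAMPLE_METADATA, "2011-07-01T00:00:00Z"):
        print(f"  {when:%Y-%m-%d %H:%M} UTC  v{ver}  {name}")
```

Two caveats worth keeping in mind when you read this data, whether through LDP or a script: AD keeps only the last originating write per attribute, so a version higher than 1 tells you the attribute has been rewritten but not when the earlier writes happened, and the times are stored in UTC, so compare them against your local clock accordingly. Per-value metadata for linked multi-valued attributes such as group membership lives in the separate constructed attribute msDS-ReplValueMetaData.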

There'll be a better way of getting to the AttId from within Active Directory; I'll post the more efficient method when I get the chance to pick the brain of Chad, aka the "AD Master". :)

Enjoy!

Steve