AD Replication Metadata (when did that change?)
There was a discussion on the NG about how to determine when a user account was disabled. The initial request was to base this on whenChanged, but I thought that could be invalid: whenChanged is bumped by any later edit to the account, so it only tells you when the object was last touched, not when it was disabled. I cannot think of a way to be certain, but the best approach I know of is to use the replication metadata on the userAccountControl attribute, since that is the attribute whose second bit (ACCOUNTDISABLE, 0x0002) marks an account as disabled; the metadata records when, and from which DC, that attribute was last written. It is still possible for userAccountControl to change after a user is disabled (setting another flag such as "password never expires" writes the same attribute and overwrites that timestamp), but it is unlikely.
More info on the userAccountControl bits:
http://support.microsoft.com/kb/305144
Of course the next question was: how do you check the replication metadata for an attribute on an AD object?
Enter Get-ADObjectReplicationMetadata.ps1
This uses
System.DirectoryServices.ActiveDirectory.DirectoryContext
– http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectory.directorycontext.aspx
System.DirectoryServices.ActiveDirectory.DomainController
– http://msdn2.microsoft.com/en-gb/library/system.directoryservices.activedirectory.domaincontroller.aspx
# Brandon Shell (www.bsonposh.com)
# Purpose: Get attribute(s) Replication Metadata from a Domain controller.
# Usage: .\Get-ADObjectReplicationMetadata.ps1 -Domain <domain FQDN> -objectDN <object DN> [-property <attribute name>]
Param($Domain,$objectDN,$property)
# Sets context to the domain for System.DirectoryServices.ActiveDirectory.DomainController
$context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$domain)
# .NET class that returns a domain controller for the specified context.
# FindOne picks any DC; the metadata you get back is that DC's local copy.
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)
# GetReplicationMetadata returns the metadata held by that DC for the DN specified.
$meta = $dc.GetReplicationMetadata($objectDN)
# With -property, return just that attribute's AttributeMetadata; otherwise return the whole collection.
if($property){$meta | %{$_.$Property}}else{$meta}
This returns either all of the metadata or only the metadata for the attribute you name. If you do not specify an attribute, the whole collection comes back, and each entry holds a child AttributeMetadata object, so you have to dig into that object (Version, LastOriginatingChangeTime, OriginatingServer and so on) to get at the values.
All attributes. The AttributeMetadata for each can be reached with .<AttributeName>:
Name                         Value
----                         -----
countrycode System.DirectoryServices.ActiveDirectory.AttributeMetadata
cn System.DirectoryServices.ActiveDirectory.AttributeMetadata
mail System.DirectoryServices.ActiveDirectory.AttributeMetadata
scriptpath System.DirectoryServices.ActiveDirectory.AttributeMetadata
ntsecuritydescriptor System.DirectoryServices.ActiveDirectory.AttributeMetadata
accountexpires System.DirectoryServices.ActiveDirectory.AttributeMetadata
displayname System.DirectoryServices.ActiveDirectory.AttributeMetadata
profilepath System.DirectoryServices.ActiveDirectory.AttributeMetadata
primarygroupid System.DirectoryServices.ActiveDirectory.AttributeMetadata
unicodepwd System.DirectoryServices.ActiveDirectory.AttributeMetadata
objectclass System.DirectoryServices.ActiveDirectory.AttributeMetadata
objectcategory System.DirectoryServices.ActiveDirectory.AttributeMetadata
instancetype System.DirectoryServices.ActiveDirectory.AttributeMetadata
homedrive System.DirectoryServices.ActiveDirectory.AttributeMetadata
samaccounttype System.DirectoryServices.ActiveDirectory.AttributeMetadata
homedirectory System.DirectoryServices.ActiveDirectory.AttributeMetadata
whencreated System.DirectoryServices.ActiveDirectory.AttributeMetadata
useraccountcontrol System.DirectoryServices.ActiveDirectory.AttributeMetadata
msmqsigncertificates System.DirectoryServices.ActiveDirectory.AttributeMetadata
dbcspwd System.DirectoryServices.ActiveDirectory.AttributeMetadata
title System.DirectoryServices.ActiveDirectory.AttributeMetadata
samaccountname System.DirectoryServices.ActiveDirectory.AttributeMetadata
supplementalcredentials System.DirectoryServices.ActiveDirectory.AttributeMetadata
userparameters System.DirectoryServices.ActiveDirectory.AttributeMetadata
givenname System.DirectoryServices.ActiveDirectory.AttributeMetadata
description System.DirectoryServices.ActiveDirectory.AttributeMetadata
lmpwdhistory System.DirectoryServices.ActiveDirectory.AttributeMetadata
pwdlastset System.DirectoryServices.ActiveDirectory.AttributeMetadata
msnpallowdialin System.DirectoryServices.ActiveDirectory.AttributeMetadata
codepage System.DirectoryServices.ActiveDirectory.AttributeMetadata
name System.DirectoryServices.ActiveDirectory.AttributeMetadata
ntpwdhistory System.DirectoryServices.ActiveDirectory.AttributeMetadata
userprincipalname System.DirectoryServices.ActiveDirectory.AttributeMetadata
admincount System.DirectoryServices.ActiveDirectory.AttributeMetadata
objectsid System.DirectoryServices.ActiveDirectory.AttributeMetadata
sn System.DirectoryServices.ActiveDirectory.AttributeMetadata
msmqdigests System.DirectoryServices.ActiveDirectory.AttributeMetadata
logonhours System.DirectoryServices.ActiveDirectory.AttributeMetadata
lastlogontimestamp System.DirectoryServices.ActiveDirectory.AttributeMetadata
Here is a specific attribute:
Name : userAccountControl
Version : 8
LastOriginatingChangeTime : 9/15/2005 1:45:32 PM
LastOriginatingInvocationId : eeaeb6f9-8422-dddd-as34-04d7bd779285
OriginatingChangeUsn : 47264036
LocalChangeUsn : 49555172
OriginatingServer : dc.my.lab.domain
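The script above hands back raw AttributeMetadata objects. The following is an added example, not part of the original post or its script, that turns the collection into plain objects and uses the userAccountControl entry to answer the original question ("when was this account disabled?") while making the caveat explicit. It assumes a reachable AD domain, a DN you can read, and PowerShell 3 or later for [pscustomobject]; the function names, the domain "my.lab.domain" and the DN in the usage line are hypothetical.

```powershell
# Added example (not from the original post). Assumes a reachable AD domain,
# a readable DN, and PowerShell 3+. Function names and sample DN are hypothetical.
Add-Type -AssemblyName System.DirectoryServices

$ACCOUNTDISABLE = 0x0002   # second bit of userAccountControl (KB 305144)

function Find-DomainController {
    param([Parameter(Mandatory=$true)][string]$Domain)
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    # FindOne picks any DC; the metadata read later is that DC's local copy.
    [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)
}

function Get-ADAttributeMetadata {
    param(
        [Parameter(Mandatory=$true)][System.DirectoryServices.ActiveDirectory.DomainController]$DomainController,
        [Parameter(Mandatory=$true)][string]$ObjectDN,
        [string[]]$Attribute   # omit to get every attribute that has metadata
    )
    $meta = $DomainController.GetReplicationMetadata($ObjectDN)
    # Enumerate the AttributeMetadata values instead of indexing by name: the
    # collection's keys are stored lower-cased (see the listing above), while
    # -contains compares case-insensitively, so 'userAccountControl' just works.
    foreach ($m in $meta.Values) {
        if ($Attribute -and ($Attribute -notcontains $m.Name)) { continue }
        [pscustomobject]@{
            Attribute                 = $m.Name
            Version                   = $m.Version
            LastOriginatingChangeTime = $m.LastOriginatingChangeTime
            OriginatingServer         = $m.OriginatingServer
            OriginatingChangeUsn      = $m.OriginatingChangeUsn
            LocalChangeUsn            = $m.LocalChangeUsn
            QueriedDC                 = $DomainController.Name
        }
    }
}

function Get-ADAccountDisableTime {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$ObjectDN
    )
    $dc = Find-DomainController -Domain $Domain
    # Read the current value from the same DC whose metadata is inspected, so the
    # flag and the timestamp describe one copy of the object.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$ObjectDN")
    try {
        $uac = [int]$entry.Properties['userAccountControl'].Value
    } finally {
        $entry.Dispose()
    }
    $uacMeta  = Get-ADAttributeMetadata -DomainController $dc -ObjectDN $ObjectDN -Attribute userAccountControl
    $disabled = ($uac -band $ACCOUNTDISABLE) -ne 0

    # Upper bound only: any later originating write to userAccountControl (for
    # example toggling DONT_EXPIRE_PASSWORD) overwrites LastOriginatingChangeTime.
    # Version counts how many originating writes the attribute has had in total.
    $noLaterThan = $null
    if ($disabled) { $noLaterThan = $uacMeta.LastOriginatingChangeTime }

    [pscustomobject]@{
        DistinguishedName   = $ObjectDN
        Disabled            = $disabled
        DisabledNoLaterThan = $noLaterThan
        UacVersion          = $uacMeta.Version
        LastUacWriteFrom    = $uacMeta.OriginatingServer
        QueriedDC           = $dc.Name
    }
}

# Usage (hypothetical domain and DN):
# Get-ADAccountDisableTime -Domain 'my.lab.domain' -ObjectDN 'CN=Jane Doe,OU=Staff,DC=my,DC=lab,DC=domain'
# Get-ADAttributeMetadata -DomainController (Find-DomainController 'my.lab.domain') -ObjectDN '<object DN>' | Sort-Object LastOriginatingChangeTime -Descending
```

The result is deliberately named DisabledNoLaterThan: replication metadata only records the last originating write to the attribute, so it is an upper bound on the disable time, and a Version much higher than you would expect is a hint that the attribute has been rewritten since. If you need proof rather than an estimate, the DC security audit log (account management auditing) is the authoritative record of who disabled the account and when.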
tshell :: Dec.21.2007 :: Active Directory, HowTo, Powershell, Scripting :: 7 Comments


Any idea why whenChanged does not seem to appear in an object’s metadata? I use “repadmin /showobjmeta ….” but it does not show up in that.
Thanks.
@Davek, That sounds odd… can you tell me exactly what you're doing?
Thanks for your reply tshell – I’m doing this:
repadmin /showobjmeta “”
and I get the expected output e.g.
79 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
1842529 956f5c1f-97f3-4dc0-b6da-7c6db53f6f5e 164593 2002-04-19 11:43:04 1 objectClass
…..
with a line for each attribute including whenCreated. But there is no line for whenChanged. This is consistent behaviour in my environments. I get whenChanged fine when I query using LDAP etc.
Sorry, I lost some of the command I was trying to enter due to mark-up, though there's nothing special there:
repadmin /showobjmeta dcname DN-of-account
@Davek, Oh… I understand what you're asking now. WhenChanged is an attribute on the object. You will not see it in metadata as it is not replicated.
http://msdn.microsoft.com/en-us/library/ms680921(VS.85).aspx
Thank you very much, that explains it; I should have thought of that.
Since you’re there, I wonder if you’d mind giving your view on another question in this area, which is really what led me to this anyway. What I really want to know is: exactly when is whenChanged updated on an object on a DC? It was suggested to me that whenChanged is not updated when lastLogonTimestamp is changed, however my observations suggest this is not the case – i.e. whenChanged IS updated when lastLogonTimestamp is changed. On the other hand, I noticed that whenChanged is not always updated when lastLogon is changed (which is another non-replicated attribute). Do you know what the rule is here, i.e. which attributes do or don’t cause whenChanged to be updated when they are changed?
That seems odd…. whenChanged is updated locally and doesn't replicate, but I would expect it to be updated any time a change was made, regardless of whether it was replicated or locally changed.
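The thread above turns on two points: repadmin /showobjmeta lists only replicated attributes, so whenChanged never appears, and the closest replicated stand-in for "when did this object last change" is the newest originating write among the attributes that do appear. The following is an added example, not code from the original post or the commenters, that parses the text repadmin prints into objects and checks both points. The sample lines are constructed in the shape Davek quoted; the USNs, GUID, DC name, dates and version numbers are made up, and the function name is hypothetical.

```powershell
# Added example (not from the original thread). The sample output below is
# constructed; every USN, GUID, DC name, date and version in it is made up.
$sampleOutput = @'
4 entries.
Loc.USN   Originating DC                         Org.USN   Org.Time/Date         Ver  Attribute
=======   ===============                        =========  =============         ===  =========
1842529   11111111-2222-3333-4444-555555555555   164593    2002-04-19 11:43:04   1    objectClass
1842530   11111111-2222-3333-4444-555555555555   164594    2002-04-19 11:43:04   1    whenCreated
2211804   Default-First-Site-Name\DC2            402117    2005-09-15 13:45:32   8    userAccountControl
2301977   11111111-2222-3333-4444-555555555555   588102    2007-12-20 08:10:55   3    description
'@

function ConvertFrom-RepadminObjMeta {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    # One data row: Loc.USN, originating DSA (site\DC, or its GUID when it
    # cannot be resolved), Org.USN, Org.Time/Date, Ver, Attribute.
    # The "N entries." banner and the header/underline rows do not match.
    $row = '^\s*(?<LocUsn>\d+)\s+(?<Dsa>\S+)\s+(?<OrgUsn>\d+)\s+' +
           '(?<Time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<Ver>\d+)\s+(?<Attr>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $row) {
            [pscustomobject]@{
                Attribute       = $Matches['Attr']
                Version         = [int]$Matches['Ver']
                OriginatingTime = [datetime]::ParseExact($Matches['Time'], 'yyyy-MM-dd HH:mm:ss',
                                      [System.Globalization.CultureInfo]::InvariantCulture)
                OriginatingDsa  = $Matches['Dsa']
                OriginatingUsn  = [long]$Matches['OrgUsn']
                LocalUsn        = [long]$Matches['LocUsn']
            }
        }
    }
}

$meta = ConvertFrom-RepadminObjMeta -Lines ($sampleOutput -split "`r?`n")

# whenChanged is written locally on each DC and not replicated, so it has no
# replication metadata and never shows up in this output.
$hasWhenChanged = [bool]($meta | Where-Object { $_.Attribute -eq 'whenChanged' })

# The newest originating write across the replicated attributes is the closest
# replicated equivalent of whenChanged, and it says which attribute moved.
$lastReplicatedChange = $meta | Sort-Object OriginatingTime -Descending | Select-Object -First 1

$meta | Format-Table Attribute, Version, OriginatingTime, OriginatingDsa -AutoSize
"whenChanged present in metadata: $hasWhenChanged"
"Last originating change: $($lastReplicatedChange.Attribute) at $($lastReplicatedChange.OriginatingTime) from $($lastReplicatedChange.OriginatingDsa)"

# Against a live DC (hypothetical DC name and DN):
# ConvertFrom-RepadminObjMeta -Lines (repadmin /showobjmeta dc1 'CN=Jane Doe,OU=Staff,DC=my,DC=lab,DC=domain')
```

On the constructed input the whenChanged check is false and the last originating change is the description write, which is exactly the distinction the thread arrives at: whenChanged on a given DC can move without any replicated attribute changing, while the metadata only ever moves for writes that replicate.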