AD Replication Metadata (when did that change?)
There was a discussion on the NG about determining when a user was disabled. The initial request was to determine this based on whenChanged, but I thought that could be invalid, as you can easily change an account after it was disabled. I cannot think of a way to be sure, but the best way I can think of is to use the replication metadata on the attribute userAccountControl (the second bit is what determines whether the account is disabled or not). While it is possible to change userAccountControl after a user is disabled, it is unlikely.
More info for UserAccountControl bits
http://support.microsoft.com/kb/305144
Of course the next question was: how do you check the replication metadata for an attribute on an AD object?
Enter Get-ADObjectReplicationMetadata.ps1
This uses:
System.DirectoryServices.ActiveDirectory.DirectoryContext – http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectory.directorycontext.aspx
System.DirectoryServices.ActiveDirectory.DomainController – http://msdn2.microsoft.com/en-gb/library/system.directoryservices.activedirectory.domaincontroller.aspx
```powershell
# Brandon Shell (www.bsonposh.com)
# Purpose: Get attribute(s) Replication Metadata from a Domain Controller.
Param($Domain, $ObjectDN, $Property)

# Sets the context to the domain for System.DirectoryServices.ActiveDirectory.DomainController
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $Domain)

# .NET class that returns a Domain Controller for the specified context
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

# GetReplicationMetadata returns the metadata from the DC for the DN specified.
$meta = $dc.GetReplicationMetadata($ObjectDN)

# With -Property, return only that attribute's metadata; otherwise return the whole collection.
if ($Property) { $meta | ForEach-Object { $_.$Property } } else { $meta }
```
This will return either all the metadata or just the metadata for a specific attribute. Note that if you do not specify an attribute it returns all of them, and you should expect to parse the result, since each attribute is a child object holding the data.
All attributes (the value for each can be accessed as .PropertyName):
Name Value
---- -----
countrycode System.DirectoryServices.ActiveDirectory.AttributeMetadata
cn System.DirectoryServices.ActiveDirectory.AttributeMetadata
mail System.DirectoryServices.ActiveDirectory.AttributeMetadata
scriptpath System.DirectoryServices.ActiveDirectory.AttributeMetadata
ntsecuritydescriptor System.DirectoryServices.ActiveDirectory.AttributeMetadata
accountexpires System.DirectoryServices.ActiveDirectory.AttributeMetadata
displayname System.DirectoryServices.ActiveDirectory.AttributeMetadata
profilepath System.DirectoryServices.ActiveDirectory.AttributeMetadata
primarygroupid System.DirectoryServices.ActiveDirectory.AttributeMetadata
unicodepwd System.DirectoryServices.ActiveDirectory.AttributeMetadata
objectclass System.DirectoryServices.ActiveDirectory.AttributeMetadata
objectcategory System.DirectoryServices.ActiveDirectory.AttributeMetadata
instancetype System.DirectoryServices.ActiveDirectory.AttributeMetadata
homedrive System.DirectoryServices.ActiveDirectory.AttributeMetadata
samaccounttype System.DirectoryServices.ActiveDirectory.AttributeMetadata
homedirectory System.DirectoryServices.ActiveDirectory.AttributeMetadata
whencreated System.DirectoryServices.ActiveDirectory.AttributeMetadata
useraccountcontrol System.DirectoryServices.ActiveDirectory.AttributeMetadata
msmqsigncertificates System.DirectoryServices.ActiveDirectory.AttributeMetadata
dbcspwd System.DirectoryServices.ActiveDirectory.AttributeMetadata
title System.DirectoryServices.ActiveDirectory.AttributeMetadata
samaccountname System.DirectoryServices.ActiveDirectory.AttributeMetadata
supplementalcredentials System.DirectoryServices.ActiveDirectory.AttributeMetadata
userparameters System.DirectoryServices.ActiveDirectory.AttributeMetadata
givenname System.DirectoryServices.ActiveDirectory.AttributeMetadata
description System.DirectoryServices.ActiveDirectory.AttributeMetadata
lmpwdhistory System.DirectoryServices.ActiveDirectory.AttributeMetadata
pwdlastset System.DirectoryServices.ActiveDirectory.AttributeMetadata
msnpallowdialin System.DirectoryServices.ActiveDirectory.AttributeMetadata
codepage System.DirectoryServices.ActiveDirectory.AttributeMetadata
name System.DirectoryServices.ActiveDirectory.AttributeMetadata
ntpwdhistory System.DirectoryServices.ActiveDirectory.AttributeMetadata
userprincipalname System.DirectoryServices.ActiveDirectory.AttributeMetadata
admincount System.DirectoryServices.ActiveDirectory.AttributeMetadata
objectsid System.DirectoryServices.ActiveDirectory.AttributeMetadata
sn System.DirectoryServices.ActiveDirectory.AttributeMetadata
msmqdigests System.DirectoryServices.ActiveDirectory.AttributeMetadata
logonhours System.DirectoryServices.ActiveDirectory.AttributeMetadata
lastlogontimestamp System.DirectoryServices.ActiveDirectory.AttributeMetadata
Here is a specific attribute:
Name : userAccountControl
Version : 8
LastOriginatingChangeTime : 9/15/2005 1:45:32 PM
LastOriginatingInvocationId : eeaeb6f9-8422-dddd-as34-04d7bd779285
OriginatingChangeUsn : 47264036
LocalChangeUsn : 49555172
OriginatingServer : dc.my.lab.domain
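As an added example (not part of the original post or script), the following combines the current userAccountControl value with its replication metadata so you can see in one object whether the account is disabled, when that attribute last changed, and how many originating writes it has had. It assumes $Domain is a DNS domain name and $ObjectDN is the user's distinguishedName; the output property names are my own.

```powershell
# Added example: estimate when an account was disabled from userAccountControl replication metadata.
# Assumes $Domain is the DNS domain name and $ObjectDN is the user's distinguishedName.
Param([string]$Domain, [string]$ObjectDN)

# ACCOUNTDISABLE is the second bit of userAccountControl (see KB 305144).
$ACCOUNTDISABLE = 0x2

$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $Domain)
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

# Read the current userAccountControl value from the same DC the metadata will come from,
# so the value and the metadata describe the same replica.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$ObjectDN")
$uac = [int]$entry.Properties["userAccountControl"].Value

# Replication metadata for just this one attribute (the collection is indexed by attribute name).
$meta = $dc.GetReplicationMetadata($ObjectDN)["userAccountControl"]

$isDisabled = ($uac -band $ACCOUNTDISABLE) -ne 0

New-Object PSObject -Property @{
    DistinguishedName = $ObjectDN
    IsDisabled        = $isDisabled
    # LastOriginatingChangeTime is the time of the last originating write to userAccountControl.
    # It is the disable time only if no other flag in the attribute was changed afterwards;
    # a later change to any flag (for example "password never expires") moves this timestamp.
    UacLastChanged    = $meta.LastOriginatingChangeTime
    # Version counts originating writes to the attribute; a jump here without a matching
    # change you expected is worth a look.
    UacVersion        = $meta.Version
    ChangedOnServer   = $meta.OriginatingServer
    WhenChanged       = $entry.Properties["whenChanged"].Value
}
```

WhenChanged is included only for comparison: it moves on any attribute write to the object, which is why the post prefers the per-attribute metadata.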
tshell :: Dec.21.2007 :: Active Directory, HowTo, Powershell, Scripting :: 7 Comments »