I just realized my answer wasn't complete unless you already knew what
the meta data output looks like...
Basically it will tell you the originating change time/date/where stamp
for every attribute of a given object.
Ex:
F:\Dev\cpp\GetSysInfo>repadmin /showmeta dc=joehome,dc=com
DsBindWithCred to localhost failed with status 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.
34 entries.
Loc.USN Originating DC                     Org.USN Org.Time/Date       Ver Attribute
======= ===============                  ========= =============       === =========
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 objectClass
   6143 Default-First-Site-Name\W2KASDC1      6143 2001-05-16 20:49:14   1 description
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 instanceType
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 whenCreated
1162127 Default-First-Site-Name\W2KASDC1   1162127 2002-10-14 20:18:01   3 nTSecurityDescriptor
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 name
   1473 Default-First-Site-Name\W2KASDC1      1473 2001-03-24 00:20:26   2 creationTime
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 forceLogoff
1213281 Default-First-Site-Name\W2KASDC1   1213281 2003-05-03 21:42:57   5 lockoutDuration
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 lockOutObservationWindow
   9293 Default-First-Site-Name\W2KASDC1      9293 2001-06-23 19:56:13   2 lockoutThreshold
  36084 Default-First-Site-Name\W2KASDC1     36084 2001-10-21 11:59:09   2 maxPwdAge
1203175 Default-First-Site-Name\W2KASDC1   1203175 2003-03-20 21:22:33   2 minPwdAge
1221236 Default-First-Site-Name\W2KASDC1   1221236 2003-06-03 23:54:28   3 minPwdLength
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 modifiedCountAtLastProm
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 nextRid
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 pwdProperties
  36084 Default-First-Site-Name\W2KASDC1     36084 2001-10-21 11:59:09   3 pwdHistoryLength
   1156 Default-First-Site-Name\W2KASDC1      1156 2001-03-24 00:15:46   1 objectSid
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 oEMInformation
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 uASCompat
   1409 Default-First-Site-Name\W2KASDC1      1409 2001-03-24 00:16:00   1 domainReplica
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 auditingPolicy
   6921 Default-First-Site-Name\W2KASDC1      6921 2001-05-27 14:55:35   2 nTMixedDomain
   1539 Default-First-Site-Name\W2KASDC1      1539 2001-03-24 00:20:42   1 rIDManagerReference
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 fSMORoleOwner
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 systemFlags
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 wellKnownObjects
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 objectCategory
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 isCriticalSystemObject
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 gPLink
  24569 Default-First-Site-Name\W2KASDC1     24569 2001-08-16 13:33:39   1 gPOptions
1183024 Default-First-Site-Name\W2KASDC1   1183024 2003-01-18 11:43:47   6 ms-DS-MachineAccountQuota
   1154 Default-First-Site-Name\W2KASDC1      1154 2001-03-24 00:15:46   1 dc
Caching GUIDs.
..
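Added example, not part of the original post: a small Python parser for the repadmin /showmeta listing above that reports which attributes had an originating change on or after a given date. The names parse_showmeta and changed_since are this example's own, and it assumes the originating-DC field contains no whitespace.

```python
import re
from datetime import datetime

# One row: Loc.USN, originating DC, Org.USN, date, time, version, attribute.
# \s+ also spans line breaks, so rows wrapped by a mail client still match.
# Assumption: the originating-DC field contains no whitespace.
ROW = re.compile(
    r"(?<!\S)(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2})\s+"
    r"(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)"
)

# Rows copied from the listing in this post; the second is left wrapped.
SAMPLE = r"""
34 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24 00:15:46 1 objectClass
1213281 Default-First-Site-Name\W2KASDC1 1213281 2003-05-03
21:42:57 5 lockoutDuration
1221236 Default-First-Site-Name\W2KASDC1 1221236 2003-06-03 23:54:28 3 minPwdLength
1183024 Default-First-Site-Name\W2KASDC1 1183024 2003-01-18 11:43:47 6 ms-DS-MachineAccountQuota
Caching GUIDs.
"""

def parse_showmeta(text):
    """Return one dict per attribute row found in repadmin /showmeta output."""
    records = []
    for m in ROW.finditer(text):
        loc, dc, org, day, clock, ver, attr = m.groups()
        records.append({
            "attribute": attr,
            "originating_dc": dc,
            "local_usn": int(loc),
            "originating_usn": int(org),
            "changed": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
            "version": int(ver),
        })
    return records

def changed_since(records, cutoff):
    """Rows whose last originating write is at or after cutoff, newest first."""
    hits = [r for r in records if r["changed"] >= cutoff]
    return sorted(hits, key=lambda r: r["changed"], reverse=True)

if __name__ == "__main__":
    for r in changed_since(parse_showmeta(SAMPLE), datetime(2003, 1, 1)):
        print(r["changed"], f"v{r['version']}", r["attribute"])
```

The metadata identifies which attribute changed, when, on which DC and how many times (Ver); it does not carry the old or new value or the account that made the change. The timestamps can be lined up with the Security log event 642 mentioned in the original question.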
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's
account?
There is no change log maintained; however, you can look at the
replication metadata for an object (assuming you have appropriate
permissions) that will give you date and time stamps of originating
changes. Take a look at repadmin /showmeta. Also if you are nice Robbie
might post a code snippet utilizing the IADSTOOLS DLL.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, August 11, 2003 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] how to identify what got changed in a user's
account?
Hi,
I am trying to identify exactly what got changed in a user's account
(W2K domain). I know that a change will create a Security log record,
EventID 642, category "Account Management", type "Success". It will
identify the account that got changed ("Target Account ID") and who made
the change ("Caller User Name"). But how do you tell *exactly* what
changed? Is there additional logging that must be enabled? Thanks for
any info!
Mike Thommes
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/