Hi Joe,
I've had a chance to chronologically sort the records produced by the "repadmin
/showmeta" command. I now understand that the metadata contains the change date for a
particular attribute (you said that, didn't you!). However, none of the records that
I have been able to lay my hands on seem to be able to tell me what I am looking for -
which is who and when someone set an account so that the password never expires. Both
the security record originally produced says "the user account changed" and the
metadata says that the userAccountControl attribute changed. Both are pretty generic.
How would I find out the specifics - specifically when the "password never expires"
bit (part of the userAccountControl attribute) got changed? Thanks for any info!
Mike Thommes
-----Original Message-----
From: Thommes, Michael M.
Sent: Monday, August 11, 2003 8:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's
account?
Hi Joe,
Thanks! That was the piece I needed. I now have a complete record of everything
that was changed on that user object. Now to digest it.......
Mike Thommes
-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Mon 8/11/2003 6:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?
I just realized my answer wasn't complete unless you already knew what
the meta data output looks like...
Basically it will tell you the originating change time/date/where stamp
for every attribute of a given object.
Ex:
F:\Dev\cpp\GetSysInfo>repadmin /showmeta dc=joehome,dc=com
DsBindWithCred to localhost failed with status 1753 (0x6d9):
There are no more endpoints available from the endpoint mapper.
34 entries.
Loc.USN Originating DC Org.USN Org.Time/Date
Ver Attribute
======= =============== ========= =============
=== =========
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 objectClass
6143 Default-First-Site-Name\W2KASDC1 6143 2001-05-16
20:49:14 1 description
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 instanceType
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 whenCreated
1162127 Default-First-Site-Name\W2KASDC1 1162127 2002-10-14
20:18:01 3 nTSecurityDescriptor
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 name
1473 Default-First-Site-Name\W2KASDC1 1473 2001-03-24
00:20:26 2 creationTime
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 forceLogoff
1213281 Default-First-Site-Name\W2KASDC1 1213281 2003-05-03
21:42:57 5 lockoutDuration
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 lockOutObservationWindow
9293 Default-First-Site-Name\W2KASDC1 9293 2001-06-23
19:56:13 2 lockoutThreshold
36084 Default-First-Site-Name\W2KASDC1 36084 2001-10-21
11:59:09 2 maxPwdAge
1203175 Default-First-Site-Name\W2KASDC1 1203175 2003-03-20
21:22:33 2 minPwdAge
1221236 Default-First-Site-Name\W2KASDC1 1221236 2003-06-03
23:54:28 3 minPwdLength
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 modifiedCountAtLastProm
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 nextRid
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 pwdProperties
36084 Default-First-Site-Name\W2KASDC1 36084 2001-10-21
11:59:09 3 pwdHistoryLength
1156 Default-First-Site-Name\W2KASDC1 1156 2001-03-24
00:15:46 1 objectSid
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 oEMInformation
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 uASCompat
1409 Default-First-Site-Name\W2KASDC1 1409 2001-03-24
00:16:00 1 domainReplica
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 auditingPolicy
6921 Default-First-Site-Name\W2KASDC1 6921 2001-05-27
14:55:35 2 nTMixedDomain
1539 Default-First-Site-Name\W2KASDC1 1539 2001-03-24
00:20:42 1 rIDManagerReference
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 fSMORoleOwner
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 systemFlags
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 wellKnownObjects
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 objectCategory
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 isCriticalSystemObject
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 gPLink
24569 Default-First-Site-Name\W2KASDC1 24569 2001-08-16
13:33:39 1 gPOptions
1183024 Default-First-Site-Name\W2KASDC1 1183024 2003-01-18
11:43:47 6 ms-DS-MachineAccountQuota
1154 Default-First-Site-Name\W2KASDC1 1154 2001-03-24
00:15:46 1 dc
Caching GUIDs.
..
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's
account?
There is no change log maintained however you can look at the
replication metadata for an object (assuming you have appropriate
permissions) that will give you date and time stamps of originating
changes. Take a look at repadmin /showmeta. Also if you are nice Robbie
might post a code snippet utilizing the IADSTOOLS DLL.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, August 11, 2003 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] how to identify what got changed in a user's
account?
Hi,
I am trying to identify exactly what got changed in a user's account
(W2K domain). I know that a change will create a Security log record,
EventID 642, category "Account Management", type "Success". It will
identify the account that got changed ("Target Account ID") and who made
the change ( "Caller User Name"). But how do you tell *exactly* what
changed? Is there additional logging that must be enabled? Thank for
any info!
Mike Thommes
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
