Hi Joe,

I've had a chance to chronologically sort the records produced by the "repadmin /showmeta" command. I now understand that the metadata contains the change date for a particular attribute (you said that, didn't you!). However, none of the records that I have been able to lay my hands on seem to be able to tell me what I am looking for - which is who and when someone set an account so that the password never expires. Both the security record originally produced says "the user account changed" and the metadata says that the userAccountControl attribute changed. Both are pretty generic. How would I find out the specifics - specifically when the "password never expires" bit (part of the userAccountControl attribute) got changed?

Thanks for any info!

Mike Thommes

-----Original Message-----
From: Thommes, Michael M.
Sent: Monday, August 11, 2003 8:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?

Hi Joe,

Thanks! That was the piece I needed. I now have a complete record of everything that was changed on that user object. Now to digest it.......

Mike Thommes

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Mon 8/11/2003 6:31 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?

I just realized my answer wasn't complete unless you already knew what the meta data output looks like...

Basically it will tell you the originating change time/date/where stamp for every attribute of a given object.

Ex:

F:\Dev\cpp\GetSysInfo>repadmin /showmeta dc=joehome,dc=com
DsBindWithCred to localhost failed with status 1753 (0x6d9):
    There are no more endpoints available from the endpoint mapper.

34 entries.
Loc.USN  Originating DC                      Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============                   =========  =============        ===  =========
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  objectClass
   6143  Default-First-Site-Name\W2KASDC1       6143  2001-05-16 20:49:14    1  description
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  instanceType
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  whenCreated
1162127  Default-First-Site-Name\W2KASDC1    1162127  2002-10-14 20:18:01    3  nTSecurityDescriptor
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  name
   1473  Default-First-Site-Name\W2KASDC1       1473  2001-03-24 00:20:26    2  creationTime
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  forceLogoff
1213281  Default-First-Site-Name\W2KASDC1    1213281  2003-05-03 21:42:57    5  lockoutDuration
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  lockOutObservationWindow
   9293  Default-First-Site-Name\W2KASDC1       9293  2001-06-23 19:56:13    2  lockoutThreshold
  36084  Default-First-Site-Name\W2KASDC1      36084  2001-10-21 11:59:09    2  maxPwdAge
1203175  Default-First-Site-Name\W2KASDC1    1203175  2003-03-20 21:22:33    2  minPwdAge
1221236  Default-First-Site-Name\W2KASDC1    1221236  2003-06-03 23:54:28    3  minPwdLength
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  modifiedCountAtLastProm
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  nextRid
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  pwdProperties
  36084  Default-First-Site-Name\W2KASDC1      36084  2001-10-21 11:59:09    3  pwdHistoryLength
   1156  Default-First-Site-Name\W2KASDC1       1156  2001-03-24 00:15:46    1  objectSid
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  oEMInformation
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  uASCompat
   1409  Default-First-Site-Name\W2KASDC1       1409  2001-03-24 00:16:00    1  domainReplica
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  auditingPolicy
   6921  Default-First-Site-Name\W2KASDC1       6921  2001-05-27 14:55:35    2  nTMixedDomain
   1539  Default-First-Site-Name\W2KASDC1       1539  2001-03-24 00:20:42    1  rIDManagerReference
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  fSMORoleOwner
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  systemFlags
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  wellKnownObjects
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  objectCategory
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  isCriticalSystemObject
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  gPLink
  24569  Default-First-Site-Name\W2KASDC1      24569  2001-08-16 13:33:39    1  gPOptions
1183024  Default-First-Site-Name\W2KASDC1    1183024  2003-01-18 11:43:47    6  ms-DS-MachineAccountQuota
   1154  Default-First-Site-Name\W2KASDC1       1154  2001-03-24 00:15:46    1  dc
Caching GUIDs.
..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify what got changed in a user's account?

There is no change log maintained; however, you can look at the replication metadata for an object (assuming you have appropriate permissions) that will give you date and time stamps of originating changes. Take a look at repadmin /showmeta. Also if you are nice Robbie might post a code snippet utilizing the IADSTOOLS DLL.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 11, 2003 7:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] how to identify what got changed in a user's account?

Hi,

I am trying to identify exactly what got changed in a user's account (W2K domain). I know that a change will create a Security log record, EventID 642, category "Account Management", type "Success". It will identify the account that got changed ("Target Account ID") and who made the change ("Caller User Name"). But how do you tell *exactly* what changed? Is there additional logging that must be enabled?

Thanks for any info!

Mike Thommes

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
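
Added example, not part of the original thread or any poster's code: a Python sketch that parses "repadmin /showmeta" rows, sorts them by originating time, and pairs the userAccountControl entry with Event ID 642 records for the same account inside a time window. The account name jdoe, the DC names, the event dictionaries and the 5-minute window are constructed assumptions, and both sources are assumed to use the same clock and time zone.

```python
import re
from datetime import datetime, timedelta

# One /showmeta row: Loc.USN, Originating DC, Org.USN, Org.Time/Date, Ver, Attribute
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+"
                 r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$")

def parse_showmeta(text):
    """Return one dict per attribute row, oldest originating change first."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header, separator, "Caching GUIDs." and so on
        _loc, dc, org, when, ver, attr = m.groups()
        rows.append({"attribute": attr, "version": int(ver), "dc": dc,
                     "org_usn": int(org),
                     "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S")})
    return sorted(rows, key=lambda r: (r["time"], r["org_usn"]))

def correlate(rows, events, attribute, target, window=timedelta(minutes=5)):
    """Pair the originating write of `attribute` with 642 events on `target`."""
    # Metadata keeps only the latest originating write per attribute;
    # Ver counts the writes, earlier timestamps are gone.
    row = next((r for r in rows
                if r["attribute"].lower() == attribute.lower()), None)
    if row is None:
        return None, []
    hits = [e for e in events
            if e["target"].lower() == target.lower()
            and abs(e["time"] - row["time"]) <= window]
    return row, sorted(hits, key=lambda e: abs(e["time"] - row["time"]))

# Constructed /showmeta output for a hypothetical user object.
SAMPLE_META = r"""
Loc.USN  Originating DC                 Org.USN  Org.Time/Date        Ver Attribute
=======  ===============              =========  =============        === =========
  20511  Default-First-Site-Name\DC01     20511  2003-02-10 09:12:44    1 objectClass
  48830  Default-First-Site-Name\DC02     48812  2003-08-07 14:03:19    4 userAccountControl
  31207  Default-First-Site-Name\DC01     31207  2003-06-30 08:45:02    3 pwdLastSet
  20511  Default-First-Site-Name\DC01     20511  2003-02-10 09:12:44    1 sAMAccountName
"""

# Constructed Event ID 642 records (fields: Target Account ID, Caller User Name).
SAMPLE_EVENTS = [
    {"time": datetime(2003, 8, 7, 14, 3, 21), "target": "jdoe", "caller": "helpdesk1"},
    {"time": datetime(2003, 8, 7, 14, 3, 40), "target": "asmith", "caller": "admin2"},
    {"time": datetime(2003, 8, 6, 10, 0, 0), "target": "jdoe", "caller": "admin2"},
]

if __name__ == "__main__":
    print(correlate(parse_showmeta(SAMPLE_META), SAMPLE_EVENTS,
                    "userAccountControl", "jdoe"))
```

The Originating DC column names the domain controller whose Security log should hold the matching 642 record, so that is the log to export before correlating.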