Skip to the main content.

1 min read

AD: Viewing full object metadata to determine when an attribute was changed

View the metadata for an AD object to find out more details about when its specific attributes were modified. This is very handy when trying to troubleshoot details about a specific object.. See when and where an attribute was updated which can also help track down who made the change if the entry was captured in the domain controller event logs.

Here’s the syntax and an example of what data you will get back.

Repadmin /showobjmeta DCNAME “full object DN”

C:>repadmin /showobjmeta DC01 “cn=SVCAccount,ou=accounts,dc=domain,dc=corp”

58 entries.

Loc.USN        Originating DC     Org.USN     Org.Time/Date         Ver     Attribute

=======     ===========    ========    =========

16740030     DFW1DC01     16740030     2009-10-28 11:18:43     1     objectClass

16740030     DFW1DC01     16740030     2009-10-28 11:18:43     1    cn

29079766     DFW1DC01     29079766     2010-03-23 16:23:35    3     sn

29079766     DFW1DC01    29079766     2010-03-23 16:23:35    2     title

16740030     DFW1DC01     16740030     2009-10-28 11:18:43    1     description

39541488     DFW1DC01     39541488     2010-07-12 12:03:56     39     givenName

16740030     DFW1DC01    16740030     2009-10-28 11:18:43     1     whenCreated

29079766     DFW1DC01     29079766     2010-03-23 16:23:35     6     displayName

29079766     DFW1DC01     29079766     2010-03-23 16:23:35     3     co

16741438     DFW1DC01     16741438     2009-10-28 11:42:45     2     department

16740030     DFW1DC01     16740030     2009-10-28 11:18:43     1     name

39259708     SAN1DC02     32310052     2010-07-09 10:52:46     4     userAccountControl

38694997          SAN2DC03     93941776     2010-07-03 17:56:41     1     homeDirectory

38694997          SAN2DC03     93941776     2010-07-03 17:56:41     1     homeDrive

28995344     SAN1DC02     23187706     2010-03-22 15:48:22     4     ntPwdHistory

28995344     SAN1DC02     23187706     2010-03-22 15:48:22     4     pwdLastSet

16740031     DFW1DC01     16740031     2009-10-28 11:18:43     1     primaryGroupID

…………

Most of these details are self-explanatory. Ver is the number of modifications to a particular attribute.

Now you have when and where a specific attribute was modified and can track down who did it by looking in the security log J

Windows Active Directory Schema Versions

There are a couple ways to determine your Windows AD Schema Version: ADSIedit.msc and/or LDP.exe. In this article I use ADSIedit.msc.

Read More

Exchange 2010 Dynamic Distribution Group not working

There is a bug in the creation process for Dynamic Distribution Groups (DDG) in Exchange 2010. When you use the Exchange Management Shell to create a...

Read More

Upgrading to Exchange 2010 SP2

Exchange 2010 Service Pack 2 includes a number of new improvements. For details on all of the features check out Technet. This post will walk through...

Read More