Viewing the History of an Active Directory Object with Replication Metadata

I answered a question via Twitter the other day as to whether or not it was possible to see when someone was added to a group without relying on audit information. The good news is that the answer is “Yes!” – assuming your forest is running in the Windows Server 2003 Forest Functional Level (FFL2) or better, and that the user was added after you upgraded your forest to this level. You can also see when a user was removed, however once they’ve been removed you won’t be able to see when they were added.

Starting with FFL2, linked values such as group membership are replicated individually via linked value replication (LVR). In Windows 2000, a linked attribute replicated as a single block of data, which led to issues with groups that had large memberships. Active Directory also stores some additional data called replication metadata. The metadata records the version of each attribute, when it was last changed, and where the change originated. Since links replicate individually, each link value has its own metadata that you can use to determine when a user was added to the group. To look at the replication metadata for an object, you’ll need to provide the object’s distinguished name. In this case, I’m going to look at the group “Test Group” in my domain:

repadmin /showobjmeta test-dc01 "CN=Test Group,OU=Groups,DC=brianlab,DC=local"

The output of this command will vary, but in my environment it looks like this:

13 entries.
Loc.USN                      Originating DSA       Org.USN   Org.Time/Date         Ver Attribute
=======                      ===============       ========= =============         === =========
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectClass
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  cn
686100                       TestSite\TEST-DC01    686100    2010-10-27 14:06:19    2  description
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  instanceType
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  whenCreated
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  nTSecurityDescriptor
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  name
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectSid
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  sAMAccountName
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  sAMAccountType
685899                       TestSite\TEST-DC01    685899    2010-10-25 12:56:19    1  sIDHistory
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  groupType
685896                       TestSite\TEST-DC01    685896    2010-10-25 12:56:19    1  objectCategory

3 entries.
Type     Attribute     Last Mod Time       Originating DSA     Loc.USN Org.USN Ver Distinguished Name
=======  ============  =============       =================   ======= ======= === =============================
ABSENT   member        2010-11-05 16:55:28 TestSite\TEST-DC01  749327  749327   2  CN=Brian Desmond,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-05 16:55:02 TestSite\TEST-DC01  749320  749320   1  CN=Test User 01,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-02 12:48:34 TestSite\TEST-DC01  730720  730720   1  CN=Doe\, John,OU=Users,DC=brianlab,DC=local

There are a couple of key takeaways here. The first is that you can see the version number of each attribute. In this case, none of the attributes have been modified since the group was created, except for the description attribute, which was updated once a couple of days later. At the bottom of the output is the listing for each linked attribute. In this case I only have the member attribute populated, but if, for example, the manager linked attribute were populated, it would be listed here as well. On 11/5, my user was removed from the group, and shortly before that, Test User 01 was added. On 11/2, John Doe was added. You can see that Test User 01 was added before I was removed because the USN for Test User 01’s link is slightly lower.
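To turn that linked-value section into a membership timeline rather than reading it by eye, here is an added Python example (not part of the original post or of repadmin itself) that parses the PRESENT/ABSENT rows and orders them by originating USN; the sample text it parses is a constructed copy of the three member rows shown above.

```python
import re
from datetime import datetime

# Constructed sample: the linked-value section of the 'repadmin /showobjmeta' output
# shown in the post (two PRESENT member links and one ABSENT one).
SAMPLE_OUTPUT = """\
3 entries.
Type     Attribute     Last Mod Time       Originating DSA     Loc.USN Org.USN Ver Distinguished Name
=======  ============  =============       =================   ======= ======= === =============================
ABSENT   member        2010-11-05 16:55:28 TestSite\\TEST-DC01  749327  749327   2  CN=Brian Desmond,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-05 16:55:02 TestSite\\TEST-DC01  749320  749320   1  CN=Test User 01,OU=Users,DC=brianlab,DC=local
PRESENT  member        2010-11-02 12:48:34 TestSite\\TEST-DC01  730720  730720   1  CN=Doe\\, John,OU=Users,DC=brianlab,DC=local
"""

# One linked-value row. The DN is captured to end of line because it may contain
# spaces and escaped commas ("CN=Doe\, John,...").
LINK_ROW = re.compile(
    r"^(?P<type>PRESENT|ABSENT)\s+(?P<attr>\S+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<dsa>\S+)\s+"
    r"(?P<loc_usn>\d+)\s+(?P<org_usn>\d+)\s+(?P<ver>\d+)\s+(?P<dn>.+?)\s*$"
)

def parse_link_metadata(text):
    """Return the linked-value rows as dicts, oldest originating USN first.

    Ver counts every add/remove of that link value, so ABSENT with Ver 2 means
    the link was added once and then removed; only the removal time survives."""
    rows = []
    for line in text.splitlines():
        m = LINK_ROW.match(line)
        if not m:
            continue  # header, separator, or attribute (non-link) metadata lines
        rows.append({
            "attribute": m["attr"],
            "dn": m["dn"],
            "action": "added" if m["type"] == "PRESENT" else "removed",
            "when": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            "originating_dsa": m["dsa"],
            "org_usn": int(m["org_usn"]),
            "version": int(m["ver"]),
        })
    return sorted(rows, key=lambda r: r["org_usn"])

def membership_timeline(text, attribute="member"):
    """One line per change to the given linked attribute, in the order it happened."""
    return [f"{r['when']:%Y-%m-%d %H:%M:%S}  {r['action']:<7}  {r['dn']}  "
            f"(USN {r['org_usn']}, ver {r['version']})"
            for r in parse_link_metadata(text) if r["attribute"] == attribute]
```

Feed the whole /showobjmeta output of a group to membership_timeline() to get the add/remove history of its member attribute; note that ABSENT link values are only retained until the forest's tombstone lifetime expires, so removals older than that will no longer appear.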
