Objects in active directory have a modification timestamp attribute, whenChanged, that reflects the time of the last change to the object. This is useful if you want to confirm a change had not been made after a specific time (e.g. the user began having problems at 2PM yesterday, but their object was last changed November of last year … an account change is not likely to be the cause).
There is additional stored metadata which provides a modification timestamp (and source domain controller for the modification event) for each individual attribute on an object. This can be a lot more useful (e.g. a user’s home directory is incorrect, but the object modification timestamp reflects the fact they changed their password yesterday). To view the metadata, use repadmin /showobjmeta DC-Hostname “objectFQDN”
I redirect the output to a file; it’s a lot easier to search a text file for the attribute name than scroll through all of the attributes in a DOS window.
repadmin /showobjmeta dc.domain.gTLD "cn=user account,ou=pathToObject,dc=domain,dc=gTLD" > myaccount.txt 57 entries. Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute ======= =============== ========= ============= === ========= 20822 92d3c1e5-d4ed-41c7-989f-62a1712b1084 20822 2014-06-08 22:20:57 1 cn ... 4659114 Default-First-Site-Name\DC 4659114 2016-12-29 20:56:21 10 unicodePwd 3299408 Default-First-Site-Name\DC 3299408 2016-01-16 17:03:05 13 lockoutTime 4978129 Default-First-Site-Name\DC 4978129 2017-02-18 21:50:13 90 lastLogonTimestamp 4988421 Default-First-Site-Name\DC 4988421 2017-02-22 10:31:06 54333 msDS-LastSuccessfulInteractiveLogonTime 4977488 Default-First-Site-Name\DC 4977488 2017-02-18 16:21:12 223 msDS-LastFailedInteractiveLogonTime 4977488 Default-First-Site-Name\DC 4977488 2017-02-18 16:21:12 223 msDS-FailedInteractiveLogonCount 4977489 Default-First-Site-Name\DC 4977489 2017-02-18 16:21:18 165 msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon
The originating DSA may be an odd GUID value (the domain controller on which this change was initiated has since been decommissioned) or it may be an AD site and domain controller name.
The originating timestamp indicates when the attribute’s value was last changed. The version indicates the number of revisions on the attribute value – which itself can provide interesting information like the number of times an account has been locked out or the number of times a user has changed their password.
This information can be useful when an account change does correspond with a user experiencing problems. You can identify the specific attributes that were updated and research those specific values.
It’s also useful to track down who changed a specific attribute value. The combination of originating domain controller and attribute modification time can make searching for the event log record corresponding to a specific change a lot easier — you know which server to search and can filter the log down to records spanning a few seconds.