
Finding who made that change

Ask most Windows sysadmins how to find out who made a change to an AD object, and they will gleefully tell you to run EventCombMT from the Account Lockout and Management Tools. This does the trick, by scanning the event logs of every domain controller for security log entries that match your criteria. But is there a better way?

EventCombMT takes quite a while to work if you have a lot of domain controllers to search through, especially if they are dotted around the globe and hanging off unreliable or slow network connections. Worse still, the default setting in EventCombMT appears to be to search the newest events first, working backwards to the oldest. On busy DCs, the relevant log entry may already have been expunged. Even if you use the AutoBackupLogFiles registry setting, EventCombMT will only search the current event logs of the servers you specify. If you want to search saved event files, you will need to specify those manually. For each file. On each server.

The best way to narrow things down is to use our friend repadmin with the showmeta switch. This gives you the details of the most recent change to each of an object's attributes, taken from the replication metadata. To use this method, you need to know the object's distinguished name (DN). For example: CN=Dalton\, Mark,ou=London,ou=UK,ou=UserAccounts,dc=europe,dc=example,dc=com. Note the extra backslash in there, which is required because the Common Name (CN) itself contains a comma.
We also need to specify a domain controller to query. If the change is still in the process of replicating between sites, you may see some inconsistent data, although in most AD implementations you would have to be pretty quick to end up in this situation.

The full syntax is: repadmin /showmeta objectDN DomainController. For example:
repadmin /showmeta "CN=Dalton\, Mark,ou=London,ou=UK,ou=UserAccounts,dc=europe,dc=example,dc=com" UK-EURDOM22
Here, we're looking for changes made to Mark Dalton's account, and we're asking the domain controller UK-EURDOM22 for the details. We should see something like this returned:

94 entries.

Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
=======                          =============== ========= =============        === =========
 204748     c587f74d-55b1-4dd6-a63f-f62c5b18b52b    924165 2003-05-23 12:25:02    1 objectClass
 204748                             LON\UK-EURDOM22    204748 2008-03-29 07:26:30    1 cn
 204748     9ef91853-d74a-483e-8f21-7ab1d4852425   4097147 2004-12-20 10:33:26    1 sn
 204748     9ef91853-d74a-483e-8f21-7ab1d4852425   4097147 2004-12-20 10:33:26    1 l
200229658                             LON\UK-EURDOM21 201800724 2010-07-05 10:01:59    3 title
9553438                             LON\UK-EURDOM20   6638472 2010-09-03 16:46:46    2 mobile

The above has been cut down a bit for brevity. We can see that the attribute mobile was last changed on 3rd September 2010, and that the originating DC was UK-EURDOM20. This saves us the bother of scouring every single DC and every saved event log file: we now know that we are looking for an event in the security log of UK-EURDOM20, and we know what time to look for, too.
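As an added example that is not part of the original post, this PowerShell script chains the two steps described above: it parses the repadmin output for one attribute, then queries only the originating DC's security log around the recorded time. The DN, DC and attribute values are the post's sample values; the regex assumes the column layout shown above, and the time window assumes repadmin's Org.Time/Date is comparable with the DC's event timestamps.

```powershell
# Added example, not part of the original post. Assumptions: the object DN,
# query DC and attribute below are the post's sample values; the repadmin output
# layout matches the table above (SITE\DCNAME or a bare GUID in the originating
# DC column); Org.Time/Date is comparable with the DC's event log timestamps.
param(
    [string]$ObjectDN      = 'CN=Dalton\, Mark,ou=London,ou=UK,ou=UserAccounts,dc=europe,dc=example,dc=com',
    [string]$QueryDC       = 'UK-EURDOM22',
    [string]$Attribute     = 'mobile',
    [int]   $WindowMinutes = 5
)

# 1. Ask the replication metadata which DC originated the last write.
$lines = & repadmin.exe /showmeta $ObjectDN $QueryDC
if ($LASTEXITCODE -ne 0) { throw "repadmin failed with exit code $LASTEXITCODE" }

# One data row: Loc.USN, originating DC, Org.USN, date, time, version, attribute.
$rowPattern = '^\s*(?<locusn>\d+)\s+(?<dc>\S+)\s+(?<orgusn>\d+)\s+' +
              '(?<date>\d{4}-\d{2}-\d{2})\s+(?<time>\d{2}:\d{2}:\d{2})\s+' +
              '(?<ver>\d+)\s+(?<attr>\S+)\s*$'

$change = $null
foreach ($line in $lines) {
    if ($line -match $rowPattern -and $Matches['attr'] -eq $Attribute) {
        $change = [pscustomobject]@{
            OriginatingDC = ($Matches['dc'] -split '\\')[-1]   # drop the SITE\ prefix
            When          = [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])",
                                                   'yyyy-MM-dd HH:mm:ss', $null)
            Version       = [int]$Matches['ver']               # number of writes so far
        }
        break
    }
}
if (-not $change) { throw "No replication metadata row for attribute '$Attribute'." }

# A bare GUID means the originating DC has since been demoted or removed.
if ($change.OriginatingDC -match '^[0-9a-f-]{36}$') {
    throw "Originating DC $($change.OriginatingDC) is no longer a live DC; check archived logs."
}

# 2. Pull only that DC's Security events around the change time. The window
#    absorbs small clock skew; the object's CN (escaped or not) narrows the list.
$filter = @{
    LogName   = 'Security'
    StartTime = $change.When.AddMinutes(-$WindowMinutes)
    EndTime   = $change.When.AddMinutes($WindowMinutes)
}
$cn = ($ObjectDN -split '(?<!\\),')[0] -replace '^CN=', ''
$namePattern = '(' + [regex]::Escape($cn) + '|' + [regex]::Escape(($cn -replace '\\,', ',')) + ')'
Get-WinEvent -ComputerName $change.OriginatingDC -FilterHashtable $filter |
    Where-Object { $_.Message -match $namePattern } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Drop the Where-Object filter to see every Security event in the window, which is useful when the relevant event names the account by its sAMAccountName rather than its CN.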

A few notes

You may not have your audit policy configured for the type of event you are looking for. For example, if you don't audit directory service object access, such access will not be recorded in the logs.
Also, as mentioned above, this only tells you about the last change to that particular attribute of an object. If somebody changed the mobile number, then changed it again, you will only have the replication metadata for the second change. If a field keeps getting reset to some random value, and you need to know about every historical occasion on which this has happened, you are going to need to use EventCombMT to trawl all of the historical logs.