active-directory
Can someone explain what the 'whenChanged ' attribute is for in AD. We have recently been running a report on this attribute because I believe this attribute will will tell what accounts have changed in Active Directory but we are getting loads of reported updates on user accounts that I cannot explain
thanks
On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.
That should set it up so that the specified account can read the group memberships of all User accounts in the domain.
Scan the Security event log on every computer looking for a logon of that user account.
Best Answer
The whenChanged attribute is updated anytime a local write occurs. It's not a replicated attribute (e.g. maintained locally on each domain controller).
If you want to see what changed specifically,
Look at repadmin /showobjmeta:"DN of object goes here".
Thanks, Brian Desmond Active Directory MVP