I can get some interesting metadata of an AD object using ActiveDirectoryReplicationMetadata, e.g. Version, LocalChangeUSN, OriginatingChangeUSN, OriginatingServer, ... with the following code:
DirectoryContext domainContext = new DirectoryContext(DirectoryContextType.Domain, "targetDomainName", "validUserInDomain", "validUserPassword");
var domain = System.DirectoryServices.ActiveDirectory.Domain.GetDomain(domainContext);
var dc = domain.FindDomainController();
var metadata = dc.GetReplicationMetadata("distinguishedNameOfWantedObject");
Is there any way in C# to also get the information which account did the last change?
NB: I know that I can turn on AD DS Auditing and query the event log for that information but I need to know if there is a solution without the event log.
I would check the domain controller to see if it is logging anything, otherwise you will probably have no choice other than to enable the logging in AD itself.
None
0 Points
1 Post
Who changed an attribute in Active Directory?
Jul 02, 2015 08:45 AM|ToM1202|LINK
I can get some interesting metadata of an AD object using ActiveDirectoryReplicationMetadata, e.g. Version, LocalChangeUSN, OriginatingChangeUSN, OriginatingServer, ... with the following code:
DirectoryContext domainContext = new DirectoryContext(DirectoryContextType.Domain, "targetDomainName", "validUserInDomain", "validUserPassword"); var domain = System.DirectoryServices.ActiveDirectory.Domain.GetDomain(domainContext); var dc = domain.FindDomainController(); var metadata = dc.GetReplicationMetadata("distinguishedNameOfWantedObject");Is there any way in C# to also get the information which account did the last change?
NB: I know that I can turn on AD DS Auditing and query the event log for that information but I need to know if there is a solution without the event log.
ActiveDirectory
All-Star
35169 Points
9930 Posts
Moderator
Re: Who changed an attribute in Active Directory?
Jul 02, 2015 08:54 AM|bbcompent1|LINK
I would check the domain controller to see if it is logging anything, otherwise you will probably have no choice other than to enable the logging in AD itself.
ActiveDirectory
Member
10 Points
1 Post
Re: Who changed an attribute in Active Directory?
Jul 20, 2015 06:38 AM|andrewscolt|LINK
I would suggest you to enable auditing and it will let you track the changes made in active directory.
This PDF article provides step-wise instructions to enable auditing and track all critical changes into real time even at granular level : http://www.lepide.com/guide/enable-active-directory-security-auditing.pdf
ActiveDirectory