Looking at AD Metadata with Repadmin in 2026
Ah, good old Repadmin, it’s been a friend of mine since I started managing multi-DC Active Directory environments. It’s a very handy tool for checking or forcing replication, and managing the KCC. I won’t lie, I usually don’t use most of its options, it usually ends up with basic troubleshooting before I can put my finger on the problem.
I’ve recently had a call with Enterprise Security Consultant Haim Nachmias, who introduced me to a pretty neat option in Repadmin - showobjmeta. By using showobjmeta you can see some pretty detailed information about Active directory objects, such as how many times a specific attribute was changed, when it was changed last (which isn’t that exciting given that you can do it via Active Directory Users and Computers) and on which DC the change took place.
For group objects, for example, you can see when someone was added to the group, and if they were a member of it at some point in the past, you can see the fact that they were a member of the group as well as when they were removed from it. The usage is pretty simple. You just open cmd and type:
repadmin /showobjmeta <DC Name> <ObjectDN>
Assuming you have the proper permissions, you’ll be presented with the output in table format (If it’s kind of garbled, my advice is to invoke this command in a PowerShell window because you can expand the window to make it look a little less ugly).
Columns and their meaning
So what do we have here? Let’s go over the columns:
- Loc. USN (Local Update Sequence Number)- Sort of like a serial number for an update that happened, this number is different across DCs.
- Originating DSA (Directory Service Authority)- The DC from which the change originated
- Org. USN (Organizational Update Sequence Number) - Just like the first one, but it’s the same across all DCs
- Org. Time/Date - Well, I mean, I think it’s self explanatory :)
- Ver (Version) - A change counter, if the version is 1 that means the attribute hasn’t been changed, if it’s 2 that means it was changed once, and so on
- Attribute - Which attribute of the object was changed
Now that we’re all on the same page, let’s invoke this on a slightly more interesting object - a security group.
As you can see, I’ve switched to a PowerShell window for the reason I stated earlier.
We’re already familiar with the first table, but hey, what’s that second part? Group membership history! You can see some similarities between the 2 tables, for example the USNs and Originating DSA. The Ver column acts the same way, each time a directory identity is added or removed from the group, the counter is incremented by 1. Last mod time is the time on which the user was added/removed, for example, the user that starts with “Orel” is not currently present in the group, and he was removed from the group on March 24th, the user that starts with “Dog” is indeed present in the group, and he was added on March 24th.
Modern QoL Tip: Exporting to CSV
The standard repadmin output is a bit of a mess to read in the console. If you are auditing a group with hundreds of members, use the /csv flag and open it in Excel or VS Code:
repadmin /showobjmeta /csv IL1-LAB-DC "CN=Google Users,OU=Security Groups,OU=TLVLAB,DC=TLVLAB,DC=LOCAL" | Out-File .\MetadataAudit.csvThe 2026 Way: The PowerShell Equivalent
If you want to stay strictly within native PowerShell (perhaps for a report), you can use the Get-ADReplicationAttributeMetadata cmdlet. It provides the same data as objects, allowing for better filtering:
# Show only attributes changed in the last 7 days
Get-ADReplicationAttributeMetadata -Object "CN=John Doe,OU=Users,DC=TLVLAB,DC=LOCAL" -Server IL1-LAB-DC |
Where-Object { $_.LastOriginatingChangeTime -gt (Get-Date).AddDays(-7) } |
Select-Object AttributeName, LastOriginatingChangeTime, OriginatingServerWhy this still matters
In the era of Windows Server 2022 and 2025, Active Directory is more “attacked” than ever. Tools like repadmin aren’t just for fixing replication errors anymore; they are for Identity Forensics.
The next time someone asks, “Who changed this?”, don’t just shrug—look at the metadata.
Enjoyed this post? Why not look at my other posts as well? :)