Ah, good old Repadmin, it’s been a friend of mine since I started managing multi-DC Active Directory environments. It’s a very handy tool for checking or forcing replication, and managing the KCC. I won’t lie, I usually don’t use most of its options, it usually ends up with basic troubleshooting before I can put my finger on the problem.
I’ve recently had a call with Enterprise Security Consultant Haim Nachmias, who introduced me to a pretty neat option in Repadmin – showobjmeta. By using showobjmeta you can see some pretty detailed information about Active Directory objects, such as how many times a specific attribute was changed, when it was changed last (which isn’t that exciting, given that you can do it via Active Directory Users and Computers) and on which DC the change took place.
For group objects, for example, you can see when someone was added to the group, and if someone was a member of it at some point in the past, you can see that they were, as well as when they were removed from it. The usage is pretty simple. You just open cmd and type:
repadmin /showobjmeta <DC Name> <ObjectDN>
Assuming you have the proper permissions, you’ll be presented with the output in table format (if it’s kind of garbled, my advice is to invoke this command in a PowerShell window, because you can expand the window to make it look a little less ugly).
So what do we have here? Let’s go over the columns:
- Loc. USN (Local Update Sequence Number) – sort of like a serial number for an update that happened; this number is different across DCs.
- Originating DSA (Directory Service Authority) – the DC from which the change originated.
- Org. USN (Organizational Update Sequence Number) – just like the first one, but it’s the same across all DCs.
- Org. Time/Date – well, I mean, I think it’s self-explanatory 🙂
- Ver (Version) – a change counter: if the version is 1, the attribute hasn’t been changed; if it’s 2, it was changed once; and so on.
- Attribute – which attribute of the object was changed.
Now that we’re all on the same page, let’s invoke this on a slightly more interesting object – a security group.
As you can see, I’ve switched to a PowerShell window for the reason I stated earlier.
We’re already familiar with the first table, but hey, what’s that second part? Group membership history! You can see some similarities between the two tables, for example the USNs and Originating DSA. The Ver column acts the same way: each time a directory identity is added to or removed from the group, the counter is incremented by 1. Last mod time is the time at which the user was added or removed. For example, the user whose name starts with “Orel” is not currently present in the group and was removed from it on March 24th, while the user whose name starts with “Dog” is indeed present in the group and was added on March 24th.
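To turn that membership history into something you can filter, compare or archive for an audit, here is an added PowerShell example (not part of the original post) that parses the second table into objects and separates current members from removed ones. It assumes each membership row starts with PRESENT or ABSENT followed by the Attribute, Last Mod Time, Originating DSA, Loc.USN, Org.USN, Ver and member DN columns; the sample output, the DC name and the group DN are constructed placeholders.

```powershell
# Added example: parse the group-membership history table that
# "repadmin /showobjmeta <DC> <GroupDN>" prints for linked attributes.
# ASSUMPTION: each row starts with PRESENT (current member) or ABSENT
# (removed member), followed by Attribute, Last Mod Time, Originating DSA,
# Loc.USN, Org.USN, Ver and the member's Distinguished Name.
function ConvertFrom-ShowObjMetaMembers {
    param([Parameter(Mandatory)][string[]]$Lines)

    $pattern = '^(?<Type>PRESENT|ABSENT)\s+(?<Attr>\S+)\s+' +
               '(?<Time>\S+\s+\S+)\s+(?<Dsa>\S+)\s+' +
               '(?<LocUsn>\d+)\s+(?<OrgUsn>\d+)\s+(?<Ver>\d+)\s+(?<Dn>.+?)\s*$'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Member         = $Matches.Dn
                Present        = ($Matches.Type -eq 'PRESENT')
                Attribute      = $Matches.Attr
                LastModTime    = [datetime]::ParseExact($Matches.Time, 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
                OriginatingDSA = $Matches.Dsa
                LocalUSN       = [int64]$Matches.LocUsn
                OriginatingUSN = [int64]$Matches.OrgUsn
                Version        = [int]$Matches.Ver
            }
        }
    }
}

# Real use (DC name and group DN are placeholders):
# $raw = repadmin /showobjmeta DC01 'CN=Domain Admins,CN=Users,DC=corp,DC=example'
# Constructed sample standing in for that output so the script runs offline:
$raw = @'
Type     Attribute  Last Mod Time        Originating DSA  Loc.USN  Org.USN  Ver  Distinguished Name
=======  =========  ===================  ===============  =======  =======  ===  ==================
PRESENT  member     2020-03-24 10:15:02  Site1\DC01       41234    41234    1    CN=Dog,OU=Users,DC=corp,DC=example
ABSENT   member     2020-03-24 11:02:47  Site1\DC02       41310    39877    2    CN=Orel,OU=Users,DC=corp,DC=example
'@ -split "`r?`n"

$history = ConvertFrom-ShowObjMetaMembers -Lines $raw

# Current members, then members removed at some point, with where and when it happened.
$history | Where-Object Present | Format-Table Member, LastModTime, OriginatingDSA
$history | Where-Object { -not $_.Present } |
    Format-Table Member, LastModTime, OriginatingDSA, Version
```

Removed members only stay visible as absent link values until the tombstone lifetime expires and they are garbage-collected, so capture this output for sensitive groups while it is still there.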
To summarize, repadmin can be a fairly powerful and useful tool to dig a little deeper into the internals of your Active Directory infrastructure.