How to track any attribute change
- Assumption #1: DS Access enabled in Group Policy
- Assumption #2: auditing is enabled on the object you want to track (SACL entries)
- run "repadmin /showobjmeta DCName DN_of_object"
- Check the change time and origin DC of the attribute
- Check event ID 4662 at that point in time on the originating DC
- You may see several 4662 events
- You should see Subject, Object, and Operation info in the event; look for the operation type "Write Property"
- In the "Properties" section it lists only the GUID of the property, so you will have to match it up against the AD schema here
- Obviously step 8 is nearly impossible by hand, as there are a few hundred attributes and you don't want to check them one by one
- So you can also just search for the GUID in the schema context. The query string will look something like this: "schemaIDGUID=#($U@()&%)@" BUT YOU CANNOT USE THE GUID FROM THE EVENT VIEWER! You have to convert it first
- How to convert a GUID reported in Event Viewer to an LDAP query filter: this page. Life is hard, isn't it?!
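Worked example of the last three steps, added here and not part of the original note: it converts the text GUID shown in a 4662 event into the escaped byte form an LDAP filter needs, resolves it in the schema naming context, and applies that to the "Write Property" 4662 events in a time window. It assumes the RSAT ActiveDirectory module is installed and the Security log of the originating DC is readable; the time window and the GUID in the comment are sample values.

```powershell
# Added example, not the original note's code. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-LdapGuidFilter {
    # Event Viewer prints the GUID as text, e.g. {bf967a86-0de6-11d0-a285-00aa003049e2}.
    # schemaIDGUID is stored as 16 raw bytes, with the first three fields little-endian,
    # so the bytes must be reordered and each escaped as \xx before going into a filter.
    param([Parameter(Mandatory)][string]$GuidText)
    $bytes   = ([guid]$GuidText.Trim('{', '}')).ToByteArray()   # .NET yields the stored byte order
    $escaped = ($bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    return "(schemaIDGUID=$escaped)"
}

function Resolve-SchemaGuid {
    # Look the converted GUID up in the schema NC and return the attribute or class name.
    param([Parameter(Mandatory)][string]$GuidText)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter   = ConvertTo-LdapGuidFilter -GuidText $GuidText
    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName |
        Select-Object lDAPDisplayName, Name
}

# Pull the 4662 events around the change time that repadmin /showobjmeta reported.
# The window below is a sample value; replace it with the timestamps you observed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date '2024-01-01 10:00:00')
    EndTime   = (Get-Date '2024-01-01 10:05:00')
}

# Keep only Write Property operations and resolve every GUID listed under Properties.
foreach ($e in ($events | Where-Object { $_.Message -match 'Write Property' })) {
    $subject = [regex]::Match($e.Message, 'Account Name:\s+(\S+)').Groups[1].Value
    $guids   = [regex]::Matches($e.Message, '\{[0-9a-fA-F-]{36}\}') |
               ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($g in $guids) {
        $name = (Resolve-SchemaGuid -GuidText $g).lDAPDisplayName
        [pscustomobject]@{ Time = $e.TimeCreated; Subject = $subject; Guid = $g; Name = $name }
    }
}
```

A GUID that returns nothing from the schema is usually a property set or extended right rather than an attribute; those live under CN=Extended-Rights in the Configuration partition and are matched on their rightsGuid attribute instead.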