Active Directory Metadata PowerShell
Hello,
Active Directory replication metadata is a very interesting subject. In the old days, we used the repadmin.exe tool to access it. Nowadays, PowerShell is here to help.
Active Directory Metadata Repadmin
RepAdmin is a very powerful tool. Here is an example that shows the metadata of the default naming context of the D2K12R2.local Active Directory domain:
repadmin /showobjmeta dc1 "DC=D2K12R2,DC=local"
Active Directory Metadata PowerShell
We can do the same with PowerShell, and it is even better because we get objects, which are easier to handle than the full-text output of a binary tool.
Get-ADReplicationAttributeMetadata -Object 'DC=D2K12R2,DC=LOCAL' -Server DC1
Because it’s an object, we can use Out-GridView:
There is a lot of useful information in this. For example, you can see that the “gPLink” attribute is at version 3, which means it has been modified twice (a newly created attribute starts at version 1 and every originating write increments it). You can also see that the default password policy attributes are at version 2.
You can use this on every object in Active Directory, but some are more useful than others.
Admins Users
You can query the metadata of one user:
Get-ADUser -Identity Administrator | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView
Or of every admin account (users with AdminCount set to 1):
Get-ADUser -Filter {AdminCount -eq 1} | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView
If you filter on “Version” greater than 1, you get the list of every attribute modified at least once on every administrator of the current domain. You also see from which domain controller and when each modification originated.
You can use this to check the number of password changes (the version of pwdLastSet), the number of ACL changes (the version of nTSecurityDescriptor), and a lot of other nice things to know.
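Here is an added example (not from the original post) that turns that idea into a small audit script. It collects the metadata of every AdminCount=1 user, derives the number of password and ACL changes from the attribute versions, and lists the attributes modified at least once. The domain controller name DC1 is taken from the post; the ActiveDirectory module and read access to the domain are assumed.

```powershell
# Added example: summarize password and ACL changes of protected (AdminCount=1)
# users from replication metadata. Assumes the ActiveDirectory module and a
# reachable domain controller named DC1 (name taken from the post).
Import-Module ActiveDirectory

$Server = 'DC1'   # assumption: same DC as in the post

$report = foreach ($user in Get-ADUser -Filter { AdminCount -eq 1 } -Server $Server) {
    $meta = Get-ADReplicationAttributeMetadata -Object $user -Server $Server

    # A freshly written attribute has Version 1; every originating write
    # increments it, so Version - 1 is the number of modifications.
    # Note: pwdLastSet is also rewritten when "must change password at next
    # logon" is set, so treat PasswordChanges as an upper bound.
    $pwd = $meta | Where-Object AttributeName -eq 'pwdLastSet'
    $acl = $meta | Where-Object AttributeName -eq 'nTSecurityDescriptor'

    [PSCustomObject]@{
        SamAccountName     = $user.SamAccountName
        PasswordChanges    = if ($pwd) { $pwd.Version - 1 } else { 0 }
        LastPasswordSet    = $pwd.LastOriginatingChangeTime
        PasswordSetFrom    = $pwd.LastOriginatingChangeDirectoryServerIdentity
        AclChanges         = if ($acl) { $acl.Version - 1 } else { 0 }
        LastAclChange      = $acl.LastOriginatingChangeTime
        AclChangedFrom     = $acl.LastOriginatingChangeDirectoryServerIdentity
        # Everything modified at least once (what the post's Version > 1 filter shows)
        ModifiedAttributes = ($meta | Where-Object Version -gt 1 |
                              Select-Object -ExpandProperty AttributeName) -join ','
    }
}

# ACL changes on admin accounts are rare and worth reviewing first
$report | Sort-Object AclChanges, PasswordChanges -Descending |
    Out-GridView -Title 'Admin account metadata summary'
```

Because the metadata records the originating domain controller and time, a password or ACL change that you cannot match to a change ticket is a good starting point for a closer look at that account and that DC's security log.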
Admins Groups
You can query the metadata of all the admin groups with:
Get-ADGroup -Filter {AdminCount -eq 1} | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView
Now, you can see the list of modified attributes on each administrative group of the current domain. You can see the member changes, with the add and remove date of each member, which is very helpful:
This information is used by Active Directory replication and should be kept for at least the duration of the TombStoneLifeTime. So you can track administrative group membership, even for deleted users, as you can see in the screenshot above (their name contains “
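As an added example (not from the original post), the following script builds a membership timeline for every AdminCount=1 group from the linked-value metadata of the member attribute. The -ShowAllLinkedValues switch of Get-ADReplicationAttributeMetadata returns one entry per link value, including members that have been removed, for as long as the absent link is retained. The DC name DC1 comes from the post; it is assumed that only removed link values carry a LastOriginatingDeleteTime.

```powershell
# Added example: membership timeline of protected (AdminCount=1) groups built
# from linked-value replication metadata. Assumes the ActiveDirectory module
# and a reachable domain controller named DC1 (name taken from the post).
Import-Module ActiveDirectory

$Server = 'DC1'   # assumption: same DC as in the post

$timeline = foreach ($group in Get-ADGroup -Filter { AdminCount -eq 1 } -Server $Server) {
    Get-ADReplicationAttributeMetadata -Object $group -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            [PSCustomObject]@{
                Group       = $group.Name
                MemberDN    = $_.AttributeValue
                # Assumption: a removed member keeps its link entry with the
                # delete time set; a present member has no delete time.
                State       = if ($_.LastOriginatingDeleteTime) { 'Removed' } else { 'Present' }
                AddedOn     = $_.FirstOriginatingCreateTime
                LastChange  = $_.LastOriginatingChangeTime
                RemovedOn   = $_.LastOriginatingDeleteTime
                ChangedFrom = $_.LastOriginatingChangeDirectoryServerIdentity
                # Version grows with every add/remove cycle of this link value
                Version     = $_.Version
            }
        }
}

# Newest changes first; removals and short-lived memberships stand out here
$timeline | Sort-Object LastChange -Descending |
    Out-GridView -Title 'Admin group membership timeline'

# A cheap daily review: members added to an admin group in the last 30 days
$timeline | Where-Object { $_.State -eq 'Present' -and $_.AddedOn -gt (Get-Date).AddDays(-30) }
```

A member that was added and removed again between two of your reviews still shows up here with both timestamps, which is exactly what a plain Get-ADGroupMember snapshot would miss. Keep in mind that absent link values are only retained for the tombstone lifetime, so for longer retention export the timeline regularly.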