Active Directory Metadata PowerShell

Hello,

Active Directory metadata are a very interesting subject. In the old days, we used to use repadmin.exe tool to access them. Nowadays, PowerShell is here to help.

Active Directory Metadata Repadmin

RepAdmin is a very powerful tool, hereunder an example to see the metadata of the default naming context of D2K12R2.local Active Directory domain.

repadmin /showobjmeta dc1 "DC=D2K12R2,DC=local"

Active Directory Metadata PowerShell

We can do the same with PowerShell, it’s even better because we got a object that is easier to handle then a full text output of a binary file.

Get-ADReplicationAttributeMetadata -Object 'DC=D2K12R2,DC=LOCAL' -Server DC1

Because it’s an object, we can use Out-GridView:

There is a lot of useful information in this. For example, you can see that the “gplink” attribute is version 3, that means it has been modified twice. You can also see that the default password policy is at version 2.

You can use this on every object in Active Directory, but some are more useful than others.

Admins Users

You can query metadata for one user :

Get-ADUser -Identity Administrator | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView

Or for every admins :

Get-ADUser -Filter {AdminCount -eq 1} | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView

If you filter on “Version” superior to 1, you can have a list of all attributes modified at least one time on every administrators in the current domain. You can also know from which domain controller and when the modification happened.

You can use this to check the number of password change, the number of ACL change, and a lot of nice things to know.

Admins Groups

You can query the metadata of all the adminis groups with:

Get-ADGroup -Filter {AdminCount -eq 1} | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView

Now, you can see the modified attributes list on each administration groups of the current domain. You can see that members changes, the added and remove date of each member, that’s very helpful:

This information is used for the Active Directory replication and should be present for at least the duration of the TombStoneLifeTime. You can track administrative group membership, event for deleted users, as you can see in the screenshot capture above (their name contains “ADEL”).

Organizational Units

Just like users and groups:

Get-ADOrganizationalUnit -Filter * | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView

Metadata of the organizational units are useful to track changes about group policy link, delegation and such.

Trusts

Get-ADTrust -Filter * | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView

Metadata of Active Directory trusts contains valuable information about trust directions, UPN routing, and attribute (transitive, SID Filtering, forest, external, etc…).

AdminSDHolder

If you want to please your CISO, you may want to monitor the SecurityDescriptor of the AdminSDHolder object, indeed, those ACL are copied to each and every privilege account/group in the domain. You can read more about it here.

Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$((Get-ADRootDSE).defaultNamingContext)" | Get-ADReplicationAttributeMetadata -Server DC1 | Out-GridView

In my lab,, the SecurityDescriptor has been changed 6 times, in a production environment, it shouldn’t be that high, or you should be aware of it.

Conclusion

There is several way of getting Active Directory metadata, some a more convenient than others, but they all get the same data.

Active Directory metadata contains a lot of data, not all is interesting, but with a few object manipulation and filter, you can get the useful information out.