Active Directory changes occur a lot, especially when it comes to user accounts. Active Directory is a critical component for any organization, and it’s crucial to monitor and secure it properly. If you need to monitor Active Directory replication changes for users, you’ve come to the right place.
In this tutorial, you’ll learn how to detect changes to your users in Active Directory. You’ll do so by learning how Active Directory detects changes itself and how you can tap into that to get full visibility in your environment.
Let’s learn!
Prerequisites
This article will be a hands-on tutorial. If you’d like to follow along, be sure you have the following:
- An Active Directory domain – This tutorial will use Windows Server 2019 with the domain and forest functional levels set to 2019, but domain controllers (DCs) running Windows Server 2008 R2 or later should work. The tutorial will use a domain called test.local with two DCs, DC01 and DC02.
- A domain-joined Windows PC with PowerShell installed. This tutorial will use Windows 10 with Windows PowerShell v5.1.
- A user account that is a member of the Domain Admins group in the domain.
Understanding Active Directory Replication Changes using USNs
Active Directory can potentially contain millions of user accounts in a large enterprise environment. With that many accounts, it’s nearly impossible to know what’s changing on a daily basis. But by understanding how Active Directory processes changes, you can begin to build systems to monitor user account changes.
To understand user account changes or any Active Directory object changes for that matter, you must first understand DC replication. What does replication have to do with detecting changes? Update Sequence Numbers (USNs).
Knowledge of USNs is equally important even if you only have a single DC in your environment.
Every DC maintains its own copy of the Active Directory database and keeps that copy consistent through replication. If that’s true, how does a DC know when something has changed on another DC so it can initiate replication? You guessed it: USNs.
When an Active Directory object attribute changes on a DC, that DC increments the USN value for that object. Once incremented, it sends the change along with the USN to all other DCs within the domain.
What is a USN?
Active Directory contains many objects with various types such as users, computers, contacts, etc. Each object contains multiple attributes that can be changed. In addition, each attribute has a specific number attached to it called a USN.
When Active Directory changes an object’s attributes, it automatically increments that attribute’s USN.
How USNs and DC Replication Work
When Active Directory increments an object attribute’s USN on a single DC, that DC sends a replication pull request. That request notifies the DC’s replication partners to pull the latest attributes from its database. The replication partners then compare their copy of the attribute’s USN with the USN on the DC that initiated replication. If the initiating DC’s USN is higher, the destination DC allows the replication to happen.
For example, perhaps you’re in an environment with two DCs. You have a user account for an employee called Faris User. This user account has an attribute called displayName with a value of Faris Malaeb.
Each DC maintains its own USN counter and keeps track of the USNs it has received from every other DC. As a result, the USN values for the same attribute are not the same on every domain controller.
Let’s say an administrator changes the displayName attribute to Faris Maleab2 while connected to DC01. The moment that change happens, DC01 increments the USN for the displayName attribute and notifies DC02 of the change, which then updates its attribute.
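The following added PowerShell example (not part of the original article) shows the two counters just described: each DC’s own local USN counter, exposed as the highestCommittedUSN attribute of RootDSE, and the DC’s record of the highest USN it has already received from each replication partner (the up-to-dateness vector). It assumes the ActiveDirectory module is available and uses the tutorial’s DCs dc01.test.local and dc02.test.local.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) and the tutorial's DCs dc01.test.local and dc02.test.local.
Import-Module ActiveDirectory

$dcs = 'dc01.test.local', 'dc02.test.local'

foreach ($dc in $dcs) {
    # highestCommittedUSN is this DC's own, local USN counter (a RootDSE attribute).
    # It is different on every DC, which is why the same user shows different
    # uSNChanged values depending on which DC you query.
    $rootDse = Get-ADRootDSE -Server $dc
    "{0}: highestCommittedUSN = {1}" -f $dc, $rootDse.highestCommittedUSN

    # The up-to-dateness vector is this DC's record of the highest USN it has
    # already received from each replication partner for the domain partition.
    # UsnFilter is that partner USN; LastReplicationSuccess is when it was reached.
    Get-ADReplicationUpToDatenessVectorTable -Target $dc -Partition $rootDse.defaultNamingContext |
        Select-Object Server, Partner, UsnFilter, LastReplicationSuccess |
        Format-Table -AutoSize
}
```

Run it once, change an attribute on DC01, and run it again: DC01’s highestCommittedUSN rises immediately, and after replication DC02’s entry for DC01 in the vector table catches up to that value.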
Initiating and Monitoring a USN Change
You’ve read enough about USNs; let’s now see how it works in the real world. To do that, you will create a new Active Directory user account and then monitor the USN and how the DCs replicate that user account via Active Directory replication.
First, create the Active Directory user account. To do that:
1. Open Active Directory Users and Computers (ADUC), either on a domain controller’s desktop or remotely. This tutorial will connect to DC01.
2. Right click on any organizational unit (OU) and select New —> User.
3. Fill in the First Name User1 and the User logon name of user1 and click Next.
4. Create a random password and click Next and Finish.
5. Now, open the user account and click on the Attribute Editor tab. In the Attributes list, scroll down a bit until you see USN attributes called uSNCreated and uSNChanged.
The uSNCreated attribute is the USN assigned when the object was created; this value never changes. The uSNChanged attribute is the USN of the most recent change to the object.
6. Open PowerShell on DC01 and run the following command to see the USN values in DC01’s database. The command uses the Get-ADUser cmdlet to query DC01 for the user account named user1 and returns the uSNCreated and uSNChanged attributes of that account.
Get-ADUser user1 -Properties uSNCreated,uSNChanged -Server dc01.test.local | Select-Object UserPrincipalName,uSNCreated,uSNChanged
Notice that the uSNCreated attribute is 83649 and the uSNChanged attribute is 269605.
7. Now, run the same command, but this time connect to DC02.
Get-ADUser user1 -Properties uSNCreated,uSNChanged -Server dc02.test.local | Select-Object UserPrincipalName,uSNCreated,uSNChanged
Notice that the uSNCreated attribute is 16647 and the uSNChanged attribute is 30114.
8. Change the City attribute on the user1 user account on DC01 to initiate an attribute change. Once this happens, DC01 updates the uSNChanged value for the User1 object, making it higher than the previous value. At this time, DC01 will notify DC02 of the attribute change.
Set-ADUser user1 -City "Dubai"
The uSNCreated attribute remains the same throughout as it was the initial value when the object was created.
9. Now, rerun Get-ADUser against both DCs to see that the uSNChanged attribute has increased on both DCs.
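Steps 6 through 9 are the manual form of a detection loop: record a DC’s USN, make or wait for changes, then look for objects whose uSNChanged has moved past the recorded value. The added example below (not from the original article) automates that loop with an LDAP filter on uSNChanged. It assumes the ActiveDirectory module, the tutorial’s test.local domain and its Test OU; the function name Get-ChangedADUsers is a hypothetical name chosen for this example.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and the tutorial's domain test.local with a Test OU.
Import-Module ActiveDirectory

function Get-ChangedADUsers {
    param(
        [Parameter(Mandatory)] [string] $Server,     # DC to query, e.g. dc01.test.local
        [Parameter(Mandatory)] [long]   $SinceUsn,   # USN watermark recorded at the last check
        [string] $SearchBase = 'OU=Test,DC=test,DC=local'
    )
    # uSNChanged is a per-DC counter, so a watermark is only meaningful when it is
    # compared against the same DC it was taken from. Keep one watermark per DC.
    $filter = "(uSNChanged>=$($SinceUsn + 1))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Server $Server `
               -Properties uSNCreated, uSNChanged, whenChanged |
        Select-Object SamAccountName, uSNCreated, uSNChanged, whenChanged,
                      # uSNCreated above the watermark means the account is new, not just modified
                      @{ Name = 'IsNew'; Expression = { $_.uSNCreated -gt $SinceUsn } }
}

$dc = 'dc01.test.local'

# Take a baseline: the highest USN this DC has committed right now.
$baseline = (Get-ADRootDSE -Server $dc).highestCommittedUSN
"Baseline USN on ${dc}: $baseline"

# Make the same change the tutorial makes in step 8, pinned to the same DC.
Set-ADUser user1 -City "Dubai" -Server $dc

# Everything whose uSNChanged moved past the baseline was modified or created since.
Get-ChangedADUsers -Server $dc -SinceUsn $baseline | Format-Table -AutoSize

# Store the new watermark for the next run (per DC, e.g. in a file or database).
$baseline = (Get-ADRootDSE -Server $dc).highestCommittedUSN
```

Because a change made on DC01 arrives on DC02 with a DC02-local uSNChanged, polling both DCs with their own watermarks reports the same change twice; polling a single DC per domain is usually enough, as long as you reset the watermark if you ever switch DCs.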
Monitoring USN Changes with Repadmin
Now that you know how USNs get updated, let’s jump into a demo of how you can monitor those Active Directory changes with Microsoft’s replication administration (repadmin) tool. Repadmin comes with Active Directory and lets you troubleshoot replication between DCs in an Active Directory forest.
Assuming you’re still on DC01’s desktop:
1. Open PowerShell.
2. Run the following repadmin command to list all of the properties of the user1 user account along with its version number. The below example assumes the user1 user account is located in the Test OU of the tutorial’s test.local Active Directory domain.
repadmin /ShowObjMeta dc01 CN=User1,OU=Test,DC=test,DC=local
The /ShowObjMeta parameter requires a domain controller to contact and the object’s distinguished name. The output displays the replication metadata for the specified object stored in Active Directory, such as the attribute ID, version number, originating and local Update Sequence Numbers (USNs), originating server GUID, and date and timestamp.
You’ll notice below that repadmin has a Ver column. This Version (Ver) column is an incrementing number representing how many times the attribute has changed. Together with the date, this value is the indicator used to detect that a change has been made.
Take specific note of the displayName attribute. The version is 3, meaning that attribute’s value has changed three times.
3. Run the below PowerShell command to make a change to the displayName attribute for the User1 user account.
Set-ADUser User1 -DisplayName "I Am user 1"
4. Now, rerun repadmin with the same command as step two to see that the USNs and version have both incremented and the Org. Time/Date has updated.
repadmin /ShowObjMeta dc01 CN=User1,OU=Test,DC=test,DC=local
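The same per-attribute metadata that repadmin /ShowObjMeta prints is available in PowerShell through Get-ADReplicationAttributeMetadata, which makes it possible to compare version numbers before and after a change instead of reading the repadmin table by eye. The added example below (not from the original article) does that for the tutorial’s User1 object on DC01; it assumes the ActiveDirectory module and the distinguished name CN=User1,OU=Test,DC=test,DC=local from step 2, and the function name Get-IncrementedAttributes is a hypothetical name chosen for this example.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and the tutorial's User1 object in OU=Test,DC=test,DC=local on dc01.test.local.
Import-Module ActiveDirectory

$dn = 'CN=User1,OU=Test,DC=test,DC=local'
$dc = 'dc01.test.local'

function Get-AttributeVersions {
    param([string] $Object, [string] $Server)
    # Build a lookup of attribute name -> Version (repadmin's Ver column).
    $versions = @{}
    Get-ADReplicationAttributeMetadata -Object $Object -Server $Server |
        ForEach-Object { $versions[$_.AttributeName] = $_.Version }
    $versions
}

function Get-IncrementedAttributes {
    param([string] $Object, [string] $Server, [hashtable] $Baseline)
    # Report only attributes whose version number rose since the baseline,
    # with the originating USN, time and DC for each one.
    Get-ADReplicationAttributeMetadata -Object $Object -Server $Server |
        Where-Object {
            -not $Baseline.ContainsKey($_.AttributeName) -or
            $_.Version -gt $Baseline[$_.AttributeName]
        } |
        Select-Object AttributeName, Version,
                      LastOriginatingChangeUsn, LocalChangeUsn,
                      LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

# Record each attribute's version before the change (same numbers as repadmin's Ver column).
$before = Get-AttributeVersions -Object $dn -Server $dc

# The change from step 3, pinned to DC01 so the metadata is read from the same DC.
Set-ADUser User1 -DisplayName "I Am user 1" -Server $dc

# Only displayName should appear: its Version is one higher and its time/date is now.
Get-IncrementedAttributes -Object $dn -Server $dc -Baseline $before | Format-Table -AutoSize
```

The LastOriginatingChangeDirectoryServerIdentity column tells you on which DC the change was made, which is the detail to correlate with that DC’s security event log when you need to know who made it.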
Conclusion
You’ve now seen how USNs work and how to use Microsoft’s repadmin utility to track Active Directory replication changes.
Armed with this knowledge, how will you use USNs and repadmin to monitor Active Directory user accounts in your environment?