Track past changes in your AD accounts (users & computers), even if no event logs exist - e.g. not collected, no retention/overwritten, wiped (e.g. during an Incident Response) etc. Uses Replication metadata history parsing.

No special permissions required (non-admin AD user is ok).

Supports offline mode as well, using a consistent copy of the NTDS.dit file.

Note 1: Offline operations do not show attribute value, yet all other information is there (LastChangeTime, NumberOfChanges, DaysSinceLastChange etc., including Enabled/Disabled status, AdminCount etc.).

Note 2: The ActiveDirectory module is required Only for ONLINE operations (live DCs), and not needed for Offline operations.

Example code on how to create a custom accountnames.txt file to query changes for a specific set of users

Create an accounts file that will query changes for all administrative users (adminCount=1)

1st, query the account names and save to text file:

$a = ([adsisearcher]'(&(ObjectCategory=Person)(ObjectClass=User)(admincount=1)(!(samaccountname=krbtgt)))').FindAll(); $a.Properties.samaccountname | sort | Out-File .\accountnames.txt

2nd, Run the script, from the same directory as the accountnames.txt file.

3rd, Identify the output csv file, e.g. ad-repl*, and import it to memory:

$res = import-csv .\AD-Replication-Metadata-History_11001510002023.csv -Delimiter ";"

4th - group it by objects: $grouped = $res | group Object

5th - ensure you have the object you want to query/examine:

$grouped | where Name -like "cn=administrator,*"

6th, Can also get specific data, e.g. Total logons for this account (from all DCs, summed up):

$grouped | where Name -like "cn=administrator,*" | select -ExpandProperty group | where AttributeName -eq "LogonCount" | Measure-Object -Property attributevalue -Sum | select -ExpandProperty Sum