Note: I translated Japanese into English using Google Translate.
Thank you, Google.
- Active Directory accounts have "When-Created" and "When-Changed" attributes.
- I am checking when those attributes are updated. However, I just started to verify.
- When user Alice logs on, the "lastLogon" attribute is updated, but "whenChanged" is not updated.
- The following information is in the Microsoft article. Please refer to the reference URL for details.
・The Update Frequency of the "When-Created" attribute is "When the object is created."
・The Update Frequency of the "When-Changed" attribute is "Each time the object is changed."
- 2019/02/02 ADD
・Some attributes are not replicated between DCs. For example, "lastLogon" is not replicated.
・The System Flags item has the NR*1 flag bit. [MS-ADTS]: System Flags
When-Changed and when-Created are pushed by the DC doing the modification / creation. WhenChanged can be modified by DCShadow. When-created only at object creation. A replication of WhenCreated implies an object creation. If a conflict happens the object is marked as duplicate.— Vincent Le Toux (@mysmartlogon) January 29, 2019
[Note] Please be aware that the verification method may not be sufficient.
Create test account Alice on AD. Compare the date and time of the event log with the date and time of "When-Created", and confirm that they match.
Log on to the domain with the Alice account and check the timestamp. Several logon date properties were added to the display.
When Alice first logged on to the domain, "When-Changed" was updated.
Is this update caused by the update of attributes such as "lastLogon"? Or is it the result of "lastLogonTimestamp", which is "<not set>" at the time of account creation, being set?
When Alice logs on, the "lastLogon" attribute is updated but "whenChanged" is not updated. (I have not confirmed the update of Last-Logon-Timestamp. Is LastLogonDate the result of decoding lastLogonTimestamp?)
I repeated logon and logoff several times, but "When-Changed" was not updated.
I added the Alice account to the Domain Admins group. This operation did not update "When-Changed" of the Alice account. (It was not updated by this operation, but it will be updated with related events.)
After adding Alice to the Domain Admins group, I logged on and logged off, but "When-Changed" was not updated.
While I was trying other tests, I noticed that "When-Changed" was being updated. So I confirmed the time when "When-Changed" was updated in the event log.
I think it is perhaps an ACL update event of "AdminSDHolder". I forgot to confirm the "adminCount" attribute beforehand.
EID 4738 is also recorded in the event log, but I could not identify which attribute was changed.
I will continue testing.
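One way to see which attribute moved "When-Changed", shown as an added example that is not part of the original post: read the timestamps from every DC and list the per-attribute replication metadata next to them. It assumes the ActiveDirectory PowerShell module (RSAT), read access to the domain, and a test account whose sAMAccountName is `alice` (an assumed name).

```powershell
# Added example. Assumptions: ActiveDirectory module is installed and the
# test account's sAMAccountName is 'alice'.
Import-Module ActiveDirectory

$sam   = 'alice'
$props = 'whenCreated', 'whenChanged', 'lastLogon', 'lastLogonTimestamp', 'adminCount'

function ConvertFrom-FileTimeUtc($Value) {
    # lastLogon and lastLogonTimestamp are stored as FILETIME values
    # (100 ns intervals since 1601-01-01 UTC). Null or 0 means "<not set>".
    if (-not $Value) { return $null }
    [DateTime]::FromFileTimeUtc([Int64]$Value)
}

foreach ($dc in Get-ADDomainController -Filter *) {
    # Query each DC directly: lastLogon is not replicated, so every DC
    # holds its own value, and whenChanged is stamped locally by each DC.
    $u = Get-ADUser -Identity $sam -Server $dc.HostName -Properties $props

    [pscustomobject]@{
        DC                 = $dc.HostName
        whenCreated        = $u.whenCreated.ToUniversalTime()
        whenChanged        = $u.whenChanged.ToUniversalTime()
        lastLogon          = ConvertFrom-FileTimeUtc $u.lastLogon
        lastLogonTimestamp = ConvertFrom-FileTimeUtc $u.lastLogonTimestamp
        adminCount         = $u.adminCount
    } | Format-List

    # Per-attribute replication metadata: the newest entries show which
    # attribute was written last, when, and on which DC the write originated.
    # Non-replicated attributes such as lastLogon are not expected to appear.
    Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $dc.HostName |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object -First 10 AttributeName, Version, LastOriginatingChangeTime,
            LastOriginatingChangeDirectoryServerIdentity |
        Format-Table -AutoSize
}
```

Running it before and after each test step (logon, group change) and comparing the newest metadata entry with "When-Changed" and with the time of EID 4738 shows which attribute write the timestamp follows.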
Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC
*1: FLAG_ATTR_NOT_REPLICATED or FLAG_CR_NTDS_NC, 0x00000001