@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

Active Directory When-Created and When-Changed (1)

Note:I translated Japanese into English using Google Translate.
Thank you, Google.

Summary:

  • Active Directory accounts have "When-Created" (whenCreated) and "When-Changed" (whenChanged) attributes.
  • I am checking when those attributes are updated. However, I have only just started to verify this.
  • When user Alice logs on, the "lastLogon" attribute is updated, but "whenChanged" is not updated.
  • The following information is in the Microsoft article. Please refer to the reference URL for details.
    ・The Update Frequency of the "When-Created" attribute is "When the object is created."
    ・The Update Frequency of the "When-Changed" attribute is "Each time the object is changed."
  • 2019/02/02 ADD
    ・Some attributes are not replicated between DCs. For example, "lastLogon" is not replicated.
    ・Such attributes have the NR*1 bit set in their System-Flags value. [MS-ADTS]: System Flags

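Rather than looking up the System-Flags value of each attribute in the docs, the NR bit can be read straight out of the schema partition. The PowerShell below is an added example (not part of the original post): it fetches the attributeSchema object for each attribute name and tests bit 0x00000001 of systemFlags. On a default schema, lastLogon carries the bit and lastLogonTimestamp does not; whenChanged also carries it, which matters for the tests on this page because each DC keeps its own whenChanged value. It needs the ActiveDirectory RSAT module in a domain-joined session; the attribute names passed at the end are simply the ones discussed here.

```powershell
# Added example (not from the original post): test the NR (FLAG_ATTR_NOT_REPLICATED,
# 0x00000001) bit of systemFlags on attributeSchema objects. [MS-ADTS] System Flags.
Import-Module ActiveDirectory

$FLAG_ATTR_NOT_REPLICATED = 0x00000001

function Get-AttributeReplicationInfo {
    param(
        [Parameter(Mandatory)][string[]]$LdapDisplayName,
        [string]$Server   # optional: a specific DC; default is the module's auto-selected DC
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $schemaNc = (Get-ADRootDSE @common).schemaNamingContext

    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject @common -SearchBase $schemaNc `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties systemFlags, isMemberOfPartialAttributeSet
        if (-not $attr) { Write-Warning "attribute '$name' not found in the schema"; continue }

        $flags = [int]$attr.systemFlags   # null (no flags set) becomes 0
        [pscustomobject]@{
            Attribute       = $name
            SystemFlags     = ('0x{0:X8}' -f $flags)
            NotReplicated   = (($flags -band $FLAG_ATTR_NOT_REPLICATED) -ne 0)
            InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
        }
    }
}

Get-AttributeReplicationInfo -LdapDisplayName whenCreated, whenChanged, lastLogon, lastLogonTimestamp, adminCount |
    Format-Table -AutoSize
```

A NotReplicated value of True means the attribute is written only on the DC that handled the operation, so two DCs can legitimately report different values for the same account.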
 ----------

[Note] Please be aware that the verification method may not be sufficient.

Create a test account, Alice, in AD. Compare the date and time in the event log with the date and time of "When-Created", and confirm that they match.


Log on to the domain with the Alice account and check the timestamps. Several logon date properties were added to the displayed columns.

When Alice first logged on to the domain, "When-Changed" was updated.

Is this update caused by updating attributes such as "lastLogon"? Or is it the result of "lastLogonTimestamp", which was "<not set>" when the account was created, being set for the first time?


When Alice logs on, the "lastLogon" attribute is updated but "whenChanged" is not updated. (I have not confirmed the update of Last-Logon-Timestamp. Is LastLogonDate the result of decoding lastLogonTimestamp?)

I repeated logon and logoff several times, but "When-Changed" was not updated.
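Reading the attributes on a single DC hides a value that was written on a different DC, so for a question like this I would start with a per-DC snapshot. The PowerShell below is an added example, not from the original post: it queries every DC in the domain for the account's whenCreated, whenChanged, uSNChanged, lastLogon, lastLogonTimestamp and adminCount, decodes the two FILETIME values (lastLogon and lastLogonTimestamp are 64-bit FILETIME integers; LastLogonDate in the AD module is lastLogonTimestamp converted exactly this way) and prints everything in UTC so it lines up with the event log. When reading the output, keep in mind that lastLogon differs per DC because it is never replicated, and that lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, reduced by a small random percentage). That is why the first logon after account creation (value not set) writes it, and therefore bumps whenChanged, while the following logons do not.

```powershell
# Added example (not from the original post): snapshot of one account's timestamp
# attributes from every DC in the domain, with FILETIME values decoded to UTC.
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime {
    # lastLogon / lastLogonTimestamp are 64-bit FILETIME integers; 0 or null means "<not set>".
    param([AllowNull()]$FileTime)
    if (-not $FileTime) { return $null }
    [DateTime]::FromFileTimeUtc([Int64]$FileTime)
}

function Get-AccountTimestampsPerDC {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $props = 'whenCreated', 'whenChanged', 'uSNChanged', 'lastLogon', 'lastLogonTimestamp', 'adminCount'
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            # -Server pins the query to this DC so non-replicated values are not masked
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $props
        } catch {
            Write-Warning ('{0}: {1}' -f $dc.HostName, $_.Exception.Message)
            continue
        }
        [pscustomobject]@{
            DC                 = $dc.HostName
            whenCreated        = $u.whenCreated.ToUniversalTime()
            whenChanged        = $u.whenChanged.ToUniversalTime()            # set locally by each DC
            uSNChanged         = $u.uSNChanged                               # also local to each DC
            lastLogon          = ConvertFrom-AdFileTime $u.lastLogon           # not replicated
            lastLogonTimestamp = ConvertFrom-AdFileTime $u.lastLogonTimestamp  # replicated
            adminCount         = $u.adminCount
        }
    }
}

Get-AccountTimestampsPerDC -SamAccountName 'Alice' | Format-Table -AutoSize
```

Run it once after creating the account, once after the first logon and once after a later logon; the column that moves tells you which attribute the logon actually wrote on which DC.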


Next test,
I added the Alice account to the Domain Admins group. This operation did not update "When-Changed" of the Alice account. (It was not updated by this operation itself, but it is updated by related events later on.)

After adding Alice to the Domain Admins group, I logged on and off again, but "When-Changed" was not updated.


While I was trying other tests, I noticed that "When-Changed" had been updated. So I looked in the event log for the time at which "When-Changed" was updated.


I think this is probably the ACL update event of "AdminSDHolder". I forgot to confirm the "adminCount" attribute beforehand.

EID 4780 (The ACL was set on accounts which are members of administrators groups)


EID 4738 (A user account was changed) is also recorded in the event log, but I could not identify which attribute was changed.
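To tie an observed whenChanged value back to an event, I would pull the candidate events from the same DC whose whenChanged value was read, since whenChanged is set locally by each DC and another DC may carry a slightly different time. The script below is an added example, not from the original post. It collects 4738, 4780 and 5136 from the DC's Security log within a window around the whenChanged time and parses the EventData. 4738 reports only a fixed set of attributes and shows "-" for the rest, so a write to an attribute outside that set, adminCount among them, yields a 4738 with every slot at "-", which is consistent with not being able to tell the changed attribute from it. Event 5136 (the "Audit Directory Service Changes" subcategory, which must be enabled, with a SACL on the object that audits property writes) names the LDAP attribute and the value written. The DC name dc01.example.test is a placeholder, and the script assumes the account's CN equals its sAMAccountName, as it does for the test account Alice.

```powershell
# Added example (not from the original post): Security events from one DC that can
# explain an update of whenChanged on a user account.
Import-Module ActiveDirectory

function Get-AccountChangeEvents {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$SamAccountName,   # assumed equal to the object's CN
        [Parameter(Mandatory)][datetime]$WhenChangedUtc,
        [int]$WindowMinutes = 5
    )
    # 4738 fields that identify who changed whom; every other 4738 field is an attribute slot.
    $identityFields = 'SubjectUserSid', 'SubjectUserName', 'SubjectDomainName', 'SubjectLogonId',
                      'TargetUserName', 'TargetDomainName', 'TargetSid', 'PrivilegeList', 'Dummy'
    $local  = $WhenChangedUtc.ToLocalTime()
    $filter = @{
        LogName   = 'Security'
        Id        = 4738, 4780, 5136
        StartTime = $local.AddMinutes(-$WindowMinutes)
        EndTime   = $local.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[[string]$d.Name] = [string]$d.'#text'
        }
        switch ($evt.Id) {
            5136 {
                if ($data.ObjectDN -notlike "CN=$SamAccountName,*") { return }
                # OperationType is the raw token: %%14674 = value added, %%14675 = value deleted
                $detail = '{0} {1} = {2}' -f $data.OperationType, $data.AttributeLDAPDisplayName, $data.AttributeValue
            }
            4780 {
                if ($data.TargetUserName -ne $SamAccountName) { return }
                $detail = 'ACL set on a member of an administrators group (AdminSDHolder / SDProp)'
            }
            default {
                if ($data.TargetUserName -ne $SamAccountName) { return }
                # 4738: unchanged slots hold '-'. A write to an attribute outside the fixed set
                # (adminCount, for example) leaves every slot at '-'.
                $changed = $data.GetEnumerator() |
                           Where-Object { $_.Key -notin $identityFields -and $_.Value -ne '-' } |
                           ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }
                $detail = if ($changed) { $changed -join '; ' } else { '(no attribute from the 4738 fixed set changed)' }
            }
        }
        [pscustomobject]@{
            TimeCreatedUtc = $evt.TimeCreated.ToUniversalTime()
            Id             = $evt.Id
            Subject        = $data.SubjectUserName
            Detail         = $detail
        }
    }
}

# Usage (dc01.example.test is a placeholder): read whenChanged and the events from the same DC.
$dc    = 'dc01.example.test'
$alice = Get-ADUser -Identity Alice -Server $dc -Properties whenChanged
Get-AccountChangeEvents -DomainController $dc -SamAccountName Alice -WhenChangedUtc $alice.whenChanged.ToUniversalTime() |
    Sort-Object TimeCreatedUtc | Format-Table -AutoSize
```

If a 4738 with all slots at "-" sits next to a 4780 for the same account, the write was almost certainly the adminCount / security-descriptor update done by SDProp; a 5136 line in the same window, when that subcategory is on, confirms the attribute name directly.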


I will continue testing.


Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC

Reference URL:

docs.microsoft.com

docs.microsoft.com

blogs.technet.microsoft.com

blogs.technet.microsoft.com

https://adsecurity.org/?p=1906


*1: FLAG_ATTR_NOT_REPLICATED (on attributeSchema objects) or FLAG_CR_NTDS_NC (on crossRef objects), 0x00000001