I recently needed to determine when an attribute was updated by MIM in Active Directory for a particular user object. MIM itself provides details within Metaverse search to determine when the attribute was updated in MIM but doesn’t confirm when the change was made in AD.
repadmin command
Using repadmin, it’s possible to determine when an attribute was changed and on which domain controller the change occurred. I was able to run the command on the MIM Sync server using a standard admin account, so it appears it can be run on any member server (and doesn’t require access to a domain controller).
Note: in the example below you need to replace mydcname with the name of a domain controller in your environment and substitute the distinguished name of the object you are interested in.
repadmin /showobjmeta mydcname "CN=John Citizen,OU=Users,DC=MyOrg,DC=local"
The output sample above shows the attributes that have been modified on the account and when the change occurred. (I’ve obscured the full domain controller name for obvious reasons).
Troubleshooting PCNS issues
This command can also be very useful for troubleshooting Password Synchronization issues with PCNS. Running the same command as above and checking which domain controller the unicodePwd attribute was changed on can help confirm whether a password change occurred on a DC where PCNS is installed.
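The PCNS check described above can be scripted. The PowerShell below is an added example, not code from the original post: it parses repadmin /showobjmeta text into objects and reports when and on which DC unicodePwd last changed. The sample output, the DC and site names, the ConvertFrom-ShowObjMeta helper and the $pcnsDcs list are all constructed or hypothetical, and the column layout is assumed to match the usual repadmin table.

```powershell
# Constructed sample of "repadmin /showobjmeta" output (placeholder names and USNs).
$sample = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  81234              Default-First-Site-Name\DC01     81234 2019-03-04 09:15:02    1 objectClass
 912345              Default-First-Site-Name\DC02    455120 2019-08-21 14:02:47    7 unicodePwd
 912346              Default-First-Site-Name\DC02    455121 2019-08-21 14:02:47    7 pwdLastSet
 934001              Default-First-Site-Name\DC01    120877 2019-09-02 11:30:10    3 displayName
'@ -split "`r?`n"

function ConvertFrom-ShowObjMeta {
    # Hypothetical helper: turns the text table into one object per attribute.
    param([string[]]$Lines)
    # Row layout: Loc.USN, Originating DSA, Org.USN, timestamp, version, attribute.
    $row = '^\s*(?<LocUsn>\d+)\s+(?<Dsa>\S.*?)\s+(?<OrgUsn>\d+)\s+' +
           '(?<Time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<Ver>\d+)\s+(?<Attr>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $row) {      # header, separator and blank lines do not match
            [pscustomobject]@{
                Attribute      = $Matches.Attr
                Version        = [int]$Matches.Ver
                OriginatingDsa = $Matches.Dsa
                # The DSA is printed as Site\Server; keep only the server part.
                OriginatingDc  = ($Matches.Dsa -split '\\')[-1]
                ChangedAt      = [datetime]::ParseExact($Matches.Time,
                                     'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
            }
        }
    }
}

# Hypothetical list: DCs where you have confirmed PCNS is installed.
$pcnsDcs = @('DC01')

# For live data, replace $sample with the command from the post:
#   $lines = repadmin /showobjmeta mydcname "CN=John Citizen,OU=Users,DC=MyOrg,DC=local"
ConvertFrom-ShowObjMeta -Lines $sample |
    Where-Object { $_.Attribute -eq 'unicodePwd' } |
    ForEach-Object {
        [pscustomobject]@{
            Attribute     = $_.Attribute
            ChangedAt     = $_.ChangedAt
            Version       = $_.Version
            OriginatingDc = $_.OriginatingDc
            # False means the password was set on a DC that is not in the PCNS list.
            PcnsOnThatDc  = $pcnsDcs -contains $_.OriginatingDc
        }
    }
```

With the constructed sample, the result shows unicodePwd changed on DC02 with PcnsOnThatDc set to False, which is the case where no notification would be expected from PCNS.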