Find date/time of last update to email address in Active Directory


When our users are changing their password in AD LDS, via a custom C# app, we also allow them to update their email address. Is there a way to detect the date/time of when the email address was updated? Or will we just have to use the LastPasswordSet value? We need to compare it with the email in our AS/400 and sync them based on which address is most recent.


There are 2 answers

Mayur

You can get all history about account changes by watching Windows Security Log Event ID 642 on the Active Directory Windows server.

LisaJ

The attribute metadata will tell you when the attribute was changed (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.attributemetadata?redirectedfrom=MSDN&view=netframework-4.7.2).

I don't know of any way to filter on metadata, but I routinely filter on the whenChanged timestamp (or password updated timestamp in your case) to get a set of potential changes and filter out irrelevant objects using metadata for the attribute I'm tracking.

// Grab all accounts updated since last batch cycle
// For each user, check LastOriginatingChangeTime of interesting attribute
// If LastOriginatingChangeTime >= last cycle, check value in target system
// If value in target system != value in AD, update target system with value from AD
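The outline above, as an added C# example (it is not code from the question or from the answer): it binds to an AD LDS instance through System.DirectoryServices.ActiveDirectory, pulls the users whose whenChanged is at or after the previous cycle, reads the per-attribute replication metadata for mail with GetReplicationMetadata, and only for objects where mail itself originated a change compares the two sides and lets the more recent value win. The host ldap-host:50000, the users partition DN and the ITargetSystem interface standing in for the AS/400 side are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Hypothetical abstraction over the AS/400 side; implement against your own system.
public interface ITargetSystem
{
    string GetMail(string userId);             // current address on the target, or null
    DateTime GetMailChangedUtc(string userId); // when the target-side address last changed (UTC)
    void SetMail(string userId, string mail);
}

public static class MailSync
{
    // Assumed AD LDS instance (host:port) and users partition.
    const string Host = "ldap-host:50000";
    const string UsersDn = "CN=Users,DC=example,DC=local";

    // Pure decision: +1 push AD -> target, -1 push target -> AD, 0 nothing to do.
    // Equal addresses (case-insensitive) never trigger a write in either direction.
    public static int Decide(string adMail, DateTime adChangedUtc,
                             string targetMail, DateTime targetChangedUtc)
    {
        if (string.Equals(adMail ?? "", targetMail ?? "", StringComparison.OrdinalIgnoreCase))
            return 0;
        return adChangedUtc >= targetChangedUtc ? 1 : -1;
    }

    public static void Run(DateTime lastCycleUtc, ITargetSystem target)
    {
        // Credentials of the calling process are used; pass user/password to the
        // DirectoryContext constructor if the sync runs under a dedicated account.
        var ctx = new DirectoryContext(DirectoryContextType.DirectoryServer, Host);
        AdamInstance adam = AdamInstance.GetAdamInstance(ctx);

        // whenChanged is LDAP generalized time, e.g. 20190410142205.0Z (UTC).
        string since = lastCycleUtc.ToString("yyyyMMddHHmmss") + ".0Z";

        using (var root = new DirectoryEntry("LDAP://" + Host + "/" + UsersDn))
        using (var searcher = new DirectorySearcher(root,
            "(&(objectClass=user)(whenChanged>=" + since + "))",
            new[] { "distinguishedName", "userPrincipalName", "mail" }))
        {
            searcher.PageSize = 500; // paged results, so large partitions do not hit the size limit
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string dn = (string)r.Properties["distinguishedName"][0];
                    string userId = (string)r.Properties["userPrincipalName"][0];
                    string adMail = r.Properties.Contains("mail") ? (string)r.Properties["mail"][0] : null;

                    // whenChanged moves for any attribute write (a password change included), so
                    // ask the replication metadata whether "mail" itself originated a change.
                    ActiveDirectoryReplicationMetadata md = adam.GetReplicationMetadata(dn);
                    if (!md.AttributeNames.Contains("mail"))
                        continue; // mail has never been set on this object
                    AttributeMetadata mailMd = md["mail"];

                    // Normalise to UTC before comparing; ToUniversalTime is a no-op if the
                    // value already has Kind == Utc.
                    DateTime adChangedUtc = mailMd.LastOriginatingChangeTime.ToUniversalTime();
                    if (adChangedUtc < lastCycleUtc)
                        continue; // something else changed (e.g. the password), not the address

                    string targetMail = target.GetMail(userId);
                    int verdict = Decide(adMail, adChangedUtc, targetMail, target.GetMailChangedUtc(userId));
                    if (verdict == 1)
                    {
                        target.SetMail(userId, adMail);
                    }
                    else if (verdict == -1)
                    {
                        using (DirectoryEntry user = r.GetDirectoryEntry())
                        {
                            user.Properties["mail"].Value = targetMail;
                            user.CommitChanges();
                        }
                    }
                }
            }
        }
    }
}
```

Two caveats worth keeping in mind with this approach. LastOriginatingChangeTime is stamped by the directory server that accepted the write, so the comparison is only as good as clock agreement between that server and whatever records the AS/400-side timestamp; if you cannot trust the clocks, persist mailMd.Version (the per-attribute change counter) from the previous cycle and treat a higher version as "changed" instead of comparing times. And because the password reset and the address update come through the same custom app, they may land in the same second; the metadata still separates them, which is exactly why it is preferable to LastPasswordSet here.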