When our users are changing their password in AD LDS, via a custom C# app, we also allow them to update their email address. Is there a way to detect the date/time of when the email address was updated? Or will we just have to use the LastPasswordSet value? We need to compare it with the email in our AS/400 and sync them based on which address is most recent.
- There is also an attribute `whenChanged`; have you looked into that? – Mayur Oct 05 '18 at 20:09
- You can also use the event log: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=642 – Mayur Oct 05 '18 at 20:12
2 Answers
The attribute metadata will tell you when the attribute was changed (https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.attributemetadata?redirectedfrom=MSDN&view=netframework-4.7.2).
I don't know of any way to filter on metadata, but I routinely filter on the whenChanged timestamp (or password updated timestamp in your case) to get a set of potential changes and filter out irrelevant objects using metadata for the attribute I'm tracking.
// Grab all accounts updated since last batch cycle
// For each user, check LastOriginatingChangeTime of interesting attribute
// If LastOriginatingChangeTime >= last cycle, check value in target system
// If value in target system != value in AD, update target system with value from AD

LisaJ
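The batch loop sketched in the answer, written out in C# as an added example (it is not code from the post, nor Microsoft's). It reads the per-attribute replication metadata through the constructed LDAP attribute `msDS-ReplAttributeMetaData` instead of the `AttributeMetadata` class the answer links; both expose the same originating change time for the `mail` attribute. The LDAP path and port, the one-hour watermark and the `TargetMailChangedUtc` lookup into the AS/400 are assumptions and placeholders, not anything the question specifies.

```csharp
// Added example, not code from the original post. Assumes an AD LDS instance at
// adlds.example.local:389 with a CN=Users container (placeholders) and a
// hypothetical AS/400 lookup, TargetMailChangedUtc, that you would implement.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Globalization;
using System.Xml.Linq;

static class MailChangeSync
{
    // LDAP generalized-time literal for a filter, e.g. 20181005200900.0Z
    static string ToGeneralizedTime(DateTime utc) =>
        utc.ToUniversalTime().ToString("yyyyMMddHHmmss", CultureInfo.InvariantCulture) + ".0Z";

    // msDS-ReplAttributeMetaData is multi-valued: one <DS_REPL_ATTR_META_DATA>
    // XML fragment per attribute that has ever been written on the object.
    // Returns the originating change time of the named attribute (UTC), or
    // null if that attribute has never been set on this object.
    public static DateTime? LastOriginatingChange(IEnumerable<string> metadataXml, string attributeName)
    {
        foreach (string fragment in metadataXml)
        {
            XElement entry = XElement.Parse(fragment);
            string name = (string)entry.Element("pszAttributeName");
            if (!string.Equals(name, attributeName, StringComparison.OrdinalIgnoreCase))
                continue;
            string stamp = (string)entry.Element("ftimeLastOriginatingChange"); // e.g. 2018-10-05T20:09:11Z
            return DateTime.Parse(stamp, CultureInfo.InvariantCulture,
                                  DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
        }
        return null;
    }

    // Sync direction: the side with the newer change wins; "never set" loses.
    // Both stamps must already be UTC.
    public static bool AdLdsWins(DateTime? adChangedUtc, DateTime? targetChangedUtc)
    {
        if (adChangedUtc == null) return false;
        if (targetChangedUtc == null) return true;
        return adChangedUtc.Value > targetChangedUtc.Value;
    }

    // Hypothetical: when the AS/400 last changed this user's address (UTC).
    static DateTime? TargetMailChangedUtc(string distinguishedName) => null;

    public static void Main()
    {
        string ldapPath = "LDAP://adlds.example.local:389/CN=Users,DC=example,DC=local";
        DateTime lastCycleUtc = DateTime.UtcNow.AddHours(-1); // watermark from the previous batch

        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            // Step 1: coarse filter on whenChanged. Any attribute write moves it,
            // so this only narrows the candidate set.
            searcher.Filter = "(&(objectClass=user)(whenChanged>=" + ToGeneralizedTime(lastCycleUtc) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("mail");
            searcher.PropertiesToLoad.Add("msDS-ReplAttributeMetaData"); // constructed: must be requested
            searcher.PageSize = 500;

            foreach (SearchResult result in searcher.FindAll())
            {
                var metadata = new List<string>();
                foreach (object value in result.Properties["msDS-ReplAttributeMetaData"])
                    metadata.Add(value.ToString());

                // Step 2: precise per-attribute time; skip users whose whenChanged
                // moved for another reason (password reset, group change, ...).
                DateTime? mailChanged = LastOriginatingChange(metadata, "mail");
                if (mailChanged == null || mailChanged.Value < lastCycleUtc)
                    continue;

                string dn = (string)result.Properties["distinguishedName"][0];
                string adMail = result.Properties["mail"].Count > 0
                    ? (string)result.Properties["mail"][0]
                    : null; // mail was cleared; the metadata still records that write

                // Step 3: newer side wins; only then touch the target system.
                if (AdLdsWins(mailChanged, TargetMailChangedUtc(dn)))
                    Console.WriteLine($"{dn}: push '{adMail}' (changed {mailChanged.Value:u}) to target");
                else
                    Console.WriteLine($"{dn}: target system is newer, pull instead");
            }
        }
    }
}
```

Two caveats when comparing these stamps with the AS/400's. `whenChanged` is local to the instance you query and is not replicated, so run the batch against the same AD LDS instance each cycle; `ftimeLastOriginatingChange` comes from the clock of the instance that accepted the write. Both sides must be in UTC before `AdLdsWins` is called, and if the two systems' clocks are not tightly synchronized a change made seconds apart on each side can be resolved the wrong way, so log both timestamps rather than silently overwriting.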