Why? You can find out when an object’s attribute was changed and which domain controller originated that change. If you then audit that DC’s logs, you can also track who made the change.
Here is a very interesting case study from Microsoft documenting such an issue:
How? Use the repadmin command with the following syntax:
repadmin /showobjmeta DCname "Object's DN"
repadmin /showobjmeta ContosoDC01 "CN=Doe, John,OU=User Accounts, DC=Contoso,DC=com"
Note: The command in the example runs against only one DC. If replication has not occurred yet, the information it returns might be outdated. If in doubt, run the command against multiple DCs and compare the attribute version.
Here is an action shot from my home lab:
We can see that the description attribute change for user2.test was replicated from the DC2-2008 controller on 2012-11-19 23:08.
(yes I know domain1.com is the most original domain name ever 🙂 )
p.s. A quick PowerShell script to make the command more user friendly (fills in the object’s DN):
$SAMAcc = Read-Host -Prompt "sAMAccountName"; $objDN = (dsquery * -filter "(sAMAccountName=$SAMAcc)").Trim('"'); repadmin /showobjmeta ContosoDC01 $objDN
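As an added example (not from the original post), the script below extends that one-liner to the note's advice: it queries several DCs for the same attribute, parses the repadmin output and flags differing attribute versions, i.e. a DC that has not received the change yet. It assumes repadmin.exe is on the PATH; the DN and the DC name DC1-2008 are placeholders, while DC2-2008 and the description attribute come from the lab result above.

```powershell
# Added example, not from the original post. Compares repadmin /showobjmeta output for one
# attribute across several DCs; a stale (not-yet-replicated) answer shows as a lower version.
function Parse-ObjMeta {
    param([string[]]$Lines)
    # Data rows of repadmin /showobjmeta look like:
    # Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
    $rx = '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            [pscustomobject]@{
                LocalUsn        = [int64]$Matches[1]
                OriginatingDsa  = $Matches[2]   # site\DC that made the change: audit this DC's log
                OriginatingUsn  = [int64]$Matches[3]
                OriginatingTime = [datetime]::ParseExact($Matches[4], 'yyyy-MM-dd HH:mm:ss', $null)
                Version         = [int]$Matches[5]
                Attribute       = $Matches[6]
            }
        }
    }
}

function Compare-AttributeMeta {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string[]]$DomainControllers
    )
    $rows = foreach ($dc in $DomainControllers) {
        $out  = & repadmin.exe /showobjmeta $dc $ObjectDN 2>&1
        $meta = Parse-ObjMeta -Lines $out | Where-Object { $_.Attribute -eq $Attribute }
        if (-not $meta) { Write-Warning "$dc returned no metadata for '$Attribute'"; continue }
        $meta | Select-Object @{n='QueriedDC';e={$dc}}, Version, OriginatingDsa, OriginatingTime, OriginatingUsn
    }
    $versions = @($rows.Version | Sort-Object -Unique)
    if ($versions.Count -gt 1) {
        Write-Warning "Versions differ across DCs ($($versions -join ', ')): replication has not converged; trust the highest."
    }
    $rows | Sort-Object Version -Descending | Format-Table -AutoSize
}

# Constructed sample rows (mirroring the lab result above) to exercise the parser offline:
$sample = @(
    'Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute',
    '=======                           =============== ========= =============        === =========',
    '  20521    Default-First-Site-Name\DC2-2008     20521 2012-11-19 23:08:41    2 description'
)
Parse-ObjMeta -Lines $sample | Format-Table -AutoSize

# Live use (placeholder DN; DC1-2008 is a placeholder DC name):
# Compare-AttributeMeta -ObjectDN 'CN=user2.test,CN=Users,DC=domain1,DC=com' -Attribute description -DomainControllers 'DC1-2008','DC2-2008'
```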