whenchanged & whencreated fields blank???

Discussion:

(too old to reply)

Hugh O'Donnell

2007-05-07 17:01:37 UTC

I've created a c# asp.net page that is basically a phone list for internal
use. I would like to indicate when someone is a new account or when they
have changed their contact information.

I am currently looking at the whenchanged & whencreated fields, but they
are only populated on Contact accounts and a few User accounts, but I can't
see a pattern.

Basically, can you please tell me if these are the correct fields to be
looking at? If so, why are they not correctly filled out? I've exhausted
my Google searches... so this is my last hope.

FYI: Server is SBS 2003 running Exchange 2003 SP 2.

Thanks,

Hugh O'Donnell

Paul Williams [MVP]

2007-05-08 08:52:10 UTC

Permalink

whenChanged isn't replicated. So that's why there'll be inconsistent
results on different objects. Although there should be a value there.
Basically, whenChanged is updated locally when you make the originating
write, and again on every DC when the replicated write occurs. So it should
be on each DC, but can be up to several hours out in a disparate
environment.

whenCreated is replicated, so that should be fine.

Note the type of the values. They're not the 100 nano-second intervals
since 1601 like lastLogon and the like, they're String (Generalised Time)
values:
-- http://msdn2.microsoft.com/en-us/library/ms684436.aspx

So they look like:

dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=msresource,DC=net

whenCreated: 16301021162108.0Z
whenChanged: 20020211112005.0Z

They apply to all objects too, not just derivitives of person.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hugh O'Donnell

2007-05-08 13:24:52 UTC

Permalink

Paul,

Thank you for the response. However, this is not the results I am seeing.
I'm on the one-and-only DC, which is where all the changes are being made
using Active Directory Users and Computers.

I'm also looking at the value as its raw type - string.

I'm really confused. It just seems they aren't being written to when the
objects are created or changed.

Any more ideas?

Thanks,

Hugh

Doldrums

2007-05-08 14:11:58 UTC

Permalink

I have found out (after using ldifde) that the values are there. Then, I
did some more testing at it seems if I set my UserName & Password on my
ActiveDirectory connection, then the values are populated.

I guess some fields just aren't visible by all domain users. :(

Paul, thanks for the time spent trying to help me.

Hugh

Paul Williams [MVP]

2007-05-08 17:29:50 UTC

Permalink

Hi Hugh,

That's an interesting issue. Querying my company's AD, as a user as I work
in solutions not internal IT, I'm able to read the whenCreated and
whenChanged attributes of all objects.

There's too many objects to look at so I limited my query to any people
who's logon name is williams*, like so:

adfind -default -f samaccountname=williams* whenChanged whenCreated

If you use ADFIND are you still seeing spurious results? Let's try and rule
some layers out here. ADFIND is only using wldap32 so, is nice and low
level.

If you're having issues viewing these attributes, you have non standard
permissions in place. We can probably sort that, but it'll be involved...

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Joe Richards [MVP]

2007-05-08 20:17:09 UTC

Permalink

Probably means he isn't in the pre-W2K group and someone went through
and cleaned up the auth users read prop perms on some objects.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Post by Paul Williams [MVP]
Hi Hugh,
That's an interesting issue. Querying my company's AD, as a user as I work
in solutions not internal IT, I'm able to read the whenCreated and
whenChanged attributes of all objects.
There's too many objects to look at so I limited my query to any people
adfind -default -f samaccountname=williams* whenChanged whenCreated
If you use ADFIND are you still seeing spurious results? Let's try and rule
some layers out here. ADFIND is only using wldap32 so, is nice and low
level.
If you're having issues viewing these attributes, you have non standard
permissions in place. We can probably sort that, but it'll be involved...