This post describes a command-line method of checking the schema to see whether an attribute is replicated in Active Directory, useful for determining whether any DC is authoritative for a particular attribute, or if you'll get different results for each DC.
This queries the attribute definition in the schema of the root domain in a directory to check the System-Flags attribute and see whether the first bit is set. The first bit of the systemFlags attribute is set to 1 if the attribute is NOT replicated.
- dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain -scope base -attr *
- dsquery * cn=pwd-last-set,cn=schema,cn=configuration,DC=forestRootDomain -filter "(!(&(systemFlags:1.2.840.113556.1.4.803:=1)))"
- dsquery * cn=last-logon,cn=schema,cn=configuration,DC=forestRootDomain -filter "(!(&(systemFlags:1.2.840.113556.1.4.803:=1)))"
- dsquery * cn=last-logon-timestamp,cn=schema,cn=configuration,DC=forestRootDomain -filter "(!(&(systemFlags:1.2.840.113556.1.4.803:=1)))"
- The first query returns the attributes of the schema entry for the password last set attribute. Note that systemFlags is 16.
- The second query performs a bitwise AND of the systemFlags attribute value with 1 and then negates the result with a NOT operation. This returns a valid match because the pwd-last-set systemFlags value is 16 (10 in hex), so the first bit is not set, meaning the attribute is replicated.
- The third query returns nothing because the last-logon attribute is not replicated: the systemFlags value is 17, so the first bit is set and we're negating that result.
- The fourth query, run against a 2003 DC, checks the new replicated last logon timestamp, a property new to 2003 that allows easy tracking of when a user logged on, regardless of their authenticating DC.
To show all replicated attributes in the AD Schema (remove the '!' to show all attributes that aren't replicated):
dsquery * cn=schema,cn=configuration,DC=forestRootDomain -filter "(&(objectClass=attributeSchema)(objectCategory=attributeSchema)(!(systemFlags:1.2.840.113556.1.4.803:=1)))" -limit 0
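The following Python sketch is an added example, not part of the original post. It reproduces the bit test the filters above perform and goes one step further by showing why the result matters when reading an attribute from several DCs. The DC names, the timestamp values and the rule of taking the latest value for a non-replicated timestamp are assumptions made for this example.

```python
from typing import NamedTuple

NOT_REPLICATED = 0x1  # first bit of systemFlags, as described in the post

def bit_and_match(attr_value: int, operand: int) -> bool:
    """LDAP bitwise-AND matching rule: true only when every bit set in
    the operand is also set in the attribute value."""
    return attr_value & operand == operand

def is_replicated(system_flags: int) -> bool:
    """Same test as the post's negated filter: match when the first bit is clear."""
    return not bit_and_match(system_flags, NOT_REPLICATED)

# systemFlags values quoted in the post for the two schema entries.
SCHEMA_FLAGS = {"pwd-last-set": 16, "last-logon": 17}

# Constructed readings for one account (DC names and values are made up).
READINGS = {
    "dc01": {"pwd-last-set": 128500000000000000, "last-logon": 128600000000000000},
    "dc02": {"pwd-last-set": 128500000000000000, "last-logon": 128650000000000000},
    "dc03": {"pwd-last-set": 128500000000000000, "last-logon": 0},
}

class Result(NamedTuple):
    value: int
    source: str           # DC that supplied the value, or "any DC"
    must_query_all: bool  # True when no single DC is authoritative

def effective_value(attr, flags=SCHEMA_FLAGS, readings=READINGS) -> Result:
    values = {dc: attrs[attr] for dc, attrs in readings.items()}
    if is_replicated(flags[attr]):
        distinct = set(values.values())
        if len(distinct) != 1:
            # Assumption of this example: treat disagreement as an error.
            raise ValueError(f"{attr}: replicated but DCs disagree")
        return Result(distinct.pop(), "any DC", False)
    # Not replicated: each DC only records what it saw, so take the latest.
    dc = max(values, key=values.get)
    return Result(values[dc], dc, True)

if __name__ == "__main__":
    for name in SCHEMA_FLAGS:
        print(name, effective_value(name))
```
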
User Security Attributes:
How to query Active Directory by using a bitwise filter:
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.