Attributes for AD Users : uSNCreated
The Active Directory attribute uSNCreated stores the local update sequence number (USN) that the respective domain controller assigned when the user object was created in its own database (either by an originating write or by incoming replication). Since each DC keeps its own USN counter, the value of uSNCreated for a user differs on each domain controller - the attribute is not replicated between DCs!
uSNCreated
| LDAP name | uSNCreated |
| Data type | Integer8 (64 bit signed numeric) |
| Multivalue (Array) | No |
| System Flags | 0x13 |
| Search Flags | 0x09 |
| In Global Catalog? | Yes |
| Attribute ID | 1.2.840.113556.1.2.120 |
| AD DB attribute name | USN-Created |
| ADSI datatype | 10 - LargeInteger |
| LDAP syntax | 1.2.840.113556.1.4.906 - Microsoft Large Integer |
| Used in ... | > W2K |
| Schema Info | Microsoft - MSDN |
There is another value which is updated each time the object is changed: uSNChanged.
The value of uSNCreated (like uSNChanged) can only be set by the system - but scripts can read it. Because it is a Large Integer value, the uSNCreated attribute has to be handled in a special way in scripts. These Large Integers are signed numeric values of 8 bytes (64 bit) - for this reason they are often called Integer8 values:
Minimum value: -9223372036854775808 (-2^63) or hex 0x8000000000000000
Maximum value: 9223372036854775807 (2^63 - 1) or hex 0x7FFFFFFFFFFFFFFF
Integer8 values have to be handled as two parts in VB scripts (the HighPart and the LowPart). However, you can combine these parts into one single numeric value as shown in the example (the DN used for binding is an example and has to be replaced):
' Bind to the user object; example DN, replace with a real one
Set user = GetObject("LDAP://CN=Jane Doe,OU=Users,DC=example,DC=com")
' IADsLargeInteger: the 64 bit value arrives as two signed 32 bit halves
Set usnRaw = user.Get("uSNCreated")
usnHigh = usnRaw.HighPart
usnLow = usnRaw.LowPart
' LowPart is signed: a negative value means its top bit is set, so
' carry 1 into the HighPart before combining the two halves
If (usnLow < 0) Then
    usnHigh = usnHigh + 1
End If
usnValue = (usnHigh * (2 ^ 32)) + usnLow
WScript.Echo user.Name
WScript.Echo "USN Created: " & usnValue
An LDAP filter which searches for all objects that were changed after a certain update sequence number could look like this (because USNs are local to each DC, such a filter only makes sense when it is sent to the same domain controller from which the USN was taken):
(uSNChanged>=504031)
The uSNChanged attribute is required for the technical handling of incremental Active Directory replication: with it a domain controller can determine which changes it has to replicate to other DCs. The USN values are numbers which each domain controller increments on every change within its own copy of the AD database. The importance of these values is explained in the following videos:
http://youtu.be/5548E15egWY?hd=1
It becomes obvious that each DC carries its own numbering and, accordingly, its own USN values for all objects and attributes in its database. It is not yet clear, however, how these values are used to identify those attributes that actually need to be replicated. So let's look at the last replication operation of the video again in detail: DC2 has just changed the attributes for password and email address. DC1 will now trigger the replication:
http://youtu.be/milqj3_AQ-Y?hd=1
To illustrate the internal decision making process for incremental replication even further, we add another detail to this scenario: replication has not yet occurred between DC1 and DC2, and DC2 has just changed the attributes for password and email address. In addition, an attribute is now changed on a third DC, and this change is already known to both of our DCs. How does DC2 determine that this change must NOT be sent to DC1 in the next replication? Let's look at another video.
http://youtu.be/LNNQr2hFDaw?hd=1
The current global USN value of a domain controller can be read from its RootDSE entry as the attribute highestCommittedUSN; like uSNChanged it is local to that DC, so a change-tracking cookie taken from one DC must not be used against another (the screenshot was made with the commercial LDAP browser LEX):
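The following Python model is an added example and not code from the original page or from any DC implementation. It goes beyond what the videos show by spelling out the general mechanism: every DC keeps its own USN counter, and a source DC decides what to send by combining the partner's high-watermark (the highest source USN the partner already pulled) with the partner's up-to-dateness vector (per originating DC, the highest originating USN the partner has applied). It replays the scenario above (DC3 changes an attribute known to DC1 and DC2, DC2 then changes password and mail, DC1 pulls from DC2) and shows why the DC3 change is not sent again, why uSNCreated/uSNChanged differ per DC, and why a highestCommittedUSN cookie from DC2 finds nothing on DC1. Real DCs identify the originating DC by its invocationId and replicate object creation as its own change; here DCs are plain names and creation rides along with the first attribute. DC names, start USNs, the DN and all attribute values are constructed.

```python
"""Model of DC-local USNs and the incremental replication decision.

Added example, not code from the original page. Each DomainController keeps
its own USN counter, per-object uSNCreated/uSNChanged, per-attribute
replication metadata, a high-watermark per partner and an up-to-dateness
(UTD) vector. Originating DCs are named by plain strings (real AD: invocationId)
and object creation travels with the first attribute, both simplifications.
DC names, start USNs, the DN and the attribute values are constructed.
"""
from dataclasses import dataclass, field

DN = "CN=jdoe,OU=Users,DC=example,DC=com"   # constructed example DN


@dataclass
class AttrMeta:
    value: str
    version: int     # bumped on every originating write of this attribute
    orig_dc: str     # DC on which the write originated
    orig_usn: int    # USN on the originating DC at the time of the write
    local_usn: int   # USN the DC holding this copy assigned when storing it


@dataclass
class DirObject:
    usn_created: int
    usn_changed: int
    attrs: dict = field(default_factory=dict)   # attribute name -> AttrMeta


class DomainController:
    def __init__(self, name, start_usn):
        self.name = name
        self.usn = start_usn   # local counter, advances on every write, originating or replicated
        self.objects = {}      # DN -> DirObject
        self.utd = {name: 0}   # originating DC -> highest originating USN applied here
        self.hwm = {}          # partner DC -> highest partner USN already pulled from it

    @property
    def highest_committed_usn(self):
        """What RootDSE/highestCommittedUSN reports on this DC."""
        return self.usn

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def create(self, dn, **attrs):
        usn = self._next_usn()
        self.objects[dn] = DirObject(usn, usn, {a: AttrMeta(v, 1, self.name, usn, usn)
                                               for a, v in attrs.items()})
        self.utd[self.name] = usn
        return usn

    def originate_write(self, dn, attr, value):
        usn = self._next_usn()
        obj = self.objects[dn]
        old = obj.attrs.get(attr)
        obj.attrs[attr] = AttrMeta(value, old.version + 1 if old else 1, self.name, usn, usn)
        obj.usn_changed = usn
        self.utd[self.name] = usn
        return usn

    def search_changed_since(self, usn):
        """Equivalent of the LDAP filter (uSNChanged>=usn) issued against THIS DC."""
        return sorted(dn for dn, o in self.objects.items() if o.usn_changed >= usn)

    def get_changes(self, partner_hwm, partner_utd):
        """Source side: objects above the partner's watermark, minus values it already has."""
        changes = []
        for dn, obj in self.objects.items():
            if obj.usn_changed <= partner_hwm:   # partner already pulled everything up to here
                continue
            for attr, m in obj.attrs.items():
                # The partner's UTD vector says it has applied all writes originating on
                # m.orig_dc up to that USN, no matter which DC delivered them.
                if m.orig_usn > partner_utd.get(m.orig_dc, 0):
                    changes.append((dn, attr, m))
        return changes

    def pull_from(self, source):
        """Destination side: fetch changes and store them under new local USNs."""
        changes = source.get_changes(self.hwm.get(source.name, 0), self.utd)
        for dn, attr, m in changes:
            local = self._next_usn()
            obj = self.objects.setdefault(dn, DirObject(local, local))
            obj.attrs[attr] = AttrMeta(m.value, m.version, m.orig_dc, m.orig_usn, local)
            obj.usn_changed = local
        self.hwm[source.name] = source.usn
        for dc, u in source.utd.items():   # after a full cycle we know everything the source knows
            self.utd[dc] = max(self.utd.get(dc, 0), u)
        return [(dn, attr) for dn, attr, _ in changes]


def scenario():
    """DC3 changes one attribute (pulled by DC1 and DC2), DC2 changes password and mail,
    then DC1 pulls from DC2. Only DC2's own two writes travel to DC1."""
    dc1, dc2, dc3 = DomainController("DC1", 1000), DomainController("DC2", 5000), DomainController("DC3", 9000)
    dc1.create(DN, mail="jdoe@example.com", unicodePwd="hash-v1", department="Sales")
    dc2.pull_from(dc1)
    dc3.pull_from(dc1)
    dc3.originate_write(DN, "department", "Finance")
    dc1.pull_from(dc3)
    dc2.pull_from(dc3)
    cookie = dc2.highest_committed_usn   # change-tracking cookie taken from DC2 at this point
    dc2.originate_write(DN, "unicodePwd", "hash-v2")
    dc2.originate_write(DN, "mail", "jane.doe@example.com")
    sent = dc1.pull_from(dc2)            # department is not sent: DC1's UTD vector already covers it
    return {
        "sent_to_dc1": sorted(attr for _, attr in sent),
        "dc2_poll": dc2.search_changed_since(cookie + 1),
        "dc1_poll_with_dc2_cookie": dc1.search_changed_since(cookie + 1),   # cookie is DC-local
        "usn_created": {d.name: d.objects[DN].usn_created for d in (dc1, dc2, dc3)},
        "usn_changed": {d.name: d.objects[DN].usn_changed for d in (dc1, dc2, dc3)},
    }


if __name__ == "__main__":
    for key, val in scenario().items():
        print(f"{key}: {val}")
```

Running it shows the two points the page makes: the same user object carries different uSNCreated and uSNChanged values on DC1, DC2 and DC3, and the department change that originated on DC3 stays out of the DC2 to DC1 cycle even though the object's uSNChanged on DC2 lies above DC1's watermark for DC2. The last two result keys show the filter caveat: a cookie of highestCommittedUSN read from DC2 finds the changed user when queried on DC2 and nothing at all when the same filter is sent to DC1.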