LDAP filter : getting only users updated since given date

I have trouble setting up an Active Directory filter to synchronize a MySQL database containing all my users. And I can not create a filter that only retrieves users with an update date greater than a given date.

I tried using uSNChanged attribute on my filter but it returns me 0 result.

Any suggestion is welcome thanks to all

Answer

You would search by the whenChanged attribute. Something like this:

(&(whenChanged>=20180425150000.0-0400)(objectClass=user)(objectCategory=person))

The format is pretty straight forward:

{year}{month}{date}{hour}{minute}{seconds}.{milliseconds}-{timezone}

For example, in my example above I used today’s date at 3:00pm eastern.

There are a couple caveats to keep in mind:

  1. The whenChanged attribute is not exactly the same on every domain controller, but they will be close (within a half hour). The reason is because of replication – the time is set to the time each DC received the change.
  2. When a user logs in, the lastLogon time is updated, and that triggers the whenChanged attribute to be updated. So just because whenChanged changes, it doesn’t mean someone modified the account. This also means that this search will return more accounts than you may expect.