Support AD Replication Metadata as a Backup Change Tracking Source

What is a one sentence summary of your feature request?

Add the ability to leverage Active Directory replication metadata as a supplementary method for tracking attribute changes, to complement the existing ADI Change Tracking.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

NAA currently tracks attribute changes between Active Directory inventory runs (see SA_ADInventory_AttributeChanges table), which works well under normal conditions. However, if the ADI job was never properly configured and/or change tracking was turned off/on, there is a risk of missing critical attribute changes that occurred during those time periods. This gap can have serious implications for security investigations and compliance audits.

AD replication metadata (msDS-ReplAttributeMetaData) stores the LastOriginatingChangeTime, LastOriginatingServer, and version number for every attribute change, and this data replicates to all domain controllers. By incorporating this metadata into NAA’s ADI scan, the product would have a reliable backup mechanism that can catch changes even when the existing change tracking has gaps.

How do you currently solve the challenges you have by not having this feature?

Custom PowerShell scripts leveraging Get-ADReplicationAttributeMetadata.
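
An added example (not part of the original request, and not NAA code) of the kind of script described above: it filters records shaped like Get-ADReplicationAttributeMetadata output down to attributes whose last originating change falls inside a change-tracking gap, and uses the version number to show how many writes happened since a baseline. The function name, its parameters, the baseline table and the sample records are hypothetical.

```powershell
# Added example: function name, parameters and sample records are hypothetical.
function Find-GapAttributeChange {
    [CmdletBinding()]
    param(
        # Records shaped like Get-ADReplicationAttributeMetadata output.
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Metadata,
        [Parameter(Mandatory)] [datetime] $GapStart,
        [Parameter(Mandatory)] [datetime] $GapEnd,
        # Attribute name -> Version recorded at the last good inventory run.
        [hashtable] $BaselineVersion = @{}
    )
    begin {
        # Compare everything in UTC so local/UTC DateTime kinds do not mix.
        $from = $GapStart.ToUniversalTime()
        $to   = $GapEnd.ToUniversalTime()
    }
    process {
        $when = ([datetime]$Metadata.LastOriginatingChangeTime).ToUniversalTime()
        if ($when -lt $from -or $when -gt $to) { return }
        $name = $Metadata.AttributeName
        # Only the latest originating write per attribute is kept; the Version
        # delta shows how many writes occurred, not their values or times.
        $writes = $null
        if ($BaselineVersion.ContainsKey($name)) {
            $writes = $Metadata.Version - $BaselineVersion[$name]
        }
        [pscustomobject]@{
            Attribute           = $name
            LastChangeUtc       = $when
            OriginatingServer   = $Metadata.LastOriginatingChangeDirectoryServerIdentity
            Version             = $Metadata.Version
            WritesSinceBaseline = $writes
        }
    }
}

# Constructed sample records (not real data) so the function runs without a DC.
$sample = @(
    [pscustomobject]@{ AttributeName = 'userAccountControl'; Version = 7
        LastOriginatingChangeTime = [datetime]'2024-03-05T10:15:00Z'
        LastOriginatingChangeDirectoryServerIdentity = 'DC01 (constructed)' }
    [pscustomobject]@{ AttributeName = 'description'; Version = 2
        LastOriginatingChangeTime = [datetime]'2023-11-20T08:00:00Z'
        LastOriginatingChangeDirectoryServerIdentity = 'DC02 (constructed)' }
)
$baseline = @{ userAccountControl = 5; description = 2 }
$sample | Find-GapAttributeChange -GapStart '2024-03-01T00:00:00Z' -GapEnd '2024-03-31T23:59:59Z' -BaselineVersion $baseline
# Live use (ActiveDirectory module; $dn and $dc are placeholders):
# Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -ShowAllLinkedValues | Find-GapAttributeChange ...
```

Because the metadata holds only the most recent originating write per attribute, a version delta greater than one means earlier writes inside the gap cannot be recovered from this source.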