This snippet showcases how to recover metadata about changed attributes and trace the changes back to the domain controller that initiated the changes.
# import PowerView
Import-Module ..\PowerView.ps1
# find any users who were added and then deleted from any "privileged" groups
Get-DomainGroupMemberDeleted -LDAPFilter '(admincount=1)'
# find any user in the forest that may have been a subject to "targeted kerberoasting"
Get-DomainObjectAttributeHistory -LDAPFilter '(&(samAccountType=805306368)(!(serviceprincipalname=*)))' -Properties servicePrincipalName -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
# find the last time the ACLs on the testObject object were modified in the domain
$testObject = Get-DomainObjectAttributeHistory 'CN=testObject,CN=System,DC=domain,DC=com' | ? {$_.AttributeName -eq 'ntsecuritydescriptor'}
$testObject
# map the LastOriginatingDsaDN to a domain controller
Get-DomainObject -LDAPFilter "(serverreference=$($testObject.LastOriginatingDsaDN))" | %{ Get-DomainObject $_."msdfsr-computerreference" } | Select -Expand dnshostname