This snippet shows how to recover metadata about changed attributes and trace each change back to the domain controller where it originated.
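# Audit Active Directory replication metadata with PowerView to see which
# attributes changed and on which domain controller each change originated.
# The listing was collapsed onto a single line, which made the whole script one
# comment and fused cmdlet names with their parameters; the line breaks and
# spaces are restored here so that each command runs on its own.
#
# Scope note: the metadata names the originating DC and the time of the change,
# not the account that made it. To attribute a change to a principal, correlate
# the timestamp with that DC's Security log (for example event 5136, if
# directory service change auditing is enabled).

# import PowerView
# NOTE(review): this loads a script from a relative path; confirm the file is
# the copy you expect before importing it into an administrative session.
Import-Module ..\PowerView.ps1

# find any users who were added and then deleted from any "privileged" groups
# (admincount=1 selects objects that are, or once were, protected by AdminSDHolder)
Get-DomainGroupMemberDeleted -LDAPFilter '(admincount=1)'

# find any user in the forest that may have been subject to "targeted kerberoasting":
# user accounts (samAccountType=805306368) that have no SPN now but still carry
# change history for servicePrincipalName, i.e. an SPN was set and later removed.
# The GC:// search base sends the query to a global catalog.
Get-DomainObjectAttributeHistory -LDAPFilter '(&(samAccountType=805306368)(!(serviceprincipalname=*)))' -Properties servicePrincipalName -SearchBase "GC://$($ENV:USERDNSDOMAIN)"

# find the last time the ACLs on the testObject object were modified in the domain
$testObject = Get-DomainObjectAttributeHistory 'CN=testObject,CN=System,DC=domain,DC=com' |
    Where-Object { $_.AttributeName -eq 'ntsecuritydescriptor' }
$testObject

# map the LastOriginatingDsaDN to a domain controller
# NOTE(review): the DN is placed in the LDAP filter unescaped; a DN containing
# '(', ')', '*' or '\' would need RFC 4515 escaping, and an empty $testObject
# produces an empty filter value. Check $testObject before relying on the result.
Get-DomainObject -LDAPFilter "(serverreference=$($testObject.LastOriginatingDsaDN))" |
    ForEach-Object { Get-DomainObject $_."msdfsr-computerreference" } |
    Select-Object -ExpandProperty dnshostname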