Searching for Deleted Objects
Problem
You want to search
for deleted objects.
Solution
Using a graphical user interface
Open LDP from the Windows Support Tools. From the menu, select Connection  Connect. For Server, enter the name of a domain controller you want to target (or leave blank to do a serverless bind). From the menu, select Connection Connect. Enter credentials of a user that is an administrator for the domain. From the menu, select Options Controls. For Windows Server 2003, select the Return
Deleted Objects control under Load Predefined. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click the Check In button. From the menu, select Browse Search. For BaseDN, enter: cn=
Deleted Objects,<DomainDN>. For Scope, select One Level. For Filter, enter: (isDeleted=TRUE). Click the Options button. Under Search Call Type, select Extended.
Using a command-line interface
To view all of the deleted objects in the current domain, use the following syntax:
> adfind -default -rb "cn=Deleted Objects" -showdel
Using VBScript
It is currently not possible to search for deleted objects with ADSI or ADO.
Discussion
When an object is deleted in Active Directory, it is not completely deleted. The original object is renamed, most of its attributes are cleared, and it is moved to the Deleted Objects container within the naming context that it was deleted from. See the "Introduction" in this chapter for more on tombstone objects.
Both the Deleted Objects container and tombstone objects themselves are hidden by default in tools such as ADUC and ADSI Edit. To query tombstone objects, you need to enable the
Return Deleted Objects LDAP control, which has an OID of 1.2.840. 113556.1.4.417. When that control is enabled, you can perform searches for tombstone objects by specifying a search filter that contains (isDeleted=TRUE) in it. Only members of the administrator groups can perform searches for tombstone objects.
See Also
MSDN: Retrieving Deleted Objects
 |
