Viewing deleted objects in Active Directory

Article ID: 258310 - View products that this article applies to.
This article was previously published under Q258310
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)
is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
(http://support.microsoft.com/lifecycle/)
.
Expand all | Collapse all

SUMMARY

When an Active Directory object is deleted, a small portion of the object remains for a specified period of time so that other domain controllers that are replicating changes will become aware of the deletion. This period of time is referred to as the "tombstone lifetime" and is configurable. This article describes how to view the objects that have been deleted.

MORE INFORMATION

To view the deleted objects stored on an Active Directory domain controller:
  1. Start Ldp.exe, and then click Connect on the Connection menu. Type the server name of a domain controller in the enterprise, verify that the Port setting is set to 389, click to clear the Connectionless check box, and then click OK. After the connection is established, server-specific data is displayed in the right pane.
  2. On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to click to select the Domain check box), and then click OK. If the binding is successful, you should receive a message similar to "Authenticated as dn:'YourUserID'" in the right pane.
  3. On the View menu, click Tree. Type the distinguished name (DN) of the domain in the Base DN box. The base DN is the starting point in the Active Directory hierarchy at which searches begin. In the Base DN box, type
    dc=<mydomain>,dc=<com>
    replacing <mydomain> and <com> with the appropriate domain name.

    This generates a tree view in the left pane beginning with the DN you typed. Double-click the root node of the tree view and in the right pane, locate the data associated with the "wellKnownObjects" attribute. Look for the line associated with the "Deleted Objects" data. For example, this may look like:
    B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
    Objects,DC=YOURDOMAIN,DC=COM
  4. Copy all the data following the second colon but before the third colon. For example:
    18E2EA80684F11D2B9AA00C04F79F805
  5. On the Browse menu, click Search. In the Base DN box, type
    <WKGUID=18E2EA80684F11D2B9AA00C04F79F805,DC=YOURDOMAIN,DC=COM>
    replacing "18E2EA80684F11D2B9AA00C04F79F805" with the value you copied in the previous step.

    NOTE: The starting and ending "<" and ">" characters are very important.

  6. In the Filter box, type:
    (objectClass=*)
  7. Click Options, and then click Controls. In the Object Identifier box, type:
    1.2.840.113556.1.4.417
  8. Clear the Value box, set the Control Type to Server, click to clear the Critical check box, and then click Check in >>. Click OK.
  9. In the Search Call Type section of the dialog box, click Extended and check the state of the following check boxes:
    Attributes Only - cleared
    Chase referrals - cleared
    Display Results - selected
    Set "Size Limit:" to a sufficiently large value such that all the deleted objects in the directory can be returned by the query. LDP will return up to the number of objects specified in "Size Limit:", and if there are more objects that cannot be returned, it will log an error. The error returned in the right-hand pane is:
    Error: Search: Size Limit Exceeded. <4>
    If you experience this error, set the "Size Limit:" higher and execute the Search again.

    If necessary, modify the timeout value from zero to 60000 milliseconds.
  10. Click OK to close the Search Options dialog box, click Subtree in the Scope box, and then click Run.
The deleted object(s) should be displayed in Ldp in the right pane. For example, the following sample text would be output if the administrator had deleted the "TestUserAccount" user account: 
***Searching...
ldap_search_ext_s(ld, "<WKGUID=18E2EA80684F11D2B9AA00C04F79F805,dc=MyDomain,dc=com>", 2, "(objectclass=*)", attrList,  0, svrCtrls, ClntCtrls, 0, 0 ,&msg)
Result <0>: (null)
Matched DNs: 
Getting 1 entries:
>> Dn: CN=TestUserAccount\
DEL:58db189b-1eda-4b1a-b66c-cd9ddce1b3eb,CN=Deleted Objects,DC=MyDomain,DC=com
	1> canonicalName: MyDomain.com/Deleted Objects/TestUserAccount
DEL:58db189b-1eda-4b1a-b66c-cd9ddce1b3eb; 
	1> cn: TestUserAccount
DEL:58db189b-1eda-4b1a-b66c-cd9ddce1b3eb; 
	1> distinguishedName: CN=TestUserAccount\
DEL:58db189b-1eda-4b1a-b66c-cd9ddce1b3eb,CN=Deleted Objects,DC=MyDomain,DC=com; 
	4> objectClass: top; person; organizationalPerson; user; 
	1> name: TestUserAccount
DEL:58db189b-1eda-4b1a-b66c-cd9ddce1b3eb;
NOTE: You can use the same process for looking for deleted objects in the schema and/or the Active Directory configuration partition.

Properties

Article ID: 258310 - Last Review: March 1, 2007 - Revision: 3.5
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbenv kbinfo KB258310
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top