When an Active Directory object is deleted, a small portion of the object remains for a specified period of time so that other domain controllers that are replicating changes will become aware of the deletion. This period of time is referred to as the "tombstone lifetime" and is configurable. This article describes how to view the objects that have been deleted.
To view the deleted objects stored on an Active Directory domain controller:
- Start Ldp.exe, and then click Connect on the Connection menu. Type the server name of a domain controller in the enterprise, verify that the Port setting is set to 389, click to clear the Connectionless check box, and then click OK. After the connection is established, server-specific data is displayed in the right pane.
- On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to click to select the Domain check box), and then click OK. If the binding is successful, you should receive a message similar to "Authenticated as dn:'YourUserID'" in the right pane.
- On the View menu, click Tree. Type the distinguished name (DN) of the domain in the Base DN box. The base DN is the starting point in the Active Directory hierarchy at which searches begin. In the Base DN box, type
replacing <mydomain> and <com> with the appropriate domain name.
This generates a tree view in the left pane beginning with the DN you typed. Double-click the root node of the tree view and in the right pane, locate the data associated with the "wellKnownObjects" attribute. Look for the line associated with the "Deleted Objects" data. For example, this may look like:
- Copy all the data following the second colon but before the third colon. For example:
- On the Browse menu, click Search. In the Base DN box, type
replacing "18E2EA80684F11D2B9AA00C04F79F805" with the value you copied in the previous step.
NOTE: The starting and ending "<" and ">" characters are very important.
- In the Filter box, type:
- Click Options, and then click Controls. In the Object Identifier box, type:
- Clear the Value box, set the Control Type to Server, click to clear the Critical check box, and then click Check in >>. Click OK.
- In the Search Call Type section of the dialog box, click Extended and check the state of the following check boxes:
Attributes Only - cleared
Set "Size Limit:" to a sufficiently large value such that all the deleted objects in the directory can be returned by the query. LDP will return up to the number of objects specified in "Size Limit:", and if there are more objects that cannot be returned, it will log an error. The error returned
in the right-hand pane is:
Chase referrals - cleared
Display Results - selected
Error: Search: Size Limit Exceeded. <4>
If you experience this error, set the "Size Limit:" higher and execute the Search again.
If necessary, modify the timeout value from zero to 60000 milliseconds.
- Click OK to close the Search Options dialog box, click Subtree in the Scope box, and then click Run.
The deleted object(s) should be displayed in Ldp in the right pane. For example, the following sample text would be output if the administrator had deleted the "TestUserAccount" user account:
ldap_search_ext_s(ld, "<WKGUID=18E2EA80684F11D2B9AA00C04F79F805,dc=MyDomain,dc=com>", 2, "(objectclass=*)", attrList, 0, svrCtrls, ClntCtrls, 0, 0 ,&msg)
Result <0>: (null)
Getting 1 entries:
>> Dn: CN=TestUserAccount\
1> canonicalName: MyDomain.com/Deleted Objects/TestUserAccount
1> cn: TestUserAccount
1> distinguishedName: CN=TestUserAccount\
4> objectClass: top; person; organizationalPerson; user;
1> name: TestUserAccount
: You can use the same process for looking for deleted objects in the schema and/or the Active Directory configuration partition.
Article ID: 258310 - Last Review: June 19, 2014 - Revision: 4.0
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server