Random questions on how to search for deleted objects in the Active Directory
This is by no means a complete guide to the viewing and deletion of objects in the "CN=Deleted Objects,DC=domain,DC=com" container, but I have answered a few questions and provided some guidance here. I will update it if I have time. In answering these questions, I set up a repro in which I programmatically created 10000 dummy users in an OU, and then deleted the users thereafter to generate a ton of deleted objects.
The customer has questions related to the section "How to manually undelete objects in a deleted object's container" from:
840001 How to restore deleted user accounts and their group memberships in
https://support.microsoft.com/?id=840001
Customer's main questions (and answers inline):
=====================================
1. "If the object I want to undelete is displayed in the left pane, the process does work. HOWEVER, if the object I want to undelete is not displayed, how do I scroll the left pane down to reach my object?"
Raising MaxPageSize in the LDAP administrative limits (the Default Query Policy, edited from ntdsutil's "LDAP policies" menu) increases the number of objects ldp.exe shows in the tree view, because the tree view enumerates a container's children with a single search whose result the server caps at MaxPageSize (1000 by default). I repro'ed this and found that once the value is raised, more results are displayed. In my case, I set MaxPageSize to 10000. The cost of the larger result set is a slower, but complete, response. Two caveats: the query policy applies to every LDAP client of every DC that uses it, so any caller's search can now make a DC build and return up to that many objects, and the default exists precisely to bound that memory and CPU use; where the client supports it, walking a large result set with the paged-results control (which ldifde and ldp's search options can use) avoids touching the policy at all.
2. "Can I filter the output in the left pane to say only deleted "computer" objects, or "user" objects?"
3. "Why does the Browse > Search > Page option only seem to work on the right pane, not the left pane?"
Answering these both together: There is no way to filter the tree view on the left. The tree view simply enumerates the children of the selected container and does not accept a search filter; that is how ldp.exe was designed. You can, though, run filtered searches (Browse > Search), whose output goes to the right pane (which I think you have been trying). Tombstones are only returned when the connection carries the "Return deleted objects" control (Options > Controls, predefined control with OID 1.2.840.113556.1.4.417), so make sure it is checked in before searching under CN=Deleted Objects. In a case where you specifically want only user or computer objects, the "or" filter is:
(|(objectclass=user)(objectclass=computer))
Use the following doc as a reference on building search filters:
255602 XADM: Browsing and Querying Using the LDP Utility
https://support.microsoft.com/?id=255602
NOTE: unless you set the page size in the search options high, you will need to keep clicking Run to page through the results, which is probably not what you want. On the other hand, if you set the page size too high, like I did in setting it to 10000, ldp may appear to hang indefinitely while the results are generated. It does eventually return them, though.
ALTERNATE SEARCH METHOD:
Ldifde is a command-line tool, included in the OS, that exports directory objects to an LDIF text file and imports them. I constructed the following command to query for user objects in the Deleted Objects container. With the -l switch I limited the attributes returned per object to just the DN, like the tree view in ldp, so the result is a quick text-file list of every user object in the container. The -x switch is what makes ldifde include deleted objects; without it the search under CN=Deleted Objects returns nothing. As of now, I cannot seem to get AND'ing or OR'ing to work with the filter switch, but you could do a separate ldifde search for computers.
ldifde -f output.txt -s <dc name> -d "cn=deleted objects,dc=domain,dc=com" -r (objectclass=user) -p subtree -x -l DN
4. What is the lifespan of objects in the Deleted Objects container? How long are they kept for? 120 days?
When an object is deleted from AD, most of its attributes are stripped, isDeleted is set to TRUE, and the remaining tombstone is moved to the Deleted Objects container. It stays there for the tombstone lifetime: 60 days by default in forests created with Windows 2000 or Windows Server 2003, and 180 days in forests whose first domain controller was installed with Windows Server 2003 SP1 or later. Once the lifetime has passed, the next garbage-collection pass (every 12 hours by default) permanently removes the tombstone from the directory. The same value bounds how old a system-state backup can be and still be restored, which is the subject of the reference below. The tombstone lifetime can be changed manually by editing the tombstoneLifetime attribute on the enterprise-wide DS config object; when the attribute is not set, the default applies. The path for this attribute is:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
Use Adsiedit or LDP to set the tombstoneLifetime attribute to a specific number of days.
Reference:
216993 Useful shelf life of a system-state backup of Active Directory
https://support.microsoft.com/?id=216993
5. Can I search by a date range to show me deleted objects for the past 7 days?
To do this we need an attribute on the tombstone that tells us when it was deleted, and the best candidate is whenChanged: the deletion is the last write to the object, so whenChanged carries the deletion time. One caveat: whenChanged is not replicated; each DC stamps it with its own clock when it applies the change, so on a given DC it records when that DC processed the deletion, which is close to, but not identical to, the moment of deletion. How to utilize it in a productive manner, though?
- LDAP filters have no relative-time operator and no strict greater-than or less-than, only >= and <=. We therefore can't search on "anything less than 7 days old" directly, but we can compute the absolute timestamp for seven days ago and search for whenChanged values at or above it.
- A standard whenChanged value looks like this: 20051201001517.0Z. The trailing Z marks it as UTC; the .0Z is not needed for our comparison, so remove it when searching.
- It is kept in UTC (GMT), so a local time must be converted before it goes into the filter.
- Broken down, 20051201001517 equals 2005 (year) 12 (month) 01 (day) 00 (hour) 15 (minutes) 17 (seconds).
So if I wanted to find any objects that were deleted in the last 7 days as of 6PM PST today (Nov 30, 2005), I would use a whenChanged value for Nov 23rd, 6PM PST (20051124020000) in a search filter in ldp like this:
(&(|(objectclass=user)(objectclass=computer))(whenchanged>=20051124020000))
I used greater-than-or-equal-to Nov 23rd at 6PM, which will give me all objects deleted between that date and the present time.
NOTE: This search works in LDP to output data in the right pane. BUT, I cannot seem to get ldifde to recognize the filter yet using and/or. I will research this further.
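As an added example that is not part of the original post, the following Python script builds the filters discussed in questions 2, 3 and 5 and performs the local-time-to-UTC conversion for the date-range search, so the whenChanged bound is computed rather than worked out by hand. The server name dc1 and the naming context DC=domain,DC=com are placeholders; the (isDeleted=TRUE) clause and the quoting of the ldifde filter (cmd.exe treats | and & as pipe and command separators, so a filter containing them must be double-quoted on the command line) go beyond what the post itself shows.

```python
"""Build LDAP filters for searching tombstones in CN=Deleted Objects.

Added example, not code from the original post. The server name and
naming context used at the bottom are hypothetical placeholders.
"""
from datetime import datetime, timedelta, timezone

# whenChanged is a GeneralizedTime such as 20051201001517.0Z, held in UTC.
# The filters below compare on the 14-digit part and drop the ".0Z".
GENERALIZED_TIME = "%Y%m%d%H%M%S"

# Scenario from the post: "6PM PST today (Nov 30, 2005)", PST being UTC-8.
EXAMPLE_NOW = datetime(2005, 11, 30, 18, 0, tzinfo=timezone(timedelta(hours=-8)))


def to_generalized_time(moment):
    """Render a timezone-aware datetime as a 14-digit UTC whenChanged value."""
    if moment.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; AD stores whenChanged in UTC")
    return moment.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def parse_when_changed(value):
    """Turn a raw whenChanged value ('20051201001517.0Z') into a UTC datetime."""
    digits = value.split(".", 1)[0]
    return datetime.strptime(digits, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def class_filter(classes):
    """OR together one (objectClass=...) term per class; a single class needs no OR."""
    terms = "".join(f"(objectClass={c})" for c in classes)
    return terms if len(classes) == 1 else f"(|{terms})"


def deleted_since_filter(now, days, classes=("user", "computer")):
    """Filter for tombstones of the given classes changed within the last `days` days.

    LDAP offers only >= and <=, so "in the last 7 days" becomes "whenChanged at
    or above the UTC timestamp of 7 days ago". (isDeleted=TRUE) is set on every
    tombstone and keeps live objects out even if the search base is widened.
    """
    since = to_generalized_time(now - timedelta(days=days))
    return f"(&(isDeleted=TRUE){class_filter(classes)}(whenChanged>={since}))"


def ldifde_command(server, base, ldap_filter, out="output.txt"):
    """Assemble the ldifde export line from the post for an arbitrary filter.

    The filter is double-quoted because cmd.exe treats '|' and '&' as pipe and
    command separators; -x adds the 'return deleted objects' control, without
    which a search under CN=Deleted Objects returns nothing.
    """
    return (f'ldifde -f {out} -s {server} -d "{base}" -r "{ldap_filter}" '
            "-p subtree -x -l DN")


if __name__ == "__main__":
    base = "CN=Deleted Objects,DC=domain,DC=com"  # hypothetical forest
    print(deleted_since_filter(EXAMPLE_NOW, 7))
    print(parse_when_changed("20051201001517.0Z").isoformat())
    print(ldifde_command("dc1", base, deleted_since_filter(EXAMPLE_NOW, 7)))
```

Run as-is to see the filter for the post's scenario, which comes out with the same whenChanged bound the post derives by hand; swap EXAMPLE_NOW for datetime.now(timezone.utc) to get a bound for today. The resulting filter can be pasted into ldp's search dialog (with the "Return deleted objects" control checked in) or passed to ldifde as the script prints it.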