Change Active Directory TombStone Behavior


Hello,

By default, without the Active Directory Recycle Bin introduced with Windows Server 2008 R2, a deleted object becomes a tombstone: it is moved to the hidden Deleted Objects container, which holds all deleted objects of the current domain.

When an object is tombstoned, only a very small subset of its attributes is preserved. First, let's create a user with a lot of attributes set:

[Screenshot: Change Active Directory TombStone Behavior – Full Object]

Now, it’s time to delete it, and then check the deleted object. To explore the deleted object, you can use PowerShell, or you can use ADExplorer from SysInternals.

Get-ADObject -SearchBase "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)" -Filter {ObjectClass -eq 'user'} -IncludeDeletedObjects -Properties *
[Screenshot: Change Active Directory TombStone Behavior – Full Object Deleted]

As you can see, only a few attributes survived the deletion.

Change Active Directory TombStone Behavior

This behavior can be changed: set the searchFlags value in the schema for each attribute that should survive deletion. Here is an example for the job title (the Title attribute):

Set-ADObject -Identity 'CN=Title,CN=Schema,CN=Configuration,DC=D2K16,DC=itfordummies,DC=net' -Replace @{SearchFlags=8}

Now, let's create a new user with a job title set, and confirm that the title is populated:

Get-ADUser -Identity JobTitle.WillSurvive -Properties title | Select-Object -Property Name,Title
[Screenshot: Change Active Directory TombStone Behavior – New Object with JobTitle]

And delete it, then check which attributes are preserved in tombstone:

Get-ADObject -SearchBase "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)" -Filter {ObjectClass -eq 'user' -and Name -like 'JobTitle WillSurvive*'} -IncludeDeletedObjects -Properties *
[Screenshot: Change Active Directory TombStone Behavior – New Object with JobTitle Tombstoned]

And there it is, you can see that the “title” attribute is preserved, so, if you reanimate this object, the job title will be restored as well.

Note: The searchFlags attribute serves other purposes too, so you may need to combine several of the values listed at the end of this page. Example: 24 (8 + 16) will both copy the attribute when you use the "copy" feature in "Active Directory Users & Computers" and preserve the job title when the object is tombstoned.
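Because Set-ADObject -Replace overwrites the whole searchFlags value, any bits the attribute already carried (indexing, confidentiality, and so on) would be lost. Here is an added PowerShell example, not from the original post, that ORs the wanted bits into the current value instead, and sends the write to the schema master, which is the only domain controller that accepts schema changes. Add-SchemaSearchFlag and the two flag variables are names chosen for this example; the ActiveDirectory module and Schema Admins membership are assumed.

```powershell
# Added example (not from the original post): set searchFlags bits on a schema
# attribute without clobbering the bits that are already present.
Import-Module ActiveDirectory

# searchFlags bit values as documented in MS-ADTS section 2.2.9
$PreserveOnDelete = 8    # fPRESERVEONDELETE: keep the attribute on the tombstone
$CopyOnCopy       = 16   # fCOPY: copy the attribute when an object is copied in ADUC

function Add-SchemaSearchFlag {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,   # e.g. 'title'
        [Parameter(Mandatory)][int]$Bits                  # bits to add
    )
    # Schema writes are only accepted by the schema master FSMO role holder
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "attributeSchema '$LdapDisplayName' not found in $schemaNC" }

    $current = [int]$attr.searchFlags
    $new     = $current -bor $Bits          # keep existing bits, add the new ones
    if ($new -eq $current) {
        Write-Host "$LdapDisplayName already has bits $Bits set (searchFlags=$current)"
        return
    }

    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $new }
    Write-Host "$LdapDisplayName searchFlags: $current -> $new"
}

# Preserve the job title on the tombstone and copy it in ADUC (value 24 from the note above)
Add-SchemaSearchFlag -LdapDisplayName 'title' -Bits ($PreserveOnDelete -bor $CopyOnCopy)
```

The new value is only applied to freshly deleted objects once every domain controller has reloaded its schema cache, which happens automatically a few minutes after the change; objects that were already tombstoned are not affected retroactively.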

Note: You can get all the attributes preserved on tombstone with this LDAP call:

Get-ADObject -LDAPFilter 'searchFlags:1.2.840.113556.1.4.803:=8' -SearchBase (Get-ADRootDSE).SchemaNamingContext
[Screenshot: Change Active Directory TombStone Behavior – Attribute List]
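Since a change to searchFlags is a schema modification that silently alters what a tombstone retains, it is worth keeping a baseline of the attributes that survive deletion and diffing it after every schema update. The following PowerShell is an added example, not from the original post: it runs the same bitwise LDAP filter, decodes each attribute's searchFlags into the bit names from MS-ADTS section 2.2.9, and compares the result with a saved baseline. The function names and the baseline path are assumptions for this example.

```powershell
# Added example (not from the original post): inventory the schema attributes
# preserved on tombstones and compare them with a stored baseline.
Import-Module ActiveDirectory

# searchFlags bit names as documented in MS-ADTS section 2.2.9
$SearchFlagNames = [ordered]@{
    1    = 'fATTINDEX'
    2    = 'fPDNTATTINDEX'
    4    = 'fANR'
    8    = 'fPRESERVEONDELETE'
    16   = 'fCOPY'
    32   = 'fTUPLEINDEX'
    64   = 'fSUBTREEATTINDEX'
    128  = 'fCONFIDENTIAL'
    256  = 'fNEVERVALUEAUDIT'
    512  = 'fRODCFilteredAttribute'
    1024 = 'fEXTENDEDLINKTRACKING'
    2048 = 'fBASEONLY'
    4096 = 'fPARTITIONSECRET'
}

function ConvertFrom-SearchFlags {
    param([int]$Value)
    # Return the name of every bit that is set in $Value
    $SearchFlagNames.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $SearchFlagNames[$_] }
}

function Get-TombstonePreservedAttribute {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # 1.2.840.113556.1.4.803 is the LDAP bitwise AND matching rule; 8 is fPRESERVEONDELETE
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))' `
        -Properties lDAPDisplayName, searchFlags, whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            Attribute   = $_.lDAPDisplayName
            SearchFlags = [int]$_.searchFlags
            Flags       = (ConvertFrom-SearchFlags $_.searchFlags) -join ','
            WhenChanged = $_.whenChanged
        }
    } | Sort-Object Attribute
}

$preserved = Get-TombstonePreservedAttribute
$preserved | Format-Table -AutoSize

# Baseline location is an assumption for this example
$baseline = 'C:\Baseline\tombstone-preserved.csv'
if (Test-Path $baseline) {
    # "=>" marks an attribute that is newly preserved, "<=" one that no longer is
    Compare-Object (Import-Csv $baseline).Attribute $preserved.Attribute |
        ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
} else {
    $preserved | Export-Csv -Path $baseline -NoTypeInformation
}
```

The whenChanged column identifies which attributeSchema objects were touched recently, which is the first place to look when the comparison shows an attribute that was not preserved in the baseline.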
