Retrieving Deleted User from AD By Using LDAP query.

  • Question

  • I've been grinding away on this one for at least 3 hours and need to make some progress. So maybe someone else can help me out. I've been all over google, MSDN, and internet forums, etc. Can't quite assemble the query that I need. I'm a newbie, but have some basic understanding.

    We need a simple LDAP query that will return all the samaccountnames of the user objects residing in the deleted objects folder.

    Sounds easy?

    I am aware of the (isDeleted=TRUE) attribute, but am also aware of the deleted object control (1.2.840.113556.1.4.417) -- I just can't seem to put them all together into a functioning query. I realize from reading that deleted objects are invisible to normal LDAP searches without this control. I've looked all over for the proper syntax of linking these up, but can't. I have found evidence that says this is possible with LDAP queries, not just through GUI tools. We NEED a query to accomplish our task. (check the Active Directory cookbook on Google books)

    If anyone can toss together a query that would output the sAMAccountNames of the user objects in the deleted objects folder, you'd be awesome.
    Saturday, April 4, 2015 5:23 PM

Answers

  • The following worked for me:

    Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE))" -Properties sAMAccountName -IncludeDeletedObjects

    The sAMAccountName attribute must be specified with the -Properties parameter, because it is not a default property exposed by Get-ADObject. If you add the clause "(objectCategory=person)" you get nothing because deleted objects have no objectCategory (which I did not know until I experimented). Unfortunately, the command also retrieves computer objects, since they also have class "user". Finally, "TRUE" above is case sensitive, so you get nothing if you use "True". Boolean attributes, like isDeleted, are the only cases where the values are case sensitive in LDAP filters. Does this help?

    Richard Mueller - MVP Directory Services

    Monday, April 6, 2015 4:44 PM
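The accepted answer notes two practical problems with the one-liner: computer objects come back too (class computer inherits from user), and objectCategory is stripped on deletion so it cannot be used to filter them out. The following is an added example, not code from the thread or from Richard's post, that builds on the same Get-ADObject call: it excludes computers with a negated objectClass clause, scopes the search to the Deleted Objects container, and pulls the attributes a responder actually wants when checking whether an account was deleted to cover tracks (lastKnownParent, whenChanged, objectSid). It assumes the ActiveDirectory module is installed and the caller has read access to CN=Deleted Objects; the function name and the 30-day default are my own choices.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module is available and the caller can read CN=Deleted Objects (by default
# only Domain Admins / Administrators have List Contents on it).
Import-Module ActiveDirectory

function Get-DeletedUserAccount {
    [CmdletBinding()]
    param(
        # Domain DN to search; defaults to the current domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        # Only report objects changed (i.e. deleted) within this many days.
        [int]$Days = 30
    )

    # LDAP generalized-time string for the whenChanged comparison.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyyMMddHHmmss.0Z')

    # objectClass=user also matches computer objects, so exclude them explicitly.
    # objectCategory is removed when an object is deleted, so it cannot be used.
    # isDeleted=TRUE must be upper case; "True" returns nothing.
    $filter = "(&(objectClass=user)(!(objectClass=computer))(isDeleted=TRUE)(whenChanged>=$since))"

    Get-ADObject -LDAPFilter $filter `
        -IncludeDeletedObjects `
        -SearchBase "CN=Deleted Objects,$DomainDN" `
        -Properties sAMAccountName, lastKnownParent, whenChanged, objectSid, isRecycled |
        Select-Object sAMAccountName, DistinguishedName, lastKnownParent, whenChanged, objectSid, isRecycled
}

# Usage: list user accounts deleted in the last 90 days.
Get-DeletedUserAccount -Days 90 | Format-Table -AutoSize

# To bring one back (requires the AD Recycle Bin to be enabled and the object
# not yet recycled, i.e. isRecycled empty), pass the DN from the listing:
# Restore-ADObject -Identity 'CN=jdoe\0ADEL:<guid>,CN=Deleted Objects,DC=corp,DC=example'
```

The objectSid column is what to correlate with Security event 4726 (user account deleted) on the domain controllers, since the SID survives deletion while most other attributes do not. When the Recycle Bin is enabled, an object that has passed the deleted-object lifetime is recycled (isRecycled=TRUE): it still matches isDeleted=TRUE and still appears here, but it can no longer be restored with its attributes.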

All replies

  • You can use the PowerShell AD cmdlet Get-ADObject for this. It supports both the LDAPFilter and IncludeDeletedObjects parameters. See this link (and examples 4 and 5):

    https://technet.microsoft.com/en-us/library/ee617198.aspx

    The LDAPFilter you want might be

    (&(objectCategory=person)(objectClass=user)(isDeleted=TRUE))

    combined with the -IncludeDeletedObjects parameter. The explanation for this parameter in the help I linked lists the LDAP controls that it uses, in case you cannot use PowerShell.


    Richard Mueller - MVP Directory Services

    Saturday, April 4, 2015 7:52 PM
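The reply above points out that -IncludeDeletedObjects is just a wrapper around LDAP controls, which matters when the ActiveDirectory module is not available (a jump host without RSAT, or a non-Windows tool that only speaks LDAP). The following added example, not from the thread, shows the same search done directly with System.DirectoryServices.Protocols: it attaches the Show Deleted Objects control (1.2.840.113556.1.4.417, which the question mentions) to a SearchRequest and pages through the results. It assumes a reachable domain controller, the caller's current Kerberos credentials, and that only the domain DN and server name need to be supplied; the function name and parameters are mine.

```powershell
# Added example, not from the original thread. Uses System.DirectoryServices.Protocols
# so it works without the ActiveDirectory module; binds as the current user.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Find-DeletedUserViaLdap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,    # e.g. 'dc01.corp.example' (assumed name)
        [Parameter(Mandatory)][string]$DomainDN   # e.g. 'DC=corp,DC=example'
    )

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true    # insist on signed/sealed LDAP so the
    $conn.SessionOptions.Sealing = $true    # query and results are not readable on the wire
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    # Deleted objects are flattened as direct children of CN=Deleted Objects,
    # so a OneLevel scope is enough. Computers are excluded as in the accepted answer.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN",
        "(&(objectClass=user)(!(objectClass=computer))(isDeleted=TRUE))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('sAMAccountName', 'lastKnownParent', 'objectSid')
    )

    # LDAP_SERVER_SHOW_DELETED_OID: without this control the DC silently omits
    # tombstones, so the filter alone returns nothing. Marked critical so the
    # server refuses the search rather than returning an empty result if it
    # does not honour the control.
    $showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        '1.2.840.113556.1.4.417', $null, $true, $true)
    [void]$request.Controls.Add($showDeleted)

    # Paged results, so a large Deleted Objects container does not hit MaxPageSize.
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
    [void]$request.Controls.Add($page)

    try {
        do {
            $response = $conn.SendRequest($request)
            foreach ($entry in $response.Entries) {
                [pscustomobject]@{
                    sAMAccountName    = $entry.Attributes['sAMAccountName'][0]
                    lastKnownParent   = $entry.Attributes['lastKnownParent'][0]
                    objectSid         = (New-Object System.Security.Principal.SecurityIdentifier(
                                            [byte[]]$entry.Attributes['objectSid'][0], 0)).Value
                    DistinguishedName = $entry.DistinguishedName
                }
            }
            $pageResponse = $response.Controls |
                Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
            $page.Cookie = $pageResponse.Cookie
        } while ($page.Cookie -and $page.Cookie.Length -gt 0)
    }
    finally {
        $conn.Dispose()
    }
}

# Usage:
Find-DeletedUserViaLdap -Server 'dc01.corp.example' -DomainDN 'DC=corp,DC=example' |
    Format-Table -AutoSize
```

The control's value is empty; the OID alone tells the DC to include deleted objects. Because objectSid is returned as raw bytes over LDAP, the example converts it to SDDL form so it can be matched against SIDs recorded in Security event logs.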
  • Hi Richard,

    Thanks for your valuable input. This query works fine if the user is marked as going to be deleted by checking the "isDeleted" attribute as true. This doesn't work when the AD user has been deleted by selecting the user and clicking on the Delete option.

    In this case, is there any way to get the user from some LDAP query?

    Regards

    Saroj Singh

    Monday, April 6, 2015 6:08 AM
  • Hi Saroj Singh,

    To ensure you get better support, I suggest you turn to our Active Directory forum for dedicated support. Sorry for any inconvenience this caused. Thanks for your understanding.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS

    Best regards,

    Eric


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Monday, April 6, 2015 7:06 AM
    Moderator