Retrieving Deleted User from AD By Using LDAP query

  • Question

  • I've been grinding away on this one for at least 3 hours and need to make some progress. So maybe someone else can help me out. I've been all over google, MSDN, and internet forums, etc. Can't quite assemble the query that I need. I'm a newbie, but have some basic understanding.

    We need a simple LDAP query that will return all the samaccountnames of the user objects residing in the deleted objects folder.

    Sounds easy?

    I am aware of the (isDeleted=TRUE) attribute, but am also aware of the deleted object control (1.2.840.113556.1.4.417) -- I just can't seem to put them all together into a functioning query. I realize from reading that deleted objects are invisible to normal LDAP searches without this control. I've looked all over for the proper syntax of linking these up, but can't. I have found evidence that says this is possible with LDAP queries, not just through GUI tools. We NEED a query to accomplish our task. (check the Active Directory cookbook on Google books)

    If anyone can toss together a query that would output the samaccount names of the user objects in the deleted objects folder, you'd be awesome.
    Monday, April 6, 2015 7:39 AM

Answers

  • I would agree with Richard. The command I shared will retrieve the computer accounts too. Unfortunately, I am not able to include a more precise filter because we cannot filter using objectCategory clause.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Here are two ways:

    You can still use objectClass=Person?

    You can combine this with userAccountControl to only retrieve users:
    These are the default UserAccountControl values for certain objects:

    Typical user : 0x200 (512)
    Domain controller : 0x82000 (532480)
    Workstation/server: 0x1000 (4096)


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by Vivian_Wang Wednesday, April 15, 2015 7:42 AM
    • Marked as answer by Vivian_Wang Wednesday, April 22, 2015 7:14 AM
    Wednesday, April 8, 2015 1:54 AM
  • The filter clause (objectClass=person) will return user, computer, and contact objects. However, using userAccountControl is a good idea. Then you don't need any clause with objectClass. For example, you could use the LDAP filter:

    (&(isDeleted=TRUE)(userAccountControl:1.2.840.113556.1.4.803:=512))
    Unfortunately, the attribute sAMAccountType is not available with deleted objects.

    Richard Mueller - MVP Directory Services

    • Proposed as answer by Vivian_Wang Wednesday, April 15, 2015 7:41 AM
    • Marked as answer by Vivian_Wang Wednesday, April 22, 2015 7:14 AM
    Wednesday, April 8, 2015 6:03 PM
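To see why the filters discussed above select what they do, here is an added Python example (written for this page, not code from any poster in the thread) that evaluates the thread's LDAP filters offline against constructed tombstone records. It supports only the & operator, plain equality and the 1.2.840.113556.1.4.803 bit-AND rule; the record values are made up, and the case-sensitive comparison of isDeleted is an assumption modelled on Richard's note.

```python
import re

# Constructed tombstone records for an offline demonstration (not real directory data).
# A deleted AD object keeps isDeleted, objectClass, userAccountControl and sAMAccountName,
# but objectCategory and sAMAccountType are stripped, so filters on those never match it.
TOMBSTONES = [
    {"sAMAccountName": "jdoe", "objectClass": "user", "isDeleted": "TRUE", "userAccountControl": 512},
    {"sAMAccountName": "asmith", "objectClass": "user", "isDeleted": "TRUE", "userAccountControl": 514},  # disabled user
    {"sAMAccountName": "WS01$", "objectClass": "user", "isDeleted": "TRUE", "userAccountControl": 4096},  # workstation
    {"sAMAccountName": "DC01$", "objectClass": "user", "isDeleted": "TRUE", "userAccountControl": 532480},  # domain controller
    {"sAMAccountName": "bwayne", "objectClass": "user", "objectCategory": "person", "userAccountControl": 512},  # live object
]

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit of the value must be set

def parse_filter(s, i=0):
    """Parse the parenthesised filter at s[i]: returns (node, index after it). Supports & and leaves."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] == "&":
        i, kids = i + 2, []
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return ("&", kids), i + 1
    end = s.index(")", i)
    m = re.fullmatch(r"([^:=]+)(?::([\d.]+):)?=(.*)", s[i + 1:end])  # attr=value or attr:ruleOID:=value
    if not m:
        raise ValueError("unsupported leaf: " + s[i + 1:end])
    return ("leaf", m.group(1), m.group(2), m.group(3)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    _, attr, rule, value = node
    if attr not in entry:  # an absent attribute never matches (objectCategory on a tombstone)
        return False
    actual = entry[attr]
    if rule == BIT_AND:  # 512 matches 512 and 514 (disabled user) but not 4096 or 532480
        return int(actual) & int(value) == int(value)
    if attr == "isDeleted":  # Boolean syntax; as the thread notes, "TRUE" is case sensitive
        return str(actual) == value
    return str(actual).lower() == value.lower()  # other strings compare case-insensitively in AD

def deleted_sam_names(ldap_filter, entries=TOMBSTONES):
    node, _ = parse_filter(ldap_filter)
    return sorted(e["sAMAccountName"] for e in entries if matches(node, e))
```

Running the thread's userAccountControl filter returns the enabled and the disabled user but neither machine account, while adding (objectCategory=person) returns nothing at all.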

All replies

  • Hi,

    Go through the articles listed below; you should be able to retrieve the deleted objects. There are multiple ways to do it.

    Searching for Deleted Objects:

    https://technet.microsoft.com/en-us/library/cc978013.aspx?f=255&MSPPError=-2147217396

    http://www.petri.com/deleted-objects-in-active-directory.htm

    LDAP : http://support.microsoft.com/en-us/kb/258310

    PowerShell scripts and commands to display deleted objects:

    https://gallery.technet.microsoft.com/scriptcenter/Script-to-display-the-c995a5f6#content

    https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

    PS Command :

    Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects


    Devaraj G | Technical solution architect

    Monday, April 6, 2015 12:40 PM
  • Hi Saroj,

    There is a KB article which shows all deleted objects with their CN path, and yes, this requires the deleted object control

    (1.2.840.113556.1.4.417). The steps below show the list of deleted objects with their DN path and how you can restore them if you wish to.

    • Click Start, click Run, and then type ldp.exe.

      Note If the Ldp utility is not installed, install the support tools from the Windows Server 2003 installation CD.
    • Use the Connection menu in Ldp to perform the connect operations and the bind operations to a Windows Server 2003 domain controller.

      Specify domain administrator credentials during the bind operation.
    • On the Options menu, click Controls.
    • In the Load Predefined list, click Return Deleted Objects.

      Note The 1.2.840.113556.1.4.417 control moves to the Active Controls window.
    • Under Control Type, click Server, and then click OK.
    • On the View menu, click Tree, type the distinguished name path of the deleted objects container in the domain where the deletion occurred, and then click OK.

      Note The distinguished name path is also known as the DN path. For example, if the deletion occurred in the contoso.com domain, the DN path would be the following path:
      cn=deleted Objects,dc=contoso,dc=com
    • In the left pane of the window, double-click the Deleted Objects container.

      Note As a search result of an LDAP query, only 1000 objects are returned by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all objects appear in this container. If your target object does not appear, use ntdsutil, and then set the maximum number by using maxpagesize to get the search results.
    • Double-click the object that you want to undelete or to reanimate.
    • Right-click the object that you want to reanimate, and then click Modify.

      Change the value for the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation. To configure the Modify dialog, follow these steps:
      1. In the Edit Entry Attribute box, type isDeleted.

         Leave the Value box blank.
      2. Click the Delete option button, and then click Enter to make the first of two entries in the Entry List dialog.

         Important Do not click Run.
      3. In the Attribute box, type distinguishedName.
      4. In the Values box, type the new DN path of the reanimated object.

         For example, to reanimate the JohnDoe user account to the Mayberry OU, use the following DN path:
         cn=JohnDoe,ou=Mayberry,dc=contoso,dc=com
         Note If you want to reanimate a deleted object to its original container, append the value of the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.
      5. In the Operation box, click REPLACE.
      6. Click ENTER.
      7. Click to select the Synchronous check box.
      8. Click to select the Extended check box.
      9. Click RUN.
    • After you reanimate the objects, click Controls on the Options menu, and then click the Check Out button to remove (1.2.840.113556.1.4.417) from the Active Controls box list.
    • Reset user account passwords, profiles, home directories and group memberships for the deleted users.

      When the object was deleted, all the attribute values except SID, ObjectGUID, LastKnownParent and SAMAccountName were stripped.
    • Enable the reanimated account in Active Directory Users and Computers.

      Note The reanimated object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The first release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups. Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.
    • Remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.

      Note The reanimation of deleted objects is supported when the deletion occurs on a Windows Server 2003 domain controller. The reanimation of deleted objects is not supported when the deletion occurs on a Windows 2000 domain controller that is subsequently upgraded to Windows Server 2003.

      Note If the deletion occurs on a Windows 2000 domain controller in the domain, the lastParentOf attribute is not populated on Windows Server 2003 domain controllers.

    http://support.microsoft.com/en-us/kb/840001

    Regards,

    Purvesh


    Monday, April 6, 2015 12:45 PM
  • Here you go:

    $objects = Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -ldapfilter "(objectClass=user)" -IncludeDeletedObjects -properties *
    foreach ($object in $objects)
    {
    	$object.samaccountname
    }

    Just replace DC=contoso,DC=Com by your domain DN. You can tweak the command to apply more filters if you wish.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Monday, April 6, 2015 5:32 PM
  • This works for me:

    Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE))" -Properties sAMAccountName -IncludeDeletedObjects
    The clause "(isDeleted=TRUE)" is needed or you will retrieve objects whether they are deleted or not. The string "TRUE" is case sensitive. You cannot include the clause "(objectCategory=person)" because deleted objects have no value assigned to objectCategory. So, you will get both user and computer objects. You must request sAMAccountName with the -Properties parameter because it is not a default property exposed by Get-ADObject.

    Richard Mueller - MVP Directory Services

    • Proposed as answer by Mahdi Tehrani Tuesday, April 7, 2015 4:46 AM
    Monday, April 6, 2015 7:09 PM
  • I would agree with Richard. The command I shared will retrieve the computer accounts too. Unfortunately, I am not able to include a more precise filter because we cannot filter using objectCategory clause.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Monday, April 6, 2015 8:08 PM
  • This works for me:

    Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE))" -Properties sAMAccountName -IncludeDeletedObjects
    The clause "(isDeleted=TRUE)" is needed or you will retrieve objects whether they are deleted or not. The string "TRUE" is case sensitive. You cannot include the clause "(objectCategory=person)" because deleted objects have no value assigned to objectCategory. So, you will get both user and computer objects. You must request sAMAccountName with the -Properties parameter because it is not a default property exposed by Get-ADObject.

    Richard Mueller - MVP Directory Services

    You can still use objectClass=Person?

    You can combine this with userAccountControl to only retrieve users:
    These are the default UserAccountControl values for certain objects:

    Typical user : 0x200 (512)
    Domain controller : 0x82000 (532480)
    Workstation/server: 0x1000 (4096)


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog


    Wednesday, April 8, 2015 1:51 AM