
Search for deleted user objects in AD

17 Apr Posted by tim in Active Directory

I am trying to browse for deleted SIDs. I am using ADFIND to do my search. Here is what I am using:
adfind -b "cn=deleted objects,dc=domain,dc=com" -f "(& (objectclass=user)(objectcategory=person))" objectsid
So, looking at the command, it told me that he was querying the "Deleted Objects" container (the container that all objects marked for deletion are moved into) for user objects. You need to query objectClass AND objectCategory in order to get users only: objectClass=user alone would also return computer objects, because in the AD schema the computer class inherits from the user class and adds computer-specific attributes on top.

When firing the command at my box, I didn't get any results either:

C:\Windows\system32>adfind -b "CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net" -f "&(objectClass=user)(objectCategory=person)" objectSID

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

0 Objects returned

Looking at the query, I remembered that deleted objects aren't removed right away: they are moved to the "Deleted Objects" container, get a new name and are stripped of most of their attributes. Only a few attributes are preserved. Knowing that objectClass is one of the preserved attributes, let's see whether objectCategory is too. For that, we need the "searchFlags" attribute of the attribute's schema object. The searchFlags bitmask tells us whether the attribute is preserved on deletion; bit #3 (decimal value 8), as described in

http://msdn.microsoft.com/en-us/library/ms679765(VS.85).aspx and http://www.frickelsoft.net/blog/?p=151

is the one we're looking for:

C:\Windows\system32>adfind -sc s:objectCategory searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

Base DN: CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

dn:CN=Object-Category,CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

>searchFlags: 1 [INDEX(1)]

We can see that searchFlags for "objectCategory" is 1, which resolves to "put attribute into index" only.

So, as we thought, objectCategory is not preserved. But let's check objectClass, too:

C:\Windows\system32>adfind -sc s:objectClass searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

Base DN: CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

dn:CN=Object-Class,CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

>searchFlags: 9 [INDEX(1);PRESERVE TOMBSTONE(8)]

1 Objects returned

Okay, that's a nine, which resolves to "put into index" (=1) plus "preserve on deletion" (=8, so 1+8 = 9). I must admit you could have looked that one up on MSDN too:

http://msdn.microsoft.com/en-us/library/ms679011(VS.85).aspx

(objectCategory has searchFlags 1 everywhere). But hey, we wanted to use ADfind, right? It makes sense now that we don't get any results. We could query for "objectClass=user" only, but that's probably not what we want, as computers are part of the "user" objectClass, too.

So the query won't work because we're filtering on an attribute that isn't there any more. What can we do about it?

We can change our search to return objectClass=user objects and NOT objectClass=computer objects. Unfortunately, we don't get any results for that either, just as in the output above. Hmm... what went wrong?

Looking at the ADfind help at http://www.joeware.net/freetools/tools/adfind/usage.htm (or /?), we can see that we need the "-showdel" switch to make ADFind send the "Show deleted objects" LDAP control to the server. Our query now looks like this:

C:\Windows\system32>adfind -b "CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net" -f "&(objectClass=user)(!objectClass=computer)" -showdel objectSID

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

dn:CN=User, Created_0111200813120�ADEL:5d0f95e6-516a-474c-9a35-c479a8d80ff8,CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net
>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1603

dn:CN=User, Created_0111200813140�ADEL:73ab9ee1-10c5-4d99-9abc-5d21ca274ef4,CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net
>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1604

dn:CN=User, Created_0111200813150�ADEL:c7393437-7868-481e-9633-7cd49c62fb36,CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net
>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1605

dn:CN=User, Created_0111200813160�ADEL:8f0fcce6-0f6e-4802-8faa-12e5ae2d48a3,CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net
>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1606

4 Objects returned
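The two checks this post walks through by hand, decoding searchFlags to see which attributes survive a tombstone and reading the renamed DN of a deleted object, as an added Python example that is not part of the original post or of AdFind. The schema values and the tombstone DN below are constructed samples (objectClass=9 and objectCategory=1 are the values shown above; description=0 and the DN are assumed), and the DN uses the LDAP string form where the line feed in a tombstone name is escaped as \0A.

```python
import re

# searchFlags bits of an attributeSchema object (MS-ADTS 2.2.9); the post uses bits 1 and 8.
SEARCH_FLAG_NAMES = {
    1: "INDEX", 2: "CONTAINER_INDEX", 4: "ANR", 8: "PRESERVE_ON_DELETE",
    16: "COPY", 32: "TUPLE_INDEX", 64: "SUBTREE_INDEX", 128: "CONFIDENTIAL",
}
PRESERVE_ON_DELETE = 8

# Constructed sample standing in for the schema lookups done with "adfind -sc s:<attr> searchFlags".
SCHEMA_SEARCH_FLAGS = {"objectclass": 9, "objectcategory": 1, "description": 0}

def decode_search_flags(value: int) -> list[str]:
    """Expand a searchFlags integer into the names of its set bits, e.g. 9 -> INDEX + PRESERVE_ON_DELETE."""
    return [name for bit, name in sorted(SEARCH_FLAG_NAMES.items()) if value & bit]

def is_preserved_on_tombstone(attribute: str) -> bool:
    """True if the schema keeps the attribute on a tombstone (bit 8); unknown attributes count as stripped."""
    return bool(SCHEMA_SEARCH_FLAGS.get(attribute.lower(), 0) & PRESERVE_ON_DELETE)

def stripped_attributes_in_filter(ldap_filter: str) -> set[str]:
    """Attribute names in an LDAP filter that do not survive deletion.
    Any hit means the filter can never match a tombstone, which is why the first query returned 0 objects."""
    names = re.findall(r"\(\s*([A-Za-z][\w-]*)\s*[~<>]?=", ldap_filter)
    return {n for n in names if not is_preserved_on_tombstone(n)}

# Tombstone RDN: original RDN, an escaped line feed (\0A), "DEL:" and the objectGUID.
TOMBSTONE_RDN = re.compile(
    r"^CN=(?P<cn>.*?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),(?P<container>CN=Deleted Objects,.*)$"
)

def parse_tombstone_dn(dn: str) -> dict:
    """Recover the original CN and the objectGUID from the DN AdFind prints for a deleted object."""
    m = TOMBSTONE_RDN.match(dn)
    if not m:
        raise ValueError(f"not a tombstone DN: {dn}")
    original_cn = m.group("cn").replace("\\,", ",")  # undo LDAP escaping of the comma in the name
    return {"original_cn": original_cn, "guid": m.group("guid").lower(), "container": m.group("container")}

if __name__ == "__main__":
    # Constructed DN in the shape seen above; the comma in the name is LDAP-escaped as "\,"
    sample = ("CN=User\\, Created_01112008131200\\0ADEL:5d0f95e6-516a-474c-9a35-c479a8d80ff8,"
              "CN=Deleted Objects,DC=intern,DC=frickelsoft,DC=net")
    print(decode_search_flags(9))
    print(stripped_attributes_in_filter("(&(objectClass=user)(objectCategory=person))"))
    print(parse_tombstone_dn(sample))
```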

If you don't know what ADfind is or what ADMod does, you really should check joe's repository of cool tools at http://www.joeware.net

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.
