Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2015-01-25) Finding Attributes Marked To Be Preserved On Deletion Or Recycling

Posted by Jorge on 2015-01-25

When an attribute has bit 2^3 (= 8, fPRESERVEONDELETE) set in its searchFlags property, the attribute's value is kept when the object is deleted (Recycle Bin is OFF, the object becomes a tombstone) or when the object is recycled, manually or automatically (Recycle Bin is ON). Good candidates to be preserved on deletion of the object are, for example, the password attributes: when someone makes a mistake and deletes an OU with a large number of user objects, that helps you get back up-and-running without setting new passwords and without the communication around that.

While the Recycle Bin optional feature IS NOT enabled, preserving additional attribute values on the tombstone object (the deleted object) is good if it fits a specific/required purpose. For example, by preserving the data, the impact on the user community is lowered as much as possible. Keep in mind that whatever you preserve stays on the tombstone in the Deleted Objects container for the whole tombstone lifetime, so preserving secrets such as password attributes also extends how long those secrets live in the directory.

HOWEVER, while the Recycle Bin optional feature IS enabled, all data on an AD object is already preserved by default on a deleted object, whether this flag is set or not. The flag then only determines which data is kept when the deleted object transforms into a recycled object, manually or automatically. Recycled objects cannot be undeleted, therefore there is no value in preserving this data on recycled objects.

A word of advice: if you have configured additional attributes to be preserved on tombstoned objects while the Recycle Bin optional feature IS NOT enabled, do not forget to review and reconfigure those attributes if you are going to enable the Recycle Bin optional feature.


ADFIND

Using the LDAP bitwise AND matching rule (OID 1.2.840.113556.1.4.803) to test bit 8:

ADFIND -h R1FSRWDC1.IAMTEC.NET -schema -f "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))" -dn

The same query with the AdFind -bit switch, which lets you write :AND: instead of the matching rule OID:

ADFIND -h R1FSRWDC1.IAMTEC.NET -bit -schema -f "(&(objectClass=attributeSchema)(searchFlags:AND:=8))" -dn

The same query through the built-in AdFind shortcut (for sorted output use: ADFIND -sc TOMBSTONEL -dn):

ADFIND -sc TOMBSTONE -dn


Figure 1: Example Output

AD PoSH Module

Get-ADObject -Server R1FSRWDC1.IAMTEC.NET -SearchBase $((Get-ADRootDSE -Server R1FSRWDC1.IAMTEC.NET).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))" | %{$_.DistinguishedName}

ADSI Through PoSH

$targetDC = "R1FSRWDC1.IAMTEC.NET"
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.SearchRoot = "LDAP://$targetDC/$schemaNamingContext"
$search.PageSize = 1000
$search.Filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))"
$search.FindAll() | %{$_.Properties.distinguishedname}

PS: replace the FQDN of the DC with your info

PS: the opposite of this query can be found by replacing (searchFlags:1.2.840.113556.1.4.803:=8) with (!(searchFlags:1.2.840.113556.1.4.803:=8))
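The queries above only list which attributes carry bit 8. The following script is an added example, not part of the original post: it decodes all searchFlags bits (so you can see, for instance, that an attribute is both preserved on delete and confidential), checks whether the Recycle Bin optional feature is enabled (in which case the bit only matters for recycled objects), and sets or clears bit 8 on one attribute with a bitwise OR/AND so that the other bits are left intact. It assumes the ActiveDirectory module, the DC name from the post (replace it with your own), Schema Admins membership, and a hypothetical attribute name in the commented-out usage line; changing searchFlags is a schema change and is written to the schema master.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module, Schema Admins rights for the Set-* part, and a DC FQDN of your own.
$targetDC = "R1FSRWDC1.IAMTEC.NET"   # replace with your DC

# searchFlags bit names as documented in MS-ADTS (Attribute searchFlags)
$searchFlagBits = [ordered]@{
    fATTINDEX              = 1
    fPDNTATTINDEX          = 2
    fANR                   = 4
    fPRESERVEONDELETE      = 8
    fCOPY                  = 16
    fTUPLEINDEX            = 32
    fSUBTREEATTINDEX       = 64
    fCONFIDENTIAL          = 128
    fNEVERVALUEAUDIT       = 256
    fRODCFilteredAttribute = 512
    fEXTENDEDLINKTRACKING  = 1024
    fBASEONLY              = 2048
    fPARTITIONSECRET       = 4096
}
$PreserveOnDelete = 8

# Turn a searchFlags integer into the list of bit names that are set
function ConvertFrom-SearchFlags {
    param([int]$Value)
    $searchFlagBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

$schemaNC = (Get-ADRootDSE -Server $targetDC).schemaNamingContext

# 1. Report every attribute with bit 8 set, with all of its bits decoded
Get-ADObject -Server $targetDC -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))" `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags,
        @{ n = 'Flags'; e = { (ConvertFrom-SearchFlags $_.searchFlags) -join ',' } }

# 2. Context: with the Recycle Bin enabled, bit 8 only affects recycled objects,
#    which cannot be undeleted anyway (see the post above)
$rb = Get-ADOptionalFeature -Server $targetDC -Identity 'Recycle Bin Feature'
"Recycle Bin enabled: $([bool]$rb.EnabledScopes)"

# 3. Set or clear bit 8 on one attribute without touching the other bits
#    (e.g. fCONFIDENTIAL stays as it was). Written to the schema master.
function Set-PreserveOnDelete {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $schemaMaster = (Get-ADForest -Server $targetDC).SchemaMaster
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $current = [int]$attr.searchFlags          # $null becomes 0
    $new = if ($Enabled) { $current -bor $PreserveOnDelete }
           else          { $current -band (-bnot $PreserveOnDelete) }

    if ($new -eq $current) { return "$LdapDisplayName unchanged (searchFlags=$current)" }
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
    return "$LdapDisplayName searchFlags: $current -> $new"
}

# Usage (hypothetical attribute name; test in a lab first):
# Set-PreserveOnDelete -LdapDisplayName 'extensionAttribute1' -Enabled $true
# Set-PreserveOnDelete -LdapDisplayName 'extensionAttribute1' -Enabled $false
```

The bitwise OR/AND in Set-PreserveOnDelete is the point of the example: writing a bare 8 into searchFlags would silently drop other bits such as fCONFIDENTIAL (128) or fRODCFilteredAttribute (512), which is a security regression rather than a preservation change. Step 2 is the check to run before enabling or clearing the flag, since with the Recycle Bin on the bit no longer does what it did for tombstones.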

More information:

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!