A close look at Active Directory objects deletion and restoration(part -I)

by TechiBee on October 27, 2009

Object deletion will be successful only when the following conditions are satisfied.

Has appropriates rights for deleting objects in active directory
The “DisAllow Delete” bit is not set in systemflags attribute of object
The “IsCriticalSystemObject” attribute is not set to TRUE

After meeting above conditions, active directory starts the deletion operation by doing the following..

Sets the “IsDelete” attribute of the object to TRUE
Wipes out all attributes of object except below attributes. Refer to msdn for more details about attributes retained.

attributeID

attributeSyntax

distinguishedName

dNReferenceUpdate

flatName

governsID

groupType

instanceType

lDAPDisplayName

legacyExchangeDN

mS-DS-CreatorSID

mSMQOwnerID

name

nCName

objectClass

objectGUID

objectSid

oMSyntax

proxiedObjectName

replPropertyMetaData

sAMAccountName

securityIdentifier

subClassOf

systemFlags

trustAttributes

trustDirection

trustPartner

trustType

userAccountControl

uSNChanged

uSNCreated

whenCreated

Moves the object to “Deleted Objects” container by renaming it.

Renaming is necessary here as the “deleted objects” container is flat. Object will be renamed to a format similar to “[OldRDN]ADEL:[GUID]” where GUID is the Global Unique Identifier of object being deleted.

This completes the deletion process.

Note that deleted objects will still remain in active directory for some days. This time is called tombstone life time. This time is 60 days for forest that are built initially with windows 2000 or 2003 OS and for forests that are built with windows 2003 SP1 or above the tombstone lifetime is 180 days. If you want you can increase them to the value you want by modifying tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC=yourdomain, DC=COM object from adsiedit.msc.

After the tombstone period the object will be marked for permanent deletion. There is a process called “garbage collection” which runs every 12 hours in domain controllers and the job of this process is to collect objects which has exceeded tombstone lifetime and deleting them. So a deleted object in active directory will still stay in database for days mentioned in tombstone life time plus the no. of hours left for the garbage process to trigger after tombstone expiry.

Objects CAN NOT be retrieved using any mechanism after the deletion by garbage collection process.

In my next post I will take you through the different options available in active directory restoration.

Comments on this entry are closed.

one way backlink October 2, 2011, 11:10 am

Fantastic site. Lots of useful information here. I?m sending it to some friends ans also sharing in delicious. And certainly, thanks to your sweat!

Link

Next post: Easy power management for windows 7 laptops

Previous post: A security heads-up to bloggers