Object deletion will be successful only when the following conditions are satisfied.
- Has appropriates rights for deleting objects in active directory
- The “DisAllow Delete” bit is not set in systemflags attribute of object
- The “IsCriticalSystemObject” attribute is not set to TRUE
After meeting above conditions, active directory starts the deletion operation by doing the following..
- Sets the “IsDelete” attribute of the object to TRUE
- Wipes out all attributes of object except below attributes. Refer to msdn for more details about attributes retained.
- Moves the object to “Deleted Objects” container by renaming it.
Renaming is necessary here as the “deleted objects” container is flat. Object will be renamed to a format similar to “
[OldRDN] ADEL:[GUID] ” where GUID is the Global Unique Identifier of object being deleted.
This completes the deletion process.
Note that deleted objects will still remain in active directory for some days. This time is called tombstone life time. This time is 60 days for forest that are built initially with windows 2000 or 2003 OS and for forests that are built with windows 2003 SP1 or above the tombstone lifetime is 180 days. If you want you can increase them to the value you want by modifying tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC=yourdomain, DC=COM object from adsiedit.msc.
After the tombstone period the object will be marked for permanent deletion. There is a process called “garbage collection” which runs every 12 hours in domain controllers and the job of this process is to collect objects which has exceeded tombstone lifetime and deleting them. So a deleted object in active directory will still stay in database for days mentioned in tombstone life time plus the no. of hours left for the garbage process to trigger after tombstone expiry.
Objects CAN NOT be retrieved using any mechanism after the deletion by garbage collection process.