
Tuesday, October 27, 2009

A close look at Active Directory object deletion and restoration (part I)

An object can be deleted only when all of the following conditions are satisfied:

  • The caller has the rights needed to delete the object: Delete (or Delete Subtree) on the object itself, or Delete Child on its parent container
  • The FLAG_DISALLOW_DELETE bit (0x80000000) is not set in the object's systemFlags attribute
  • The object's isCriticalSystemObject attribute is not set to TRUE
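
The three preconditions can be checked before you attempt the delete. The script below is an added example, not code from the original post; it assumes a domain-joined Windows host, a caller with read access to the object, and a DN of your choosing (the Administrator DN in the usage line is a placeholder for your own domain). The rights check only approximates the DC's effective-rights calculation, as the comments explain.

```powershell
# Added example (not from the original post): checks the three deletion
# preconditions for one object. Assumes a domain-joined Windows host and
# a caller with read access to the object; the DN is the caller's choice.
function Test-ADDeletePreconditions {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $FLAG_DISALLOW_DELETE = 0x80000000   # systemFlags bit that blocks deletion

    $obj = [ADSI]"LDAP://$DistinguishedName"
    $obj.psbase.RefreshCache([string[]]@('systemFlags', 'isCriticalSystemObject'))

    # systemFlags is a 32-bit integer; a missing value becomes 0.
    $flags = [int64]($obj.psbase.Properties['systemFlags'].Value)
    $disallowDelete = ($flags -band $FLAG_DISALLOW_DELETE) -ne 0
    $critical = [bool]$obj.psbase.Properties['isCriticalSystemObject'].Value

    # Rights check: look for an Allow ACE that grants Delete/DeleteTree/
    # GenericAll on the object, or DeleteChild/GenericAll on its parent, to
    # the caller or one of the caller's groups. This approximates the DC's
    # effective-rights calculation (Deny ACEs and object-type-limited
    # DeleteChild are ignored), so treat HasDeleteRight as a hint; the
    # authoritative answer is whether the delete itself succeeds.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User) + @($me.Groups)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $onObject = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, GenericAll'
    $onParent = [System.DirectoryServices.ActiveDirectoryRights]'DeleteChild, GenericAll'

    function Test-Grant($entry, $mask) {
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -eq 'Allow' -and
                ($rule.ActiveDirectoryRights -band $mask) -ne 0 -and
                $mySids -contains $rule.IdentityReference) {
                return $true
            }
        }
        return $false
    }

    $hasRight = (Test-Grant $obj $onObject) -or (Test-Grant $obj.psbase.Parent $onParent)

    New-Object PSObject -Property @{
        DistinguishedName      = $DistinguishedName
        DisallowDeleteFlag     = $disallowDelete
        IsCriticalSystemObject = $critical
        HasDeleteRight         = $hasRight
        CanDelete              = ($hasRight -and -not $disallowDelete -and -not $critical)
    }
}

# Usage (placeholder DN): the built-in Administrator account carries
# isCriticalSystemObject=TRUE, so CanDelete comes back False whatever rights
# the caller holds.
# Test-ADDeletePreconditions 'CN=Administrator,CN=Users,DC=example,DC=com'
```

Run it against an ordinary user in an OU you administer and against a protected object such as the built-in Administrator account to see the two flags that AD consults before it even looks at your permissions.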

Once those conditions are met, Active Directory performs the deletion as follows:

  • Sets the object's isDeleted attribute to TRUE
  • Strips all attributes of the object except the ones listed below (attributes whose schema definition has the preserve-on-delete bit set in searchFlags are also kept). Refer to MSDN for the full list of retained attributes.
attributeID
attributeSyntax
distinguishedName
dNReferenceUpdate
flatName
governsID
groupType
instanceType
lDAPDisplayName
legacyExchangeDN
mS-DS-CreatorSID
mSMQOwnerID
name
nCName
objectClass
objectGUID
objectSid
oMSyntax
proxiedObjectName
replPropertyMetaData
sAMAccountName
securityIdentifier
subClassOf
systemFlags
trustAttributes
trustDirection
trustPartner
trustType
userAccountControl
uSNChanged
uSNCreated
whenCreated
  • Moves the object into the Deleted Objects container, renaming it on the way.
The rename is necessary because the Deleted Objects container is flat: objects that had the same RDN in different OUs would otherwise collide there. The new RDN has the form [OldRDN]\0ADEL:[GUID], where \0A is the escaped line-feed character and GUID is the objectGUID of the object being deleted. On Windows Server 2003 and later the object's original parent container is recorded in its lastKnownParent attribute.

This completes the deletion process.
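
You can see the result of this process for yourself, because a deleted object is still a readable tombstone. The script below is an added example, not code from the original post; it assumes a domain-joined host and a caller allowed to read the Deleted Objects container (Domain Admins can by default), and the account name you pass is a placeholder. It uses the DirectorySearcher.Tombstone property, which attaches the show-deleted LDAP control to the search.

```powershell
# Added example (not from the original post): locates the tombstone of a
# deleted account and shows what survived the deletion. Assumes a domain-
# joined host and read access to the Deleted Objects container; the
# account name supplied by the caller is a placeholder.
function Get-ADTombstone {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainNc"
    $searcher.SearchScope = 'Subtree'
    # Tombstone=$true attaches the LDAP_SERVER_SHOW_DELETED_OID control.
    # Without it the DC hides isDeleted=TRUE objects from every search.
    $searcher.Tombstone = $true
    $searcher.Filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'objectGUID', 'objectSid', 'lastKnownParent',
        'whenChanged', 'userAccountControl', 'description', 'memberOf'))

    # First value of a result attribute, or $null if it was stripped.
    function First($props, $name) {
        if ($props[$name].Count -gt 0) { return $props[$name][0] } else { return $null }
    }

    foreach ($result in $searcher.FindAll()) {
        $p    = $result.Properties
        $dn   = [string](First $p 'distinguishedname')
        $guid = New-Object System.Guid -ArgumentList @(,[byte[]](First $p 'objectguid'))
        $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([byte[]](First $p 'objectsid')), 0

        New-Object PSObject -Property @{
            DistinguishedName   = $dn
            # The RDN is now OldRDN\0ADEL:<objectGUID>; \0A is the escaped line feed.
            RenamedOnDeletion   = ($dn -match '\\0ADEL:')
            ObjectGuid          = $guid
            ObjectSid           = $sid      # retained, so a restore keeps the old SID
            LastKnownParent     = [string](First $p 'lastknownparent')
            WhenChanged         = (First $p 'whenchanged')   # approximately the deletion time
            UserAccountControl  = (First $p 'useraccountcontrol')
            # Neither description nor memberOf is on the retained list, so both
            # come back empty: group memberships are lost with the deletion.
            DescriptionRetained = ($p['description'].Count -gt 0)
            MemberOfRetained    = ($p['memberof'].Count -gt 0)
        }
    }
}

# Usage (placeholder account name):
# Get-ADTombstone -SamAccountName 'jdoe' | Format-List
```

The interesting fields are the ones that come back empty: description, memberOf and everything else outside the retained list are gone, which is why a tombstone restore (covered in the next part) gives you back an account with its SID but without its group memberships.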

Note that deleted objects (tombstones) remain in Active Directory for a period called the tombstone lifetime. It is 60 days for forests originally created with Windows 2000 or Windows Server 2003 RTM domain controllers, and 180 days for forests created with Windows Server 2003 SP1 or later. You can change it to the value you want by editing the tombstoneLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com (in the forest root domain) with adsiedit.msc; if the attribute is not set, domain controllers use the 60-day default. Keep in mind that the tombstone lifetime also bounds the age of a usable backup: a system-state backup older than the tombstone lifetime cannot be used to restore a domain controller.

When the tombstone lifetime expires, the object becomes eligible for permanent removal. A process called garbage collection runs on every domain controller, independently, every 12 hours by default (the interval is the garbageCollPeriod attribute on the same Directory Service object); it collects tombstones that have exceeded the tombstone lifetime and deletes them from the database. A deleted object therefore stays in a DC's database for the tombstone lifetime plus up to 12 hours, until that DC's next garbage collection pass.
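
The two settings above are readable from any domain-joined host, and together with a tombstone's whenChanged time they give the window in which the object can still be restored. The script below is an added example, not code from the original post; it assumes a domain-joined host and read access to the Configuration partition (granted to authenticated users by default). The usage line at the end uses a constructed deletion date.

```powershell
# Added example (not from the original post): reads the forest's tombstone
# lifetime and garbage-collection interval, then computes when a given
# tombstone becomes eligible for purging. Assumes a domain-joined host.
function Get-ADTombstonePolicy {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $dsObject.psbase.RefreshCache([string[]]@('tombstoneLifetime', 'garbageCollPeriod'))

    $tsl = $dsObject.psbase.Properties['tombstoneLifetime'].Value
    $gcp = $dsObject.psbase.Properties['garbageCollPeriod'].Value

    # An unset tombstoneLifetime means the DC uses the 60-day default of
    # forests created with Windows 2000 / Windows Server 2003 RTM; forests
    # created with 2003 SP1 or later have it set explicitly to 180.
    $tslDays  = if ($tsl) { [int]$tsl } else { 60 }
    $gcpHours = if ($gcp) { [int]$gcp } else { 12 }

    New-Object PSObject -Property @{
        TombstoneLifetimeDays  = $tslDays
        TombstoneLifetimeIsSet = [bool]$tsl
        GarbageCollectionHours = $gcpHours
    }
}

# Earliest and latest moments a tombstone deleted at $DeletedAt can be purged:
# a DC's garbage collector removes it on its first pass after the lifetime
# expires, and every DC runs that pass on its own schedule, so the object can
# disappear from different DCs at different times inside this window.
function Get-ADPurgeWindow {
    param(
        [Parameter(Mandatory = $true)][datetime]$DeletedAt,
        [int]$TombstoneLifetimeDays = 180,
        [int]$GarbageCollectionHours = 12
    )
    $expires = $DeletedAt.AddDays($TombstoneLifetimeDays)
    New-Object PSObject -Property @{
        DeletedAt         = $DeletedAt
        TombstoneExpires  = $expires                                    # earliest purge
        PurgedNoLaterThan = $expires.AddHours($GarbageCollectionHours)  # latest purge
        DaysLeftToRestore = [math]::Floor(($expires - (Get-Date)).TotalDays)
    }
}

# Usage, with a constructed deletion date (take the real one from the
# tombstone's whenChanged attribute):
# $policy = Get-ADTombstonePolicy
# Get-ADPurgeWindow -DeletedAt (Get-Date '2009-10-27') `
#     -TombstoneLifetimeDays $policy.TombstoneLifetimeDays `
#     -GarbageCollectionHours $policy.GarbageCollectionHours
```

A negative DaysLeftToRestore means the tombstone has already expired on at least some DCs; anything you still see with a show-deleted search is simply waiting for that DC's next garbage collection pass.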

Once garbage collection has removed the tombstone, the object CAN NOT be recovered from the directory by any mechanism, and a backup taken before the deletion is by then older than the tombstone lifetime and no longer usable for a restore.


In my next post I will take you through the different options available in active directory restoration.




1 comment:

  1. Hi There,

    Thanks for sharing your thoughts - quite helpful and appreciated.

    On a related note, if you need to view a list of recently deleted objects (e.g. user accounts, groups etc.) in your Active Directory, there's a FREE tool called Gold Finger out there with which you can easily and instantly do so. (We came across it on WarePrise and have found it to be quite useful.)

    Gold Finger is developed by a Microsoft partner called Paramount Defenses, and has 300+ inbuilt Active Directory security reports covering 12 management categories, from account management to Trust management. Oh, and it's backed by FREE US based technical support.

    You can get (download) your own free copy from - http://www.paramountdefenses.com/goldfinger.php.

    If you're into Active Directory, Gold Finger is a must have.

    Thanks,
    John
