[ActiveDir] Finding out when an object was deleted
Is there a way to find out exactly when an object was deleted based on its tombstone ? For example, if a user object was deleted can I find it's tombstone somehow and retrieve a timestamp of when it was deleted ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Finding out when an object was deleted
Well the whenChanged attribute of the tombstone should be the date and time the object was deleted. joe [Thu 12/09/2004 13:06:47.35] F:\DEV\cpp\AdFindadfind -showdel -default -f (objectclass=user)(name=bob*)(isdeleted=TRUE) whenchanged AdFind V01.25.00cpp ALPHA Joe Richards ([EMAIL PROTECTED]) December 2004 Using server: 2k3dc01.joe.com Directory: Windows Server 2003 Base DN: DC=joe,DC=com dn:CN=bobuserdeny\0ADEL:4d51d923-3267-434d-a0f9-57020ff59767,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202144652.0Z dn:CN=bobuserDENY\0ADEL:9c7756a5-73b1-4f7b-91ea-5804ce94798e,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202143731.0Z 2 Objects returned The command completed successfully. [Thu 12/09/2004 13:07:09.50] F:\DEV\cpp\AdFind -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Thursday, December 09, 2004 12:37 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Finding out when an object was deleted Is there a way to find out exactly when an object was deleted based on its tombstone ? For example, if a user object was deleted can I find it's tombstone somehow and retrieve a timestamp of when it was deleted ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Finding out when an object was deleted
One could also look at the metadata and probably determine it that way too. And of course, auditing works too if you are trying to set something up rather than figure it out post-mortem. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 09, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Finding out when an object was deleted Well the whenChanged attribute of the tombstone should be the date and time the object was deleted. joe [Thu 12/09/2004 13:06:47.35] F:\DEV\cpp\AdFindadfind -showdel -default -f (objectclass=user)(name=bob*)(isdeleted=TRUE) whenchanged AdFind V01.25.00cpp ALPHA Joe Richards ([EMAIL PROTECTED]) December 2004 Using server: 2k3dc01.joe.com Directory: Windows Server 2003 Base DN: DC=joe,DC=com dn:CN=bobuserdeny\0ADEL:4d51d923-3267-434d-a0f9-57020ff59767,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202144652.0Z dn:CN=bobuserDENY\0ADEL:9c7756a5-73b1-4f7b-91ea-5804ce94798e,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202143731.0Z 2 Objects returned The command completed successfully. [Thu 12/09/2004 13:07:09.50] F:\DEV\cpp\AdFind -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Thursday, December 09, 2004 12:37 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Finding out when an object was deleted Is there a way to find out exactly when an object was deleted based on its tombstone ? For example, if a user object was deleted can I find it's tombstone somehow and retrieve a timestamp of when it was deleted ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Finding out when an object was deleted
You're the man, Joe. Thanks. Oh, and Eric - yes, auditing is definitely the first choice, but when the audit logs are no longer available but you're still inside the tombstone lifetime.(don't ask!) Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 09, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Finding out when an object was deleted Well the whenChanged attribute of the tombstone should be the date and time the object was deleted. joe [Thu 12/09/2004 13:06:47.35] F:\DEV\cpp\AdFindadfind -showdel -default -f (objectclass=user)(name=bob*)(isdeleted=TRUE) whenchanged AdFind V01.25.00cpp ALPHA Joe Richards ([EMAIL PROTECTED]) December 2004 Using server: 2k3dc01.joe.com Directory: Windows Server 2003 Base DN: DC=joe,DC=com dn:CN=bobuserdeny\0ADEL:4d51d923-3267-434d-a0f9-57020ff59767,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202144652.0Z dn:CN=bobuserDENY\0ADEL:9c7756a5-73b1-4f7b-91ea-5804ce94798e,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202143731.0Z 2 Objects returned The command completed successfully. [Thu 12/09/2004 13:07:09.50] F:\DEV\cpp\AdFind -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Thursday, December 09, 2004 12:37 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Finding out when an object was deleted Is there a way to find out exactly when an object was deleted based on its tombstone ? For example, if a user object was deleted can I find it's tombstone somehow and retrieve a timestamp of when it was deleted ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Finding out when an object was deleted
No problem, glad to help. One thing, note how sucky the filter I used is I use objectclass=user. Unfortunately objectcategory and samaccounttype are not kept through a delete in a default forest. This could be a little better though if I focused the base on the deleted objects container and/or I used objectsid or samaccountname in the filters. Another possibility would be to enable more items to be retained through a delete or even index the isdeleted attribute if you will be looking up deleted items a lot. Personally I am all for turning on things to kept through a delete as it may save your butt later when you want to undelete. Unless you do a lot of bulk adds/deletes and are tight on space you should be ok. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Thursday, December 09, 2004 2:33 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Finding out when an object was deleted You're the man, Joe. Thanks. Oh, and Eric - yes, auditing is definitely the first choice, but when the audit logs are no longer available but you're still inside the tombstone lifetime.(don't ask!) Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, December 09, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Finding out when an object was deleted Well the whenChanged attribute of the tombstone should be the date and time the object was deleted. joe [Thu 12/09/2004 13:06:47.35] F:\DEV\cpp\AdFindadfind -showdel -default -f (objectclass=user)(name=bob*)(isdeleted=TRUE) whenchanged AdFind V01.25.00cpp ALPHA Joe Richards ([EMAIL PROTECTED]) December 2004 Using server: 2k3dc01.joe.com Directory: Windows Server 2003 Base DN: DC=joe,DC=com dn:CN=bobuserdeny\0ADEL:4d51d923-3267-434d-a0f9-57020ff59767,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202144652.0Z dn:CN=bobuserDENY\0ADEL:9c7756a5-73b1-4f7b-91ea-5804ce94798e,CN=Deleted Objects,DC=joe,DC=com whenChanged: 20041202143731.0Z 2 Objects returned The command completed successfully. [Thu 12/09/2004 13:07:09.50] F:\DEV\cpp\AdFind -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Thursday, December 09, 2004 12:37 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Finding out when an object was deleted Is there a way to find out exactly when an object was deleted based on its tombstone ? For example, if a user object was deleted can I find it's tombstone somehow and retrieve a timestamp of when it was deleted ? List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
