February 17, 2004 12:00 AM

Searching for Tombstones

Windows IT Pro
InstantDoc ID #41578
Searching for tombstone objects in Windows Server 2003 or Windows 2000 is similar to searching for any other type of object, but with a couple of important differences. First, you must enable the Return Deleted Objects Lightweight Directory Access Protocol (LDAP) control as part of the search operation. Second, if you want to limit your results to tombstones, you need either to set the search base to the target partition's Deleted Objects container or to use (isDeleted=TRUE) as part of your search filter.

Let's walk through a sample search operation by using the Ldp tool, which is available in either the Windows 2003 or Win2K Support Tools, to search for all tombstone objects in a domain. (The Windows 2003 version of Ldp offers some expanded capabilities.) Open Ldp and connect to the target domain controller (DC) by selecting Connection, Connect from the tool's menu bar. After you've established a connection, select Connection, Bind from the tool's menu bar. Only members of the Domain Admins group can search for tombstone objects, so you'll need to use a Domain Admins username and password to authenticate.

Next, select Options, Controls from the menu bar. The resulting window varies a little depending on whether you're using the Windows 2003 or Win2K version of Ldp; Web Figure A (http://www.winnetmag.com/windowssecurity, InstantDoc ID 41578) shows the Windows 2003 version, and Web Figure B shows the Win2K version. In Windows 2003, simply select Return deleted objects from the drop-down list under the Load Predefined heading. In Win2K, enter 1.2.840.113556.1.4.417 in the Object Identifier field; this string is the Object Identifier (OID) representation of the Return deleted objects control. In both Ldp versions, make sure that the Server option (under Control Type) and the Critical check box are selected. Click Check in, then click OK.

Click Browse and select Search. In the Base Dn field, enter the distinguished name (DN) of the domain's Deleted Objects container (e.g., cn=Deleted Objects,dc=rallencorp,dc=com). In the Filter field, enter

(isDeleted=TRUE)

This filter searches for all tombstone objects. To view all deleted user objects, enter

(&(isDeleted=TRUE)(objectClass=user))

Under Scope, select the One Level option, then click Options. Under Search Call Type, select the Extended option, then click OK. Click Run to execute the search.

The Ldp results pane will show output similar to the output that Figure A shows. The sample output shows that only one tombstone object exists in the Deleted Objects container.
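The same search can be scripted. The PowerShell function below is an added example, not part of the original article: it uses the .NET System.DirectoryServices.Protocols classes to send the Return deleted objects control with a one-level search of the Deleted Objects container. The function name, parameter names, and the attributes it requests are illustrative choices, and the server name is whatever DC you pass in.

```powershell
# Added example: scripted equivalent of the Ldp tombstone search.
# Requires PowerShell 5 or later and an account allowed to read tombstones
# (the article states Domain Admins membership is required).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-Tombstone {
    param(
        [Parameter(Mandatory)] [string] $Server,    # DC to query (caller supplies)
        [Parameter(Mandatory)] [string] $DomainDN,  # e.g. 'dc=rallencorp,dc=com'
        [string] $Filter = '(isDeleted=TRUE)'       # or '(&(isDeleted=TRUE)(objectClass=user))'
    )

    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()    # binds with the credentials of the current user

        # Base DN = the domain's Deleted Objects container, scope = One Level.
        $attrs   = [string[]]@('objectClass', 'whenChanged')
        $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
            "cn=Deleted Objects,$DomainDN", $Filter,
            [System.DirectoryServices.Protocols.SearchScope]::OneLevel, $attrs)

        # ShowDeletedControl is OID 1.2.840.113556.1.4.417; its defaults are
        # server-side and critical, matching the Ldp settings in the article.
        $control = [System.DirectoryServices.Protocols.ShowDeletedControl]::new()
        $null = $request.Controls.Add($control)

        $response = $conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            $values = @{}
            foreach ($name in $attrs) {
                # Not every attribute is guaranteed to be present on an entry.
                if ($entry.Attributes.Contains($name)) {
                    $values[$name] = $entry.Attributes[$name].GetValues([string]) -join ';'
                }
            }
            [pscustomobject]@{
                DistinguishedName = $entry.DistinguishedName
                ObjectClass       = $values['objectClass']
                WhenChanged       = $values['whenChanged']
            }
        }
    }
    finally { $conn.Dispose() }
}
```

Without the control, the same request returns no tombstones, because the server hides deleted objects from ordinary searches.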

Comments
  • Brad
    3 years ago
    Jan 15, 2009

    I hate this

  • Davanand
    4 years ago
    Aug 20, 2008

    test

  • Paul
    4 years ago
    May 20, 2008

    Would be nice to ring it before commenting

  • Kent
    5 years ago
    Aug 15, 2007

    need to read it first

  • Robert
    5 years ago
    Mar 11, 2007

    Test
