He should be able to return at least the Deleted Objects container as a normal user. He will at best, by default[1], only see the DN of the container though. I agree that the WKGUID= will work, it is an MS LDAP thing, it hits the LDAP Server and it knows how to handle it, sort of like being able to use various forms of auth creds such as domain\user, etc. Anyway, I can use it from ADFIND if I want just like GUID= and SID= and I can vouch that there is absolutely no ADSI interaction in ADFIND, I wouldn't hear of it and I certainly wouldn't code it.

Anyway, versus trying to work out what may be wrong here, I would suggest to Tom to pull out ADFIND and do the query from ADFIND with the -showdel switch. I think you will find it is much more friendly to use that than ldp anyway. You should be able to do the query either this way

adfind -b "<WKGUID=18E2EA80684F11D2B9AA00C04F79F805,dc=<domain>,dc=com>" -showdel -f *

or

adfind -b "cn=deleted objects,dc=<domain>,dc=com" -showdel -f *

Please note that not all objects that are deleted end up in the deleted objects bin. There are objects such as dynamic objects that don't tombstone, this is pretty well known and documented. There are also some objects (for reasons I have no clear understanding of why) that stay in their original location when they are deleted[2] - such as sites and their subobjects. This is based on the systemflags setting when the objects are created (not what is on the object class definition in the schema). When you create a site the systemflags attribute will normally be set to 1107296256 which is 0x42000000 which is

o The object cannot be moved.
o The object is not moved to the Deleted Objects container when it is deleted. It will be deleted immediately.

(From - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_systemflags.asp)

Now that part about being deleted immediately is kind of funny because the object is tombstoned just like anything else moved to deleted objects. It simply isn't moved there. You can create the objects so that isn't set by specifying an actual systemflags value[3] so a site will be moved to the DO container like a normal object. Again, no clue why MS did it this way.

joe

[1] I am actually in possession of a tool I wrote that allows you to arbitrarily set anyone you want to be able to read the DO containers. I am thinking about releasing it but will probably charge some small amount for it.

[2] I was talking to Dean one time and he dropped this little piece of info on me and I played around with it a little. It is actually fun having random talks with Dean because of this, he just has so much information milling about in his noggin you never know what will drop out. Plus he has a funny accent. ;o)

[3] You can't do that in sites and services though, the training wheels get in the way.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 10:29 PM
To: [email protected]
Subject: RE: [ActiveDir] More LDP issues

On the WKGUID thing, that binding syntax is definitely not an ADSI thing. It is supported by AD directly and works in other APIs as well. That said, I'm not sure why there would have been a problem searching the deleted objects container by the WKGUID. Perhaps the bind wasn't done with a Domain Admin account?

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, April 08, 2005 2:00 PM
To: [email protected]
Subject: RE: [ActiveDir] More LDP issues

I believe the WKGUID= format is only decoded by ADSI, not LDAP. You need to specify the correct DN of the deleted object. Items in the deleted objects container have DNs of the form CN=<original cn>\0ADEL:f3c336a8-0652-47c9-8965-aa3ec83a998e,CN=Deleted Objects,DC=<yourdomain>,DC=com. The guid segment of the DN is the objectGuid of the deleted object, in string form, not escaped binary. If you don't know the guid, you might start by doing a one level search on the deleted items container and locating the correct object in the results that way.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, April 08, 2005 10:09 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] More LDP issues

I'm trying to look in the deleted objects container in my domain using ldp. I've entered the OID control of 1.2.840.113556.1.4.417 and I think I've set everything up correctly. But I keep getting this error-

ldap_search_ext_s(ld, "<WKGUID=18E2EA80684F11D2B9AA00C04F79F805,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET>", 2, "(objectclass=*)", NULL, 0, svrCtrls, ClntCtrls, 600000000, 1200, &msg)
Error: Search: No Such Object. <32>
Result <32>: 0000208D: NameErr: DSID-03100198, problem 2001 (NO_OBJECT), data 0, best match of: ''
Matched DNs:
Getting 0 entries:

any help?
thanks

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
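The pieces the thread juggles by hand (the show-deleted control OID Tom enabled in ldp, the <WKGUID=...> base DN, the CN=<cn>\0ADEL:<guid> tombstone DN shape Gil describes, and the systemFlags bits joe decodes for sites) are pulled together in the Python below. This is an added example, not code from the thread, from ADFIND or from ldp. The FLAG_* names are the Windows SDK / MS-ADTS constant names for the systemFlags bits; the domain names, DNs and GUID in the demo are constructed; search_tombstones is written against the python ldap3 Connection.search() API and is an assumption that is not exercised offline.

```python
"""Helpers for reading Active Directory tombstones over LDAP (added example)."""
import re
import uuid

# LDAP_SERVER_SHOW_DELETED_OID: the server control Tom entered in ldp.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
# Well-known GUID of the Deleted Objects container, as used in the thread's WKGUID base.
GUID_DELETED_OBJECTS_CONTAINER = "18E2EA80684F11D2B9AA00C04F79F805"

# systemFlags bits. Names are the Windows SDK / MS-ADTS FLAG_* constants (assumed from
# that documentation, not from the thread). Dict order is ascending bit order.
SYSTEM_FLAGS = {
    0x00000001: "FLAG_ATTR_NOT_REPLICATED",
    0x00000002: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    0x00000004: "FLAG_ATTR_IS_CONSTRUCTED",
    0x00000008: "FLAG_ATTR_IS_OPERATIONAL",
    0x00000010: "FLAG_SCHEMA_BASE_OBJECT",
    0x00000020: "FLAG_ATTR_IS_RDN",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x80000000: "FLAG_DISALLOW_DELETE",
}


def decode_system_flags(value):
    """Names of the bits set in a systemFlags value. AD hands the attribute back as a
    signed 32-bit integer, so negative values (0x80000000 set) are masked first."""
    value &= 0xFFFFFFFF
    return [name for bit, name in SYSTEM_FLAGS.items() if value & bit]


def goes_to_deleted_objects(system_flags):
    """True if a tombstone of this object will be moved under Deleted Objects.
    FLAG_DISALLOW_MOVE_ON_DELETE (0x02000000) leaves it in place, as joe saw for sites."""
    return not (system_flags & 0xFFFFFFFF) & 0x02000000


def domain_dn_from_fqdn(fqdn):
    """'example.com' -> 'DC=example,DC=com'."""
    return ",".join(f"DC={label}" for label in fqdn.split("."))


def wkguid_base(domain_dn, guid=GUID_DELETED_OBJECTS_CONTAINER):
    """Build the <WKGUID=...,domainDN> search base that the DC resolves server-side."""
    return f"<WKGUID={guid},{domain_dn}>"


# Tombstone RDN: CN=<original cn> + escaped line feed (\0A) + DEL:<objectGUID string>.
_TOMBSTONE_DN = re.compile(
    r"^CN=(?P<cn>.*?)(?:\\0A|\n)DEL:"
    r"(?P<guid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}),"
    r"(?P<parent>.+)$",
    re.IGNORECASE | re.DOTALL,
)


def parse_tombstone_dn(dn):
    """Split a deleted object's DN into original CN, objectGUID and container DN.
    Returns None for a DN that is not in tombstone form."""
    m = _TOMBSTONE_DN.match(dn)
    if not m:
        return None
    return {"cn": m.group("cn"), "objectGUID": uuid.UUID(m.group("guid")),
            "parent": m.group("parent")}


def show_deleted_control(critical=True):
    """Control tuple in the (oid, criticality, value) form ldap3 accepts; no value."""
    return (SHOW_DELETED_OID, critical, None)


def search_tombstones(conn, domain_dn, ldap_filter="(isDeleted=TRUE)"):
    """Assumed ldap3 usage: conn is a bound ldap3.Connection whose account can read the
    Deleted Objects container (by default that means a Domain Admin, per the thread).
    Not run offline; returns [(dn, parsed_tombstone_or_None), ...]."""
    conn.search(wkguid_base(domain_dn), ldap_filter,
                attributes=["cn", "objectGUID", "lastKnownParent", "systemFlags"],
                controls=[show_deleted_control()])
    return [(e.entry_dn, parse_tombstone_dn(e.entry_dn)) for e in conn.entries]


if __name__ == "__main__":
    # Constructed values: joe's site systemFlags and a tombstone DN in Gil's shape.
    print(decode_system_flags(1107296256))
    print(wkguid_base(domain_dn_from_fqdn("example.com")))
    print(parse_tombstone_dn(
        "CN=John Doe\\0ADEL:f3c336a8-0652-47c9-8965-aa3ec83a998e,"
        "CN=Deleted Objects,DC=example,DC=com"))
```

Two things the decoder makes visible: 0x42000000 is FLAG_DISALLOW_MOVE_ON_DELETE together with FLAG_CONFIG_ALLOW_RENAME, so the bit that keeps a deleted site in place is 0x02000000, and any object whose systemFlags carries that bit will not show up under the WKGUID base even with the control set; search the whole naming context with (isDeleted=TRUE) if you need those too.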
