In addition to what Tomasz said...
How objects are deleted / tombstoned (simplified!)
* The "isDeleted" attribute is set to TRUE (which marks the object as a
tombstone - an object that has been deleted but not fully removed from the
directory).
* The relative distinguished name (RDN) of the object is set to a value that
cannot be set by an LDAP application (a value that is impossible).
* ALL attributes not needed by AD are stripped, except for the important
attributes like "objectGUID", "objectSid", "distinguishedName",
"nTSecurityDescriptor" and "uSNChanged", which are preserved on the tombstone.
* On W2K3 SP1 DCs, the "sIDHistory" attribute is also preserved
* The tombstone is moved to the "Deleted Objects" container of the partition
where the object resides. (If the object's systemFlags attribute contains the
0x02000000 flag, e.g. the NTDS Settings object of a DC, the object is not
moved to the Deleted Objects container.)
Configuring which attributes are retained when an object is tombstoned
* Besides the mandatory retained attributes, additional attributes can be
configured in the schema to be retained when an object is tombstoned
* Using ADSIEDIT.MSC and connecting to the schema partition
* Each attribute has a "searchFlags" property which consists of bits, each with
a certain meaning
* Enabling the FOURTH bit (bit 3) on the property preserves the attribute in
the tombstone of the deleted objects
1st bit (bit 0): 2^0=1, 2nd bit (bit 1): 2^1=2, 3rd bit (bit 2): 2^2=4, 4th bit
(bit 3): 2^3=8
More info
How the Data Store Works
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx
Creating and Deleting Active Directory Objects
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_and_deleting_active_directory_objects.asp
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: <see sender address>

________________________________
From: [EMAIL PROTECTED] on behalf of Steele, Aaron [BSD] - ADM
Sent: Tue 2006-04-18 23:05
To: [email protected]
Subject: [ActiveDir] Tombstone attributes

Hi there all,

Does anyone here know why Microsoft chose not to include the attributes related to user password and sidHistory in the tombstone of an object upon deletion? Was it a security decision? I would like to get some input from people here before I go and update my schema to enable the restoration of these properties from the tombstoned object.

Thanks for your input.

/aaron

Aaron Steele
University of Chicago
Enterprise Systems Administrator
P: 773.834.9099
E: [EMAIL PROTECTED]
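The schema change Jorge describes (setting bit 3, value 8, of searchFlags on an attributeSchema object so the attribute survives tombstoning) can be done from PowerShell instead of ADSIEDIT.MSC. The script below is an added example written for this archived thread; it is not code posted by Jorge or Aaron. It assumes the ActiveDirectory PowerShell module, Schema Admins rights and a reachable schema master; the attribute name "employeeID" in the usage lines is only an illustration. It decodes the existing bits first, ORs the preserve-on-delete bit in rather than overwriting the whole value, and reads a deleted test object's tombstone back so you can confirm the attribute was kept.

```powershell
# Added example for this thread (not code posted by Jorge or Aaron).
# Assumptions: ActiveDirectory module, Schema Admins rights, schema master reachable.
Import-Module ActiveDirectory

# searchFlags bit meanings (MS-ADTS 2.2.9). Bit 3 (value 8) keeps the
# attribute on the tombstone; the others are shown so you see what is
# already set before you touch the value.
$SearchFlagBits = [ordered]@{
    1   = 'fATTINDEX          (indexed)'
    2   = 'fPDNTATTINDEX      (indexed per container)'
    4   = 'fANR               (ambiguous name resolution)'
    8   = 'fPRESERVEONDELETE  (kept on tombstone)'
    16  = 'fCOPY              (copied when duplicating a user)'
    32  = 'fTUPLEINDEX        (tuple index)'
    64  = 'fSUBTREEATTINDEX   (VLV subtree index)'
    128 = 'fCONFIDENTIAL      (read needs CONTROL_ACCESS)'
}
$PreserveOnDelete = 8
$SchemaMaster = (Get-ADForest).SchemaMaster   # schema writes must go here

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $attr = Get-ADObject -Server $SchemaMaster -SearchBase $schemaNC `
        -LDAPFilter $filter -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in $schemaNC" }
    return $attr
}

function Show-SearchFlags {
    # Decode the bitmask of one attribute.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute $LdapDisplayName
    $flags = [int]$attr.searchFlags
    "{0}: searchFlags = {1} (0x{1:X})" -f $LdapDisplayName, $flags
    foreach ($bit in $SearchFlagBits.Keys) {
        if ($flags -band $bit) { "  [x] {0,4} {1}" -f $bit, $SearchFlagBits[$bit] }
    }
}

function Set-PreserveOnDelete {
    # OR the bit in; assigning 8 outright would wipe the other flags
    # (e.g. an index bit). Nothing is written unless -Apply is given.
    param([Parameter(Mandatory)][string]$LdapDisplayName, [switch]$Apply)
    $attr = Get-SchemaAttribute $LdapDisplayName
    $current = [int]$attr.searchFlags
    if ($current -band $PreserveOnDelete) {
        "$LdapDisplayName already has fPRESERVEONDELETE set"; return
    }
    $new = $current -bor $PreserveOnDelete
    "$LdapDisplayName : searchFlags $current -> $new"
    if ($Apply) {
        Set-ADObject -Server $SchemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = $new }
        "Schema updated on $SchemaMaster; this replicates forest-wide."
    } else {
        "Dry run; re-run with -Apply to write."
    }
}

function Get-TombstoneAttribute {
    # Verify: delete a throwaway test object, then read its tombstone back.
    # Tombstones live in Deleted Objects and need -IncludeDeletedObjects.
    param([Parameter(Mandatory)][string]$ObjectGuid,
          [Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties isDeleted, $LdapDisplayName |
        Select-Object Name, isDeleted, $LdapDisplayName
}

# Usage (attribute and GUID are placeholders):
# Show-SearchFlags -LdapDisplayName employeeID
# Set-PreserveOnDelete -LdapDisplayName employeeID          # dry run
# Set-PreserveOnDelete -LdapDisplayName employeeID -Apply   # write it
# Get-TombstoneAttribute -ObjectGuid '<objectGUID of a deleted test user>' -LdapDisplayName employeeID
```

Record the objectGUID of the test object before deleting it, since the tombstone's RDN is mangled and the GUID is the reliable way to find it. Schema edits replicate to every DC in the forest and cannot be undone by simply deleting the attribute, so run the dry run and check the decoded flags before adding -Apply.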
