Active Directory Friday: Determine tombstone lifetime

In Active Directory, objects are tombstoned after a deletion occurs. This allows the deletion to replicate between domain controllers before the object is removed from the Active Directory data store. The default value depends on the Windows Server version on which the forest was initially created; Microsoft recommends that this is set to 180 days.

The tombstone lifetime is set at the forest level and can be viewed by running the following code:

([adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$(([adsi]'LDAP://RootDSE').configurationNamingContext)").tombstoneLifetime

Alternatively, the value can be retrieved with the Get-ADObject cmdlet:

$HashSplat = @{
    Identity = 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=jaapbrasser,DC=com'
    Partition = 'CN=Configuration,DC=jaapbrasser,DC=com'
    Properties = 'tombstoneLifetime'
}
Get-ADObject @HashSplat | Select-Object -Property tombstoneLifetime
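The same RootDSE lookup, wrapped in a function that also checks the two things worth acting on: whether the value is below the recommended 180 days, and whether a backup is already too old to be used for an Active Directory restore. This is an added example, not code from the original post; it assumes a domain-joined session with read access to the Configuration partition, and the -LastKnownGoodBackup parameter is a hypothetical input you supply.

```powershell
# Added example: read the forest tombstone lifetime via RootDSE and evaluate it.
function Test-TombstoneLifetime {
    param(
        [int]$RecommendedDays = 180,              # Microsoft's recommended value
        [datetime]$LastKnownGoodBackup           # hypothetical: date of your newest AD backup
    )
    $rootDse  = [adsi]'LDAP://RootDSE'
    $configNc = $rootDse.psbase.Properties['configurationNamingContext'].Value
    $dsObject = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    # When the attribute has never been set the directory behaves as if it were
    # 60 days, which is what forests created on older server versions still use.
    $raw      = $dsObject.psbase.Properties['tombstoneLifetime'].Value
    $lifetime = if ($null -eq $raw) { 60 } else { [int]$raw }

    $result = [PSCustomObject]@{
        TombstoneLifetimeDays = $lifetime
        ExplicitlySet         = ($null -ne $raw)
        MeetsRecommendation   = ($lifetime -ge $RecommendedDays)
        BackupAgeDays         = $null
        BackupStillUsable     = $null
    }
    if ($PSBoundParameters.ContainsKey('LastKnownGoodBackup')) {
        # A backup older than the tombstone lifetime cannot be used to restore AD.
        $age = [int]((Get-Date) - $LastKnownGoodBackup).TotalDays
        $result.BackupAgeDays     = $age
        $result.BackupStillUsable = ($age -lt $lifetime)
    }
    $result
}

# Usage: evaluate the forest against a backup taken 45 days ago (constructed date).
Test-TombstoneLifetime -LastKnownGoodBackup (Get-Date).AddDays(-45)
```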

Update to Get-RemoteProgram – Get list of installed programs on remote or local computer

Over the weekend I have taken a look at the requests and current functionality of my Get-RemoteProgram script, a script that gathers the programs installed on local or remote systems by querying the registry and displaying the results to the console as PowerShell objects.

Get-RemoteProgram – Get list of installed programs on remote or local computer

Three new improvements have been implemented to the script:

  • Correctly searches the Wow6432Node for 32-bit applications on 64-bit systems
  • Added a new parameter, -Property, to specify additional properties to be loaded from the registry
  • Added support for supplying computer names to the function through the pipeline

The new parameter -Property is the biggest change to this script; it allows, for example, direct uninstallation based on the output of Get-RemoteProgram:

Get-RemoteProgram -Property UninstallString |
Where-Object {$_.ProgramName -match 'java'} | ForEach-Object {
    cmd /c $_.uninstallstring
}

Here are some additional examples of how the script can be used:

Get-RemoteProgram

Will generate a list of installed programs on the local machine

Get-RemoteProgram -ComputerName server01,server02

Will generate a list of installed programs on server01 and server02

Get-RemoteProgram -ComputerName Server01 -Property DisplayVersion,VersionMajor

Will gather the list of programs from Server01 and attempt to retrieve the DisplayVersion and VersionMajor values from the registry for each installed program

'server01','server02' | Get-RemoteProgram -Property Uninstallstring

Will retrieve the installed programs on server01 and server02, which are passed to the function through the pipeline, and also retrieve the uninstall string for each program
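To show what the script's registry lookup involves, here is a small stand-alone function that reads both the native Uninstall key and the Wow6432Node key (where 32-bit applications live on 64-bit Windows), accepts computer names from the pipeline and loads extra values through a -Property parameter, like the examples above. This is an added example and not the Get-RemoteProgram script itself; it assumes the remote registry service is reachable on any remote computer you pass in.

```powershell
# Added example: registry-based software inventory covering native and WOW64 keys.
function Get-InstalledProgramFromRegistry {
    param(
        [Parameter(ValueFromPipeline)][string[]]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Property = @()             # extra registry values to include
    )
    process {
        foreach ($computer in $ComputerName) {
            $hive  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $paths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                     'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
            foreach ($path in $paths) {
                $key = $hive.OpenSubKey($path)
                if ($null -eq $key) { continue }      # Wow6432Node is absent on 32-bit Windows
                foreach ($name in $key.GetSubKeyNames()) {
                    $sub = $key.OpenSubKey($name)
                    $displayName = $sub.GetValue('DisplayName')
                    # Entries without a DisplayName are patches or placeholders; skip them.
                    if ([string]::IsNullOrEmpty($displayName)) { $sub.Close(); continue }
                    $obj = [ordered]@{
                        ComputerName = $computer
                        ProgramName  = $displayName
                        Architecture = if ($path -like '*Wow6432Node*') { 'x86 (WOW64)' } else { 'Native' }
                    }
                    foreach ($p in $Property) { $obj[$p] = $sub.GetValue($p) }
                    [PSCustomObject]$obj
                    $sub.Close()
                }
                $key.Close()
            }
            $hive.Close()
        }
    }
}

# Usage mirroring the post: list Java installs on the local machine with their uninstall strings.
Get-InstalledProgramFromRegistry -Property UninstallString |
    Where-Object { $_.ProgramName -match 'java' }
```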

Active Directory Friday: Search for computers accounts

I have decided to reintroduce Active Directory Friday on my blog, so today is the start of the new series of articles on Friday. The format remains the same as the previous posts. Usually the examples will be written using .Net objects or the [adsi] and [adsisearcher] accelerators, although occasionally examples using the Active Directory cmdlets will be posted. My preference for avoiding the cmdlets is mostly compatibility: usually only a select number of systems have access to the Active Directory module, so it pays off to know the native method as well.

Today we will take a look at how to find computer objects in Active Directory using the DirectoryServices.DirectorySearcher object. In order to search for computer objects the following properties of this object will be set:

  • Filter – This contains the LDAP filter used to select only the computer objects by specifying the objectCategory
  • PageSize – This allows paging to occur; by specifying the PageSize, more than 1000 results can be returned

$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = '(objectCategory=computer)'
    PageSize = 500
}

To search a specific organizational unit, the SearchRoot property can be used; only computer objects in the Servers OU will be returned by this search:

$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = '(objectCategory=computer)'
    PageSize = 500
    SearchRoot = 'LDAP://OU=Servers,DC=jaapbrasser,DC=com'
    SearchScope = 'Subtree'
}

The SearchScope property has been set to Subtree, which means that the OU will be searched recursively and all child OUs will be included in the search. There are a total of three options available for the SearchScope property:

  • Base – Only returns the object at the SearchRoot itself
  • OneLevel – Only searches the current container, will not recursively search
  • Subtree – Searches recursively through all child containers
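The searcher above, carried through to actually running the search and turning each result into an object, with SearchScope exposed as a parameter so the three scopes can be compared, and with the last logon timestamp included so that computer accounts that have not logged on for a long time can be reviewed. This is an added example, not code from the original post; it assumes a domain-joined session, and the default OU path is the post's jaapbrasser.com example and must be replaced.

```powershell
# Added example: DirectorySearcher for computer objects with paging, scope and stale-account marking.
function Find-ADComputer {
    param(
        [string]$SearchRoot = 'LDAP://OU=Servers,DC=jaapbrasser,DC=com',
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$SearchScope = 'Subtree',
        [int]$StaleDays = 90                      # hypothetical threshold for "stale"
    )
    # Returns the first value of a result property, or $null when the attribute is absent.
    function First($values) { if ($values.Count -gt 0) { $values[0] } else { $null } }

    $searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
        Filter      = '(objectCategory=computer)'
        PageSize    = 500                        # paging, so more than 1000 objects come back
        SearchRoot  = [adsi]$SearchRoot
        SearchScope = $SearchScope
    }
    # Only load the attributes used below; keeps each page of results small.
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem', 'lastLogonTimestamp', 'userAccountControl'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p  = $r.Properties                   # keys are lower-case attribute names
            $ts = First $p['lastlogontimestamp']
            # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601) and may never have been set.
            $lastLogon = if ($null -ne $ts) { [datetime]::FromFileTime([int64]$ts) } else { $null }
            $uac = [int](First $p['useraccountcontrol'])
            [PSCustomObject]@{
                Name            = [string](First $p['name'])
                OperatingSystem = [string](First $p['operatingsystem'])
                LastLogon       = $lastLogon
                Disabled        = ($uac -band 0x2) -ne 0          # ACCOUNTDISABLE flag
                Stale           = ($null -eq $lastLogon) -or ($lastLogon -lt (Get-Date).AddDays(-$StaleDays))
            }
        }
    }
    finally {
        $results.Dispose()                        # releases the paged search handle
        $searcher.Dispose()
    }
}

# Usage: computers directly in the Servers OU (no child OUs) that look stale.
Find-ADComputer -SearchScope OneLevel | Where-Object Stale
```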

QuickTip: Determine if current PowerShell session is 64bit

Occasionally it might be interesting to know whether your current PowerShell session is running in 64-bit. This tip describes how to determine this and how to start either a 32-bit or 64-bit session of PowerShell. To quickly determine if your current PowerShell session is 32-bit or 64-bit, use the following code:

[IntPtr]::Size

There are two possible results from this code:

  • 4 – x86
  • 8 – x64

Keep this in mind, especially if you intend to execute memory-dependent tasks in PowerShell; testing whether the script is executing in a 64-bit context is a good idea.

If a system is 64-bit the following two paths are available for the PowerShell executable:

  • C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (32-bit)
  • C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (64-bit)
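The check and the relaunch combined, as an added example that is not from the original post: it reports the bitness of the current session and, when that session is 32-bit on 64-bit Windows, runs a command in the 64-bit host instead. One caveat the paths above do not show: a 32-bit process that opens C:\Windows\System32 is silently redirected to SysWOW64, so from a 32-bit session the 64-bit executable has to be reached through the Sysnative alias. Assumes .NET 4 or later for the [Environment] bitness properties.

```powershell
# Added example: detect session bitness and run a command in 64-bit PowerShell.
function Get-PowerShellBitness {
    [PSCustomObject]@{
        PointerSize = [IntPtr]::Size                        # 4 = x86 session, 8 = x64 session
        Is64BitOS   = [Environment]::Is64BitOperatingSystem
        Is64BitProc = [Environment]::Is64BitProcess
    }
}

function Start-PowerShell64 {
    param([Parameter(Mandatory)][string]$Command)           # hypothetical: command text to run
    $info = Get-PowerShellBitness
    if ($info.Is64BitProc) {
        # Already 64-bit: run the command in the current session.
        return & ([scriptblock]::Create($Command))
    }
    if (-not $info.Is64BitOS) {
        throw 'No 64-bit PowerShell is available on a 32-bit operating system.'
    }
    # From a 32-bit process, System32 is redirected to SysWOW64; Sysnative reaches the real System32.
    $exe = Join-Path $env:windir 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $exe -NoProfile -Command $Command
}

# Usage: run a memory-heavy step in a 64-bit context regardless of where the script was started.
Start-PowerShell64 -Command '[IntPtr]::Size'
```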

New article on PowerShell Magazine: Show friendly GPO names with Get-ADOrganizationalUnit

Today's tip is on how to use the Get-OUWithGPOLink function in combination with the Get-ADOrganizationalUnit cmdlet. The output of Get-ADOrganizationalUnit is updated with a new property, FriendlyGPODisplayName. The article is available on PowerShell Magazine:

The full script is also available in the TechNet Script Gallery, Get-OUWithGPO.ps1, at the following link: