In Active Directory, objects are tombstoned after a deletion rather than removed immediately. This allows the deletion to replicate to every domain controller before the object is finally purged from the Active Directory data store. The default tombstone lifetime depends on the version of Windows Server on which the forest was initially created: newer forests default to 180 days, while older forests default to 60 days, in which case the tombstoneLifetime attribute is not set at all and an empty value must be read as 60 days. Microsoft recommends that this is set to 180 days. Keep in mind that the same value bounds how old an Active Directory backup may be before it can no longer be restored, and (when the AD Recycle Bin is enabled and msDS-DeletedObjectLifetime is not set) how long a deleted object can be recovered.
The tombstone lifetime is set at the forest level, in the tombstoneLifetime attribute of the CN=Directory Service object in the configuration partition. It can be viewed by running the following code, which resolves the configuration naming context from RootDSE so it works in any forest:

```powershell
([adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$(([adsi]"LDAP://RootDSE").configurationNamingContext)").tombstoneLifetime
```

If this returns nothing, the attribute has never been set and the effective value is 60 days.
Alternatively, this can also be retrieved by using the Get-ADObject cmdlet from the ActiveDirectory module. Because the object lives in the configuration partition, the -Partition parameter is required:

```powershell
$HashSplat = @{
    Identity   = 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=jaapbrasser,DC=com'
    Partition  = 'CN=Configuration,DC=jaapbrasser,DC=com'
    Properties = 'tombstoneLifetime'
}
Get-ADObject @HashSplat | Select-Object -Property tombstoneLifetime
```
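The two snippets above only read the raw attribute. As an added example (not code from the original post), the function below reads the value the same way, treats a missing attribute as the 60-day default, and reports whether the forest meets the 180-day recommendation. It assumes the ActiveDirectory RSAT module is installed and a domain controller is reachable; the function name and the -RecommendedDays parameter are my own choices for this example.

```powershell
# Added example (not from the original post): report the forest tombstone
# lifetime and flag it against the 180-day recommendation.
# Assumes the ActiveDirectory RSAT module and a reachable domain controller.
Import-Module ActiveDirectory   # required on WS2008R2 / PowerShell 2.0, harmless later

function Get-TombstoneLifetimeReport {
    [CmdletBinding()]
    param(
        # Threshold for the check; 180 is Microsoft's recommended value
        [int]$RecommendedDays = 180
    )

    # Derive the configuration naming context instead of hard-coding a DN,
    # so the same code works in any forest.
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext

    $dsObject = Get-ADObject `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Partition $configNC `
        -Properties tombstoneLifetime

    # If the attribute has never been set, AD uses 60 days. Report the
    # effective value rather than an empty result.
    $explicit = $dsObject.tombstoneLifetime
    if ($null -eq $explicit) {
        $effective = 60
        $source    = 'default (attribute not set)'
    } else {
        $effective = [int]$explicit
        $source    = 'explicitly set'
    }

    [PSCustomObject]@{
        Forest                 = (Get-ADForest).Name
        TombstoneLifetimeDays  = $effective
        Source                 = $source
        RecommendedDays        = $RecommendedDays
        MeetsRecommendation    = ($effective -ge $RecommendedDays)
        # Backups older than the tombstone lifetime can no longer be restored
        OldestRestorableBackup = (Get-Date).AddDays(-$effective)
    }
}

Get-TombstoneLifetimeReport

# To raise the value (forest-wide change, needs Enterprise Admins), remove -WhatIf:
# $configNC = (Get-ADRootDSE).configurationNamingContext
# Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
#     -Partition $configNC -Replace @{ tombstoneLifetime = 180 } -WhatIf
```

Changing tombstoneLifetime is a forest-wide setting that replicates to every domain controller, so test the Set-ADObject call with -WhatIf first and make sure no domain controller has been offline longer than the old value before shortening it.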
Hi,
Nice one
I had to add -properties * to make it work on WS2012
On WS2008R2, ipmo ActiveDirectory is required.
Thanks for catching that, I have updated the $HashSplat variable accordingly. I'm glad to hear you liked the post!