We need a simple LDAP query that will return all the samaccountnames of the user objects residing in the deleted objects folder.
Sounds easy?
I am aware of the (isDeleted=TRUE) attribute, but am also aware of the deleted object control (1.2.840.113556.1.4.417) -- I just can't seem to put them all together into a functioning query. I realize from reading that deleted objects are invisible to normal LDAP searches without this control. I've looked all over for the proper syntax of linking these up, but can't. I have found evidence that says this is possible with LDAP queries, not just through GUI tools. We NEED a query to accomplish our task. (check the Active Directory cookbook on Google books)
If anyone can toss together a query that would output the samaccount names of the user objects in the deleted objects folder, you'd be awesome.
You can use the PowerShell AD cmdlet Get-ADObject for this. It supports both the LDAPfilter and IncludeDeletedObjects parameters. See this link (and examples 4 and 5):
https://technet.microsoft.com/en-us/library/ee617198.aspx
The LDAPFilter you want might be
(&(objectCategory=person)(objectClass=user)(isDeleted=TRUE))
combined with the -IncludeDeletedObjects parameter. The explanation for this parameter in the help I linked lists the LDAP controls that it uses, in case you cannot use PowerShell.
Hi Richard,
Thanks for your valuable input. This query works fine if the user is marked as going to be deleted by checking the "isDeleted" attribute as true. This doesn't work when the AD user has been deleted by selecting the user and clicking on the Delete option.
In this case is there any way to get the user from some LDAP query?
Regards
Saroj Singh
Hi Saroj Singh,
To ensure you get better support, I suggest you turn to our Active Directory forum for dedicated support. Sorry for any inconvenience this caused. Thanks for your understanding.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
Best regards,
The following worked for me:
Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE))" -Properties sAMAccountName -IncludeDeletedObjects
The sAMAccountName attribute must be specified with the -Properties parameter, because it is not a default property exposed by Get-ADObject. If you add the clause "(objectCategory=person)" you get nothing because deleted objects have no objectCategory (which I did not know until I experimented). Unfortunately, the command also retrieves computer objects, since they also have class "user". Finally, "TRUE" above is case sensitive, so you get nothing if you use "True". Boolean attributes, like isDeleted, are the only cases where the values are case sensitive in LDAP filters. Does this help?
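The caveats in the answer above (upper-case TRUE, no objectCategory on tombstones, computer objects sharing the user class) folded into a reusable audit function, as an added example that is not from the thread. It assumes the ActiveDirectory module is installed and the caller has read access to the Deleted Objects container; the function name, the parameters, and the 30-day window are my own choices.

```powershell
# Added example, not part of the original thread.
Import-Module ActiveDirectory

function Get-DeletedUserAccount {
    param(
        [string]$Server,          # optional: specific domain controller to query
        [int]$NewerThanDays = 0   # optional: only objects changed in the last N days
    )

    # isDeleted must be written as TRUE: Boolean values are case sensitive in LDAP filters.
    # objectCategory is cleared on deletion, so match on objectClass instead and
    # explicitly exclude computer objects, which also carry the "user" class.
    $filter = '(&(objectClass=user)(!(objectClass=computer))(isDeleted=TRUE))'

    $params = @{
        LDAPFilter            = $filter
        IncludeDeletedObjects = $true
        # sAMAccountName is not a default property of Get-ADObject, so request it explicitly.
        # lastKnownParent shows the original OU; isRecycled is populated when the
        # AD Recycle Bin is enabled and the object has passed the deleted-object lifetime.
        Properties            = 'sAMAccountName', 'lastKnownParent', 'whenChanged', 'isRecycled'
    }
    if ($Server) { $params['Server'] = $Server }

    Get-ADObject @params |
        Where-Object {
            $NewerThanDays -le 0 -or $_.whenChanged -ge (Get-Date).AddDays(-$NewerThanDays)
        } |
        Select-Object sAMAccountName, lastKnownParent, whenChanged, isRecycled, DistinguishedName
}

# Usage: list user accounts deleted (or otherwise modified as tombstones) in the last 30 days.
Get-DeletedUserAccount -NewerThanDays 30 | Format-Table -AutoSize
```

Comparing this list against your change-management records is a cheap way to spot account deletions nobody requested.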