User accounts get deleted – sometimes on purpose and sometimes it's more of an… oops.
You can find accounts that have been deleted like this:
"`nMicrosoft"
Get-ADObject -Filter {isDeleted -eq $true -and name -ne "Deleted Objects"} -IncludeDeletedObjects | Format-List Name, DistinguishedName

"`nQuest"
Get-QADUser -Tombstone -SizeLimit 3000 | Format-Table Name, DN -AutoSize

"`nScript"
$data = @()
[ADSISEARCHER]$search = "(&(isDeleted=TRUE)(objectclass=user))"
$search.Tombstone = $true
$results = $search.FindAll()
foreach ($result in $results) {
    $data += $result.Properties | select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}
}
$data | Format-List
The provider doesn't seem to supply this functionality – I can't find a way to tell it to include deleted items. The cmdlets have parameters for this (-IncludeDeletedObjects and -Tombstone) and the script allows us to use $search.Tombstone = $true.
We can then display the Name and DistinguishedName, which look like this:
Name : LASTNAME,Firstname
DEL:02f81cc2-0cea-418b-8bb7-2b15f33a69c2
DistinguishedName : CN=LASTNAME\,Firstname\0ADEL:02f81cc2-0cea-418b-8bb7-2b15f33a69c2,CN=Deleted Objects,DC=Manticore,DC=org
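As an added example (not from the original post), the ADSISEARCHER approach above can be turned into a small audit function: it also asks for lastKnownParent and whenChanged, splits the tombstone name back into the original name and the DEL: GUID, and lists only recent deletions so that unexpected ones can be reviewed. The function name and the default window are my own choices.

```powershell
# Added example: audit tombstoned user accounts via [ADSISEARCHER].
# Assumes a domain-joined host; lastKnownParent, whenChanged and objectGUID are standard AD attributes.
function Get-TombstonedUserReport {
    param([int]$Days = 30)   # report only deletions newer than this (assumed default)

    [ADSISEARCHER]$search = "(&(isDeleted=TRUE)(objectclass=user))"
    $search.Tombstone = $true
    $search.PageSize  = 1000   # page the results so more than 1000 tombstones come back
    $search.PropertiesToLoad.AddRange([string[]]@('name','distinguishedname','lastknownparent','whenchanged','objectguid'))

    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($result in $search.FindAll()) {
        $p = $result.Properties
        # A tombstone's name is "<original name>`nDEL:<guid>", so split on the line feed
        $parts   = [string]$p['name'][0] -split "`nDEL:"
        # Deleting an object rewrites it, so whenChanged approximates the deletion time
        $changed = [datetime]$p['whenchanged'][0]
        if ($changed -lt $cutoff) { continue }
        [pscustomobject]@{
            OriginalName    = $parts[0]
            DeletionGuid    = $parts[1]
            ObjectGuid      = ([guid]$p['objectguid'][0]).Guid
            LastKnownParent = [string]$p['lastknownparent'][0]   # OU the account lived in before deletion
            DeletedApprox   = $changed
            TombstoneDN     = [string]$p['distinguishedname'][0]
        }
    }
}

# Usage: users deleted in the last 7 days, newest first, for review against change records
Get-TombstonedUserReport -Days 7 | Sort-Object DeletedApprox -Descending | Format-Table -AutoSize
```

Compare LastKnownParent and DeletedApprox against your change tickets; a deletion from a sensitive OU with no matching ticket is worth a closer look.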
Now we know what's been deleted, what can we do with it?