Performing Active Directory Tombstone Reanimation

With the exception of dynamic objects, when an object is deleted in Active Directory it is not immediately removed from the database. Instead a “tombstone” of the object containing a subset of its attributes, including the SID, is placed in a hidden container called “Deleted Objects”. This allows for the possibility of restoring the user account, although this method should only be used if an authoritative restore and the Recycle Bin cannot be used.

The length of time tombstones are kept depends on the operating system that originally created the forest. For forests created with Windows 2000 Server or Windows Server 2003 it is 60 days, whereas forests created with Windows Server 2003 SP1 and later use 180 days. By default, every 12 hours the garbage collector runs on each DC to permanently remove tombstones that have exceeded this duration. These values can be altered in ADSI Edit.

Tombstones can be “reanimated” using LDP, which is able to access the Deleted Objects container. Be aware that this restores only a disabled account with many attributes missing, which can produce unexpected results. Once restored, a new password needs to be set and the account enabled. The process of reanimation requires making the following attribute amendments:

Attribute            Action    Value
isDeleted            Delete    N/A
distinguishedName    Replace   DN in the destination OU of the user, e.g. CN=John Smith,OU=Accounts,DC=example,DC=com

Follow these steps to recover a deleted user account using LDP.exe:

  1. Run “ldp.exe” on a DC, click “Connection”, “Connect…”, for the server specify the server name to connect to and click “OK”.
  2. Click “Connection” and choose “Bind…”, use the default option to connect as the current user and click “OK”.
  3. Click “Options”, “Controls” and then under “Load Predefined” choose “Return deleted objects” and click “OK”.
  4. Click “View”, “Tree” and set the “BaseDN” to “CN=Deleted Objects,DC=Your Domain” and click “OK”.
  5. Expand the tree view for deleted objects and look for the object to reanimate.
  6. Right click on the object and choose “Modify”.
  7. In the “Attribute” textbox type “isDeleted”, select the “Delete” radio button and then click “Enter”.
  8. Clear the “Attribute” textbox and enter “distinguishedName”; in the “Values” textbox enter the new DN for the user, e.g. CN=John Smith,OU=Accounts,DC=example,DC=com if the user was John Smith from Accounts. Click “Enter” and then “Run”.
  9. In AD Users and Computers you will find the account in a disabled state, ready to have its password reset and to be enabled again.
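The same LDP procedure scripted in PowerShell, as an added example that is not part of the original post: it attaches the “Return deleted objects” control and sends the isDeleted delete and the distinguishedName replace together in one LDAP modify, which is what LDP does when you click “Run” after both entries. The DC name, account name and target DN are assumed placeholders, and the final password reset uses the ActiveDirectory module.

```powershell
# Added example: reanimate a tombstoned user over LDAP with one modify request.
# Assumed values: DC name, sAMAccountName of the deleted user and target DN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc               = 'dc01.example.com'
$samName          = 'jsmith'
$newDn            = 'CN=John Smith,OU=Accounts,DC=example,DC=com'
$deletedContainer = 'CN=Deleted Objects,DC=example,DC=com'

# Steps 1-2: connect and bind as the current user, with signing and sealing on.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()

# Step 3: the "Return deleted objects" control (LDAP_SERVER_SHOW_DELETED_OID).
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# Steps 4-5: find the tombstone by sAMAccountName directly under Deleted Objects.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $deletedContainer,
    "(&(isDeleted=TRUE)(sAMAccountName=$samName))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    [string[]]@('distinguishedName'))
$search.Controls.Add($showDeleted) | Out-Null
$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for '$samName', found $($result.Entries.Count)"
}
$tombstoneDn = $result.Entries[0].DistinguishedName

# Steps 6-8: both amendments in a single modify; AD rejects them sent separately.
$removeIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$removeIsDeleted.Name      = 'isDeleted'
$removeIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($newDn) | Out-Null

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest($tombstoneDn)
$modify.Modifications.Add($removeIsDeleted) | Out-Null
$modify.Modifications.Add($setDn)           | Out-Null
$modify.Controls.Add($showDeleted)          | Out-Null
$conn.SendRequest($modify) | Out-Null

# Step 9: the account returns disabled; reset its password, then enable it.
Set-ADAccountPassword -Identity $newDn -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Enable-ADAccount -Identity $newDn
```

Run it on a DC (or a host with RSAT) as an account that has write access to the Deleted Objects container; if the search returns zero entries the tombstone has most likely already been garbage collected.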
