Searching for deleted objects

Searching for deleted objects

Post by Srinivasul » Wed, 18 Jun 2003 01:51:07

Hi All,
Thanks in advance for your valuable suggestions.

I need to synchronise my database with Active Directory data. To do this I have to get all the deleted objects from Active Directory and delete them from my database. As per the example from MSDN I am able to connect to the Deleted Objects container using WKGUID, but I am not able to search for the deleted objects. Is there a way to get the deleted objects list, preferably using any .NET language? Has anyone been able to implement this search programmatically? Or does it have to do with the user rights with which I am running the program?

I am able to see the deleted objects by searching for them with ldp.exe, but I am not able to do the same programmatically!

I welcome all your valuable suggestions!



Searching for deleted objects

Post by Carlos Magalhae » Wed, 18 Jun 2003 20:49:34

By default, only admins can search for tombstones. The reason is that
the deleted objects container has very strict default security, which
only gives Admins the LIST_CONTENTS permission that is required on the
container to read any child.

It is possible to update these permissions, though it's quite
difficult. The DO container is owned by SYSTEM. You have to take
ownership of the container. This will give you an implicit WRITE_DAC
permission. Then you can update the DACL to give users LIST_CONTENTS.
Then give ownership back to SYSTEM.

Note that assigning inheritable permissions above would not work,
because DO container is protected from inheritance. Also, remember
that inheritable permissions don't propagate to tombstones. Basically,
a tombstone retains the security descriptor that was stamped on it
before deletion.

You have to enable the "return deleted objects" option, because the DO
container is itself deleted.

Over LDAP, you have to pass the LDAP_SERVER_SHOW_DELETED_OID control with
your mod operation.

If you want to update the ntSecurityDescriptor with the new
ldap) for the DO, you have to update the SD on the DO container. Make
an SD value with the owner field only. Pass the sdflags control with the
value of 1 (OWNER_SECURITY_INFORMATION). The group does not really matter.

You need to pass the "sd flags" control, indicating that you are only
updating the owner/group. Otherwise it thinks you are updating the DACL and
SACL, and you don't have permission to do this. But if you only tell
it that you are updating the owner, then you will be allowed to do this
because you have the SE_TAKE_OWNERSHIP privilege.

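
What the answer above describes, seen at the wire level, as an added example in Python (not code from the thread or from anyone in it). It only builds bytes: the LDAP_SERVER_SHOW_DELETED_OID control, the LDAP_SERVER_SD_FLAGS_OID control carrying OWNER_SECURITY_INFORMATION (1), and the owner-only self-relative security descriptor you would write to nTSecurityDescriptor to take ownership of the Deleted Objects container. No directory is contacted; the container DN and SIDs used are placeholders, and the OID strings, SECURITY_INFORMATION bits and SECURITY_DESCRIPTOR_RELATIVE layout are the published Windows/AD formats, not anything from the thread.

```python
"""Wire-level view of the controls and owner-only SD described in the post.
Added example, not code from the thread. Builds bytes only; hand them to any
LDAP client that accepts raw controls. DN/SID values are placeholders."""
import struct
from typing import Optional

# Active Directory LDAP extended-control OIDs involved.
LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
# SECURITY_INFORMATION bit carried in the SD flags control (owner only).
OWNER_SECURITY_INFORMATION = 0x1      # 0x2 group, 0x4 DACL, 0x8 SACL
SE_SELF_RELATIVE = 0x8000             # SECURITY_DESCRIPTOR_CONTROL bit
SD_HEADER_LEN = 20                    # SECURITY_DESCRIPTOR_RELATIVE header
TOMBSTONE_FILTER = "(isDeleted=TRUE)"  # what a tombstone carries


def _ber_len(n: int) -> bytes:
    """Definite BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (0x7f is one byte, 0x80 needs two)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def ldap_control(oid: str, criticality: bool = False,
                 value: Optional[bytes] = None) -> bytes:
    """RFC 4511 Control ::= SEQUENCE { controlType LDAPOID, criticality
    BOOLEAN DEFAULT FALSE, controlValue OCTET STRING OPTIONAL }.
    FALSE criticality is omitted, as DER requires for DEFAULT values."""
    body = _tlv(0x04, oid.encode("ascii"))
    if criticality:
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)


def show_deleted_control(criticality: bool = False) -> bytes:
    """No controlValue: presence alone makes the DC return tombstones.
    Required even to touch the DO container, which is itself deleted."""
    return ldap_control(LDAP_SERVER_SHOW_DELETED_OID, criticality)


def sd_flags_control(flags: int, criticality: bool = False) -> bytes:
    """controlValue is SEQUENCE { Flags INTEGER }. flags == 1 tells the DC
    only the owner is being written, which SE_TAKE_OWNERSHIP permits."""
    return ldap_control(LDAP_SERVER_SD_FLAGS_OID, criticality,
                        _tlv(0x30, _ber_int(flags)))


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-...' -> binary SID: revision, sub-authority count, 48-bit
    big-endian identifier authority, 32-bit little-endian sub-authorities."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or len(parts) - 3 > 15:
        raise ValueError(f"not a valid SID: {sid}")
    auth = parts[2]
    authority = int(auth, 16) if auth.startswith("0X") else int(auth)
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def owner_only_sd(owner_sid: str) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR with only the Owner field present.
    Header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl,
    OffsetDacl; a zero offset means that part is absent."""
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE,
                         SD_HEADER_LEN, 0, 0, 0)
    return header + sid_to_bytes(owner_sid)


def take_ownership_request(container_dn: str, new_owner_sid: str) -> dict:
    """The modify the post describes: replace nTSecurityDescriptor with an
    owner-only SD, sending both controls (show-deleted because the container
    is a tombstone, SD flags = 1 so only the owner counts as written)."""
    return {"dn": container_dn,
            "replace": {"nTSecurityDescriptor": owner_only_sd(new_owner_sid)},
            "controls": [show_deleted_control(),
                         sd_flags_control(OWNER_SECURITY_INFORMATION)]}


def tombstone_search_request(container_dn: str) -> dict:
    """The search the OP wants once LIST_CONTENTS is granted: subtree search
    for isDeleted=TRUE with the show-deleted control attached."""
    return {"base": container_dn, "scope": "subtree",
            "filter": TOMBSTONE_FILTER, "controls": [show_deleted_control()]}


if __name__ == "__main__":
    # Placeholder DN and SID; substitute your forest's values.
    req = take_ownership_request("CN=Deleted Objects,DC=example,DC=com",
                                 "S-1-5-21-1111-2222-3333-500")
    for ctrl in req["controls"]:
        print(ctrl.hex())
    print(req["replace"]["nTSecurityDescriptor"].hex())
```

The same two controls are what ldp.exe adds when "return deleted objects" is ticked and when a security descriptor is written with restricted SD flags, and in .NET the System.DirectoryServices.Protocols namespace exposes them as ShowDeletedControl and SecurityDescriptorFlagControl, so the byte strings above are also a reference for checking what such a client actually emits in a capture.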


Searching for deleted objects

Post by Srinivasul » Fri, 20 Jun 2003 01:13:58

Hi Carlos,
By any chance have you tried searching this deleted objects container programmatically?

It is possible to search it using ldp.exe, but I could not do the same through a program.

Srinu!



Searching for deleted objects

Post by Strohm Armstrong [MSFT] » Sat, 21 Jun 2003 03:51:55

for an example of how to search the deleted objects container.

This posting is provided "AS IS" with no warranties, and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

> Hi Carlos
>  By any chance have you tried searching this deleted objects container
> programmatically??

>  It is possible to search it using ldp.exe and I could not do the same
> through program.

> Srinu!

