This question popped up in my mailbox: how can you use a script to search for deleted objects in Active Directory, just as described here - http://support.microsoft.com/kb/258310.
Well, obviously you can't script ldp.exe, so the second option was to use ADSI objects. The problem with those is that I couldn't find any way of using LDAP server controls, which are required in our case (the Show Deleted control, OID 1.2.840.113556.1.4.417, is required for the server to return deleted objects; without it tombstones are filtered out of every search result).
So I ended up using the System.DirectoryServices.Protocols namespace in PowerShell in order to get the job done. So here it is:
# Load System.DirectoryServices.Protocols (S.DS.P); on PowerShell 2.0+ you can use Add-Type -AssemblyName instead
[Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")

# Read the DC name and the domain naming context from RootDSE
$rootDSE = [adsi]"LDAP://RootDSE"
$LDAPConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($rootDSE.dnsHostName)

# Subtree search for tombstones from the domain root
$request = New-Object System.DirectoryServices.Protocols.SearchRequest($rootDSE.Properties["defaultNamingContext"].Value.ToString(), "(isDeleted=TRUE)", "Subtree")

# Attach the Show Deleted control (OID 1.2.840.113556.1.4.417); without it the filter matches nothing
$control = New-Object System.DirectoryServices.Protocols.ShowDeletedControl
[void]$request.Controls.Add($control)

$response = $LDAPConnection.SendRequest($request)
$response.Entries | ForEach-Object {
    $_.DistinguishedName
    # Only user/computer/group tombstones keep sAMAccountName; other classes have none
    if ($_.Attributes["sAMAccountName"] -ne $null) {
        Write-Host "SamAccountName:" $_.Attributes["sAMAccountName"][0]
    }
}
-Michael
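As an added example (not part of Michael's post), the same S.DS.P search extended the way an incident responder usually needs it: paged with PageResultRequestControl so large Deleted Objects containers come back completely, requesting lastKnownParent and whenChanged so you can see where an object lived and roughly when it was removed, and emitting objects rather than text. Assumes a domain-joined host and the caller's own credentials; the isRecycled attribute only exists once the AD Recycle Bin schema (2008 R2+) is present and is simply absent otherwise.

```powershell
# Added example, not code from the original post.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DeletedAdObject {
    param(
        [string]$Server     = ([adsi]"LDAP://RootDSE").Properties["dnsHostName"].Value,
        [string]$SearchBase = ([adsi]"LDAP://RootDSE").Properties["defaultNamingContext"].Value,
        [int]$PageSize      = 500    # stay under the DC's MaxPageSize (default 1000)
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3

    # Attributes that survive on a tombstone and help reconstruct what was deleted
    $attrs = 'objectClass', 'sAMAccountName', 'lastKnownParent', 'whenChanged', 'isRecycled'
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, '(isDeleted=TRUE)', $scope, $attrs)

    # Show Deleted control (OID 1.2.840.113556.1.4.417) plus simple paging
    [void]$request.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$request.Controls.Add($page)

    do {
        $response = $conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            $a = $entry.Attributes   # indexer returns $null for attributes the entry lacks
            [pscustomobject]@{
                DistinguishedName = $entry.DistinguishedName
                # objectClass is multi-valued; the most specific class is listed last
                ObjectClass       = $(if ($a['objectClass']) { $a['objectClass'][$a['objectClass'].Count - 1] })
                SamAccountName    = $(if ($a['sAMAccountName']) { $a['sAMAccountName'][0] })
                LastKnownParent   = $(if ($a['lastKnownParent']) { $a['lastKnownParent'][0] })
                WhenChanged       = $(if ($a['whenChanged']) { $a['whenChanged'][0] })   # generalized time, e.g. 20101223120000.0Z
                Recycled          = [bool]($a['isRecycled'] -and $a['isRecycled'][0] -eq 'TRUE')
            }
        }
        # Carry the server's paging cookie into the next request; an empty cookie means we are done
        $cookie = ($response.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
        $page.Cookie = $cookie
    } while ($cookie -and $cookie.Length -gt 0)
}

# Usage: list recently deleted user accounts, newest change first
Get-DeletedAdObject | Where-Object { $_.ObjectClass -eq 'user' } |
    Sort-Object WhenChanged -Descending | Format-Table DistinguishedName, SamAccountName, LastKnownParent, WhenChanged
```

whenChanged on a tombstone is the last replicated write, which is normally the deletion itself, so it is a usable "deleted around" timestamp when the Recycle Bin is not enabled.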
Comments
- Anonymous
December 23, 2010
Or the following :)

$searcher = New-Object System.DirectoryServices.DirectorySearcher -Property @{ Filter = '(&(isDeleted=TRUE))'; Tombstone = $true }
$searcher.FindAll() | Foreach-Object { $_.properties['samaccountname'] }

-Shay http://PowerShay.com