3

I have a need to find a username that was deleted from the AD using only the SID. I understand that Windows AD leaves behind a Tombstone that might contain this information. Can someone give me the syntax of a command or post a document that might point me in the right direction?

CLJ

3 Answers

6

Viewing deleted objects in Active Directory - http://support.microsoft.com/kb/258310

Unless the user has been deleted for longer than the tombstone lifetime of your AD, it will be in there.

Edit: And here's a better article, with pictures! - http://www.petri.co.il/deleted-objects-in-active-directory.htm

Ryan Ries
1

I also googled around and indeed, do as mentioned on the site http://www.petri.co.il/deleted-objects-in-active-directory.htm.

Only, in the search box you choose as filter (&(isDeleted=*)(objectSid=yourobjectSID))

Example:
Filter: (&(isDeleted=*)(objectSid=S-1-5-21-1601936709-1892662786-3840804712-315762))

voretaq7
TDB
1

I found this post helped me easily find the deleted user (in my case group) name from a SID. It seemed much easier than the previous solutions posted.

Import-Module ActiveDirectory

Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects" -and objectSid -like "Enter SID here"' -IncludeDeletedObjects -Properties sAMAccountName,displayName,objectSid

Notes:

  • Run in the domain where the deleted account resides
  • Works on Windows 2008 R2 and above, I didn't try lower versions
  • If you run 'Active Directory Module for Windows PowerShell', you won't have to import any module
Sandra
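The LDAP filter from the second answer and the Get-ADObject approach from the third, combined into one function as an added example (not code from any of the answers above). It assumes the ActiveDirectory module, a reachable domain controller for the domain the object lived in, and uses the SID from the second answer purely as a placeholder; the function name and output fields are my own.

```powershell
# Added example: look up a deleted AD object (user or group) by SID via the
# Deleted Objects container. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Resolve-DeletedObjectBySid {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string]$Server   # optional DC or domain; defaults to the current domain
    )

    # Reject anything that is not a well-formed SID before it goes into the LDAP filter.
    try { $null = [System.Security.Principal.SecurityIdentifier]$Sid }
    catch { throw "Not a valid SID string: $Sid" }

    $params = @{
        # Same filter as in the second answer; AD accepts the S-1-5-... string form.
        LDAPFilter            = "(&(isDeleted=*)(objectSid=$Sid))"
        IncludeDeletedObjects = $true
        Properties            = 'sAMAccountName','displayName','objectSid',
                                'whenChanged','lastKnownParent','objectClass'
    }
    if ($Server) { $params.Server = $Server }

    $obj = Get-ADObject @params
    if (-not $obj) {
        # Nothing found: the SID belongs to another domain, or the tombstone has
        # already aged out of the tombstone lifetime and cannot be recovered this way.
        Write-Warning "No tombstone found for $Sid in this domain"
        return $null
    }

    # Deleted objects are renamed to "<original cn>\0ADEL:<guid>"; keep only the
    # part before the null byte so the original name is readable.
    [pscustomobject]@{
        Sid             = $Sid
        OriginalName    = ($obj.Name -split '\x00ADEL:')[0]
        SamAccountName  = $obj.sAMAccountName
        ObjectClass     = $obj.ObjectClass
        LastChanged     = $obj.whenChanged      # approximates the deletion time
        LastKnownParent = $obj.lastKnownParent  # OU it was deleted from
    }
}

# Usage with a placeholder SID (the one quoted in the second answer); replace it
# with the SID you are investigating.
Resolve-DeletedObjectBySid -Sid 'S-1-5-21-1601936709-1892662786-3840804712-315762'
```

Run it from an account that can read the Deleted Objects container (by default Domain Admins, or whoever has been granted that permission as described in the linked KB article).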