Deleted user accounts

User accounts get deleted – sometimes on purpose and sometimes it's more of an… oops.

You can find accounts that have been deleted like this:

# Microsoft AD cmdlets: every deleted object except the Deleted Objects container itself
"`nMicrosoft"
Get-ADObject -Filter {isDeleted -eq $true -and name -ne "Deleted Objects"} -IncludeDeletedObjects |
Format-List Name, DistinguishedName

# Quest AD cmdlets: tombstoned user accounts
"`nQuest"
Get-QADUser -Tombstone -SizeLimit 3000 |
Format-Table Name, DN -AutoSize

# ADSI script: LDAP search for deleted user objects with tombstones included
"`nScript"
[ADSISEARCHER]$search = "(&(isDeleted=TRUE)(objectclass=user))"
$search.tombstone = $true
$results = $search.FindAll()

# Collect the name and distinguished name of each result
$data = foreach ($result in $results) {
    $result.Properties |
        Select-Object @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}
}
$data | Format-List


The provider doesn’t seem to supply this functionality – I can’t find a way to tell it to include deleted items. The cmdlets have parameters for this and the script allows us to use $search.tombstone = $true.



We can then display the Name and DistinguishedName, which look like this:



Name              : LASTNAME,Firstname
                    DEL:02f81cc2-0cea-418b-8bb7-2b15f33a69c2
DistinguishedName : CN=LASTNAME\,FirstnameADEL:02f81cc2-0cea-418b-8bb7-2b15f33a69c2,CN=Deleted Obj
                    ects,DC=Manticore,DC=org
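
The name of a deleted object, as in the output above, is the original name followed by a line feed and DEL: plus the object's GUID. As an added example (not part of the original post), this function splits that back into its parts; the function name ConvertFrom-DeletedName and its output property names are assumptions, and the sample object is constructed from the values shown above.

```powershell
# Added example: split a delete-mangled name into original name and GUID.
# ConvertFrom-DeletedName and its output property names are hypothetical.
function ConvertFrom-DeletedName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name,

        # Get-QADUser exposes the distinguished name as DN
        [Parameter(ValueFromPipelineByPropertyName)]
        [Alias('DN')]
        [string]$DistinguishedName
    )
    process {
        # Name attribute layout: <original name><LF>DEL:<objectGUID>
        $pattern = '^(?<orig>.*)\nDEL:(?<guid>[0-9a-fA-F-]{36})$'
        $m = [regex]::Match($Name, $pattern, 'Singleline')
        if (-not $m.Success) {
            # Live objects and the Deleted Objects container end up here
            Write-Warning "Not a delete-mangled name: $Name"
            return
        }
        [pscustomobject]@{
            OriginalName      = $m.Groups['orig'].Value
            ObjectGuid        = [guid]$m.Groups['guid'].Value
            DistinguishedName = $DistinguishedName
        }
    }
}

# Constructed sample input, built from the values in the output shown above
$sample = [pscustomobject]@{
    Name              = "LASTNAME,Firstname`nDEL:02f81cc2-0cea-418b-8bb7-2b15f33a69c2"
    DistinguishedName = 'CN=LASTNAME\,Firstname\0ADEL:02f81cc2-0cea-418b-8bb7-2b15f33a69c2,CN=Deleted Objects,DC=Manticore,DC=org'
}
$sample | ConvertFrom-DeletedName | Format-List
```

The output of the Get-ADObject and Get-QADUser queries above can be piped into the function in the same way as the sample object.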



 



Now we know what's been deleted, what can we do with it?
