Active Directory Object Removal and Protection Deep Understanding

Everyone knows that in the 2000 and 2003 eras, when we removed an object from AD, AD did not delete the object directly, but instead marked the object as a tombstone object. Moreover, the tombstone object will be stored in the active directory for another 180 days (60 days in 2000 and 2003, and 180 days after SP1 in 2003). This time is the tombstone survival time. This tombstone survival time can be modified by the administrator using Adsiedit.msc. We only need to find the tombstoneLifetime attribute under Configuration\\Services\\Windows NT\\Directory Service to change it.

Note: Tombstone lifetime (tombstoneLifetime) refers to the time interval from the start of deleting an object in AD to the time when the object is actually deleted. The default value is 180 days. : This deletion is copied to other DCs in the domain. Restoring DC's "System Status Data" backup is time-limited and cannot be restored from a backup of system state data older than the tombstone's default 180-day lifetime. If the Active Directory object is deleted, it does not disappear directly. Instead, it is placed in an invisible CN named deleted object, which is stored for 180 days (default). In this 180 days, it can be restored. On the domain controller, The process called “Garbage Collection” is executed every 24 hours, and the deleted records of more than 180 days are actually deleted. That can only be restored by backup. Discussed here is within 180 days.

Now, let's take a look at using Microsoft's Active Directory LDP tool.

Select connection and enter the domain controller to connect to. We can find that the port used by the LDAP protocol is port 389.

bind in the menu, the selection input connected to the operator's identity credentials. After inputting, we can see that authendicated user=“administrator”

select options in the menu, select the menu item controls, and select return deleted object

In the Active Control window, the ID is displayed. This number is an ID recognized by the management information base. It represents the deleted object.

View menu, select tree, enter the domain DN

In the subdirectory, select the cn=deleted object container, find the deleted object in it

Enter the attribute value isdeleted, select delete in the operation, click Enter to add it to the entry list

Enter another attribute distinguishedName in the attribute. In Values, enter the location DN where the recovery object is to be stored. In the operation, select replace, click enter, and add it to the entry list.

select check Synchronous and Extended, then click on the Run button. The deleted object is restored. Active Directory Object Protection in Windows Server 2008 era

In addition to the above 03, ADDS in Windows Server 2008. When we create an object, we can directly check whether to enable anti-missing protection.

Check this, conan.han feels good, at least in some cases to prevent the blood engineers from deleting resources (including myself, haha), protecting the OU, the importance of resources Needless to say sex, delete an OU by mistake, then the information of this department... If you want to delete, at this time, windows will remind you to keep the knife!

Ok, the customer problem has just come out, how can I solve it?