Syed Jahanzaib Personal Blog to Share Knowledge !

February 16, 2017

Modifying ‘tombstoneLifetime’ value in Active Directory

Filed under: Microsoft Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 9:40 AM

Default lifetime for tombstone.jpg


What is tombstone Lifetime?

The AD tombstone lifetime determines how long deleted items exist in AD before they are purged, for example users  or other objects. The default value in Windows 2008 is 180 Days.

Why I need to modify its default value,  ?

We want to increase it for some audit purpose, specially to track deleted objects (example how many Users were deleted in last 1 or 2 years)

Let’s Start …

METHOD # 1 – Using GUI Method

Execute ADSIEdit tool by

%SystemRoot%\system32\adsiedit.msc

  • Now using ADSIEdit tool, connect to your domain controller.
  • Navigate to CN=Directory Services , Right click and select Properties.
  • Find tombstoneLifetime and Click Edit,
  • Now define value in days for how long you want to increase the value. I wanted 2 years so I put 630 . This values must be in DAYS.

As showed in the image below …

tombstone.PNG

Note: By Some mistake, i typed 630, whereas the actual number for 2 years is 730, so change it accordingly


METHOD # 2 – Using PowerSHELL Command

Setting Two Years Tombstone Lifetime

Import-Module ActiveDirectory
$ConfNameContext = Get-ADRootDSE | Select-Object -Expandproperty configurationNamingContext
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfNameContext" -Replace @{'tombstonelifetime'='730'}

Querying tombstoneLifetime value via command

 

# Using dsquery command

dsquery * " cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=agp1" -scope base -attr tombstonelifetime

[COMMAND RESULT OUTPUT]

tombstonelifetime
730

# Using POWERSHELL 

#1

(get-adobject “cn=Directory Service,cn=Windows NT,cn=Services,$(([adsi](“LDAP://RootDSE”)).configurationNamingContext)” -properties “tombstonelifetime”).tombstonelifetime

#2

Import-Module ActiveDirectory
$ConfNameContext = Get-ADRootDSE | Select-Object -Expandproperty configurationNamingContext
Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ConfNameContext” -properties tombstonelifetime |Format-List

Note / z@iB:

I found out that all commands doesn’t show default tombstoneLifetime. Once I modify the value, then I was able to see the value using above commands.

Regard’s
Syed Jahanzaib

%d bloggers like this: