Last Update: Sep 04, 2024 | Published: Apr 16, 2012
As you probably know by now, each Active Directory object (an instance of an "object class" such as user or computer) carries a lot of additional information about itself. Whether it is a user account, a computer account, or any other object, these fields are known as "attributes."
These attributes are defined in the Active Directory Schema, which sets each attribute's properties: its name, the type of information it contains, whether it is indexed, and a few other parameters. Some attributes are mandatory (for a user object, for example, the logon name, sAMAccountName), others are optional (again for a user object, the postal code, postalCode, is one example). When you create an object, some of these attributes are populated automatically (the object's distinguished name, its SID in objectSid if it has one, and so on), and the rest stay empty until you fill them in.
When we delete an object, by default most of its attributes are stripped from the deleted object (the "tombstone"). If we look for the object after the deletion, we will see only the specific attributes that were not removed at deletion time. Note that if the Active Directory Recycle Bin feature is enabled (Windows Server 2008 R2 and later), a deleted object keeps all of its attributes for the deleted-object lifetime and is only stripped down when it becomes a recycled object; the behavior described in this article applies at that stripping step.
This is a list of attributes that are retained by default after the object deletion:
But guess what? You can change this behavior. You have the ability to determine which attributes will be saved for a deleted object. Well… how do we do it? Let’s start!
Warning: This article includes instructions for editing the Active Directory Schema. The schema is forest-wide, and any change replicates to every domain controller in every domain of the forest. A mistake while editing it can cause problems for the entire forest, up to and including having to rebuild it. Edit the schema at your own risk and always back it up before making changes. If you are not comfortable editing the schema, do not attempt these instructions; ask for help from someone who is. In any case, take a system state backup of your domain controllers, including the schema master and at least one other domain controller from each domain in the forest, just in case.
To perform the following steps, you must be a member of the Schema Admins group and have network connectivity to the DC that holds the Schema Master FSMO role, because all schema writes go to that DC.
Just to put things in perspective, schema attributes can be viewed and edited with two tools: the Active Directory Schema snap-in and ADSI Edit. I will show you a few attributes and compare what they look like in each tool. The difference you will notice is that the Schema snap-in lists attributes by their LDAP display name (lDAPDisplayName), while ADSI Edit shows the common name (CN) of the attributeSchema object, and the two are often not the same.
For the purpose of this article, let's say we want to keep these three attributes when a user account is deleted: the mobile phone number (mobile), the last name (sn) and the first name (givenName).
If we look for the mobile phone number of a user in the Schema snap-in, we see that it is called "mobile:"
Now let's have a look at ADSI Edit; here the same attribute appears as "CN=Phone-Mobile-Primary:"
In ADSI Edit, right-click "CN=Phone-Mobile-Primary" and choose Properties. The attribute we are going to work on is searchFlags. Among other things (indexing, ANR membership, confidentiality), this bit field determines whether the attribute is kept on the object after deletion.
Select searchFlags and click Edit; you will see that its value is 0. If we convert the decimal number 0 into binary, it is 00000000 (the Windows Calculator in Programmer mode does the conversion). We need to set bit 3 (the 4th position counting from the right, which has the value 8 and is named fPRESERVEONDELETE in the Microsoft documentation) from 0 to 1, in this case from "00000000" to "00001000." Converting that binary number back to decimal gives 8. Change the value from 0 to 8 and click OK twice to save. Keep in mind that the value you enter replaces the whole field, so on an attribute whose searchFlags is not 0 you must add 8 to the existing value rather than type 8 over it, or you will silently clear the other flags.
If you take a look at searchFlags now, you can see that the value description has changed to "Preserve on delete:"
That's all! From now on, the mobile phone number of a user will be kept after deletion. Isn't it great?
Now we are going to handle the second attribute we want to save: The user’s last name.
If we look for the last name of a user in the Schema snap-in, we see that it is called "sn:"
Now let's have a look at ADSI Edit; here it is called "CN=Surname." Right-click and choose Properties:
Select searchFlags and click Edit; you will see that the value of this flag is 5:
If we convert the decimal number 5 into binary, we get 00000101 (bit 0 = indexed, bit 2 = part of ANR). Again, we need to change bit 3 from 0 to 1, in this case from "00000101" to "00001101." Converting back to decimal gives 13. Change the value from 5 to 13 and click OK twice to save.
If you take a look at the flag now, you can see that the original value description has changed and now also contains "Preserve on delete:"
Finally, it’s time for our last attribute: The user’s first name.
If we look for the first name of a user in the Schema snap-in, we see that it is called “givenName:”
Now let's have a look at ADSI Edit; here it is called "CN=Given-Name." Right-click and choose Properties:
Select searchFlags and click Edit; you will see that the value of this flag is 5:
Again, if we convert the decimal number 5 into binary we get 00000101. As in the previous examples, we need to change bit 3 from 0 to 1, in this case from "00000101" to "00001101." Converting back to decimal gives 13. Change the value from 5 to 13 and click OK twice to save.
If you take a look at the flag now, you can see that the original value description has changed and now also contains "Preserve on delete:"
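The same three changes can be made from PowerShell, which is safer than typing a new decimal value over the old one because the bit is ORed into the existing searchFlags instead of replacing it. The script below is an added example, not part of the original article: it decodes a searchFlags value into the bit names from MS-ADTS, targets the schema master explicitly, sets fPRESERVEONDELETE (8) on mobile, sn and givenName, and reads the value back. It assumes the ActiveDirectory module is installed and that you run it as a member of Schema Admins; add -WhatIf to Set-ADObject to rehearse it first.

```powershell
# Added example (not from the original article): set the "preserve on delete" bit
# (fPRESERVEONDELETE = 8) in searchFlags on mobile, sn and givenName without
# clobbering the bits already set. Requires the ActiveDirectory module, Schema
# Admins membership and connectivity to the schema master.
Import-Module ActiveDirectory

# searchFlags bit names and values as defined in MS-ADTS section 2.2.9.
$SearchFlagBits = [ordered]@{
    fATTINDEX              = 0x0001   # attribute is indexed
    fPDNTATTINDEX          = 0x0002   # indexed per container
    fANR                   = 0x0004   # part of Ambiguous Name Resolution
    fPRESERVEONDELETE      = 0x0008   # kept on the tombstone after deletion
    fCOPY                  = 0x0010
    fTUPLEINDEX            = 0x0020
    fSUBTREEATTINDEX       = 0x0040
    fCONFIDENTIAL          = 0x0080
    fNEVERVALUEAUDIT       = 0x0100
    fRODCFilteredAttribute = 0x0200
    fEXTENDEDLINKTRACKING  = 0x0400
    fBASEONLY              = 0x0800
    fPARTITIONSECRET       = 0x1000
}

function ConvertFrom-SearchFlags {
    # Return the names of the bits set in a searchFlags value, e.g. 5 -> fATTINDEX, fANR
    param([int]$Value)
    $SearchFlagBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# All schema writes must go to the schema master, so bind to it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# LDAP display names of the attributes to preserve (the same three as in the article).
$attributesToPreserve = 'mobile', 'sn', 'givenName'

foreach ($ldapName in $attributesToPreserve) {
    # Look the attributeSchema object up by lDAPDisplayName; its CN is often
    # different (mobile is CN=Phone-Mobile-Primary, sn is CN=Surname).
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" `
        -Properties lDAPDisplayName, searchFlags

    $old = [int]$attr.searchFlags
    # Bitwise OR, not assignment: 0 -> 8, 5 -> 13, and an attribute that already
    # has the bit keeps its value unchanged.
    $new = $old -bor $SearchFlagBits.fPRESERVEONDELETE

    if ($new -eq $old) {
        '{0} ({1}): already {2} = {3}' -f $ldapName, $attr.Name, $old,
            ((ConvertFrom-SearchFlags $old) -join ', ')
        continue
    }

    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }

    # Read the value back from the schema master and show the decoded bits.
    $check = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags
    '{0} ({1}): {2} -> {3} = {4}' -f $ldapName, $attr.Name, $old, $check.searchFlags,
        ((ConvertFrom-SearchFlags $check.searchFlags) -join ', ')
}
```

Because the bit is ORed in, the script is idempotent and can be re-run or pointed at additional attributes without risk of dropping the index or ANR flags the way a typed-over decimal value would.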
I hope you got the idea. You can make this change on almost any attribute, but I strongly suggest you preserve only attributes that hold descriptive information, not ones that drive configuration or security decisions. Remember also that whatever you preserve stays readable on the deleted object for the whole tombstone lifetime (180 days by default on current forests), to anyone who has been granted read access to the Deleted Objects container, so think twice before preserving anything sensitive.
Just to show you that we have done a great job, I created a user account for Andrew Smith. I deleted the user account, and when I searched for it with ldp.exe (don't know how to do that? See the related links for an article on how to search for deleted objects), I found his first name, last name, and his mobile phone:
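The same check can be scripted instead of clicking through ldp.exe. The following is an added example, not part of the original article: it creates a throwaway user with the three preserved attributes plus one that is not preserved (streetAddress), deletes the user, fetches the deleted object by its objectGUID (which is always kept, unlike most attributes) and reports which attributes survived. The account name and phone number are made up for the demo; run it in a lab, not in production, and note that with the AD Recycle Bin enabled every attribute will still be present until the object is recycled.

```powershell
# Added example (not from the original article): create a user, delete it and list
# which attributes survive on the deleted object. Names and values are constructed
# for the demo. Requires the ActiveDirectory module and rights to create/delete
# users and to read the Deleted Objects container.
Import-Module ActiveDirectory

$sam = 'asmith.test'   # constructed test account, not a real user

# New-ADUser parameter -> attribute: -MobilePhone -> mobile, -Surname -> sn,
# -GivenName -> givenName, -StreetAddress -> streetAddress (not preserved by default)
New-ADUser -Name 'Andrew Smith' -SamAccountName $sam -GivenName 'Andrew' -Surname 'Smith' `
    -MobilePhone '+1 555 0100' -StreetAddress '1 Example Street'

# objectGUID survives deletion, so capture it to find the tombstone reliably
$guid = (Get-ADUser -Identity $sam).ObjectGUID

Remove-ADUser -Identity $sam -Confirm:$false

# Deleted objects sit under CN=Deleted Objects and are hidden from normal searches;
# -IncludeDeletedObjects is what makes the tombstone visible.
$deleted = Get-ADObject -Identity $guid -IncludeDeletedObjects -Properties *

"Deleted object: $($deleted.DistinguishedName)"
"isDeleted      : $($deleted.isDeleted)"

# The three attributes preserved in the article, plus one that was not, for contrast.
foreach ($a in 'givenName', 'sn', 'mobile', 'streetAddress') {
    if ($null -ne $deleted.$a) {
        '{0,-14} preserved : {1}' -f $a, $deleted.$a
    } else {
        '{0,-14} stripped' -f $a
    }
}
```

Without the Recycle Bin, the expected result after the schema change is givenName, sn and mobile reported as preserved and streetAddress as stripped; if streetAddress also shows up, either the Recycle Bin is enabled or the object has not yet been stripped on the DC you queried.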