How to Determine which Attribute will be Saved for a Deleted Active Directory Object

Overview

As you probably know by now, each Active Directory object (an instance of an object class) carries a lot of additional information that describes it, whether it is a user account, a computer account, or any other object. These fields are also known as “attributes.”

These attributes are defined in the Active Directory Schema, which configures the attribute properties, such as its name, the type of information it contains, and a few other parameters. Some of these attributes are mandatory (for example, for a user object – the logon name or sAMAccountName), others are optional (again, for a user object, an example would be the zip code or postalAddress). When you create an object, some of these attributes are automatically populated (for example, the object’s distinguished name, its SID or objectSid, if it has one, and so on), and others are left blank until you enter information into them.

When we delete an object, by default not all of its attributes are kept with the deleted object. If we look for the object after the deletion, we will only see those attributes that were not stripped when the object was deleted.

This is a list of attributes that are retained by default after the object deletion:

  • attributeID
  • attributeSyntax
  • dnReferenceUpdate
  • dNSHostName
  • flatName
  • governsID
  • groupType
  • instanceType
  • lDAPDisplayName
  • legacyExchangeDN
  • mS-DS-CreatorSID
  • mSMQOwnerID
  • nCName
  • objectClass
  • objectGUID
  • objectSid
  • oMSyntax
  • proxiedObjectName
  • replPropertyMetaData
  • sAMAccountName
  • securityIdentifier
  • sIDHistory
  • subClassOf
  • systemFlags
  • trustPartner
  • trustDirection
  • trustType
  • trustAttributes
  • userAccountControl
  • uSNChanged
  • uSNCreated
  • whenCreated

Attributes saved because of their searchFlags setting:

  • msDS-AdditionalSamAccountName
  • msDS-Auxiliary-Classes
  • msDS-Entry-Time-To-Die
  • msDS-IntId
  • msSFU30NisDomain
  • nTSecurityDescriptor
  • uid

But guess what? You can change this behavior. You have the ability to determine which attributes will be saved for a deleted object. Well… how do we do it? Let’s start!

Determining which Attributes are Saved for a Deleted AD Object

Warning: This article includes instructions for editing the Active Directory Schema. If you make any error while editing the Schema, you can potentially cause issues with the entire Active Directory forest, requiring you to rebuild it, including all domains in the forest. Edit the Schema at your own risk. Always back up the Schema before making any changes. If you do not feel comfortable editing the Schema, do not attempt these instructions. Instead, seek the help of a trained computer specialist. You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest – just in case.

To perform the following steps, you must be a member of the Schema Admins group and have network connectivity with the DC that holds the Schema Master FSMO role.

To look at things from a wider perspective: the schema attributes can be viewed and edited with two tools, the Active Directory Schema snap-in and ADSI Edit. I will show you a few attributes and compare what they look like in each tool.

For the purpose of this article, let’s say we want to keep these three attributes when a user account is deleted:

  • Mobile phone number
  • Last name
  • First name

If we look for the mobile phone number of a user in the Schema snap-in, we see that it is called “mobile:”

Schema snap-in

Now let’s have a look at ADSI Edit; here it is called “CN=Phone-Mobile-Primary:”

CN=Phone-Mobile-Primary

In ADSI Edit, right-click “CN=Phone-Mobile-Primary” and choose Properties. The attribute we are going to work on is searchFlags; among other things, this attribute determines whether or not the attribute will be kept after deletion.

searchFlags

Select searchFlags and click Edit; you will see that the value of this flag is 0. If we convert the decimal number 0 into binary, it is 00000000 (you can use Windows Calculator for the conversion). We need to change bit 3 (the 4th position counting from the right, the rightmost bit being bit 0) from 0 to 1, in this case from “00000000” to “00001000.” Converting that binary number back to decimal gives 8. Change the value from 0 to 8 and click OK twice to save.

If you take a look at searchFlags again, you can now see that the value description has changed to “Preserve on delete:”

Preserve on delete

That’s all! From now on, the mobile phone number of a user will be saved after deletion, isn’t it great?

Now we are going to handle the second attribute we want to save: The user’s last name.

If we look for the last name of a user in the Schema snap-in, we see that it is called “sn:”

Schema snap-in last name

Now let’s have a look at ADSI Edit; here it is called “CN=Surname.” Right-click it and choose Properties:

CN=Surname

Select searchFlags and click Edit; you will see that the value of this flag is 5:

searchFlags value

If we convert the decimal number 5 into binary, we get 00000101. Again, we need to change bit 3 from 0 to 1, in this case from “00000101” to “00001101.” Converting back to decimal gives 13. Change the value from 5 to 13 and click OK twice to save.

If you take a look at the flag now, you can see that the original value description has changed and now also contains “Preserve on delete:”

value description

Finally, it’s time for our last attribute: The user’s first name.

If we look for the first name of a user in the Schema snap-in, we see that it is called “givenName:”

givenName

Now let’s have a look at ADSI Edit; here it is called “CN=Given-Name.” Right-click it and choose Properties:

CN=Given-Name

Select searchFlags and click Edit; you will see that the value of this flag is 5:

searchFlags value 5

Again, if we convert the decimal number 5 into binary we get 00000101. As in the previous examples, we need to change bit 3 from 0 to 1, in this case from “00000101” to “00001101.” Converting back to decimal gives 13. Change the value from 5 to 13 and click OK twice to save.

If you take a look at the flag now, you can see that the original value description has changed and now also contains “Preserve on delete:”

CN=Given-Name Properties

I hope you got the idea. You can make this change on almost any attribute, but I strongly suggest you keep only those attributes that contain descriptive information, and not those that actually make configuration changes.
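The same change made from PowerShell, as an added example that is not part of this article: it uses the ActiveDirectory module's Get-ADObject/Set-ADObject against the schema master, OR-s bit 3 into the existing searchFlags value (so 0 becomes 8 and 5 becomes 13, as above), forces the schema cache reload, and then reads the deleted test user back the way the Conclusion does. The function names, the “Andrew Smith” test account and the forced reload are my assumptions; the same Schema Admins rights and backup requirements apply.

```powershell
# Added example, not from the article: audit and set the "Preserve on delete" bit
# (bit 3, decimal 8) of searchFlags with the ActiveDirectory module instead of ADSI Edit.
Import-Module ActiveDirectory

$PreserveOnDelete = 8                                   # bit 3 of searchFlags
$SchemaNC         = (Get-ADRootDSE).schemaNamingContext
$SchemaMaster     = (Get-ADForest).SchemaMaster          # schema writes go to the FSMO holder

# Audit: every attributeSchema object whose searchFlags already has bit 3 set.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
function Get-PreservedOnDeleteAttribute {
    Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$PreserveOnDelete))" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

# Set bit 3 on one attribute by lDAPDisplayName. OR-ing keeps the other bits,
# so 0 becomes 8 and 5 (indexed + ANR) becomes 13, exactly as in the article.
function Set-PreserveOnDelete {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $attr = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $old = [int]$attr.searchFlags
    $new = $old -bor $PreserveOnDelete
    if ($new -eq $old) { Write-Host "$LdapDisplayName already preserved (searchFlags=$old)"; return }

    # -Confirm prompts before the schema write; requires Schema Admins membership.
    Set-ADObject -Server $SchemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $new } -Confirm
    Write-Host "$LdapDisplayName searchFlags: $old -> $new"
}

'mobile', 'sn', 'givenName' | ForEach-Object { Set-PreserveOnDelete $_ }

# Make the DC reload its schema cache now instead of waiting for the periodic refresh.
$rootDse = [ADSI]"LDAP://$SchemaMaster/RootDSE"
$rootDse.Put("schemaUpdateNow", 1)
$rootDse.SetInfo()
# Check the result the way the article's conclusion does: read the deleted user
# (assumed test account 'Andrew Smith') back from the Deleted Objects container.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Andrew Smith*"' `
    -IncludeDeletedObjects -Properties givenName, sn, mobile |
    Select-Object Name, givenName, sn, mobile
```

Running Get-PreservedOnDeleteAttribute before and after the change gives you a quick audit of which attributes survive deletion in your forest, which is also the list to review if someone else with Schema Admins rights has been editing searchFlags.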

Conclusion

Just to show you that we have done a great job, I created a user account for Andrew Smith. I deleted the user account, and when I search for it with ldp.exe (don’t know how to do that? See the related links for an article on how to search for deleted objects), I found his first name, last name, and his mobile phone:

Andrew Smith

Related Article: