For a couple of days I was searching for a way to reanimate tombstone objects using only the Active Directory module for Windows PowerShell and, for several reasons, I did not want to use any additional Quest cmdlets or SDM Software cmdlets.
Retrieve tombstone objects with PowerShell
To list all tombstone objects in a domain, run:

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects

The -IncludeDeletedObjects parameter makes the cmdlet attach the LDAP Show Deleted control (OID 1.2.840.113556.1.4.417) to its search, which is what makes the hidden container CN=Deleted Objects,DC=... of the domain visible; the filter 'isDeleted -eq $true' keeps only tombstones. Two things to keep in mind: the Deleted Objects container itself has isDeleted set, so it shows up in the results and must be excluded by name if you want only real tombstones; and if the Active Directory Recycle Bin optional feature is enabled, deleted objects keep all their attributes and are restored with Restore-ADObject instead, so the reanimation described in the next section is the pre-Recycle Bin method.
As a reminder, a tombstone differs from a live object in three ways: its isDeleted attribute is TRUE, it lives in the Deleted Objects container of its naming context (its RDN is rewritten to <name>\0ADEL:<objectGUID> so that it stays unique there), and almost all of its attributes have been stripped. Only a handful survive, among them objectGUID, objectSid, sIDHistory, sAMAccountName and lastKnownParent (the DN of the container it was deleted from), plus any attribute the schema flags as preserved on delete. Reanimation therefore brings back the identity, with its original SID, but not group memberships, the password or most other data.
Remark: the parent container of an object is implied by its distinguishedName, which is the object's RDN followed by the parent's DN; moving an object between containers is a change of distinguishedName.
Reanimate tombstone objects with PowerShell
Now we want to reanimate a specific tombstone by moving it out of Deleted Objects and clearing its isDeleted attribute, but Set-ADObject cannot do it: it has no -IncludeDeletedObjects parameter, so the tombstone is simply "not found", and isDeleted is a system-only attribute that an ordinary modify is not allowed to clear anyway. The only supported path is the tombstone-reanimation LDAP operation: a single modify request that deletes isDeleted and replaces distinguishedName with the new location, sent with the Show Deleted control by a principal that holds the Reanimate Tombstones control access right on the naming context (held by Administrators by default; since whoever holds it can resurrect accounts with their original SID, it is worth auditing).
Finally, I found a .NET function (Resurrecting tombstones in Active Directory or ADAM) that I converted to PowerShell, and it is working fine on my side.
To use this function, you just have to:
- Load the System.DirectoryServices.Protocols assembly and the Active Directory module for Windows PowerShell.
- Retrieve the tombstone with Get-ADObject -IncludeDeletedObjects, requesting its lastKnownParent attribute.
- Build the new distinguishedName from the object's current CN (with the \0ADEL:<objectGUID> suffix removed) and its lastKnownParent attribute.
- Call the function with those parameters.
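As an added example (not the article's converted function, whose code is not reproduced on this page, and not Microsoft's sample), here is a self-contained PowerShell implementation of the four steps above on top of System.DirectoryServices.Protocols. The function names Restore-Tombstone and ConvertTo-EscapedRdnValue, the parameter names, the "jdoe" account in the usage comment and the choice of the PDC emulator as the default target DC are this example's own; the LDAP request itself (delete isDeleted and replace distinguishedName in one modify carrying the Show Deleted control) is the documented tombstone-reanimation operation.

```powershell
# Added example, not the article's own code: reanimate one tombstone with
# System.DirectoryServices.Protocols. The DC only accepts this as a single modify
# (delete isDeleted + replace distinguishedName) sent with the Show Deleted control.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-EscapedRdnValue {
    # RFC 4514 escaping so the recovered name can be re-embedded in a DN
    param([Parameter(Mandatory = $true)][string] $Value)
    $escaped = $Value -replace '([\\,+"<>;])', '\$1'
    if ($escaped -match '^[# ]') { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function Restore-Tombstone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # A tombstone from: Get-ADObject ... -IncludeDeletedObjects -Properties lastKnownParent
        [Parameter(Mandatory = $true)] $Tombstone,
        # Container to restore into; defaults to the object's lastKnownParent
        [string] $TargetParent,
        # Writable DC that receives the modify (assumption: the PDC emulator is reachable)
        [string] $Server = (Get-ADDomain).PDCEmulator
    )

    if (-not $Tombstone.Deleted) {
        throw "'$($Tombstone.DistinguishedName)' is not a tombstone (isDeleted is not TRUE)"
    }
    if (-not $TargetParent) { $TargetParent = $Tombstone.lastKnownParent }
    if (-not $TargetParent) {
        throw 'No target container: fetch the tombstone with -Properties lastKnownParent or pass -TargetParent'
    }

    # A tombstone is renamed to "<name>\0ADEL:<objectGUID>": the name attribute holds the
    # original value, a real line feed, then "DEL:<guid>". Recover the original name.
    $rdnType  = ($Tombstone.DistinguishedName -split '=', 2)[0]      # CN, OU, ...
    $origName = ($Tombstone.Name -split '\nDEL:', 2)[0]
    $newDn    = '{0}={1},{2}' -f $rdnType, (ConvertTo-EscapedRdnValue $origName), $TargetParent

    $ns = 'System.DirectoryServices.Protocols'
    $removeIsDeleted = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $removeIsDeleted.Name = 'isDeleted'
    $removeIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $moveObject = New-Object -TypeName "$ns.DirectoryAttributeModification"
    $moveObject.Name = 'distinguishedName'
    $moveObject.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void] $moveObject.Add($newDn)

    $request = New-Object -TypeName "$ns.ModifyRequest"
    $request.DistinguishedName = $Tombstone.DistinguishedName
    [void] $request.Modifications.Add($removeIsDeleted)
    [void] $request.Modifications.Add($moveObject)
    # Without this control the DC answers "no such object" for anything under Deleted Objects
    [void] $request.Controls.Add((New-Object -TypeName "$ns.ShowDeletedControl"))

    if (-not $PSCmdlet.ShouldProcess($newDn, "Reanimate $($Tombstone.DistinguishedName)")) { return }

    $ldap = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $Server
    try {
        $ldap.SessionOptions.ProtocolVersion = 3
        $ldap.SessionOptions.Signing = $true    # integrity and confidentiality for the session
        $ldap.SessionOptions.Sealing = $true
        $ldap.Bind()                             # current credentials; needs Reanimate Tombstones right
        $response = $ldap.SendRequest($request)  # throws DirectoryOperationException on failure
        if ($response.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
            throw "Reanimation failed: $($response.ResultCode) $($response.ErrorMessage)"
        }
    }
    finally { $ldap.Dispose() }

    # Confirm on the same DC (avoids replication lag) and hand the live object back
    Get-ADObject -Identity $newDn -Server $Server -Properties sAMAccountName, objectSid, userAccountControl
}

# Usage (constructed example): sAMAccountName survives deletion, so it is a safe lookup key
# $t = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
#          -IncludeDeletedObjects -Properties lastKnownParent
# Restore-Tombstone -Tombstone $t -WhatIf     # dry run: shows the DN it would restore to
# Restore-Tombstone -Tombstone $t
```

Two practical notes. If the original parent OU was deleted as well, lastKnownParent points into Deleted Objects and the modify fails with a "no such object" result; reanimate the parent first or pass -TargetParent. And because a tombstone keeps only its preserved attributes, a reanimated user comes back with its original SID but without a password, userAccountControl or group memberships: reset the password, enable the account and re-add the memberships before handing it back to anyone.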
If you want to dig deeper into S.DS.P, there is another example on the Microsoft Script Center: Using System.DirectoryServices.Protocols from Powershell