Ben Hart

AD, computer object tombstoning... not happening

Active Directory functional level 2008

I went looking for a computer object today and realized that I have multiple objects that have not been tombstoned but should have been.  One host in question here:

created: 3/39/2006
modified: 2/7/2013
dsCorePropagationData: 6/1/2015
lastlogon: 12/15/2012
lastLogonTimestamp: 2/7/2013

Am I correct here in thinking this object should have long been tombstoned and deleted?

Our tombstone lifetime is 50 days
McKnife


It seems you think that this account should be auto-deleted because it has not been in use for years?
Not using an account does not trigger anything; the tombstone lifetime has no connection to the time an account is not being used.

Did you read the MS documentation on the tombstone lifetime?
Ben Hart


The way I understood it was exactly what I said: A computer object not talking to the domain in X amount of time gets tombstoned.  After the tombstone lifetime value it gets deleted totally.

If that is not the case, then I should be able to run a report to display all tombstoned accounts, and trying to find a PowerShell cmdlet syntax for that has proven damned near impossible this morning.
Or.. or maybe not deleted but the object should be hidden from ADUC and the isDeleted attribute set.  Which is not happening.

*sigh* Looks as though I have confused stale with tombstoned. Sucks getting old.

Thanks for reminding me Knife.
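
The stale-versus-tombstoned distinction from this thread, as an added example that is not part of the original posts: one report for stale computer accounts (still live, just unused) and one for tombstoned computer objects (already deleted, awaiting garbage collection). It assumes the ActiveDirectory module (RSAT) is installed; the 90-day stale threshold is an assumed local policy value, not something from the thread.

```powershell
# Added example. Read-only queries; nothing here disables or deletes an object.
Import-Module ActiveDirectory

$StaleDays = 90   # assumption: your own definition of "stale"

# 1. Tombstone lifetime is a forest-wide setting in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dirSvc   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tsl = $dirSvc.tombstoneLifetime
if ($tsl) { "Tombstone lifetime: $tsl days" }
else      { "tombstoneLifetime is not set; the built-in default applies" }

# 2. STALE: live objects that have not authenticated recently. Inactivity alone
#    never sets isDeleted, so these stay visible in ADUC until someone acts on them.
#    LastLogonDate is the module's DateTime view of lastLogonTimestamp; it is
#    empty for accounts that never logged on, which are reported as well.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = Get-ADComputer -Filter * -Properties LastLogonDate, whenCreated |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object Name, Enabled, whenCreated, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate

"Stale computer accounts (no logon in $StaleDays days): $(@($stale).Count)"
$stale | Format-Table -AutoSize

# 3. TOMBSTONED: objects that were explicitly deleted. They carry isDeleted = TRUE
#    and are only returned when -IncludeDeletedObjects is passed.
$tombstoned = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
                           -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Select-Object Name, lastKnownParent,
        @{ Name = 'DeletedApprox'; Expression = { $_.whenChanged } },
        @{ Name = 'PurgeAfter'
           Expression = { if ($tsl) { $_.whenChanged.AddDays($tsl) } } }

"Tombstoned computer objects: $(@($tombstoned).Count)"
$tombstoned | Format-Table -AutoSize
```

`whenChanged` is used as an approximation of the deletion time, so `PurgeAfter` is an estimate of when garbage collection becomes eligible rather than an exact timestamp.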