Ben Hart
asked on
AD, computer object tombstoning... not happening
Active Directory functional level 2008
I went looking for a computer object today and realized that I have multiple objects that have not been tombstoned but should have been. One host in question here:
JKFINAJWXP
created: 3/39/2006
modified: 2/7/2013
dsCorePropagationData: 6/1/2015
lastlogon: 12/15/2012
lastLogonTimestamp: 2/7/2013
Am I correct here in thinking this object should have long been tombstoned and deleted?
Our tombstone lifetime is 50 days
ASKER
The way I understood it was exactly what I said: A computer object not talking to the domain in X amount of time gets tombstoned. After the tombstone lifetime value it gets deleted totally.
If that is not the case, then I should be able to run a report to display all tombstoned accounts and trying to find a PowerShell cmdlet syntax for that has proven damned near impossible this morning.
ASKER
Or.. or maybe not deleted but the object should be hidden from ADUC and the isDeleted attribute set. Which is not happening.
ASKER
*sigh* Looks as though I have confused stale with tombstoned. Sucks getting old.
Thanks for reminding me Knife.
It seems you think that this account should be auto-deleted because it has not been in use for years?
Not using an account does not trigger anything; the tombstone lifetime has no connection to the time an account is not being used.
Did you read the MS documentation on the tombstone lifetime?
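The stale-versus-tombstoned distinction this thread arrives at, as an added example that is not part of the original posts: one report of computer objects that were actually deleted (tombstoned) and one of live objects that have simply stopped logging on (stale). It assumes the RSAT ActiveDirectory module and an account allowed to read deleted objects; the 90-day staleness threshold is an illustrative value, not one from the thread.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module

# Assumption: 90 days is an illustrative staleness threshold, not a value from the thread.
$StaleDays = 90
$cutoff    = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()

# The tombstone lifetime is stored on the Directory Service object
# in the configuration partition of the forest.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tsl = $dsObject.tombstoneLifetime
if ($null -eq $tsl) { $tsl = 'not set (AD applies its built-in default)' }
"Tombstone lifetime (days): $tsl"

# Tombstoned: the object was DELETED and is retained, with isDeleted set,
# until the tombstone lifetime expires. Inactivity alone never puts an object here.
# whenChanged approximates the deletion time; lastKnownParent is the OU it lived in.
$tombstoned = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
    -Properties whenChanged, lastKnownParent |
    Select-Object Name, whenChanged, lastKnownParent

# Stale: still a live, visible object, but no logon recorded since the cutoff.
# lastLogonTimestamp is replicated but can lag the real logon by up to about two weeks,
# so keep the threshold well above that. Objects that never logged on have no value
# for the attribute and are not matched by this filter.
$stale = Get-ADComputer -LDAPFilter "(lastLogonTimestamp<=$cutoff)" `
    -Properties lastLogonTimestamp, whenCreated |
    Select-Object Name, Enabled, whenCreated,
        @{ Name = 'LastLogon'
           Expression = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
    Sort-Object LastLogon

"Tombstoned computer objects: $(@($tombstoned).Count)"
$tombstoned | Format-Table -AutoSize

"Stale computer objects (no logon in $StaleDays days): $(@($stale).Count)"
$stale | Format-Table -AutoSize
```

A host like the one in the question would appear only in the second list: it stays a normal object until someone disables or deletes it, and only a deletion starts the tombstone lifetime clock.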