
LEX Online Manual Content

AD Tombstone Reanimation

If you are in an Active Directory environment with Windows Server 2003 (or newer) domain controllers, you can recover deleted objects. This is called tombstone reanimation, because deleted objects are kept as tombstones in the Deleted Objects container, a container at the root of each domain partition. The limitation of this approach: a tombstone keeps only a small subset of the object's attributes, and the references to other objects are lost. This is important because you lose all group memberships of undeleted users and groups and have to re-add them by hand after the undelete!

You cannot see the Deleted Objects container with the normal AD admin tools because it is a special hidden container that is only returned for LDAP requests carrying the extended LDAP control 1.2.840.113556.1.4.417 (Show Deleted, also known as LDAP_SERVER_SHOW_DELETED_OID). Fortunately LEX can attach this control to its requests to the server in question:

The Deleted Objects container


When an object is deleted, its tombstone is kept in the Deleted Objects container only for a certain timespan, the tombstone lifetime; after that, garbage collection removes it for good and you can neither see nor restore the object. The default tombstone lifetime is 60 days for forests created with Windows 2000 or Windows Server 2003 RTM and 180 days for forests created with Windows Server 2003 SP1 or later, which includes Windows Server 2008. You can set this value in the configuration partition in the object

 CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com

with the attribute

 tombstoneLifetime (an integer number of days)

If there is no tombstoneLifetime attribute, the default tombstone lifetime is in effect; you can add this attribute with your own value if you want to change the tombstone lifetime. Because the configuration partition is replicated forest-wide, the setting applies to every domain in the forest. Please note that large lifetime values cause large AD databases on the file system of all domain controllers in the entire forest, and that lowering the value makes every tombstone already older than the new lifetime eligible for garbage collection at the next collection run!


How to undelete Objects with LEX

If you want to reanimate the tombstone of a recently deleted object, select the Deleted Objects container in the domain in question. The object list panel shows all deleted objects of this container on one level (there are never subcontainer structures in the Deleted Objects container; even deleted OUs and their former contents appear side by side).


All deleted objects become a tombstone whose relative distinguished name (RDN) is the old object name, followed by a line feed character (strange but not illegal in a directory name), the prefix DEL: and the GUID string of the object; LDAP tools usually display the line feed escaped, so the RDN reads CN=<old name>\0ADEL:<GUID>. There are several interesting attributes on a tombstone:

  • whenChanged: Normally the date and time when the object was deleted.
  • lastKnownParent: The DN of the container in which the object was stored originally. This container can have been deleted as well; in that case the attribute points at the parent's own tombstone, which you should find and restore first.
  • isDeleted: Always TRUE on the tombstone of a deleted object. On normal objects this attribute is not set at all.

Select all the objects you want to recover and use the menu option Edit - Undelete (also available in the context menu). The Object Undelete dialog appears:

The Object Undelete dialog

In this dialog you can choose whether to restore the deleted objects in their original container or in another container. If you choose the original container, LEX can restore that container too, should it have been deleted as well. After the undelete operation you see the results in a separate window:

The object recovery result dialog

The option Copy to Clipboard puts a semicolon-separated result summary on the clipboard, so that you can use it to document the recovery operation.
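The LDAP logic behind the procedure described on this page (the Show Deleted control, the tombstone RDN layout, the tombstone lifetime, a lastKnownParent that is itself a tombstone, and the modify operation that Edit - Undelete issues), as an added Python example. This is illustrative code written for this page, not LEX's own code: it runs offline on constructed sample tombstone entries held in plain dicts, and the user and OU names, GUIDs, domain DN, the fixed "today" and the assumed 180-day default lifetime are all made up for the example.

```python
"""Added example (not LEX code): the LDAP logic behind "Edit - Undelete".
Runs offline on constructed sample tombstone entries; names, GUIDs and the
domain are made up. Wiring it to ldap3 is described in the text below."""
from datetime import datetime, timedelta, timezone

# LDAP_SERVER_SHOW_DELETED_OID: the control that makes tombstones visible.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

# Applies when the tombstoneLifetime attribute is absent. Assumed here to be
# 180 days (forests created with Windows Server 2003 SP1 or later); older ones: 60.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 180


def parse_tombstone_rdn(dn):
    """Split a tombstone DN into (attr, original name, GUID, container).
    The RDN value is <old name> + line feed + "DEL:" + <GUID>; LDAP tools
    usually show the line feed escaped as \\0A, so both forms are accepted."""
    rdn, _, container = dn.partition(",")
    attr, _, value = rdn.partition("=")
    name, sep, rest = value.replace("\\0A", "\n").partition("\n")
    if not sep or not rest.startswith("DEL:"):
        raise ValueError("not a tombstone RDN: %r" % rdn)
    return attr, name, rest[len("DEL:"):], container


def parse_generalized_time(value):
    """whenChanged comes back as generalized time, e.g. 20240301120000.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def tombstone_expires(when_deleted, lifetime_days=None):
    """Point after which garbage collection may remove the tombstone for good."""
    days = DEFAULT_TOMBSTONE_LIFETIME_DAYS if lifetime_days is None else lifetime_days
    return when_deleted + timedelta(days=days)


def undelete_changes(new_dn):
    """The single modify that reanimates a tombstone: remove isDeleted and set
    distinguishedName to the new location in one operation. The operation
    strings equal the values of ldap3's MODIFY_DELETE / MODIFY_REPLACE."""
    return {"isDeleted": [("MODIFY_DELETE", [])],
            "distinguishedName": [("MODIFY_REPLACE", [new_dn])]}


def plan_undelete(tombstones, target_container=None, now=None, lifetime_days=None):
    """Plan the reanimation of a selection of tombstones.
    Returns (plan, skipped): plan holds (tombstone_dn, new_dn, changes), ordered
    so a deleted parent container is restored before its children, which are
    then placed under the restored parent; skipped holds (name, reason)."""
    now = now or datetime.now(timezone.utc)
    by_dn = {t["distinguishedName"]: t for t in tombstones}
    restored, seen, plan, skipped = {}, set(), [], []

    def visit(t):
        dn = t["distinguishedName"]
        if dn in seen:
            return
        seen.add(dn)
        attr, name, _guid, _ = parse_tombstone_rdn(dn)
        deleted_at = parse_generalized_time(t["whenChanged"])
        if now > tombstone_expires(deleted_at, lifetime_days):
            skipped.append((name, "tombstone lifetime expired"))
            return
        parent = target_container or t["lastKnownParent"]
        if parent in by_dn:              # lastKnownParent is itself a tombstone
            visit(by_dn[parent])
            parent = restored.get(parent)
            if parent is None:
                skipped.append((name, "original container cannot be restored"))
                return
        new_dn = "%s=%s,%s" % (attr, name, parent)
        restored[dn] = new_dn
        plan.append((dn, new_dn, undelete_changes(new_dn)))

    for t in tombstones:
        if t.get("isDeleted") is True:   # normal objects carry no isDeleted
            visit(t)
    return plan, skipped


# Constructed sample entries, as a search with SHOW_DELETED_OID would list them.
DELETED = "CN=Deleted Objects,DC=example,DC=com"
SAMPLE_TOMBSTONES = [
    {"distinguishedName": "CN=jdoe\\0ADEL:1b2c3d4e-0000-4000-8000-000000000001," + DELETED,
     "isDeleted": True, "whenChanged": "20240301120000.0Z",
     "lastKnownParent": "OU=Sales\\0ADEL:1b2c3d4e-0000-4000-8000-000000000002," + DELETED},
    {"distinguishedName": "OU=Sales\\0ADEL:1b2c3d4e-0000-4000-8000-000000000002," + DELETED,
     "isDeleted": True, "whenChanged": "20240301120000.0Z",
     "lastKnownParent": "DC=example,DC=com"},
    {"distinguishedName": "CN=oldsvc\\0ADEL:1b2c3d4e-0000-4000-8000-000000000003," + DELETED,
     "isDeleted": True, "whenChanged": "20230101000000.0Z",  # older than the lifetime
     "lastKnownParent": "CN=Users,DC=example,DC=com"},
]
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed "today" for the sample

if __name__ == "__main__":
    todo, skipped = plan_undelete(SAMPLE_TOMBSTONES, now=SAMPLE_NOW)
    for dn, new_dn, _ in todo:
        print("restore", dn.split(",")[0], "->", new_dn)
    for name, why in skipped:
        print("skip", name, ":", why)
```

Against a live domain controller the same plan would be driven with ldap3: list the tombstones with a search whose `controls` include `(SHOW_DELETED_OID, True, None)`, then call `conn.modify(tombstone_dn, changes, controls=[(SHOW_DELETED_OID, True, None)])` for each plan entry in the order returned, so that a restored OU exists before its former children are moved back into it. The plan deliberately contains no group memberships: those links are gone from the tombstone, which is exactly the limitation the page warns about.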