Finding and modifying Active Directory TombStone lifetime

Hello,

When an Active Directory object is deleted, it is kept as a tombstone for 180 days by default. That delay is configurable using ADSIEdit:

TombStoneLifeTime

You can modify that value by clicking on “Edit”.

You’ll find that object in:
“CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<Forest DN>”

You can also do that with PowerShell:

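# Read the configuration naming context from RootDSE
$dse = [adsi]"LDAP://RootDSE"
$ConfPart = $dse.configurationNamingContext
# Bind to the Directory Service object and read tombstoneLifetime (in days)
([ADSI]"LDAP://cn=directory service,cn=windows nt,cn=services,$ConfPart").tombstoneLifetime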
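The snippet above only reads the value. The following added example (not from the original post) reads and changes it with the ActiveDirectory module, reporting when the attribute is not set and supporting -WhatIf before the write. The function names and the range bounds are hypothetical, and it assumes the RSAT ActiveDirectory module and an account with write access to the Configuration partition.

```powershell
# Added example, not the original author's code.
# Assumes the ActiveDirectory (RSAT) module and write access to the Configuration partition.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    # Build the DN of the Directory Service object from the forest's configuration NC.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties tombstoneLifetime

    [pscustomobject]@{
        DistinguishedName = $dn
        # $null means the attribute is not set and the directory's built-in default applies.
        TombstoneLifetime = $obj.tombstoneLifetime
        IsExplicitlySet   = $null -ne $obj.tombstoneLifetime
    }
}

function Set-TombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(2, 3650)]   # hypothetical sanity bounds chosen for this example
        [int]$Days
    )

    $current = Get-TombstoneLifetime
    $action  = "Change tombstoneLifetime from '$($current.TombstoneLifetime)' to '$Days'"

    # ShouldProcess honours -WhatIf and -Confirm, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($current.DistinguishedName, $action)) {
        Set-ADObject -Identity $current.DistinguishedName -Replace @{ tombstoneLifetime = $Days }
        Get-TombstoneLifetime   # read the value back to confirm the write
    }
}

# Show the current setting, then preview a change without writing anything.
Get-TombstoneLifetime
Set-TombstoneLifetime -Days 180 -WhatIf
```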
