I need to query for incremental changes from an Active Directory forest using LDAP.
The easy part is to query for incremental updates of objects, and for creation of new objects. For this you can use the `whenChanged` property.

Example:

```
(&(objectClass=user)(whenChanged>=20180501000000.0Z))
```
So far, so good.
But what about querying for deleted records? Is there some way to query LDAP for all items deleted since a given time?

I do know about the fact that Active Directory marks objects for deletion (it doesn't actually delete stuff). And I know there is some way to get deleted objects (see this MSDN post).

But I haven't had much luck creating an LDAP query that, against a very vanilla Active Directory server, can get a list of deleted accounts.
Related: LDAP query for deleted users
I tried that suggestion too:

```
(&(isDeleted=TRUE)(userAccountControl:1.2.840.113556.1.4.803:=512))
```
Still Nothing.
How can I make this work?
What programming language are you using to make the query? It seems to be an LDAP Extended Control (specifically `LDAP_SERVER_SHOW_DELETED_OID`) that needs to be enabled as part of the search properties, and not in the LDAP query string itself. So it depends on the implementation of how you're searching.

For example, in .NET, the `DirectorySearcher` class has a `Tombstone` property that will enable this.

Or PowerShell's `Get-ADObject` command has `-IncludeDeletedObjects`.
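As an added worked example (not part of the original answer), this PowerShell script combines the question's `whenChanged` window with the `Tombstone` control described above, using `DirectorySearcher` so the filter stays a plain LDAP string. It assumes a domain-joined session whose account can read `CN=Deleted Objects` (Domain Admins can by default); the attribute list and the 7-day default window are my choices.

```powershell
# Added example: list user objects deleted since a cutoff by sending the
# LDAP_SERVER_SHOW_DELETED_OID control (DirectorySearcher.Tombstone = $true).
# Assumption: run as a domain user allowed to read CN=Deleted Objects.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # incremental window (assumed default)
)

# Same generalized-time form the question's whenChanged filter uses.
$sinceLdap = $Since.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'

# Bind at the domain root: tombstones live under CN=Deleted Objects, which the
# server only returns when the show-deleted control is present on the search.
$rootDse    = [ADSI]'LDAP://RootDSE'
$domainRoot = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$searcher.Tombstone   = $true       # adds control OID 1.2.840.113556.1.4.417 to the search
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000        # paged results, so large forests don't hit the size limit

# isDeleted=TRUE excludes live accounts; whenChanged>= gives the incremental slice.
# Without the control this exact filter returns nothing, which is what the question saw.
$searcher.Filter = "(&(objectClass=user)(isDeleted=TRUE)(whenChanged>=$sinceLdap))"

# Tombstones keep only a stripped attribute set; these survive deletion.
foreach ($attr in 'objectGUID', 'sAMAccountName', 'whenChanged', 'lastKnownParent') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Guid            = [guid]$_.Properties['objectguid'][0]
        SamAccountName  = $_.Properties['samaccountname'][0]
        WhenChanged     = $_.Properties['whenchanged'][0]
        LastKnownParent = $_.Properties['lastknownparent'][0]   # OU the object was deleted from
    }
} | Sort-Object WhenChanged
```

The `Get-ADObject` equivalent is `Get-ADObject -IncludeDeletedObjects -Filter { objectClass -eq 'user' -and isDeleted -eq $true -and whenChanged -ge $Since }`; either form makes a usable deletion feed for identity auditing, since `lastKnownParent` and `sAMAccountName` are retained on the tombstone.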