Problem description
What ldap query returns the user objects now removed from active-directory?
Is there an LDAP query that will return or list user objects that have been removed from the active-directory system? Must you track all the user objects currently in the active-directory, and maintain a "last seen" stamp in order to tell when a user object has been removed from the active-directory?
Reference solution
Method 1:
I really don't believe that this information is obtainable. In the next version of the OS (Windows 2008 R2), Microsoft is introducing the ability to do this by implementing a recycle-bin-like functionality for an Active Directory object. Please see these write-ups for more info:
http://blogs.technet.com/niraj_kumar/archive/2009/02/03/new-feature-active-directory-recycle-bin-in-windows-2008-r2.aspx
http://technet.microsoft.com/en-us/library/dd392261.aspx
But you may see that this is in reference to the deletion of the object itself, and that it doesn't provide any information about when a property of the object changes. You can look at the last modified property, but even then you have no way of knowing which property changed (more than likely it will be the last logon), so again you're left with no help. If you're trying to track an issue that is occurring which you can recreate, I recommend that you create some sort of script/code which records the properties of a specific user at a given interval, and then just keep running it as you move from one step to the other in the recreation of the problem.
(by Jon Ediger, mrTomahawk)
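The "last seen" tracking the question describes and the interval-based property recording the answer recommends can be combined in one polling routine. This is an added example, not code from the original post: the `poll` function, the state layout and the sample snapshots are hypothetical and constructed, and it assumes each snapshot has already been read from the directory into a dict keyed by the user's `objectGUID`.

```python
from datetime import datetime, timezone

def poll(state, snapshot, now):
    """Merge one snapshot into `state`; return (removed_guids, changed).

    state:    {guid: {"dn", "attrs", "last_seen", "removed_at"}}, kept between runs
    snapshot: {guid: {"dn": str, "attrs": dict}} as just read from the directory
    Keyed by objectGUID, so a rename or move (new DN) is not seen as a removal.
    """
    removed, changed = [], {}
    for guid, entry in snapshot.items():
        prev = state.get(guid)
        if prev is not None and prev["removed_at"] is None:
            old = dict(prev["attrs"], distinguishedName=prev["dn"])
            new = dict(entry["attrs"], distinguishedName=entry["dn"])
            diff = {k: (old.get(k), new.get(k))
                    for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
            if diff:
                changed[guid] = diff  # which properties changed, old and new value
        state[guid] = {"dn": entry["dn"], "attrs": dict(entry["attrs"]),
                       "last_seen": now, "removed_at": None}
    for guid, rec in state.items():
        if guid not in snapshot and rec["removed_at"] is None:
            rec["removed_at"] = now  # first poll on which the object was missing
            removed.append(guid)
    return removed, changed

# Constructed sample data: two polls of the same (hypothetical) domain.
T1 = datetime(2009, 6, 1, 9, 0, tzinfo=timezone.utc)
T2 = datetime(2009, 6, 1, 10, 0, tzinfo=timezone.utc)
SNAP1 = {
    "guid-a": {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "attrs": {"title": "Analyst"}},
    "guid-b": {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "attrs": {"title": "Engineer"}},
    "guid-c": {"dn": "CN=Carol,OU=Staff,DC=example,DC=com", "attrs": {"title": "Manager"}},
}
SNAP2 = {
    "guid-a": {"dn": "CN=Alice,OU=Leavers,DC=example,DC=com", "attrs": {"title": "Analyst"}},
    "guid-c": {"dn": "CN=Carol,OU=Staff,DC=example,DC=com", "attrs": {"title": "Director"}},
}

if __name__ == "__main__":
    state = {}
    poll(state, SNAP1, T1)
    removed, changed = poll(state, SNAP2, T2)
    for guid in removed:
        print("removed:", state[guid]["dn"], "last seen", state[guid]["last_seen"])
    for guid, diff in changed.items():
        print("changed:", guid, diff)
```

The removal time is only known to fall between `last_seen` and `removed_at`, so the polling interval bounds how precisely a deletion can be dated.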