Active Directory Tombstones

Tombstones are the objects that have been deleted from AD but not yet physically removed from the database. When an object such as a user is deleted, it is marked isDeleted, stripped down, and moved into the Deleted Objects container, where it stays for a set period known as the Tombstone Lifetime before garbage collection removes it for good.

Seeing with ldp.exe

Go to Options -> Controls and load the predefined "Return deleted objects" control (LDAP_SERVER_SHOW_DELETED_OID); without it the Deleted Objects container shows nothing.

Then View -> Tree, with CN=Deleted Objects,DC=other,DC=local (the container the deleted user appears under below) as the base DN.

Lifetime

Existing user:

ldapsearch -H ldap://$ad_ip:389 -x -D $ad_user -w $ad_password -b "CN=Gazon Zaseyan,CN=Users,DC=other,DC=local"
# extended LDIF
#
# LDAPv3
# base <CN=Gazon Zaseyan,CN=Users,DC=other,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Gazon Zaseyan, Users, other.local
dn: CN=Gazon Zaseyan,CN=Users,DC=other,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gazon Zaseyan
sn: Zaseyan
givenName: Gazon
distinguishedName: CN=Gazon Zaseyan,CN=Users,DC=other,DC=local
instanceType: 4
whenCreated: 20250814141946.0Z
whenChanged: 20250814141946.0Z
displayName: Gazon Zaseyan
uSNCreated: 16803
uSNChanged: 16810
name: Gazon Zaseyan
objectGUID:: 22LBYg4bdketn2v8C7mTEA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133996547861647410
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAATCVXwgK+gMKYJJQdVwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gazon
sAMAccountType: 805306368
userPrincipalName: gazon@other.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=other,DC=local
dSCorePropagationData: 20250814141946.0Z
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Deleted user in ldp.exe:

Expanding base 'CN=Gazon Zaseyan\0ADEL:62c162db-1b0e-4776-ad9f-6bfc0bb99310,CN=Deleted Objects,DC=other,DC=local'...
Getting 1 entries:
Dn: CN=Gazon Zaseyan\0ADEL:62c162db-1b0e-4776-ad9f-6bfc0bb99310,CN=Deleted Objects,DC=other,DC=local
cn: Gazon Zaseyan
DEL:62c162db-1b0e-4776-ad9f-6bfc0bb99310; 
distinguishedName: CN=Gazon Zaseyan\0ADEL:62c162db-1b0e-4776-ad9f-6bfc0bb99310,CN=Deleted Objects,DC=other,DC=local; 
instanceType: 0x4 = ( WRITE ); 
isDeleted: TRUE; 
isRecycled: TRUE; 
lastKnownParent: CN=Users,DC=other,DC=local; 
name: Gazon Zaseyan
DEL:62c162db-1b0e-4776-ad9f-6bfc0bb99310; 
objectClass (4): top; person; organizationalPerson; user; 
objectGUID: 62c162db-1b0e-4776-ad9f-6bfc0bb99310; 
objectSid: S-1-5-21-3260491084-3263217154-496247960-1111; 
sAMAccountName: gazon; 
userAccountControl: 0x200 = ( NORMAL_ACCOUNT ); 
uSNChanged: 16813; 
uSNCreated: 16803; 
whenChanged: 8/14/2025 7:22:14 AM Pacific Daylight Time; 
whenCreated: 8/14/2025 7:19:46 AM Pacific Daylight Time; 
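The two listings show the same object twice: ldapsearch exports binary attributes base64-encoded (the "::" separator), while ldp.exe decodes them. The Python below is an added example, not code from the original post: it decodes the page's objectGUID and objectSid, checks them against the tombstone's DN and SID, converts the FILETIME pwdLastSet, and estimates when garbage collection may purge the tombstone; the 180-day lifetime is an assumed default, not a value read from this forest.

```python
import base64
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Values copied from the page's ldapsearch (live user) listing.
LDIF_OBJECTGUID = "22LBYg4bdketn2v8C7mTEA=="
LDIF_OBJECTSID = "AQUAAAAAAAUVAAAATCVXwgK+gMKYJJQdVwQAAA=="
LDIF_PWDLASTSET = 133996547861647410
DOMAIN_DN = "DC=other,DC=local"


def guid_from_ldif(b64: str) -> str:
    """objectGUID is 16 raw bytes; AD stores the first three fields little-endian."""
    return str(uuid.UUID(bytes_le=base64.b64decode(b64)))


def sid_from_ldif(b64: str) -> str:
    """Binary SID -> 'S-R-I-S...' (revision, 48-bit big-endian authority, LE sub-authorities)."""
    raw = base64.b64decode(b64)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def tombstone_dn(cn: str, guid: str, domain_dn: str = DOMAIN_DN) -> str:
    """DN a deleted object gets: the RDN becomes '<cn>\\nDEL:<objectGUID>' (the newline
    is escaped as \\0A in DN syntax) and the object is re-parented under Deleted Objects."""
    return f"CN={cn}\\0ADEL:{guid},CN=Deleted Objects,{domain_dn}"


def tombstone_expiry(deleted_at: datetime, lifetime_days: int = 180) -> datetime:
    """Earliest point garbage collection may purge the tombstone. lifetime_days=180 is an
    assumed default; read the forest's actual tombstoneLifetime attribute in practice."""
    return deleted_at + timedelta(days=lifetime_days)


if __name__ == "__main__":
    guid = guid_from_ldif(LDIF_OBJECTGUID)
    print("objectGUID :", guid)
    print("objectSid  :", sid_from_ldif(LDIF_OBJECTSID))
    print("pwdLastSet :", filetime_to_utc(LDIF_PWDLASTSET).isoformat())
    print("tombstone  :", tombstone_dn("Gazon Zaseyan", guid))
    # ldp.exe showed whenChanged 8/14/2025 7:22:14 AM PDT (UTC-7) on the tombstone.
    deleted = datetime(2025, 8, 14, 14, 22, 14, tzinfo=timezone.utc)
    print("purge after:", tombstone_expiry(deleted).date())
```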

3 Responses to Active Directory Tombstones

  1. dmitriano says:

    Understanding Active Directory Tombstone Objects
    https://www.youtube.com/watch?v=O8n2Lxfj2Zo

  2. dmitriano says:

    TOMBSTONE LIFE TIME IN ACTIVE DIRECTORY.
    https://www.youtube.com/watch?v=8Mrkj6SjxyI

  3. dmitriano says:

    What happens in the back end when you delete an object?
    https://www.windows-active-directory.com/active-directory-tombstones.html
