How to use Sort Keys in LDP

I knocked up an example PowerShell one-liner for a colleague to get the oldest item in the Deleted Objects container, because of a need to identify the default tombstone lifetime (i.e. when there's no value on the nTDSService object's tombstoneLifetime attribute), but the environment in question didn't have Active Directory Web Services (ADWS), so the PowerShell one-liner (I've listed it at the end of this post for those who care) wouldn't work.  In these cases (when ADFIND isn't available either) I fall back to LDP; you can probably tell from this blog that I use LDP a lot.  It took me a good ten minutes to work out how to use the LDAP_SERVER_SORT_OID control (1.2.840.113556.1.4.473), so I thought I'd post how to sort results here.

For the purpose of this example I’ll describe how to list the tombstoned objects in descending order.

  1. Open LDP (Start | Run | LDP), connect and bind to the directory.
  2. Click Options | Controls (Ctrl + L).
  3. Check in the LDAP_SERVER_SHOW_DELETED_OID control by selecting "Return deleted objects" from the "Load Predefined" list and clicking OK.
  4. Click View | Tree (Ctrl + T) and press Enter (leaving the Base DN empty).
  5. Expand the domain NC and right-click on CN=Deleted Objects, <your DN goes here> and click Search.
  6. Set the Scope to One Level.  Change the attributes to objectClass;name;whenChanged and click Options.
  7. Select Extended for the Search Call Type and click Sort Keys.
  8. Enter whenChanged for the Attribute Type, leave Match Rule OID empty, tick Reverse Order and then click Check In >>.
  9. Click OK to close the Search Options dialog and click Run to execute the search.

The number of results returned is governed by the size limit in Search Options.  By default it's pretty low, so you just need to look at the top-most result to see when that object was deleted and then gauge the tombstone lifetime.

It's pretty simple really.  Server-side sorting is pretty limited as a whole: you can only sort ascending or descending on one attribute, only a subset of attribute types are allowed, and it is also expensive for the server.  In almost all cases you'll want to order the data on the client side (like I do in PowerShell below), but from time to time the server-side sorting feature comes in handy.
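For environments without ADWS where you would rather script the LDP steps above than click through them, the same two controls (LDAP_SERVER_SHOW_DELETED_OID and LDAP_SERVER_SORT_OID) can be sent from PowerShell through System.DirectoryServices.Protocols (S.DS.P), which talks plain LDAP and so works without ADWS. This is an added example and not code from the original post; the server name, base DN and size limit are placeholder values. It also checks the SortResponseControl the server returns, so you know whether the sort was actually honoured rather than assuming the top entry is the one you want.

```powershell
# Added example (not from the original post): steps 1-9 of the LDP procedure as an S.DS.P search.
# Assumed/placeholder values: $server, $baseDn and $sizeLimit.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server    = "dc01.corp.contoso.com"                          # placeholder DC name
$baseDn    = "CN=Deleted Objects,DC=corp,DC=contoso,DC=com"   # placeholder base DN
$sizeLimit = 10   # keep the sorted result set small; server-side sort is expensive

# Bind with the current credentials over a signed and sealed session.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# One-level search under Deleted Objects, returning the same attributes as step 6.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn,
    "(objectClass=*)",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @("objectClass", "name", "whenChanged"))
$search.SizeLimit = $sizeLimit

# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417): "Return deleted objects" from step 3.
$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null

# LDAP_SERVER_SORT_OID (1.2.840.113556.1.4.473): the Sort Keys dialog from step 8.
# Sort key = whenChanged, no match rule OID, reverse (descending) order.
$sort = New-Object System.DirectoryServices.Protocols.SortRequestControl("whenChanged", $true)
$sort.IsCritical = $true   # fail the search rather than silently get unsorted entries back
$search.Controls.Add($sort) | Out-Null

try {
    $response = $conn.SendRequest($search)
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # Hitting the size limit is reported as an exception; the entries returned so far are in .Response.
    if ($_.Exception.Response.ResultCode -eq [System.DirectoryServices.Protocols.ResultCode]::SizeLimitExceeded) {
        $response = $_.Exception.Response
    }
    else {
        throw
    }
}

# The server says in a SortResponseControl whether it performed the sort; check it rather than assume.
$sortResult = $response.Controls |
    Where-Object { $_ -is [System.DirectoryServices.Protocols.SortResponseControl] } |
    Select-Object -First 1
if ($sortResult -and $sortResult.Result -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
    Write-Warning ("Server did not sort the results: {0}" -f $sortResult.Result)
}

# whenChanged comes back as generalized time, e.g. 20240101120000.0Z (constructed sample value).
$response.Entries | ForEach-Object {
    [PSCustomObject]@{
        Name        = $_.Attributes["name"][0]
        WhenChanged = $_.Attributes["whenChanged"][0]
    }
} | Format-Table -AutoSize
```

Because the sort control is marked critical, a DC that cannot sort on the requested attribute returns an error instead of an unsorted page, which is the behaviour you want when the top entry is going to be used to gauge the tombstone lifetime.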

Anyway, here’s the PowerShell that uses the ActiveDirectory module:

[String]$aDPSModuleName = "ActiveDirectory";
# Load the ActiveDirectory module if it isn't loaded already but is available on this machine.
if (@(Get-Module -Name $aDPSModuleName).Count -eq 0) {
    if (@(Get-Module -ListAvailable | ? { $_.Name -eq $aDPSModuleName }).Count -eq 1) {
        Import-Module -Name $aDPSModuleName;
    }
}

[String]$delObjFilter = 'objectClass -like "*"';
[String]$delObjSearchBase = "CN=Deleted Objects,DC=corp,DC=contoso,DC=com";
[String[]]$delObjPropertiesToFetch = @( "whenChanged", "lastKnownParent" );

# One-level search of the Deleted Objects container, sorted on the client side by whenChanged.
Get-ADObject `
    -Filter $delObjFilter `
    -IncludeDeletedObjects `
    -SearchBase $delObjSearchBase `
    -SearchScope OneLevel `
    -Properties $delObjPropertiesToFetch |
        Sort-Object -Property whenChanged |
            Select-Object -Last 3 | Format-Table whenChanged;

When I said one line I slightly exaggerated.  There's an if statement to load the module if it isn't already loaded and is available, and I use a few variables to make the command easier to read.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.
