Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Contact
  • Reviews
  • Toggle search form

How to determine Tombstone Lifetime in Active Directory

Posted on 02/08/202430/06/2026 Temitope Odemo By Temitope Odemo No Comments on How to determine Tombstone Lifetime in Active Directory
  1. Home
  2. Windows Server
  3. How to determine Tombstone Lifetime in Active Directory
Banner

In this guide, I will show you How to determine Tombstone Lifetime in Active Directory. A Tombstone Lifetime will help determine how long a deleted object can be stored within an active directory. This deleted object is not fully removed from the Active Directory but is marked as a Tombstone Lifetime object. We cannot access Tombstone Lifetime by using MMC Console or the Windows directory but it exists in the Active Directory replication which makes the Tombstone Lifetime in one DC to be replicated to other DC in an AD forest. Please see how to enable and configure WinRM via GPO, and Active Directory: How to Setup a Domain Controller,

Note: Once an object is deleted, it will be deleted from all the computers throughout the Active Directory. Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and move it to a special container called Tombstone, which is formerly called CN=Deleted Objects.

Please take a look at the YouTube video below for more information on how to determine or change the default tombstone value.

Play

Also, read more about how to Remove Microsoft Exchange Server: Using ADSIEdit Tool, Create New Users and Join Synology NAS to Active Directory, Service and Network Port requirements for Active Directory, Setup a Domain Controller as Recommended by Microsoft, and How to Use Active Directory Explorer from Sysinternals.

Check tombstone lifetime of Active Directory using ADSI Edit on Windows Server

Checking and changing Tombstone Lifetime is possible with ADSI Edit. ADSI Edit is an LDAP editor that manages objects in the Active Directory.

This utility tool will allow you to view objects and attributes that are not displayed in the Active Directory Management Console.

1: Open the Windows Server and click Start > Windows Administrative Tools.

How to determine Tombstone Lifetime in Active Directory - Windows Admin

2. Click on ADSI Edit.

How to determine Tombstone Lifetime in Active Directory - Adsi Edit

3. Right-click the ADSI Edit node and select Connect To.

How to determine Tombstone Lifetime in Active Directory - Connect to

4. In the Connection Settings dialog, On the Connection Point check “Select a well known Naming Context:” and select Configuration from the drop-down list.

Configuration

5. Expand Configuration <Your_Root_Domain_Name>

Configuration2

6. Expand Configuration CN=Configuration,DC=<Your_Root_Domain_Name> DC=Local

CN Configuration

7. Expand Services CN=Services 

CN Services

8. Expand Windows NT CN=Windows NT

Windows NT

9. Right-click CN=Directory Service and select Properties from the context menu.

CN Directory

10. In the CN=Directory Service Properties dialog box, navigate to the tombstoneLifetime attribute in the Attribute Editor tab

tombstone

11. The default tombstoneLifetime value here is 180. Select it and edit it to your desired figure and click OK.

The Tombstone Lifetime VALUE will be successfully changed.

Attribute value

Please see How to Back Up and Restore the Windows Registry, learn the Concept of Active Directory Computer Account, and How to add a second Domain Controller.

2. Checking and changing Tombstone Lifetime using PowerShell

Open the PowerShell terminal to change the value of your DC Tombstone Lifetime. Let’s assume that you want to change the value to 365 use the below command.

Import-Module ActiveDirectory
$ADForestconfigurationNamingContext =(GetADRootDSE).configurationNamingContext
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime=’365′}
Powershell

You can use the following command to view the current value of your DC Tombstone Lifetime.

(get-adobject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=<Your_Root_Domain_Name>,dc=local" -properties "tombstonelifetime").tombstonelifetime
Powershell2

I hope you found this blog post on how to determine Tombstone Lifetime in Active Directory Interesting and helpful. If you have any questions do not hesitate to ask in the comment section.

5/5 - (1 vote)

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Windows Server Tags:Active Directory, Active Directory deletion retention period, Active Directory Domain Services, Active Directory tombstone lifetime check, AD recycle bin vs tombstone lifetime, ADSI Edit tombstone lifetime location, check directory services tombstoneLifetime attribute, determine AD tombstone lifetime PowerShell, get tombstone lifetime domain controller, how long deleted objects kept AD, Windows Server 2016, Windows Server AD object retention settings

Post navigation

Previous Post: Enabling and Configuring WinRM via GPO
Next Post: Windows PE working for Windows 11 and Windows Server 2022

Related Posts

  • Extend C drive with additional Software
    Aomei Free Partition Manager: Fix unable to Extend Volume on Windows protected by BitLocker Windows
  • Featured image new
    How to find out who restarted Windows Server Windows
  • screenshot 2020 04 07 at 01.42.57
    How to enable Telnet in Windows 10 and Windows Server Windows Server
  • MSIEXEC returned 1602
    Fix MSIEXEC returned 1602: Trellix Setup cannot use this account Windows Server
  • How to Find Out Which Users Are Logged on Windows Server
    How to Find Out Which Users Are Logged on Windows Server Windows
  • Netstat
    Network statistics: How to save netstat command output to a text Web Server

More Related Articles

Extend C drive with additional Software Aomei Free Partition Manager: Fix unable to Extend Volume on Windows protected by BitLocker Windows
Featured image new How to find out who restarted Windows Server Windows
screenshot 2020 04 07 at 01.42.57 How to enable Telnet in Windows 10 and Windows Server Windows Server
MSIEXEC returned 1602 Fix MSIEXEC returned 1602: Trellix Setup cannot use this account Windows Server
How to Find Out Which Users Are Logged on Windows Server How to Find Out Which Users Are Logged on Windows Server Windows
Netstat Network statistics: How to save netstat command output to a text Web Server

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • image 24
    How to Resolve Microsoft RDP Connection Black Screen Windows
  • xxxxxx 1
    Have the taskbar appear on one or both displays in Windows Windows
  • Shrink and Compact Virtual Hard Disks
    How to Shrink and Compact Virtual Hard Disks in Hyper-V Virtualization
  • Windows server 2025 set up
    Install Windows Server 2025 via iDRAC Virtual Media or PXE Windows Server
  • How to Upgrade Windows 10 with an Unsupported CPU TPM 1.0 to Windows 11
    Upgrading from Windows 10 with Unsupported CPU and TPM 1.0 Windows
  • Configure Data Deduplication on Windows Server
    Video on how to Configure Data Deduplication on Windows Server Windows Server
  • How to Disable UAC with Group Policy and enable PIN in Windows Hello
    How to Disable UAC with Group Policy and enable PIN in Windows Hello Windows
  • Screenshot 4
    Veeam Agent for AIX: Initial Deploy/UUID Error Network | Monitoring

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,784 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.