Creating and Deleting Active Directory Objects

The exact steps used to programmatically create and delete Active Directory® objects depend on the programming technology used. For more information about creating and deleting Active Directory objects with a specific programming technology, see the topics listed in the following table.

Programming technology                    For more information
Active Directory Service Interfaces       Creating and Deleting Objects
Lightweight Directory Access Protocol     Modifying a Directory Entry
System.DirectoryServices                  Create, Delete, Rename and Move Objects

Creating an Object

In general, the only attributes required to create an object are cn and objectClass. Creating an object does not necessarily make it a functional object, however: certain types of objects, such as users and groups, have additional required attributes before they are usable. For more information about creating specific types of objects, see:
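The following script is an added example, not code from the original page; it uses System.DirectoryServices through the PowerShell [ADSI] adapter (the third technology in the table above) to create an object that is complete with only cn and objectClass, to create a user object and then supply the extra attributes that make it functional, and to delete an object. The OU path, account names and domain are constructed placeholders.

```powershell
# Added example, not from the original page: create a minimal object, make a
# user object functional, and delete an object through System.DirectoryServices
# (the PowerShell [ADSI] adapter). OU path, names and domain are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$ou = [ADSI]"LDAP://OU=Staff,DC=example,DC=com"   # constructed placeholder container

# A contact is a complete, usable object with nothing but cn and objectClass.
# Children.Add takes the RDN (which supplies cn) and the schema class name
# (which supplies objectClass); CommitChanges sends the LDAP add.
$contact = $ou.Children.Add("CN=Vendor Contact", "contact")
$contact.CommitChanges()

# A user created the same way exists but is not functional: the DC creates it
# disabled, with PASSWD_NOTREQD set and no password. Supply the attributes
# that make it usable before enabling it.
$user = $ou.Children.Add("CN=Jane Doe", "user")
$user.Properties["sAMAccountName"].Value    = "jdoe"              # logon name
$user.Properties["userPrincipalName"].Value = "jdoe@example.com"
$user.CommitChanges()          # the object must exist before a password can be set

# SetPassword is an ADSI IADsUser method; Invoke reaches it from .NET.
# Prompt for the initial password rather than embedding it in the script.
$initial = (Get-Credential -UserName "jdoe" -Message "Initial password for jdoe").GetNetworkCredential().Password
$user.Invoke("SetPassword", $initial)

# userAccountControl 0x200 = NORMAL_ACCOUNT with ACCOUNTDISABLE (0x2) and
# PASSWD_NOTREQD (0x20) cleared, so the account can now log on.
$user.Properties["userAccountControl"].Value = 0x200
$user.CommitChanges()

# Deleting removes the object from its container; it then lives on as a
# tombstone in CN=Deleted Objects until the tombstone lifetime expires.
$ou.Children.Remove($contact)
```

Run it as an account with create-child and delete-child rights on the OU over a signed or sealed connection (Kerberos binds are by default), since SetPassword refuses to send a password over an unprotected session.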

Deleting an Object

Active Directory performs the following actions when an object is deleted:

The deleted object remains in the Deleted Objects container for a period of time known as the tombstone lifetime. By default, the tombstone lifetime is 60 days, but this value can be changed by the system administrator. After the tombstone lifetime expires, the object is permanently removed from Active Directory. To avoid missing deletions, an application must perform incremental synchronizations more frequently than the tombstone lifetime.
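The next script is an added example, not code from the original page. It reads the forest's tombstoneLifetime (falling back to the 60-day default when the attribute has never been set), lists the current tombstones with the date after which each is garbage-collected, and checks an incremental-synchronization interval against the lifetime. The "last sync" timestamp is a constructed placeholder; everything else is read from the directory the script is run against.

```powershell
# Added example, not from the original page: tombstone lifetime, current
# tombstones, and an incremental-sync interval check. $lastSync is a
# constructed placeholder standing in for an application's sync bookmark.
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext.Value
$domainNc = [string]$rootDse.defaultNamingContext.Value

# tombstoneLifetime lives on the Directory Service object in the configuration
# partition. When it has never been set, the directory uses the 60-day default.
$dsSettings = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$tslDays = 60
if ($dsSettings.Properties["tombstoneLifetime"].Count -gt 0) {
    $tslDays = [int]$dsSettings.Properties["tombstoneLifetime"].Value
}
"Tombstone lifetime: $tslDays days"

# Tombstones are hidden from ordinary searches; DirectorySearcher.Tombstone
# attaches the LDAP_SERVER_SHOW_DELETED_OID control so they are returned.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainNc"
$searcher.Filter     = "(isDeleted=TRUE)"
$searcher.Tombstone  = $true
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "lastKnownParent", "whenChanged"))

foreach ($result in $searcher.FindAll()) {
    $dn     = [string]$result.Properties["distinguishedname"][0]
    $parent = [string]$result.Properties["lastknownparent"][0]
    # Deleting an object modifies it, so whenChanged approximates the deletion
    # time; lastKnownParent records the container it was deleted from.
    $changed = [datetime]$result.Properties["whenchanged"][0]
    "{0}`n    was in: {1}`n    collected after: {2:yyyy-MM-dd}" -f $dn, $parent, $changed.AddDays($tslDays)
}

# An application that syncs incrementally must run more often than the
# lifetime, or deletions in the gap are garbage-collected before it sees them.
$lastSync  = (Get-Date).AddDays(-45)          # constructed placeholder
$sinceSync = (Get-Date) - $lastSync
if ($sinceSync.TotalDays -ge $tslDays) {
    Write-Warning "Last sync was $([int]$sinceSync.TotalDays) days ago, not less than the tombstone lifetime; do a full resynchronization."
} else {
    "Last sync $([int]$sinceSync.TotalDays) days ago; incremental sync is still safe."
}
```

Tombstones keep only a small set of attributes (distinguishedName, objectGUID, isDeleted, lastKnownParent and a few others), so do not expect the searcher to return the object's original attributes here.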

Windows Server 2003 adds the ability to restore deleted objects. For more information about deleted object restoration, see Restoring Deleted Objects.

When an object is deleted, none of its attributes can be modified. In Windows Server 2003, it is possible to modify the security descriptor (the ntSecurityDescriptor attribute) on a deleted object. This allows an object to be restored when the person restoring it does not have write permissions to its mandatory attributes. To update the security descriptor on a deleted object, the caller must have the "Reanimate Tombstone" control access right on the naming context, in addition to regular WRITE_DAC and WRITE_OWNER access. Even if the security descriptor is restrictive, an administrator can first take ownership of the object, assuming the administrator has the SE_TAKE_OWNERSHIP_NAME privilege, and then modify the security descriptor. To do this, use the ldap_modify_ext_s function with the LDAP_SERVER_SHOW_DELETED_OID control. The modification list must contain a single attribute replacement for the ntSecurityDescriptor attribute.
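The script below is an added example, not code from the original page. It performs the operation just described, a single-attribute replacement of ntSecurityDescriptor on a deleted object under the LDAP_SERVER_SHOW_DELETED_OID control, through System.DirectoryServices.Protocols rather than the ldap_modify_ext_s C call, to grant the account that will restore the object write access to it. The server name, the tombstone DN and the restorer account are constructed placeholders.

```powershell
# Added example, not from the original page: give a restoring account write
# access to a tombstone by replacing nTSecurityDescriptor on the deleted
# object (show-deleted control on both the read and the modify).
# Server, tombstone DN and restorer account are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = "System.DirectoryServices.Protocols"

$server      = "dc01.example.com"
$tombstoneDn = 'CN=Jane Doe\0ADEL:00000000-0000-0000-0000-000000000000,CN=Deleted Objects,DC=example,DC=com'
$restorerSid = (New-Object System.Security.Principal.NTAccount("EXAMPLE\adrestore")).Translate([System.Security.Principal.SecurityIdentifier])

$conn = New-Object "$P.LdapConnection" ($server)
$conn.SessionOptions.Signing = $true    # integrity-protect the session
$conn.SessionOptions.Sealing = $true    # and encrypt it
$conn.Bind()                            # bind as the current user

# Both requests carry the show-deleted control (so the tombstone is visible)
# and an SD-flags control limited to owner, group and DACL: touching the SACL
# would additionally require SeSecurityPrivilege.
$showDeleted = New-Object "$P.ShowDeletedControl"
$masks   = [System.DirectoryServices.Protocols.SecurityMasks]
$sdFlags = New-Object "$P.SecurityDescriptorFlagControl" ($masks::Owner -bor $masks::Group -bor $masks::Dacl)

# 1. Read the tombstone's current security descriptor.
$search = New-Object "$P.SearchRequest"
$search.DistinguishedName = $tombstoneDn
$search.Filter = "(objectClass=*)"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
[void]$search.Attributes.Add("nTSecurityDescriptor")
[void]$search.Controls.Add($showDeleted)
[void]$search.Controls.Add($sdFlags)
$entry   = $conn.SendRequest($search).Entries[0]
$sdBytes = $entry.Attributes["nTSecurityDescriptor"].GetValues([byte[]])[0]

# 2. Insert an allow ACE granting the restorer generic write, keeping the
#    rest of the DACL (and the owner) exactly as it is.
$sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor ($sdBytes, 0)
$ace = New-Object System.Security.AccessControl.CommonAce (
           [System.Security.AccessControl.AceFlags]::None,
           [System.Security.AccessControl.AceQualifier]::AccessAllowed,
           [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
           $restorerSid, $false, $null)
$sd.DiscretionaryAcl.InsertAce(0, $ace)
$newSd = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($newSd, 0)

# 3. Replace nTSecurityDescriptor on the tombstone: exactly one modification,
#    as the text above requires. The caller needs the "Reanimate Tombstone"
#    control access right on the naming context plus WRITE_DAC on the object
#    (and WRITE_OWNER if the owner is being changed).
$mod = New-Object "$P.DirectoryAttributeModification"
$mod.Name      = "nTSecurityDescriptor"
$mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$mod.Add($newSd)

$modify = New-Object "$P.ModifyRequest"
$modify.DistinguishedName = $tombstoneDn
[void]$modify.Modifications.Add($mod)
[void]$modify.Controls.Add($showDeleted)
[void]$modify.Controls.Add($sdFlags)
$response = $conn.SendRequest($modify)
"Modify result: $($response.ResultCode)"
$conn.Dispose()
```

If the existing descriptor denies WRITE_DAC to the caller, the take-ownership path the text describes is the same modify with the SD-flags mask set to Owner only and $sd.Owner set to the administrator's SID; once the owner has been changed, a second modify can replace the DACL. Writes to nTSecurityDescriptor on tombstones are rare in normal operation and are worth alerting on, since the same right that makes this restoration possible also lets a deleted object be reanimated with a different access policy than it had when it was deleted.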