Recently, I wanted to know what the tombstone lifetime was in my environment and decided to find this using PowerShell. Given, I could have done something with dsquery or dug in using the ADSI type accelerator to connect to my domain controller and dig through to find it.

For those of you unfamiliar with this attribute, a good explanation of this is

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object.

Basically, I wanted to know how long I had to recover  if (in my case) one of my domain controllers were down for an extended period of time. For more information on the fun that can occur if this happens and it is down beyond the tombstone lifetime, check out this article: http://technet.microsoft.com/en-us/library/cc786630(v=ws.10).aspx

But back to my question, I already know a number of ways to get this information, but wanted to see if this can be done using the ActiveDirectory module. And the answer is a resounding Duh! This is PowerShell and the ActiveDirectory team has done a fine job with their module which make accessing this attribute an easy issue using the Get-ADObject cmdlet.

In fact, it is so simple it can be done with one line!

(get-adobject "cn=Directory Service,cn=Windows`
 NT,cn=Services,cn=Configuration,dc=rivendell,dc=com" `
-properties "tombstonelifetime").tombstonelifetime

Yes, I am using backticks in my code listing (bad practice!) but I wanted this to fit in the window with no scrolling required. But, as you can see here, the result is exactly what I was looking for! Of course, you will want to change it where I have dc=rivendell,dc=com to whatever matches your environment.

There you have it! A nice way to determine your tombstone lifetime using PowerShell and the ActiveDirectory module!