{"id":4600,"date":"2025-09-19T20:03:00","date_gmt":"2025-09-20T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4600"},"modified":"2025-09-12T18:29:45","modified_gmt":"2025-09-12T22:29:45","slug":"active-directory-security-tip-7-the-tombstone-lifetime","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4600","title":{"rendered":"Active Directory Security Tip #7: The Tombstone Lifetime"},"content":{"rendered":"\n<p>The Tombstone lifetime (TSL) in Active Directory is the limit on how long a deleted object can remain in AD. The original value was 60 (days). Windows versions since Windows 2003 SP2 have this set to 180 (days). Note that this also affects backups (how long a backup is valid) and replication &#8211; if a DC doesn&#8217;t replicate with its partner(s) within the TSL, the other DCs will ignore it. <a href=\"https:\/\/adsecurity.org\/?p=81\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/adsecurity.org\/?p=81<\/a> <br><br>If you have an environment with it still set to 60, I recommend you update it to 180 days. This may slightly bloat AD since deleted objects will linger longer, but it does provide a fail-safe of sorts if you need to recover going back &gt;60 days. 
<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"397\" height=\"22\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/Gv7Pc8aXUAEIOow.png\" alt=\"\" class=\"wp-image-4601\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/Gv7Pc8aXUAEIOow.png 397w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/Gv7Pc8aXUAEIOow-300x17.png 300w\" sizes=\"auto, (max-width: 397px) 100vw, 397px\" \/><\/figure>\n\n\n\n<p><br><strong>PowerShell code using the AD PowerShell module to determine the Tombstone lifetime: <\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ADRootDSE = Get-ADRootDSE\n$ADConfigurationNamingContext = $ADRootDSE.configurationNamingContext\n    \n$TombstoneObjectInfo = Get-ADObject -Identity \"CN=Directory Service,CN=Windows NT,CN=Services,$ADConfigurationNamingContext\" -Partition \"$ADConfigurationNamingContext\" -Properties * \n&#91;int]$TombstoneLifetime = $TombstoneObjectInfo.tombstoneLifetime\n\nIF ($TombstoneLifetime -eq 0) \n { $TombstoneLifetime = 60 }\n\nWrite-Host \"The AD Forest Tombstone lifetime is set to $TombstoneLifetime days.\"<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The Tombstone lifetime (TSL) in Active Directory is the limit as to how long a deleted object can remain in AD. The original value was 60 (days). Windows versions since Windows 2003 SP2 have this set to 180 (days). 
Note that this also affects backups, how long a backup is valid and replication &#8211; if &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4600\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[1469,1477],"class_list":["post-4600","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectorysecuritytip","tag-tombstonelifetime","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4600"}],"version-history":[{"count":4,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4600\/revisions"}],"predecessor-version":[{"id":4635,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4600\/revisions\/4635"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}