Get deleted AD users/groups by python-ldap


If I delete a user or group in Windows AD, it ends up in "Deleted Objects". I want to use the python-ldap lib to get them. Code:

<code>
import ldap

uri = "ldap://10.64.74.17"
user = "xxxxxxxxxx"
password = "xxxxxxxxxxxx"

ldap.set_option(ldap.OPT_REFERRALS, 0)
ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)

ldapclient = ldap.initialize(uri)
ldapclient.protocol_version = ldap.VERSION3
ldapclient.simple_bind_s(user, password)

# Plain search: no server control is sent with the request
filter = "(&(objectClass=person)(isDeleted=TRUE)(!(objectClass=computer)))"
results = ldapclient.search_s("dc=xx,dc=com", ldap.SCOPE_SUBTREE, filter)
for result in results:
    print(result)

ldapclient.unbind_s()
</code>

It can't show deleted objects. What's wrong with the code?

You need to add an LDAP control to the search. To do this, create a request control for the particular operation (in this case the OID for AD is 1.2.840.113556.1.4.417), then pass a collection of controls to the search request as an optional parameter.

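<code>
from ldap.controls import LDAPControl

# search_ext_s() is the python-ldap call that accepts server controls
tombstone_control = LDAPControl('1.2.840.113556.1.4.417', criticality=True)
results = ldapclient.search_ext_s("dc=xx,dc=com", ldap.SCOPE_SUBTREE, filter,
                                  serverctrls=[tombstone_control])
</code>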

I think that will work. You can also scope the search base to CN=Deleted Objects,DC=xx,DC=com, where deleted objects end up. You should make sure the deleted objects are there first. You can use ldp.exe to check.
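An added example, not part of the original question or answer: it combines the control from the answer with the Deleted Objects search base and turns the raw results into a report of who was deleted and from where, which is the form an account-deletion audit needs. The names `search_deleted`, `parse_tombstones`, `ATTRS` and `SAMPLE` are made up for illustration, the requested attributes are an assumption about what is worth reporting, and the sample results are constructed.

```python
import re

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # control OID quoted in the answer
# AD renames a tombstone's RDN to "<old name>\0ADEL:<objectGUID>"
TOMBSTONE_RDN = re.compile(r"^[^=]+=(?P<name>.*?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),")
ATTRS = ["sAMAccountName", "lastKnownParent", "whenChanged"]  # assumed report fields


def search_deleted(conn, domain_dn):
    """Search CN=Deleted Objects under domain_dn on a bound python-ldap connection."""
    # Imported here so parse_tombstones() also runs where python-ldap is absent.
    import ldap
    from ldap.controls import LDAPControl

    control = LDAPControl(SHOW_DELETED_OID, criticality=True)
    flt = "(&(objectClass=person)(isDeleted=TRUE)(!(objectClass=computer)))"
    return conn.search_ext_s("CN=Deleted Objects," + domain_dn, ldap.SCOPE_SUBTREE,
                             flt, ATTRS, serverctrls=[control])


def _first(attrs, name):
    """python-ldap returns each attribute as a list of bytes; decode the first value."""
    values = attrs.get(name) or []
    return values[0].decode("utf-8") if values else None


def parse_tombstones(results):
    """Convert search results into one dict per tombstone."""
    rows = []
    for dn, attrs in results:
        match = TOMBSTONE_RDN.match(dn) if dn else None
        if match is None:  # referral (dn is None) or an entry that is not a tombstone
            continue
        row = {"name": match.group("name"), "guid": match.group("guid").lower()}
        row.update({a: _first(attrs, a) for a in ATTRS})
        rows.append(row)
    return rows


# Constructed sample shaped like search_ext_s() output: tombstone, container, referral
SAMPLE = [
    ("CN=Alice Example\\0ADEL:6f1c2a34-9b7e-4d15-8c3a-2e5f7a9b0c1d,CN=Deleted Objects,DC=xx,DC=com",
     {"sAMAccountName": [b"aexample"], "lastKnownParent": [b"OU=Staff,DC=xx,DC=com"]}),
    ("CN=Deleted Objects,DC=xx,DC=com", {}),
    (None, ["ldap://xx.com/CN=Configuration,DC=xx,DC=com"]),
]

if __name__ == "__main__":
    for row in parse_tombstones(SAMPLE):
        print(row)
```

Against a live directory, pass the bound connection from the question: `parse_tombstones(search_deleted(ldapclient, "DC=xx,DC=com"))`.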

