AD Recycle Bin
Theory
Its members have permission to read deleted AD objects. Juicy information can be found in there.
Practice
ldapsearch can be used to enumerate deleted AD objects:
ldapsearch -x -H ldap://$IP -D "Ad_Recycle_Bin_User@contoso.local" -w 'Password!' -b "CN=Deleted Objects,DC=contoso,DC=local" -E '!1.2.840.113556.1.4.417' '(&(objectClass=*)(isDeleted=TRUE))'
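Reading the output is its own small task: AD renames a deleted object's RDN to "<name>\nDEL:<objectGUID>", so ldapsearch prints the DN base64-encoded ("dn::") and folded across lines. The following Python is an added example, not part of the original page: it parses such LDIF offline from a constructed sample (jdoe, the GUID and contoso.local are made up) and recovers the original name, objectGUID, lastKnownParent and the attributes the tombstone still carries, which is what an auditor reviewing membership of this group needs to see.

```python
import base64
import re

# AD renames a deleted object's RDN to "<name>\nDEL:<objectGUID>"; the embedded newline
# is why ldapsearch prints the DN base64-encoded ("dn:: ...") and folded at 76 columns.
DEL_MARKER = "\nDEL:"


def parse_ldif(text):
    """Return entries as {attr: [values]}: unfold, skip comments, decode '::' base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # continuation of the previous line
            unfolded[-1] += line[1:]
        elif not line.startswith("#"):
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                    # sentinel blank line closes the last entry
        m = re.match(r"([^:]+)(::?)\s*(.*)", line)
        if not m:                                   # blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        key, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(key, []).append(value)
    return entries


def parse_deleted(entry):
    """Recover original name, objectGUID and former parent from a tombstone entry."""
    dn = entry["dn"][0]
    rdn, container = re.split(r"(?<!\\),", dn, maxsplit=1)   # split on first unescaped comma
    name = rdn.split("=", 1)[1]
    if DEL_MARKER not in name or not container.startswith("CN=Deleted Objects"):
        raise ValueError(f"not a deleted-object DN: {dn!r}")
    original, guid = name.split(DEL_MARKER, 1)
    return {"name": original, "guid": guid,
            "last_known_parent": entry.get("lastKnownParent", [""])[0], "attrs": entry}


# Constructed sample of ldapsearch output for one recycled user (not real data).
SAMPLE_DN = "CN=jdoe\nDEL:5d8f3b4e-1a2b-4c3d-9e8f-0a1b2c3d4e5f,CN=Deleted Objects,DC=contoso,DC=local"
DN_LINE = "dn:: " + base64.b64encode(SAMPLE_DN.encode()).decode()
SAMPLE_LDIF = "\n".join([
    "# extended LDIF", DN_LINE[:76], " " + DN_LINE[76:],     # folded the way ldapsearch does
    "objectClass: user", "sAMAccountName: jdoe", "userPrincipalName: jdoe@contoso.local",
    "isDeleted: TRUE", "lastKnownParent: OU=Staff,DC=contoso,DC=local", "msDS-LastKnownRDN: jdoe", ""])
```

Run `parse_deleted` over every entry returned by `parse_ldif` on real ldapsearch output to list, per tombstone, the original name, its former OU and which identity attributes (sAMAccountName, userPrincipalName) remain readable to this group.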