
Recycling Active Directory Trash with the AD Recycle Bin

Hopefully some of you have been playing with Server 2008 R2 while it has been in Beta.  One of the features I'm looking forward to most is the AD Recycle Bin.  Yes, you heard me correctly.  We now have an easy method for restoring accidentally deleted objects.

In the past our only recovery method out of the box was to perform an authoritative restore of an object.  That method had several issues that always rubbed me the wrong way.  First, you had to reboot the DC into Directory Services Restore Mode (DSRM).  And ever since Server 2003 we could use tombstone reanimation, but that removed most of the non-link-valued attributes, which led to additional work after the restore.  The default tombstone lifetime was 180 days with Server 2003 and 2008.

(Image: AD Recycle Bin Disabled)

You are probably already familiar with tombstones and the garbage collection process.  If not, read Gil's excellent article on that here: http://technet.microsoft.com/en-us/magazine/cc137800.aspx.  With Server 2008 R2 you will need to become aware of two new states: Deleted Object (the object keeps its attributes and can be restored intact) and Recycled Object (what a deleted object becomes once the deleted object lifetime expires; most attributes are stripped and it can no longer be restored).  The first thing to realize here is that the AD Recycle Bin is not enabled by default with Server 2008 R2.  The following steps/requirements must first be met:

Step 1 - Raise the Forest Functional Level to Server 2008 R2
Step 2 - Enable AD Recycle Bin (my example uses PowerShell; get used to it now)
Step 3 - Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=AdminPrep,DC=com" -Scope ForestOrConfigurationSet -Target "AdminPrep.com"
Note - Just make sure to replace AdminPrep with your domain.  Also be aware that enabling the Recycle Bin is a one-way change: once enabled it cannot be disabled again.
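The three requirements above, rolled into one script as an added example (this is not code from the original article).  It assumes the ActiveDirectory module from RSAT is installed and that you are running it as an Enterprise Admin; it checks the forest functional level and whether the feature is already on before it does anything, and it leaves the confirmation prompt in place because the enable cannot be undone.

```powershell
# Added example, not from the original article: pre-flight checks before enabling
# the AD Recycle Bin, then the enable step itself.
# Assumes the ActiveDirectory module (RSAT) is installed and you hold Enterprise Admin rights.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Requirement 1: forest functional level must be Windows Server 2008 R2 or higher.
# (Set-ADForestMode raises it, but only once every DC in the forest runs 2008 R2 or later.)
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $required first."
}

# Requirement 2: do not re-run the enable if it has already been done.
# EnabledScopes lists where the feature is on; an empty list means it is still disabled.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (@($feature.EnabledScopes).Count -gt 0) {
    Write-Output "AD Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
    return
}

# Enable it. Enabling is irreversible, so keep the default confirmation prompt
# rather than passing -Confirm:$false from a script.
Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name

# Verify: EnabledScopes should no longer be empty.
(Get-ADOptionalFeature -Identity $feature.DistinguishedName).EnabledScopes
```

Run it from an elevated Active Directory Module for Windows PowerShell prompt; the final line is the check you want to see succeed before you rely on the Recycle Bin for anything.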

Now when an object is deleted it is no longer turned straight into a tombstone; it is marked as deleted.  It is placed in the Deleted Objects container, which is hidden but can be located at CN=Deleted Objects.  When you want to restore an object there are two methods that I'm aware of: one using PowerShell and the other using LDP.

Using LDP:
Step 1 - Using elevated credentials, open LDP by typing ldp.exe from the Run Dialog box
Step 2 - Click Connections and select Connect and then go back and select Bind
Step 3 - Navigate to the CN=Deleted Objects
Step 4 - Find the object you wish to restore and right-click it and select Modify
In the Modify dialog box:
Step 5 - In Edit Entry Attribute, type isDeleted
Step 6 - Leave the Values box empty
Step 7 - Under Operation, click Delete, and then click Enter
Step 8 - In Edit Entry Attribute, type distinguishedName
Step 9 - In Values, type the original distinguished name (also known as DN) of this Active Directory object
Step 10 - Under Operation, click Replace
Step 11 - Make sure that the Extended check box is selected, click Enter, and then click Run

To restore an object using PowerShell you use the Get-ADObject and Restore-ADObject cmdlets.  Using PowerShell:
Open the Active Directory PowerShell command prompt and use the following syntax:
Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
Here is an example of restoring a deleted user account named Brian:
Get-ADObject -Filter {displayName -eq "Brian"} -IncludeDeletedObjects | Restore-ADObject

When restoring multiple items that may be linked (an OU or group that contains users) you will want to start at the highest level, because a child object cannot be restored until its parent exists again.
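The PowerShell restore above, extended as an added example that is not part of the original article.  It restores the single user with a preview first, and then shows the "start at the highest level" rule as a small recursive function: restore the parent, then look up its former children by their lastKnownParent attribute and restore those.  It assumes the ActiveDirectory module is loaded, the Recycle Bin is enabled, and "Finance" is a made-up OU name.

```powershell
# Added example, not from the original article: restore one deleted user safely, then
# restore a deleted OU together with everything that was inside it, parent first.
# Assumes the ActiveDirectory module is loaded and the AD Recycle Bin is enabled.
Import-Module ActiveDirectory

# --- Single object ---------------------------------------------------------------
# Filtering on isDeleted as well as the name keeps a live object that happens to share
# the display name from being piped into Restore-ADObject, and -WhatIf previews the
# match before anything is changed.
$deleted = Get-ADObject -Filter {isDeleted -eq $true -and displayName -eq "Brian"} `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize
$deleted | Restore-ADObject -WhatIf
# $deleted | Restore-ADObject        # same command without -WhatIf once the match looks right

# --- Whole subtree ---------------------------------------------------------------
# A child can only be restored once its parent exists again. Each deleted child records
# the parent's original DN in lastKnownParent, so after restoring the parent we look its
# children up by that DN and recurse, which restores the tree top-down.
function Restore-DeletedTree {
    param([Parameter(Mandatory = $true)][string]$DeletedDn)

    $restored = Restore-ADObject -Identity $DeletedDn -PassThru
    $parentDn = $restored.DistinguishedName
    Write-Output "Restored $parentDn"

    $children = Get-ADObject -Filter {isDeleted -eq $true -and lastKnownParent -eq $parentDn} `
        -IncludeDeletedObjects
    foreach ($child in $children) {
        Restore-DeletedTree -DeletedDn $child.DistinguishedName
    }
}

# Usage (Finance is a placeholder OU name): deleted objects keep their old name with a
# "\0ADEL:<guid>" suffix, hence -like. Restore the OU, then everything it used to hold.
# $ou = Get-ADObject -Filter {isDeleted -eq $true -and objectClass -eq "organizationalUnit" -and Name -like "Finance*"} -IncludeDeletedObjects
# Restore-DeletedTree -DeletedDn $ou.DistinguishedName
```

Check the Format-Table output before dropping -WhatIf: lastKnownParent tells you where the object will reappear, and if that parent is itself still deleted the restore fails until you restore the parent first, which is exactly what the function handles.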

An object can only be restored using those methods while it is still within the Deleted Object Lifetime.  The attribute is msDS-deletedObjectLifetime; if you look it up it will have a null value, which means the default of 180 days applies.
(Image: AD Recycle Bin Enabled)
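Reading that attribute, as an added example rather than code from the original article: the script pulls msDS-deletedObjectLifetime (and tombstoneLifetime alongside it) from the Directory Service object, applies the 180-day default when the value is null, and lists the deleted objects that are still inside the window with an estimate of the days left.  It assumes the ActiveDirectory module is loaded; the estimate uses whenChanged, which for a deleted object is normally the deletion itself.

```powershell
# Added example, not from the original article: read the lifetimes that bound how long a
# deleted object stays restorable, then list deleted objects with days remaining.
# Assumes the ActiveDirectory module is loaded. DaysLeft is an estimate: whenChanged is
# the last write to the object, which for a deleted object is normally the deletion.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties msDS-deletedObjectLifetime, tombstoneLifetime

# Both attributes are unset (null) on a default install; a null deleted-object lifetime
# means the 180-day default quoted in the article applies.
$deletedLifetime = if ($dsObject.'msDS-deletedObjectLifetime') { [int]$dsObject.'msDS-deletedObjectLifetime' } else { 180 }
$tombstoneLifetime = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 180 }
Write-Output "Deleted object lifetime: $deletedLifetime days; tombstone lifetime: $tombstoneLifetime days"

# Deleted objects still inside the window, soonest-to-expire first.
# The Deleted Objects container itself carries isDeleted, so it is filtered out.
$now = Get-Date
Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Where-Object { $_.Name -ne 'Deleted Objects' -and $_.whenChanged -gt $now.AddDays(-$deletedLifetime) } |
    Select-Object Name, ObjectClass, lastKnownParent,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.whenChanged.AddDays($deletedLifetime) - $now).TotalDays } } |
    Sort-Object DaysLeft
```

Anything that drops off this list has become a recycled object and is past the point where Restore-ADObject or the LDP procedure can bring it back.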
Author:Brian
4 Comments

Administrative Comment

by:WaterStreet
Hi mkbean,

I've been assigned the PE Article review for these zones (today), and you probably know more about the process than I do at this time.  I'm just getting familiar with the procedures, so please bear with me.

Meanwhile, I found the following:


1.  accidently s.b. accidentally

and

2.  some of the special characters are not displaying properly.

For example, apostrophes and what I would think are intended to be some dashes.

See for yourself and let me know.

I'm still not sure how to properly communicate to the authors, and I can always delete this Admin Comment so as to make sure you have a clean Article without my remarks.  I can also do the same for your replies to me here.


Administrative Comment

by:WaterStreet
Hi mkbean

In the third paragraph I fixed the character problem with "Gil's" to what it now reads.  Is that correct?

In steps 8 and 9, one "distinguished name" has a space and the other has an uppercase "N."  Please fix or explain.

If you change the status to Editor Review when you are done, I will then be flagged on my Article list.

Yes, I'll delete (hide) your comment.

Expert Comment

by:WaterStreet
Nice layout and graphics.  What did you use to generate the graphics?

Author Comment

by:Brian
PowerPoint 2007 SmartArt.  It's on the Insert tab of the ribbon.