Without the Recycle Bin feature, a deleted object is not removed outright: it becomes a tombstone, and for the tombstone lifetime (default 180 days in forests created on Windows Server 2003 SP1 or later; 60 days in older forests) it can be brought back by tombstone reanimation. The problem is that a tombstone has been stripped of most of its attributes, so group memberships and similar data are lost.
With the Active Directory Recycle Bin feature, which is disabled by default, a deleted object is moved to the Deleted Objects container with all of its attributes intact, and for the deleted object lifetime (by default equal to the tombstone lifetime, i.e. 180 days) it can be restored to exactly the state it had before deletion. After that period the deleted object becomes a recycled object (the equivalent of a tombstone) and for a further period (again the tombstone lifetime, 180 days by default) it can still be restored, but without some attributes. Only then is it physically removed by garbage collection.
Enabling the AD Recycle Bin
The prerequisite is a forest functional level of Windows Server 2008 R2 or higher. Once the feature is enabled it cannot be disabled again. Enabling it requires an account that is a member of Enterprise Admins. The easiest way is the Enable-ADOptionalFeature cmdlet from the PowerShell ActiveDirectory module. First the general command format, then an example for the company.local domain:
Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=company,DC=local" -Scope ForestOrConfigurationSet -Target "company.local"
Setting the Time Period for Object Restoration
If we want to change the default value of msDS-deletedObjectLifetime, we can again use PowerShell (in the example, the company.local domain and a period of 60 days). The value is stored on the Directory Service object in the configuration partition, so -Partition must be given explicitly:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=company,DC=local" -Partition "CN=Configuration,DC=company,DC=local" -Replace @{"msDS-DeletedObjectLifetime" = 60}
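Before changing the lifetime it is worth checking whether the Recycle Bin is actually enabled and what the current lifetimes are, because an empty msDS-DeletedObjectLifetime means "same as tombstoneLifetime" and an empty tombstoneLifetime means the old 60-day default. The following function is an added example, not code from the original article; it reads the configuration naming context from the RootDSE instead of hard-coding company.local, and the function name Get-RecycleBinStatus is my own.

```powershell
# Added example, not part of the original article.
# Requires the ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    # Configuration NC of the forest we are connected to (avoids hard-coding DC=company,DC=local).
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # The optional feature object; EnabledScopes stays empty until Enable-ADOptionalFeature has run.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $enabled = ($feature.EnabledScopes.Count -gt 0)

    # Both lifetimes live on the Directory Service object in the configuration partition.
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Partition $configNC -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Resolve the documented defaults so the caller sees effective values, not $null.
    $tombstoneDays = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    $deletedDays   = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }

    [pscustomobject]@{
        RecycleBinEnabled        = $enabled
        EnabledScopes            = $feature.EnabledScopes
        TombstoneLifetimeDays    = $tombstoneDays
        DeletedObjectLifetimeDays = $deletedDays
        RawDeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'   # $null = attribute not set
    }
}

Get-RecycleBinStatus | Format-List
```

Run it before and after Set-ADObject: RawDeletedObjectLifetime shows whether the attribute is really set, while DeletedObjectLifetimeDays shows the value the directory is actually applying.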
Restoring a Deleted Object
Restoring a deleted object is not entirely trivial, but it is certainly not difficult, and we have several options. We can use the ldp.exe tool, a cmdlet from the PowerShell ActiveDirectory module, or the simple graphical application ADRecycleBin from Overall Solutions, which is provided free of charge.
Restoring Using PowerShell
The operations must be performed under an account with Domain Admins rights. First we need to find the deleted object, which we can do with the Get-ADObject cmdlet; the -IncludeDeletedObjects switch is essential, since without it deleted objects are never returned. For example, to list all deleted users (the Deleted Objects container itself is excluded because its object class is container, not user):
Get-ADObject -Filter {(isDeleted -eq $true) -and (ObjectClass -eq "user")} -Properties sAMAccountName -IncludeDeletedObjects | FT Name, sAMAccountName, Deleted -AutoSize
We can select a specific user, for example, by user name:
Get-ADObject -Filter {sAMAccountName -eq "novak"} -IncludeDeletedObjects
And for the restoration itself we use the Restore-ADObject cmdlet:
Get-ADObject -Filter {sAMAccountName -eq "novak"} -IncludeDeletedObjects | Restore-ADObject
Similarly, we can restore a computer account:
Get-ADObject -Filter {sAMAccountName -eq "pcname$"} -IncludeDeletedObjects | Restore-ADObject
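The one-liners above fail with an error if the object's former parent (lastKnownParent) has been deleted as well, which is exactly what happens when a whole OU is removed: Restore-ADObject puts an object back under its lastKnownParent, so the containers have to be restored top-down before the leaf objects. The function below is an added example, not code from the original article; it walks the lastKnownParent chain of a deleted user, restores any deleted ancestors first, then the user, and returns the restored account with its group membership for verification. The function name Restore-DeletedUserWithParent and the sample account "novak" are assumptions for illustration.

```powershell
# Added example, not part of the original article.
# Requires the ActiveDirectory module and Domain Admins rights.
Import-Module ActiveDirectory

function Restore-DeletedUserWithParent {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Only deleted objects are of interest; a live account with the same name must not be touched.
    $user = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent, isDeleted)

    if ($user.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
    if ($user.Count -gt 1) { throw "Several deleted objects match '$SamAccountName'; restore by ObjectGUID instead." }
    $user = $user[0]

    # Walk up lastKnownParent until a live container is found; collect deleted ancestors on the way.
    # A deleted OU's children point at the OU's DN inside CN=Deleted Objects, so -IncludeDeletedObjects is needed here too.
    $deletedAncestors = @()
    $current = $user
    while ($true) {
        $parent = Get-ADObject -Identity $current.lastKnownParent -IncludeDeletedObjects `
            -Properties isDeleted, lastKnownParent -ErrorAction Stop
        if (-not $parent.isDeleted) { break }
        $deletedAncestors += $parent
        $current = $parent
    }

    # Restore the topmost deleted container first, then work down towards the user.
    [array]::Reverse($deletedAncestors)
    foreach ($ancestor in $deletedAncestors) {
        Write-Host "Restoring deleted container $($ancestor.Name) first."
        Restore-ADObject -Identity $ancestor.ObjectGUID
    }

    Restore-ADObject -Identity $user.ObjectGUID

    # Return the live object so the caller can confirm that linked attributes (memberOf) came back.
    Get-ADUser -Identity $user.ObjectGUID -Properties memberOf
}

Restore-DeletedUserWithParent -SamAccountName 'novak' |
    Select-Object Name, DistinguishedName, @{ n = 'Groups'; e = { $_.memberOf -join '; ' } }
```

Run it with -WhatIf added to the two Restore-ADObject calls first if you want to see which containers would be restored; the returned memberOf list is the quick check that the Recycle Bin (rather than tombstone reanimation) did the restore, since a reanimated tombstone comes back with no group memberships.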
Restoring Using ADRecycleBin
The application can be downloaded from ADRecycleBin, where its description is also available. Its use is really simple and it works well. It must be run under a domain admin account. We select which object types to display and click Load Deleted Objects, which shows a list of deleted objects. We tick the ones we want to restore and click Restore Checked Objects, after which the objects reappear in AD.
Finally, a link to the detailed description from Microsoft in the article Active Directory Recycle Bin Step-by-Step Guide.
Thanks for the useful info.