Restoring deleted objects from Active Directory using AD Recycle Bin

Windows Server 2008 R2 introduced a new way to recover deleted objects within an Active Directory infrastructure. This feature, the so-called AD Recycle Bin, enables administrators to recover deleted objects easily. Before the Active Directory Recycle Bin was introduced, restoring deleted objects was a painful and difficult process. There were two methods that could be used to recover objects, and each of them had a drawback:

· Using the ntdsutil command line tool – the problem with this method was that you had to reboot the Domain Controller into DSRM (Directory Services Restore Mode), which made the server unavailable for a period of time. This was risky if the DC was running in a production environment, since taking it down for a while had consequences.

· Using tombstone reanimation – a difficult method that enabled you to recover deleted objects from CN=Deleted Objects. To find out more about this restoration method, check out this article. I’ve never actually used this process because I usually worked in environments hosting multiple DCs for data redundancy, and I’ve always preferred the first method.

In Windows Server 2008 R2 you could restore objects only by using Windows PowerShell. With the release of Windows Server 2012, this feature has been included in the Active Directory Administrative Center, and you can easily recover objects using this console.

Note that by default, Active Directory Recycle Bin is not enabled in Windows Server 2012. You can use Active Directory Administrative Center to restore objects that were deleted after this feature was enabled; for objects deleted before that, you can still use the methods mentioned previously. This feature can be enabled if all Domain Controllers run either Windows Server 2008 R2 or Windows Server 2012 and the forest functional level is set to Windows Server 2008 R2 or higher.

To view your forest functional level, use the Get-ADForest cmdlet. If you are running a lower level, use the Set-ADForestMode -Identity ppscu.com -ForestMode Windows2012Forest command to raise it:

There are two ways in which you can enable AD Recycle Bin:

· Using the Active Directory Administrative Center console: open the console, navigate to the domain’s name section, right click the domain and select Enable Recycle Bin:

· Using Windows PowerShell: use the Get-ADOptionalFeature -Filter * cmdlet to list AD Optional Features:

Now use Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target ppscu.com -Server WinSrv1 to enable it on your DC. Note that this operation is irreversible, so you will be prompted to confirm it during the configuration process:
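The prerequisite check and the enabling step above, combined into one script. This is an added example, not code from the original article; it assumes the ActiveDirectory module is installed and that you run it as an Enterprise Admin, and it checks the forest mode and whether the feature is already enabled before making any irreversible change.

```powershell
# Added example (not from the original article): verify the prerequisites and enable
# the Recycle Bin only if it is not already enabled.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    $forest = Get-ADForest
    # ForestMode is an enum whose values increase with the OS version, so a numeric
    # comparison tells us whether the minimum level (Windows2008R2Forest) is met.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        Write-Warning "Forest mode is $($forest.ForestMode); Windows2008R2Forest or higher is required."
        # Raising the forest mode is itself irreversible and requires every DC to run
        # at least Windows Server 2008 R2; -Confirm prompts before doing it.
        Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest -Confirm
    }

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Output "Recycle Bin already enabled in: $($feature.EnabledScopes -join '; ')"
        return
    }

    # Enable at forest scope against the Domain Naming Master, the DC that owns
    # forest-wide changes; -Confirm gives you the irreversibility prompt.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Server $forest.DomainNamingMaster -Confirm

    # Verify: the feature should now report at least one enabled scope.
    (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
}

Enable-RecycleBinIfNeeded
```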

Once this feature has been enabled, create a test user account and then delete it. Now navigate to the Deleted Objects OU to view its contents:

Deleted objects will appear under this Organizational Unit. To restore an object from it, simply click the Restore button (to restore it to its original OU) or the Restore To button (to specify the restoration location):

You can perform a similar operation using Windows PowerShell. Execute Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties * to view the deleted AD objects:

Once you’ve noted the display name of the deleted object, use Get-ADObject -Filter {DisplayName -like 'dan popi'} -IncludeDeletedObjects | Restore-ADObject to restore the user account:
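A more careful version of the PowerShell restore above, added here as an example and not part of the original article. A display-name filter can match several deleted objects, so this function locates the object by sAMAccountName, restores it by objectGUID, and handles the case where the object's original OU was deleted as well. The account name 'dan.popi' and the fallback OU path are constructed sample values.

```powershell
# Added example (not from the original article): restore a deleted user by GUID,
# falling back to an alternative OU when its original parent is also deleted.
Import-Module ActiveDirectory

function Restore-DeletedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $FallbackOU   # used only when the original parent OU is itself deleted
    )
    # sAMAccountName is preserved on deleted objects, so it is a safe search key.
    $candidates = @(Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)

    if ($candidates.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    if ($candidates.Count -gt 1) {
        # Same account deleted and re-created more than once: pick the most recent deletion.
        Write-Warning "$($candidates.Count) deleted objects match; restoring the most recently deleted one."
    }
    $obj = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1

    # If the parent OU was deleted too, lastKnownParent points into the Deleted Objects container.
    $parentDeleted = $obj.lastKnownParent -match 'CN=Deleted Objects'
    if ($parentDeleted -and -not $FallbackOU) {
        throw "Parent '$($obj.lastKnownParent)' is also deleted; restore it first or supply -FallbackOU."
    }

    if ($parentDeleted) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackOU
    } else {
        Restore-ADObject -Identity $obj.ObjectGUID   # back to its original OU
    }

    # Confirm the account is live again (this fails if the restore did not happen).
    Get-ADUser -Identity $obj.ObjectGUID
}

# Constructed sample call: restore 'dan.popi', landing in a holding OU if its OU is gone.
Restore-DeletedUser -SamAccountName 'dan.popi' -FallbackOU 'OU=Restored,DC=ppscu,DC=com'
```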

By default, a deleted object can be recovered within 180 days of its deletion. This value is specified in the msDS-DeletedObjectLifetime attribute. If you want to change it, you can use the following command:

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ppscu,DC=com" -Partition "CN=Configuration,DC=ppscu,DC=com" -Replace @{"msDS-DeletedObjectLifetime" = 200}
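To see how the lifetime applies in practice, the following added example (not from the original article) reads the effective deleted-object lifetime from the Configuration partition, lists every deleted object with the days remaining before it can no longer be restored, and wraps the lifetime change above with a confirmation prompt. It assumes the ActiveDirectory module and uses whenChanged as the deletion time, which is an approximation.

```powershell
# Added example (not from the original article): report remaining restore time per
# deleted object and change the lifetime with a confirmation prompt.
Import-Module ActiveDirectory

function Get-DeletedObjectLifetime {
    $config = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
        -Partition $config -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    # If msDS-DeletedObjectLifetime is not set, AD falls back to tombstoneLifetime,
    # and if that is also unset, to 60 days.
    if ($ds.'msDS-DeletedObjectLifetime') { return [int]$ds.'msDS-DeletedObjectLifetime' }
    if ($ds.tombstoneLifetime)            { return [int]$ds.tombstoneLifetime }
    return 60
}

function Get-DeletedObjectReport {
    $lifetime = Get-DeletedObjectLifetime
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, sAMAccountName |
        ForEach-Object {
            # Deleting an object modifies it, so whenChanged approximates the deletion time.
            $expires = $_.whenChanged.AddDays($lifetime)
            [pscustomobject]@{
                Name            = $_.Name
                SamAccountName  = $_.sAMAccountName
                LastKnownParent = $_.lastKnownParent
                DaysRemaining   = [math]::Round(($expires - (Get-Date)).TotalDays, 1)
            }
        } | Sort-Object DaysRemaining   # objects about to expire come first
}

function Set-DeletedObjectLifetime([int]$Days) {
    $config = (Get-ADRootDSE).configurationNamingContext
    Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
        -Partition $config -Replace @{'msDS-DeletedObjectLifetime' = $Days} -Confirm
}

Get-DeletedObjectReport | Format-Table -AutoSize
Set-DeletedObjectLifetime -Days 200   # the article's example value
```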

As you can see, the restoration process for deleted objects has been significantly simplified in Windows Server 2012. You can now use the Active Directory Administrative Center console to perform this operation very quickly. I like the way Microsoft implemented the Active Directory Recycle Bin feature in this Windows Server edition because it makes system administrators' lives much easier. I think you should enable this feature whenever possible, if your enterprise security policy allows it, because human error does occur and being able to restore deleted objects quickly is crucial in a production environment. I hope this article serves you well in better understanding how the Recycle Bin feature can be used in Windows Server 2012. For any questions, feel free to use our comments section. Wish you all the best!
