Restoring objects from the Active Directory Recycle Bin using AD PowerShell

As anyone who has managed Active Directory knows, when you delete an Active Directory object it is marked as tombstoned, but its linked and non-linked attribute values are cleared. Reanimating the tombstone is therefore laborious, because extra steps are required to recreate those linked and non-linked attribute values.

In Windows Server 2008 R2, a new feature was introduced: the Active Directory Recycle Bin. If an object lands in the AD Recycle Bin, reanimating it is much simpler, because its linked and non-linked attribute values are retained.

You might be quick to say, "Hey, let's activate that feature right now". Well, there are two slight caveats. To use this feature, the domain must be in Windows 2008 R2 domain mode, and the forest must be in Windows 2008 R2 forest mode. If you have domain controllers in the forest that are not Windows 2008 R2, it will not be possible to make this change. As this feature can spare hours and hours of effort and downtime, you may want to start planning the migration of older servers.

The following steps outline how to bring the domain and the forest to the Windows 2008 R2 native modes and enable the feature using PowerShell.

Note: The next steps make irreversible changes to your forest and domain. Make sure that you have backups from which you can perform an authoritative restore.

To raise the forest and domain functional modes, we will start by loading the ActiveDirectory module for Windows PowerShell.

  1. Launch Windows PowerShell on a Windows 2008 R2 domain controller. (By default, Windows PowerShell is already pinned to the taskbar; click the icon to launch it.)

  2. Import the ActiveDirectory module in the PowerShell console by typing:

       Import-Module ActiveDirectory

  3. Check the domain functional mode. We will use the Get-ADDomain cmdlet to do this.

       (Get-ADDomain).DomainMode

  4. If the domain functional mode is not Windows2008R2Domain, raise it with the Set-ADDomainMode cmdlet. Make sure that you replace yourdomain.com with the FQDN of your domain.

       Set-ADDomainMode -Identity yourdomain.com -DomainMode Windows2008R2Domain -Confirm:$false

  5. Verify the forest functional mode. Similar to the Get-ADDomain cmdlet, the Get-ADForest cmdlet reports the forest functional mode.

       (Get-ADForest).ForestMode

  6. If the forest functional mode is not Windows2008R2Forest, raise it with the Set-ADForestMode cmdlet. Make sure that you replace yourdomain.com with the FQDN of your forest (its root domain).

       Set-ADForestMode -Identity yourdomain.com -ForestMode Windows2008R2Forest -Confirm:$false

After setting the forest and domain functional modes, we need to enable the AD Recycle Bin feature.

  1. Retrieve the configuration naming context of your forest. To do this, we will use the Get-ADRootDSE cmdlet and read its ConfigurationNamingContext attribute value. We store it in a variable so that we can construct the Recycle Bin feature's distinguished name programmatically later.

       $cfgNameCtx = (Get-ADRootDSE).ConfigurationNamingContext

  2. Append the configurationNamingContext value to construct the Recycle Bin feature's distinguished name. Because the path is very long, we do this in several steps, but you can type it on one line if you wish.

       $recBin = "CN=Recycle Bin Feature,CN=Optional Features,"
       $recBin = $recBin + "CN=Directory Service,CN=Windows NT,CN=Services,"
       $recBin = $recBin + $cfgNameCtx

  3. Obtain the forest name to supply as the target of the Enable-ADOptionalFeature cmdlet. We will use the Get-ADDomain cmdlet to do this and store the result in a variable.

       $target = (Get-ADDomain).Forest

  4. Call Enable-ADOptionalFeature and pass the values stored in the variables as parameters. Note that this is a single line, although it may wrap to the next line.

       Enable-ADOptionalFeature -Identity $recBin -Scope ForestOrConfigurationSet -Target $target -Confirm:$false
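A readiness check, added here as an example and not part of the original post, that ties the prerequisites and the enable step together: it reads the functional levels from rootDSE (where Windows Server 2008 R2 is level 4), reports whether the Recycle Bin feature already has an enabled scope, and shows how many days a deleted object stays restorable before it is recycled. The function name Test-ADRecycleBinReadiness is my own.

```powershell
Import-Module ActiveDirectory

# Reports whether the forest meets the Recycle Bin prerequisites, whether the
# feature is already enabled, and how long deleted objects remain restorable.
function Test-ADRecycleBinReadiness {
    $rootDse = Get-ADRootDSE
    $cfg     = $rootDse.ConfigurationNamingContext

    # rootDSE exposes the functional levels as integers; 4 = Windows Server 2008 R2.
    $minLevel = 4
    $forestOk = [int]$rootDse.forestFunctionality -ge $minLevel
    $domainOk = [int]$rootDse.domainFunctionality -ge $minLevel

    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run.
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    # A deleted object can be restored for msDS-DeletedObjectLifetime days; when that
    # attribute is unset the tombstoneLifetime applies, and when both are unset the
    # default of 60 days applies.
    $dsa = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $lifetime = $dsa.'msDS-DeletedObjectLifetime'
    if (-not $lifetime) { $lifetime = $dsa.tombstoneLifetime }
    if (-not $lifetime) { $lifetime = 60 }

    [pscustomobject]@{
        ForestLevelOk     = $forestOk
        DomainLevelOk     = $domainOk
        RecycleBinEnabled = $enabled
        RestoreWindowDays = $lifetime
        EnabledScopes     = @($feature.EnabledScopes)
    }
}

Test-ADRecycleBinReadiness
```

Run it once before raising the functional levels and once after Enable-ADOptionalFeature; RecycleBinEnabled should flip to True and EnabledScopes should list the forest's partitions.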

The following steps show how the new feature works with some test objects in an organizational unit. We will create an organizational unit, create a few users and a group, and add the users to the newly created group.

  1. Create an organizational unit container. To do this, we will use the New-ADOrganizationalUnit cmdlet. We will create it in the defaultNamingContext of the domain.

       $defNameCtx = (Get-ADRootDSE).DefaultNamingContext
       Set-Location ("AD:\" + $defNameCtx)
       New-ADOrganizationalUnit -Name "Test Accounts"

  2. Provision 100 users. We will use the New-ADUser cmdlet to create the user accounts; because the current location in the AD: drive is the new OU, they are created there.

       Set-Location "ou=Test Accounts"
       ForEach ($i in 1..100) { New-ADUser -Name ("User" + $i) }

  3. Create a global security group that the users will be added to. We will use the New-ADGroup cmdlet to accomplish this.

       New-ADGroup -Name GlobalSecGrp -GroupCategory Security -GroupScope Global

  4. Use the Add-ADGroupMember cmdlet to add all the newly created users, but first retrieve the newly created users into a variable.

       $users = Get-ADUser -Filter 'name -like "User*"'
       Add-ADGroupMember GlobalSecGrp -Members $users

At this point, the Active Directory Recycle Bin should be enabled, and any directory object that is deleted from now on is stored in the Recycle Bin. We will go ahead and delete the Test Accounts OU together with all its contents.

  1. Turn off the default "Protected From Accidental Deletion" setting. We must clear this OU setting before we can delete the OU. We will use the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets to do this.

       Set-Location ("AD:\" + $defNameCtx)
       $testAcctOU = Get-ADOrganizationalUnit -Filter 'name -like "Test Accounts"'
       $testAcctOU | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

  2. Delete the OU and its contents. We will use the Remove-ADOrganizationalUnit cmdlet to do this.

       $testAcctOU | Remove-ADOrganizationalUnit -Recursive -Confirm:$false

Now that we have deleted the objects, we can demonstrate how to restore them.

  1. Restore the deleted OU. We will use the Get-ADObject cmdlet with -IncludeDeletedObjects to retrieve the deleted OU and the Restore-ADObject cmdlet to restore it. The OU must come back first: its former children cannot be restored while their parent is still deleted.

       Set-Location ("AD:\" + $defNameCtx)
       $deletedOU = Get-ADObject -Filter 'name -like "Test Acc*"' -IncludeDeletedObjects
       $deletedOU | Restore-ADObject

  2. Restore the security group.

       $deletedGrp = Get-ADObject -Filter 'name -like "GlobalSecGrp*"' -IncludeDeletedObjects
       $deletedGrp | Restore-ADObject

  3. Restore the users. The isDeleted condition keeps the filter from matching any live objects whose names also start with "User".

       $deletedUsers = Get-ADObject -Filter 'name -like "User*" -and isDeleted -eq $true' -IncludeDeletedObjects
       $deletedUsers | Restore-ADObject
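The three restore steps above work because the OU is restored before its former children. The following function, added here as an example and not part of the original post, generalises that ordering to a deleted subtree of any depth: it collects everything deleted since a given time and retries Restore-ADObject in passes, so each object is restored as soon as its parent is back. The function name and parameters are mine; it assumes the Recycle Bin was already enabled when the deletion happened.

```powershell
Import-Module ActiveDirectory

# Restores every object deleted after $Since. Restore-ADObject fails for a child
# whose parent is still deleted, so each pass restores what it can and the next
# pass picks up the children whose parents were just restored.
function Restore-DeletedSince {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [int]$MaxPasses = 20
    )

    # Deleted objects keep whenChanged = time of deletion. Objects that are already
    # recycled (past the deleted-object lifetime) cannot be restored, so skip them.
    # The CN=Deleted Objects container itself carries isDeleted, so exclude it too.
    $pending = @(Get-ADObject -IncludeDeletedObjects `
        -SearchBase (Get-ADRootDSE).DefaultNamingContext `
        -Properties lastKnownParent, whenChanged `
        -Filter { isDeleted -eq $true -and isRecycled -ne $true -and whenChanged -ge $Since } |
        Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' })

    $restored = @()
    for ($pass = 1; ($pass -le $MaxPasses) -and ($pending.Count -gt 0); $pass++) {
        $stillPending = @()
        foreach ($obj in $pending) {
            try {
                Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
                $restored += $obj
            } catch {
                # Usually "parent is uninstantiated or deleted": retry on the next pass.
                $stillPending += $obj
            }
        }
        if ($stillPending.Count -eq $pending.Count) { break }   # no progress, stop
        $pending = $stillPending
    }

    foreach ($obj in $pending) {
        Write-Warning ("Could not restore {0} (last known parent: {1})" -f `
            $obj.DistinguishedName, $obj.lastKnownParent)
    }
    $restored
}

# Restore the Test Accounts OU and everything deleted with it in the last hour.
Restore-DeletedSince -Since (Get-Date).AddHours(-1) | Select-Object Name, ObjectClass
```

Objects that remain in the warning list after the passes have a parent that was deleted outside the time window or has already been recycled, and need that parent restored (or recreated) first.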

Launch the Active Directory Users and Computers tool and you should now see all the users that were deleted. Also, if you open GlobalSecGrp and inspect its members, you should see all the restored users as well.