Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.
The AD Recycle Bin feature was released in Windows Server 2008 R2 without a graphical user interface, which made its deployment and usability (I mean recovering deleted objects from AD) somewhat difficult for system admins.
In this post I will describe how to enable the ADRB feature on both WS2008R2 and WS2012.
This will give you the skills necessary to perform object recovery regardless of the operating system you are currently using.
Be amazed at how easy it is to recover deleted objects in WS2012.
This feature can only be enabled if your forest is running at the Windows Server 2008 R2 forest functional level (FFL).
If all DCs in the forest are already running Windows Server 2008 R2 or higher, you may use the following PowerShell command to raise the FFL (the positional value 4 is the ADForestMode enum value for Windows2008R2Forest):
Set-ADForestMode 4 -Identity <forestname>
which in turn requires that every domain in the forest runs at the Windows Server 2008 R2 domain functional level (4 = Windows2008R2Domain), so if needed run:
Set-ADDomainMode 4 -Identity <domainname>
Before running the PowerShell commands above on WS2008R2 you have to import the Active Directory module for PowerShell (Import-Module ActiveDirectory); WS2012 does it automatically.
Important: Enabling Active Directory Recycle Bin is an irreversible procedure, and so is raising a functional level.
To enable the AD Recycle Bin feature using PowerShell run:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target '<forestname>'
To check whether the Recycle Bin is enabled (the feature is on when its EnabledScopes property is not empty):
Get-ADOptionalFeature -filter *
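The whole enablement procedure above (check the DC operating systems, raise the domain and forest functional levels where needed, enable the feature, verify) as one script. This is an added example, not code from the original post; the forest name contoso.com is a constructed placeholder, and the feature DN is derived from the configuration naming context instead of being typed by hand.

```powershell
# Added example (not from the original post): check the functional levels,
# raise them to Windows Server 2008 R2 where needed, enable the Recycle Bin
# and verify. The forest name contoso.com is a constructed placeholder.
Import-Module ActiveDirectory   # required on WS2008R2; WS2012 autoloads modules

$forestName = 'contoso.com'
$forest = Get-ADForest -Identity $forestName

# Raising a level is irreversible and fails if any DC is still below 2008 R2,
# so list such DCs first: the warning tells you which one to deal with.
foreach ($domainName in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domainName |
        Where-Object { $_.OperatingSystem -notmatch '2008 R2|20[1-9]\d' } |
        ForEach-Object { Write-Warning "$($_.HostName) runs $($_.OperatingSystem); the raise will fail" }
}

# Every domain must be at Windows2008R2Domain (enum value 4) before the forest can be raised.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    if ([int]$domain.DomainMode -lt 4) {
        Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain -Confirm:$false
    }
}
if ([int]$forest.ForestMode -lt 4) {
    Set-ADForestMode -Identity $forestName -ForestMode Windows2008R2Forest -Confirm:$false
}

# Build the feature DN from the configuration naming context rather than typing it.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Enabling is irreversible too; skip it if it is already on (EnabledScopes is non-empty).
$feature = Get-ADOptionalFeature -Identity $featureDN
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

# Verify: after enabling, EnabledScopes lists the Partitions container of the configuration NC.
(Get-ADOptionalFeature -Identity $featureDN).EnabledScopes
```

Run it from an account that is a member of Enterprise Admins; drop the -Confirm:$false switches if you prefer to acknowledge each irreversible step interactively.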
To restore a deleted object do the following:
Get-ADObject -Filter {displayName -eq "name"} -IncludeDeletedObjects | Restore-ADObject
Watch the video - Enable AD Recycle Bin and restore a single object using powershell on WS2008R2
Although restoring a single object is fairly simple, the restoration procedure gets more complex when restoring multiple nested objects.
For example, you may need to restore an OU with hundreds or thousands of objects in it (users, groups, computers or even sub-OUs, which in turn may contain more objects).
You will have to investigate how deep the OU nesting is by querying the deleted users' lastKnownParent attribute in order to understand the deleted OU structure.
Then you must restore from top to bottom, one hierarchy level at a time.
The reason is that when an object is deleted and moves to the Deleted Objects container, the object's distinguished name (DN) gets mangled, and the Deleted Objects container does not keep a hierarchy.
The only way to rebuild the objects' hierarchy is by searching on their lastKnownParent attribute.
For example consider the following scenario:
[picture 1]
In this scenario we need to start by searching for known objects that have been deleted, in this case by finding the lastKnownParent of a user named Peter:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-LastKnownRDN=Peter)" -IncludeDeletedObjects -Properties lastKnownParent
Then by finding all objects that have HumanResources as lastKnownParent (note: the backslash before 0ADEL: must be doubled inside the filter):
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=HumanResources\\0ADEL:c876daac-da9b-57ce-bded-978aed9c0e2b,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | Format-Table
At this stage we must go through the output and look for other OUs contained within the HumanResources OU; if we find any, we search for deleted objects inside them as well (in this case we explore the Users OU within HumanResources):
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Users\\0ADEL:6b507c43-172b-8145-93bf-61e00302bb4a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | Format-Table
So far we have found that the HumanResources OU has been deleted (we can tell by the mangled DN). With the following command we can check whether there is another OU above it and whether that OU was deleted too (if so, we have to repeat the steps above to find the objects within it):
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(msDS-LastKnownRDN=HumanResources)" -IncludeDeletedObjects -Properties lastKnownParent
Once the investigation is complete, we can start restoring the objects from top to bottom.
To restore the HumanResources OU:
Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=HumanResources)" -IncludeDeletedObjects | Restore-ADObject
To restore all deleted objects under it (including the Users OU); note that once the parent is restored, the children's lastKnownParent shows the parent's live DN again, which is why the filter below no longer uses the mangled DN:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=HumanResources,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
To restore all deleted objects under the Users OU:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Users,OU=HumanResources,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
Note: Depending on your infrastructure you may have to go deeper into the OU hierarchy; in that case simply repeat the steps above for each level.
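The single-object restore and the top-down nested restore described above, combined into one script that walks lastKnownParent level by level instead of repeating the commands by hand. This is an added example and not code from the original post; the OU name HumanResources, the domain contoso.com and the function name Restore-ADDeletedChildren are constructed placeholders. It relies on the behaviour the post demonstrates: after a parent is restored, its deleted children's lastKnownParent renders as the parent's live DN.

```powershell
# Added example (not from the original post): restore a deleted OU and everything
# that last lived under it, top down, walking lastKnownParent one level at a time.
# The OU name, domain and function name are constructed placeholders.
Import-Module ActiveDirectory

$DeletedObjectsDN = 'CN=Deleted Objects,DC=contoso,DC=com'

function Restore-ADDeletedChildren {
    # Restores every deleted object whose lastKnownParent is $ParentDN and recurses
    # into each restored OU/container so nested levels come back in the right order.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ParentDN,
        [string]$SearchBase = $DeletedObjectsDN
    )

    # lastKnownParent is a DN-syntax reference, so once the parent is restored it
    # renders as the parent's live DN (this is why the post filters on
    # "OU=HumanResources,DC=contoso,DC=com" after restoring that OU).
    $children = Get-ADObject -SearchBase $SearchBase `
        -Filter { lastKnownParent -eq $ParentDN } `
        -IncludeDeletedObjects -Properties lastKnownParent, objectClass

    foreach ($child in $children) {
        if (-not $PSCmdlet.ShouldProcess($child.DistinguishedName, 'Restore-ADObject')) { continue }
        $restored = Restore-ADObject -Identity $child -PassThru
        Write-Verbose "Restored $($restored.DistinguishedName)"
        # Only containers can have children of their own; -contains keeps this PS 2.0 compatible
        if (@('organizationalUnit', 'container') -contains $restored.ObjectClass) {
            Restore-ADDeletedChildren -ParentDN $restored.DistinguishedName -SearchBase $SearchBase
        }
    }
}

# 1. Locate the deleted top-level OU by its last known RDN. If an OU of the same
#    name was deleted more than once there will be several hits; take the latest.
$deletedOu = Get-ADObject -SearchBase $DeletedObjectsDN `
    -LDAPFilter '(&(objectClass=organizationalUnit)(msDS-LastKnownRDN=HumanResources))' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending | Select-Object -First 1

if (-not $deletedOu) { throw 'No deleted OU named HumanResources found in the Recycle Bin' }

# 2. Its parent must be live (the post's check for a deleted OU above it). A mangled
#    DN in lastKnownParent means the parent is deleted and must be restored first.
if ($deletedOu.lastKnownParent -match '\\0ADEL:') {
    throw "Parent $($deletedOu.lastKnownParent) is itself deleted; restore it first"
}

# 3. Restore the OU itself, then walk down from its live DN.
$restoredOu = Restore-ADObject -Identity $deletedOu -PassThru
Restore-ADDeletedChildren -ParentDN $restoredOu.DistinguishedName -Verbose
```

Because the function supports ShouldProcess, calling it with -WhatIf lists every object it would restore, level by level, without changing the directory; that is a cheap way to confirm the recovered hierarchy matches your documentation before the real run.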
Watch the video - Restore multiple objects using powershell on WS2008R2
Now that we have covered how to restore deleted objects using the Recycle Bin feature in WS2008R2, let's see how easy it is to do the same in WS2012 with the new Recycle Bin GUI:
Open the Deleted Objects container in ADAC and perform the same searches there through the UI, working out the hierarchy by looking at the Last Known Parent attribute.
If you are looking for specific objects, click Add criteria; if you don't know exactly what to search for (this is one of the reasons why having AD properly documented is so important), a good starting point is to add the "Last modified between these dates" criterion.
Watch the video - Restore multiple objects using the NEW Recycle Bin GUI in WS2012
Hope it helps!
Enjoy!
PS: I will add the videos throughout the week.
In my next post I will share more information on how actually the AD recycle bin works.