Category Archives: Windows Server 2012

Restoring an Object from the AD Recycle Bin

2 Replies

Using the Active Directory Recycle Bin I will demonstrate the consequences of deleting and restoring an Domain Administrator user account and display which properties are affected or changed.

First off we create a new user which we then add to the Domain Admins group with the following PowerShell commands:

New-ADUser -Name Admin_Jaap -SamAccountName Admin_Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText 'Secret01' -Force)
Add-ADGroupMember -Identity 'Domain Admins' -Members Admin_Jaap

Then we capture output of Get-ADObject with all properties in a variable:

$BeforeDel = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

The next step is to delete the user using Remove-ADUser:

Remove-ADUser -Identity Admin_Jaap -Confirm:$false

Now the account can be restored:

Restore-ADObject -Identity $BeforeDel.ObjectGUID -Confirm:$false

Now that the object has been restored, the password that we originally set has been recovered as well. This can be verified by running the following PowerShell command:

Invoke-Command -ScriptBlock {whoami} -Credential admin_jaap -ComputerName dc1

We capture the information stored in AD to the $AfterRes variable:

$AfterRes = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

Now that we have captured both the account information when the account was just created and after the account was restored we can use this information to have a look at which attributes if any have changed. To make this comparison the Compare-Object Cmdlet can be used. To be able to compare these AD Object, the variable is first piped into Out-String and then split up into an array of strings.

Compare-Object -ReferenceObject (($BeforeDel|Out-String) -split '\n') `
-DifferenceObject (($AfterRes|Out-String) -split '\n') -IncludeEqual

The results show that most attributes are completely unchanged. Attributes containing information related to either replication, or when the object was last changed will be the only changed objects.

Continue reading

AD queries and the Active Directory Recycle Bin

2 Replies

Lately I have been playing around with the AD Recycle Bin on Windows Server 2012. It is a  useful feature that was introduced in Server 2008 R2 and has been improved in Server 2012. New features include:

  • AD Object restore from GUI
  • Password restore
  • Restore of a entire OU
To enable this feature using PowerShell the following line of code should be executed:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
-Scope 'ForestOrConfigurationSet' -Target 'dmn.com' -Confirm:$false

Note that this feature can never be disabled after it has been enabled. To test its functionality we will create a user:

New-ADUser -SamAccountName Jaap -Name Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText '$ecret01' -Force)
This command creates a new account named Jaap with $ecret01 as the password. To be able to set a password this string is first converted into a SecureString. To verify that this account was created we can query it using Get-ADobject:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
An alternative, and my personal preference is to utilize [adsisearcher] to query for AD object. It has the advantage that it is available natively in PowerShell, in any version. Here is the syntax to query for the account that was just created:
([adsisearcher]'(samaccountname=jaap)').findone()
We have now established that the account can be found and, so let’s remove the account so it moves to the Active Directory Recycle Bin:
Remove-ADUser jaap
So now we can try the same query again:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
([adsisearcher]'(samaccountname=jaap)').findone()
Get-ADobject will return an error and [adsisearcher] will not return any results. This is because the user account is Tombstoned and placed in the Deleted objects container. To get the desired results, the -IncludeDeletedObjects switch should be used:
Get-ADobject -Filter 'samaccountname -eq "jaap"' -IncludeDeletedObjects
For [adsisearcher] a slightly different approach should be used, the following query will retrieve the deleted user account:
$Searcher = [adsisearcher]'(samaccountname=jaap)'
$Searcher.Tombstone = $true
$Searcher.FindOne()

And that how to query accounts have been deleted and stored in the AD Recycle Bin.

Two new MCSE certifications available in beta

Leave a reply

Today Microsoft has released four new IT Pro exams leading up to two new MCSE certifications. As both Windows Server 2012 and Windows 8 have been released to manufacturing (Source: Windows Server Blog) the accompanying certifications have been released as well. The exams will be available as Beta exams from the 6th of August until the 20th of August with registration commencing at the 1st of August. For more information regarding Beta exams please have a look at the official FAQ by Microsoft here.

In case you have not received an invitation from Microsoft make sure you read up in my previous post on how to setup your Microsoft SME profile here:
New beta exams released for Windows Server 2012

The exams that and certifications that have been released are as follows:

MCSE: Server Infrastructure

So if you are interested head out to the Prometric Registration Website to sign up for any of the exams. Good luck!

Windows 8 Release date announced

Leave a reply

It is official, Microsoft has announced the release date for Windows 8. After some speculation earlier this month, it has been confirmed on the Windows Server Team blog. After the earlier announcement that Windows Server 2012 would be available in September, a release date for Windows 8 was expected to be announced as well. Windows 8 is set to be released on the 26th of October.

The official announcements are available on the Windows Server Team Blog:

Windows 8 will be available on…
Windows Server 2012 final release timing