Yearly Archives: 2012

Restoring an Object from the AD Recycle Bin

Using the Active Directory Recycle Bin I will demonstrate the consequences of deleting and restoring an Domain Administrator user account and display which properties are affected or changed.

First off we create a new user which we then add to the Domain Admins group with the following PowerShell commands:

New-ADUser -Name Admin_Jaap -SamAccountName Admin_Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText 'Secret01' -Force)
Add-ADGroupMember -Identity 'Domain Admins' -Members Admin_Jaap

Then we capture output of Get-ADObject with all properties in a variable:

$BeforeDel = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

The next step is to delete the user using Remove-ADUser:

Remove-ADUser -Identity Admin_Jaap -Confirm:$false

Now the account can be restored:

Restore-ADObject -Identity $BeforeDel.ObjectGUID -Confirm:$false

Now that the object has been restored, the password that we originally set has been recovered as well. This can be verified by running the following PowerShell command:

Invoke-Command -ScriptBlock {whoami} -Credential admin_jaap -ComputerName dc1

We capture the information stored in AD to the $AfterRes variable:

$AfterRes = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

Now that we have captured both the account information when the account was just created and after the account was restored we can use this information to have a look at which attributes if any have changed. To make this comparison the Compare-Object Cmdlet can be used. To be able to compare these AD Object, the variable is first piped into Out-String and then split up into an array of strings.

Compare-Object -ReferenceObject (($BeforeDel|Out-String) -split '\n') `
-DifferenceObject (($AfterRes|Out-String) -split '\n') -IncludeEqual

The results show that most attributes are completely unchanged. Attributes containing information related to either replication, or when the object was last changed will be the only changed objects.

Continue reading


AD queries and the Active Directory Recycle Bin

Lately I have been playing around with the AD Recycle Bin on Windows Server 2012. It is a  useful feature that was introduced in Server 2008 R2 and has been improved in Server 2012. New features include:

  • AD Object restore from GUI
  • Password restore
  • Restore of a entire OU
To enable this feature using PowerShell the following line of code should be executed:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
-Scope 'ForestOrConfigurationSet' -Target '' -Confirm:$false

Note that this feature can never be disabled after it has been enabled. To test its functionality we will create a user:

New-ADUser -SamAccountName Jaap -Name Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText '$ecret01' -Force)
This command creates a new account named Jaap with $ecret01 as the password. To be able to set a password this string is first converted into a SecureString. To verify that this account was created we can query it using Get-ADobject:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
An alternative, and my personal preference is to utilize [adsisearcher] to query for AD object. It has the advantage that it is available natively in PowerShell, in any version. Here is the syntax to query for the account that was just created:
We have now established that the account can be found and, so let’s remove the account so it moves to the Active Directory Recycle Bin:
Remove-ADUser jaap
So now we can try the same query again:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
Get-ADobject will return an error and [adsisearcher] will not return any results. This is because the user account is Tombstoned and placed in the Deleted objects container. To get the desired results, the -IncludeDeletedObjects switch should be used:
Get-ADobject -Filter 'samaccountname -eq "jaap"' -IncludeDeletedObjects
For [adsisearcher] a slightly different approach should be used, the following query will retrieve the deleted user account:
$Searcher = [adsisearcher]'(samaccountname=jaap)'
$Searcher.Tombstone = $true

And that how to query accounts have been deleted and stored in the AD Recycle Bin.


New article on PowerShell Magazine: Working with [DateTime] Class

My brief article on working with the [System.DateTime] .Net Class has been posted on PowerShell Magazine. It contains some quick tips on how to utilize this class to work with DateTime objects and how to convert strings to a DateTime object.

For example when converting the ‘accountexpires’ property of an AD account. This can be done as follows:

$Expires = ([adsisearcher]'(samaccountname=jaapbrasser)').FindOne().Properties['accountExpires']

For more tips regarding this topic, please refer to the article on PowerShell Magazine:


Gather VMHost information using vSphere PowerCLI

To gather some basic information the Get-VMHost Cmdlet offers a wealth of information. Most basic information is easily accessible using the following command:


For the purpose of this article, we are looking for some identifying information regarding our ESX hosts. The attributes that we are after are the following:

  • Hostname
  • ESX Version and Build number
  • vSphere Uid
  • Hardware Uuid
  • The parent folder/cluster or data center which contains the ESX hot

Since these fields are scattered around, the following piece of code can be used to gather this info:

Get-VMHost | ForEach-Object {

It does take a bit of effort to locate the data in this fashion, but once found it can make a considerable difference. For example if I wanted to gather the host name of the ESX host, the cluster in which it is located and the datacenter in which the cluster is stored, the following commands could be executed:

Get-VMHost Server01* | Select-Object -ExpandProperty Name | Tee-Object -Variable Server
Get-Cluster -VMHost $Server | Select-Object -ExpandProperty Name
Get-DataCenter -VMHost $Server | Select-Object -ExpandProperty Name

This can be shortened to a single command with a ForEach-Object statement:

Get-VMHost Server01* | ForEach-Object{

This has the advantage that only a single Cmdlet is used to retrieve the data from vCenter which makes the code easier to write and faster to execute, especially in large environments.


New article posted on PowerShell Magazine

PowerShell Magazine has posted another article of mine. The article explains how to use the System.Net.Dns .Net class to resolve host names and IP addresses.

Have a look at the article here:
PowerShell Magazine: #PSTip Resolve IP Address or a host name using .NET Framework