Lately I have been playing around with the AD Recycle Bin on Windows Server 2012. It is a useful feature that was introduced in Server 2008 R2 and has been improved in Server 2012. New features include:
- AD object restore from the GUI
- Password restore
- Restore of an entire OU
To enable this feature using PowerShell the following line of code should be executed:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope 'ForestOrConfigurationSet' -Target 'dmn.com' -Confirm:$false
Note that this feature can never be disabled after it has been enabled. To test its functionality we will create a user:
New-ADUser -SamAccountName Jaap -Name Jaap -Enabled:$true -AccountPassword (ConvertTo-SecureString -AsPlainText '$ecret01' -Force)
This command creates a new account named Jaap with $ecret01 as the password. Because -AccountPassword only accepts a SecureString, the plain-text string is first converted with ConvertTo-SecureString. To verify that this account was created we can query it using Get-ADObject:
Get-ADObject -Filter 'samaccountname -eq "jaap"'
An alternative, and my personal preference, is to utilize [adsisearcher] to query for AD objects. It has the advantage that it is available natively in PowerShell, in any version, without the ActiveDirectory module. Here is the syntax to query for the account that was just created:
([adsisearcher]'(samaccountname=jaap)').FindOne()
We have now established that the account can be found, so let's remove the account so that it moves to the Active Directory Recycle Bin:
Remove-ADUser jaap
So now we can try the same query again:
Get-ADObject -Filter 'samaccountname -eq "jaap"'
([adsisearcher]'(samaccountname=jaap)').FindOne()
Get-ADObject will return an error and [adsisearcher] will not return any results. This is because the user account has been tombstoned and placed in the Deleted Objects container, which a normal search does not look into. To get the desired results, the -IncludeDeletedObjects switch should be used:
Get-ADObject -Filter 'samaccountname -eq "jaap"' -IncludeDeletedObjects
For [adsisearcher] a slightly different approach is needed: setting the Tombstone property to $true makes the searcher include deleted objects, so the following query will retrieve the deleted user account:
$Searcher = [adsisearcher]'(samaccountname=jaap)'
$Searcher.Tombstone = $true
$Searcher.FindOne()
And that is how to query accounts that have been deleted and stored in the AD Recycle Bin.
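The [adsisearcher] approach above, as an added example that is not the author's code, wrapped in a reusable function. It goes slightly beyond the post: it filters on isDeleted so that only Recycle Bin objects are returned, and it can exclude objects that have already aged into the recycled state (isRecycled=TRUE) and can no longer be restored. It assumes a domain-joined machine and an account that can read the Deleted Objects container; the account name jaap is the one from the post.

```powershell
# Find objects in the AD Recycle Bin by sAMAccountName using [adsisearcher].
# Added example, not code from the original post.
function Find-DeletedADObject {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Skip objects that are past the deleted object lifetime; those are
        # recycled and cannot be brought back with Restore-ADObject.
        [switch] $RestorableOnly
    )

    $Filter = "(&(isDeleted=TRUE)(samaccountname=$SamAccountName))"
    if ($RestorableOnly) {
        $Filter = "(&(isDeleted=TRUE)(!(isRecycled=TRUE))(samaccountname=$SamAccountName))"
    }

    $Searcher = [adsisearcher]$Filter
    # Tombstone = $true sends the LDAP "show deleted objects" control; without
    # it the Deleted Objects container is invisible, as the post demonstrates.
    $Searcher.Tombstone = $true
    $null = $Searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedname', 'lastknownparent', 'isdeleted',
                    'isrecycled', 'whenchanged', 'objectclass')
    )

    foreach ($Result in $Searcher.FindAll()) {
        $Props = $Result.Properties
        [pscustomobject]@{
            DistinguishedName = [string]$Props['distinguishedname'][0]
            # lastKnownParent is where Restore-ADObject would put it back.
            LastKnownParent   = [string]$Props['lastknownparent'][0]
            IsDeleted         = [bool]$Props['isdeleted'][0]
            IsRecycled        = ($Props['isrecycled'].Count -gt 0) -and [bool]$Props['isrecycled'][0]
            WhenChanged       = [datetime]$Props['whenchanged'][0]
            ObjectClass       = [string]$Props['objectclass'][-1]
        }
    }
}

# Usage with the account from the post:
Find-DeletedADObject -SamAccountName 'jaap' -RestorableOnly
```

WhenChanged on a deleted object reflects the deletion time, which makes the output useful for spotting unexpected deletions during an investigation.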
I’m eager to learn more about the password restore feature, that is apparently part of the Active Directory Recycle Bin in Windows Server 2012.
I have posted a new article that provides details about which attributes are available after a restore. Have a look at:
http://www.jaapbrasser.com/restoring-an-object-from-the-ad-recycle-bin/
It is a great feature, I think this will save me some future headaches :)