Restoring an Object from the AD Recycle Bin

Using the Active Directory Recycle Bin, I will demonstrate the consequences of deleting and restoring a Domain Administrator user account and show which properties are affected or changed.

First off we create a new user which we then add to the Domain Admins group with the following PowerShell commands:

New-ADUser -Name Admin_Jaap -SamAccountName Admin_Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText 'Secret01' -Force)
Add-ADGroupMember -Identity 'Domain Admins' -Members Admin_Jaap

Then we capture the output of Get-ADObject with all properties in a variable:

$BeforeDel = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

The next step is to delete the user using Remove-ADUser:

Remove-ADUser -Identity Admin_Jaap -Confirm:$false

Now the account can be restored:

Restore-ADObject -Identity $BeforeDel.ObjectGUID -Confirm:$false

Now that the object has been restored, the password that we originally set has been recovered as well. This can be verified by authenticating as the restored account with the following PowerShell command:

Invoke-Command -ScriptBlock {whoami} -Credential admin_jaap -ComputerName dc1

We capture the information now stored in AD in the $AfterRes variable:

$AfterRes = Get-ADObject -LDAPFilter "(samaccountname=Admin_Jaap)" -Properties *

Now that we have captured the account information both just after the account was created and after it was restored, we can use it to check which attributes, if any, have changed. The Compare-Object cmdlet can be used for this comparison. To be able to compare these AD objects, each variable is first piped into Out-String and then split into an array of strings.

Compare-Object -ReferenceObject (($BeforeDel|Out-String) -split '\n') `
-DifferenceObject (($AfterRes|Out-String) -split '\n') -IncludeEqual

The results show that most attributes are completely unchanged. The only attributes that differ are those holding replication metadata or recording when the object was last changed.

InputObject                                      SideIndicator
-----------                                      -------------
...                                                         ==
...                                                         ==
accountExpires                  : 9223372036854775807...    ==
badPasswordTime                 : 0...                      ==
badPwdCount                     : 0...                      ==
CanonicalName                   : contoso.com/Users/Admi... ==
CN                              : Admin_Jaap...             ==
codePage                        : 0...                      ==
countryCode                     : 0...                      ==
Created                         : 10/20/2012 6:10:30 PM...  ==
createTimeStamp                 : 10/20/2012 6:10:30 PM...  ==
Deleted                         : ...                       ==
Description                     : ...                       ==
DisplayName                     : ...                       ==
DistinguishedName               : CN=Admin_Jaap,CN=Users... ==
instanceType                    : 4...                      ==
isDeleted                       : ...                       ==
lastLogoff                      : 0...                      ==
lastLogon                       : 0...                      ==
logonCount                      : 0...                      ==
memberOf                        : {CN=Domain Admins,CN=U... ==
Name                            : Admin_Jaap...             ==
nTSecurityDescriptor            : System.DirectoryServic... ==
ObjectCategory                  : CN=Person,CN=Schema,CN... ==
ObjectClass                     : user...                   ==
ObjectGUID                      : c3a166bb-d6ef-4570-b3c... ==
objectSid                       : S-1-5-21-2571374773-32... ==
primaryGroupID                  : 513...                    ==
ProtectedFromAccidentalDeletion : False...                  ==
pwdLastSet                      : 129952554305891307...     ==
sAMAccountName                  : Admin_Jaap...             ==
sAMAccountType                  : 805306368...              ==
sDRightsEffective               : 15...                     ==
userAccountControl              : 512...                    ==
uSNCreated                      : 20547...                  ==
whenCreated                     : 10/20/2012 6:10:30 PM...  ==
WriteDebugStream                : {}...                     ==
WriteErrorStream                : {}...                     ==
WriteVerboseStream              : {}...                     ==
WriteWarningStream              : {}...                     ==
...                                                         ==
...                                                         ==
...                                                         ==
==
dSCorePropagationData           : {10/25/2689 8:46:08 PM... =>
LastKnownParent                 : CN=Users,DC=contoso,DC... =>
msDS-LastKnownRDN               : Admin_Jaap...             =>
uSNChanged                      : 20558...                  =>
dSCorePropagationData           : {12/31/1600 4:00:00 PM... <=
LastKnownParent                 : ...                       <=
uSNChanged                      : 20551...                  <=
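The Out-String approach above compares console lines, which are truncated at the window width (hence the "..." in the output), so a long value such as nTSecurityDescriptor or a memberOf list could differ without showing up. The following function, added here as an example and not part of the original post, compares the two captured objects attribute by attribute using their full values, treats multi-valued attributes as sets, and reports which ones changed. The constructed $before/$after objects only stand in for the real $BeforeDel/$AfterRes captures so the block runs without a domain; the commented call at the end shows how to use it against the post's own variables.

```powershell
# Added example (not from the original post): compare two objects attribute by
# attribute instead of diffing truncated Out-String lines.
function Compare-ObjectProperties {
    param(
        [Parameter(Mandatory)] $ReferenceObject,
        [Parameter(Mandatory)] $DifferenceObject,
        [string[]] $Exclude = @()          # attributes to ignore, e.g. replication metadata
    )
    # Union of the property names present on either object
    $names = @($ReferenceObject.PSObject.Properties.Name) +
             @($DifferenceObject.PSObject.Properties.Name) |
             Sort-Object -Unique | Where-Object { $Exclude -notcontains $_ }

    foreach ($name in $names) {
        $ref = $ReferenceObject.PSObject.Properties[$name].Value
        $dif = $DifferenceObject.PSObject.Properties[$name].Value
        # Multi-valued attributes (memberOf, dSCorePropagationData) are collections;
        # normalise both sides to sorted string arrays so ordering does not matter.
        $refText = @($ref | ForEach-Object { "$_" }) | Sort-Object
        $difText = @($dif | ForEach-Object { "$_" }) | Sort-Object
        $equal = ($refText -join "`n") -eq ($difText -join "`n")
        [pscustomobject]@{
            Property = $name
            Before   = ($refText -join '; ')
            After    = ($difText -join '; ')
            Status   = if ($equal) { 'Unchanged' } else { 'Changed' }
        }
    }
}

# Constructed sample objects standing in for $BeforeDel and $AfterRes (not real AD data).
$before = [pscustomobject]@{
    sAMAccountName  = 'Admin_Jaap'
    memberOf        = @('CN=Domain Admins,CN=Users,DC=contoso,DC=com')
    uSNChanged      = 20551
    LastKnownParent = $null
}
$after = [pscustomobject]@{
    sAMAccountName  = 'Admin_Jaap'
    memberOf        = @('CN=Domain Admins,CN=Users,DC=contoso,DC=com')
    uSNChanged      = 20558
    LastKnownParent = 'CN=Users,DC=contoso,DC=com'
}
Compare-ObjectProperties $before $after |
    Where-Object Status -eq 'Changed' | Format-Table -AutoSize

# Against the objects captured in the post (requires the ActiveDirectory module):
# Compare-ObjectProperties $BeforeDel $AfterRes -Exclude uSNChanged, dSCorePropagationData |
#     Where-Object Status -eq 'Changed'
```

Excluding the replication attributes (uSNChanged, dSCorePropagationData) leaves only the attributes that the restore itself set, LastKnownParent and msDS-LastKnownRDN, which is exactly what the truncated comparison above found; the difference is that memberOf and the security descriptor are now confirmed unchanged in full rather than by their first few characters.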
