Tag Archives: Tombstone

AD queries and the Active Directory Recycle Bin

Lately I have been playing around with the AD Recycle Bin on Windows Server 2012. It is a  useful feature that was introduced in Server 2008 R2 and has been improved in Server 2012. New features include:

  • AD Object restore from GUI
  • Password restore
  • Restore of a entire OU
To enable this feature using PowerShell the following line of code should be executed:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
-Scope 'ForestOrConfigurationSet' -Target 'dmn.com' -Confirm:$false

Note that this feature can never be disabled after it has been enabled. To test its functionality we will create a user:

New-ADUser -SamAccountName Jaap -Name Jaap -Enabled:$true `
-AccountPassword (ConvertTo-SecureString -AsPlainText '$ecret01' -Force)
This command creates a new account named Jaap with $ecret01 as the password. To be able to set a password this string is first converted into a SecureString. To verify that this account was created we can query it using Get-ADobject:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
An alternative, and my personal preference is to utilize [adsisearcher] to query for AD object. It has the advantage that it is available natively in PowerShell, in any version. Here is the syntax to query for the account that was just created:
([adsisearcher]'(samaccountname=jaap)').findone()
We have now established that the account can be found and, so let’s remove the account so it moves to the Active Directory Recycle Bin:
Remove-ADUser jaap
So now we can try the same query again:
Get-ADobject -Filter 'samaccountname -eq "jaap"'
([adsisearcher]'(samaccountname=jaap)').findone()
Get-ADobject will return an error and [adsisearcher] will not return any results. This is because the user account is Tombstoned and placed in the Deleted objects container. To get the desired results, the -IncludeDeletedObjects switch should be used:
Get-ADobject -Filter 'samaccountname -eq "jaap"' -IncludeDeletedObjects
For [adsisearcher] a slightly different approach should be used, the following query will retrieve the deleted user account:
$Searcher = [adsisearcher]'(samaccountname=jaap)'
$Searcher.Tombstone = $true
$Searcher.FindOne()

And that how to query accounts have been deleted and stored in the AD Recycle Bin.

Share