Windows Server 2008 R2 has a solution for this, namely the Active Directory Recycle Bin. In this blog post I will explain how you set up the AD Recycle Bin and how you can retrieve items afterwards. One drawback, though: there is no nice interface available from Microsoft yet.
First off, the Forest Functional Level must be raised to Windows Server 2008 R2. This can be done using Active Directory Domains and Trusts, but it is just as easy with PowerShell.
Through Active Directory Domains and Trusts:
Through Powershell:
Set-ADForestMode -Identity domain.test -ForestMode Windows2008R2Forest
Now that the forest is at the right level we'll start by configuring the AD Recycle Bin. First off we enable the optional feature in PowerShell using the following command.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=test' -Scope ForestOrConfigurationSet -Target 'domain.test'
When this is done we need to make the forest aware that the optional feature is installed. This can be done using LDP. Fire up LDP using Run and typing ldp.exe. In LDP, connect to the domain controller that hosts the root domain (so the first domain in the forest). This is done by clicking Connection, choosing Connect and typing in the hostname of the DC you want to connect to, after which you choose Bind. In the menu bar open the View menu and choose Tree. In the popup box choose the Configuration BaseDN.
Navigate to the CN=Partitions container, right-click it and choose Modify.
Make sure the field DN is empty and fill in the following in the other two fields of the Edit Entry box:
Attribute: enableOptionalFeature
Values: CN=Partitions,CN=Configuration,DC=domain,DC=test:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
In the field Operation choose Add and click Enter. The extension will now appear in the field Entry List. At the bottom of the popup box choose Run and then choose Close. When you double-click CN=Partitions on the left side, the following appears in the details field on the right side.
msDS-Behavior-Version: 4 = ( WIN2008R2 );
msDS-EnabledFeature: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=test;
name: Partitions;
If this is the case the Recycle Bin is installed correctly and we can start using it.
ATTENTION! From this moment on the Recycle Bin feature is activated. Any user deleted before this action cannot be retrieved using the AD Recycle Bin.
Through LDP:
Open up LDP again and connect and bind to the DC hosting the root domain. In the menu bar click Options and choose Controls.
Afterwards choose Run and the object will be retrieved from the Recycle Bin, after which you can see this in Active Directory Users and Computers again.
Through Powershell:
I know what you're thinking. We have an awesome tool called PowerShell, why won't we use that? Well, that's what we're going to look at now. Because we enabled the optional feature using Enable-ADOptionalFeature we have access to the Restore-ADObject cmdlet. What if you know the username of the user you want to recover? You can find the deleted object by running the following cmdlet:
Get-ADObject -Filter {sAMAccountname -eq "test"} -IncludeDeletedObjects
When this is executed the output will be as follows:
If this is the account you want to recover, run the following cmdlet:
Get-ADObject -Filter {sAMAccountname -eq "test"} -IncludeDeletedObjects | Restore-ADObject
That's it. The filter can be adapted to about anything you're comfortable with in PowerShell. In a later blog post I'll post more information about retrieving objects or OUs.
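The restore from the post wrapped in a reusable script, as an added example that is not part of the original post. It goes a little beyond the one-liner: it first checks that the Recycle Bin feature really is enabled, refuses to guess when several deleted objects share the sAMAccountName, and handles the case where the object's original OU was deleted as well. The function names Test-ADRecycleBinEnabled and Restore-DeletedUser and the -FallbackOU parameter are assumptions of this example; it assumes the RSAT ActiveDirectory module and an account allowed to read and restore deleted objects.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and an account that may read and restore deleted objects in the forest.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run for the forest.
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    return [bool]$feature.EnabledScopes
}

function Restore-DeletedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$FallbackOU   # hypothetical: used only when the original parent OU is gone too
    )
    if (-not (Test-ADRecycleBinEnabled)) {
        throw 'AD Recycle Bin is not enabled in this forest; nothing can be restored this way.'
    }
    # Same search as in the post, restricted to deleted objects, plus the attributes
    # needed to tell several deleted accounts with the same name apart.
    $hits = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)
    if ($hits.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    if ($hits.Count -gt 1) {
        $hits | Format-Table Name, ObjectGUID, lastKnownParent, whenChanged -AutoSize | Out-String | Write-Warning
        throw 'More than one match; restore the right one by ObjectGUID instead.'
    }
    $obj = $hits[0]
    # Restore-ADObject puts the object back under lastKnownParent. If that OU was
    # deleted as well the restore fails, so check it before trying.
    try   { $null = Get-ADObject -Identity $obj.lastKnownParent; $parentExists = $true }
    catch { $parentExists = $false }
    if ($parentExists) {
        if ($PSCmdlet.ShouldProcess($obj.Name, "Restore to $($obj.lastKnownParent)")) {
            $obj | Restore-ADObject
        }
    } elseif ($FallbackOU) {
        if ($PSCmdlet.ShouldProcess($obj.Name, "Restore to $FallbackOU")) {
            $obj | Restore-ADObject -TargetPath $FallbackOU
        }
    } else {
        throw "Parent $($obj.lastKnownParent) no longer exists; restore it first or pass -FallbackOU."
    }
}

# Dry run first (-WhatIf), then the real restore. Group memberships come back with
# the object, so review them afterwards with Get-ADPrincipalGroupMembership.
Restore-DeletedUser -SamAccountName 'test' -WhatIf
```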
For more information about retrieving objects from the Recycle Bin please look at the following link:
http://technet.microsoft.com/en-us/library/dd379509(WS.10).aspx