
Microsoft Active directory additional features - AD Recycle Bin Powershell

I recently architected the IT infrastructure for a small startup: I deployed Windows Server 2016 and designed the Active Directory infrastructure. The startup's staff make heavy use of the AD API in their own software, creating and deleting AD accounts, so I wanted all of the recent AD features, especially the Recycle Bin. Although it was introduced in Windows Server 2008 R2, I think it is worth documenting the procedure here and creating more awareness. Before deploying, read the statement below if you have a different AD architecture in mind, because it changes what the Infrastructure Master role does.

"When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role."

To get a list of all optional features, run the cmdlet below. It lists two features, Recycle Bin Feature and Privileged Access Management Feature; I will write about the second one in my next post. The Recycle Bin feature requires the forest functional level to be at least Windows Server 2008 R2 (see RequiredForestMode in the output), which can be raised with Set-ADForestMode. Because I deployed my first DC on Windows Server 2016, my forest and domain functional levels are already Windows Server 2016.

Get-ADOptionalFeature -Filter * 
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vcloud-lab,DC=com
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=vcloud-lab,DC=com, CN=NTDS Settings,CN=SERVER01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcloud-lab,DC=com}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : b797addd-61c3-4f3e-8168-b2f4d0c77423
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

DistinguishedName  : CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vcloud-lab,DC=com
EnabledScopes      : {}
FeatureGUID        : ec43e873-cce8-4640-b4ab-07ffe4ab5bcd
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Privileged Access Management Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : 06037360-fbf9-4682-8fb9-07a428a21d11
RequiredDomainMode :
RequiredForestMode : Windows2016Forest

To enable the Recycle Bin feature you need its full identity, which is the DistinguishedName shown in the output above. The -Scope parameter accepts two values, Domain and ForestOrConfigurationSet; for the Recycle Bin it must be ForestOrConfigurationSet, matching the FeatureScope shown above. -Target is the DNS name of the forest (the domain name for a single-domain forest). Two things to check first: the cmdlet must be run by a member of Enterprise Admins, and it prompts for confirmation because, as IsDisableable : False shows, the feature cannot be turned off once enabled.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature, CN=Optional Features, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=vcloud-lab,DC=com' -Scope ForestOrConfigurationSet -Target
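The enable step, as an added example that is not from the original post: it checks the forest functional level, enables the feature only if it is not already enabled, and then verifies EnabledScopes and the deleted object lifetime. The forest name vcloud-lab.com is an assumption taken from the DNs above; change it for your environment and run it as an Enterprise Admin.

```powershell
# Added example (not from the original post). Assumes the lab forest 'vcloud-lab.com'.
Import-Module ActiveDirectory

$ForestName = 'vcloud-lab.com'   # assumption: forest DNS name seen in the post's DNs

$forest  = Get-ADForest -Identity $ForestName
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# Prerequisite: forest functional level >= Windows Server 2008 R2 (RequiredForestMode).
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode is $($forest.ForestMode); raise it with Set-ADForestMode before enabling the Recycle Bin."
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    # Irreversible (IsDisableable is False), so the confirmation is suppressed deliberately here.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
}

# Verify: EnabledScopes should list the Partitions container and each DC's NTDS Settings object.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes

# How long Restore-ADObject can still bring a deleted object back. If
# msDS-DeletedObjectLifetime is empty, the tombstoneLifetime value applies.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime' |
    Select-Object 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
```

If the last command shows an empty msDS-DeletedObjectLifetime, the tombstone lifetime is what governs restore, so that is the number to record in your runbook.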

Next, all my test accounts are kept in a single OU, which I can list with the command below. I am gathering this information because I need the ObjectGUID of each object so I can verify later that the restored objects are the same objects (same GUID, and therefore same SID and group memberships), not newly created ones with the same name.

Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'}
DistinguishedName                                Name         ObjectClass ObjectGUID
-----------------                                ----         ----------- ----------
CN=DemoUser,OU=DeleteOu,DC=vcloud-lab,DC=com     DemoUser     user        24632275-ea54-408c-bc07-fa23f8305da1
CN=DemoGroup,OU=DeleteOu,DC=vcloud-lab,DC=com    DemoGroup    group       7a299a0e-2e4b-4ec1-b45b-cb4727a6f0cb
CN=DemoComputer,OU=DeleteOu,DC=vcloud-lab,DC=com DemoComputer computer    f04b216e-be48-4dc5-8ada-5c843d03cfbc

Next I remove (delete) the AD objects. With the Recycle Bin enabled, a deleted object is not a tombstone: it keeps all of its attributes and is moved to the CN=Deleted Objects container, where it stays for the deleted object lifetime (msDS-DeletedObjectLifetime; by default this equals the tombstone lifetime, 180 days in a forest created on Windows Server 2003 SP1 or later). Only after that lifetime expires does it become a recycled object, the stripped-down equivalent of the old tombstone, which Restore-ADObject can no longer recover. Note also that Remove-ADObject refuses to delete objects that have ProtectedFromAccidentalDeletion set.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'} | Remove-ADObject -Confirm:$false

Once the accounts are deleted, I can verify that there are no matching objects left in the OU; the same command now returns nothing, and the OU is empty in the GUI (dsa.msc) as well.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'}

To view deleted objects use the -IncludeDeletedObjects parameter. Because deleted objects are moved to CN=Deleted Objects,DC=vcloud-lab,DC=com, a -SearchBase of the original OU no longer finds them; if you need to restrict results to one OU, filter on the lastKnownParent attribute instead. Note the Deleted attribute (LDAP isDeleted), which is now True.
Get-ADObject -Filter {Name -Like 'Demo*' -and Deleted -eq $True} -IncludeDeletedObjects

Pipe the deleted objects to Restore-ADObject to recover them. This is a very good option and does not require any third-party software to restore accounts (a backup is still essential, because recycled objects can only come back from backup); the account is restored instantly. Restore-ADObject puts each object back in the container recorded in lastKnownParent, so if that parent OU was deleted as well, restore the OU first or pass -TargetPath to place the object somewhere else.
Get-ADObject -Filter {Name -Like 'Demo*' -and Deleted -eq $True} -IncludeDeletedObjects | Restore-ADObject

Finally, list the objects again and compare their ObjectGUIDs with the ones I recorded earlier to confirm that these are the same accounts.
Get-ADObject -Filter {Name -Like 'Demo*'}
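The whole delete-and-restore procedure above, as an added example that is not from the original post. It records ObjectGUID and objectSid before deletion, restores each deleted object, falls back to -TargetPath when the original parent OU no longer exists, skips objects that have already been recycled, and asserts that every restored object still has its original GUID. The OU DN, the Demo* object names, and the fallback OU are assumptions.

```powershell
# Added example (not from the original post). Assumes the post's OU and Demo* objects.
Import-Module ActiveDirectory

$SearchBase = 'OU=DeleteOu,DC=vcloud-lab,DC=com'   # assumption: OU used in the post
$FallbackOu = 'OU=Restored,DC=vcloud-lab,DC=com'   # assumption: hypothetical OU for orphaned restores

# 1. Record identity before deleting. ObjectGUID never changes; objectSid is what ACLs reference.
$before = Get-ADObject -SearchBase $SearchBase -Filter { Name -like 'Demo*' } -Properties objectSid |
    Select-Object Name, ObjectClass, ObjectGUID, objectSid
$before | Format-Table -AutoSize

# 2. Delete by GUID rather than by name so a rename in between cannot hit the wrong object.
$before | ForEach-Object { Remove-ADObject -Identity $_.ObjectGUID -Confirm:$false }

# 3. Find the deleted objects. Deleted names look like 'DemoUser\0ADEL:<guid>', so 'Demo*' still matches.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, isRecycled `
    -Filter { Name -like 'Demo*' -and isDeleted -eq $true }

# 4. Restore, handling the two failure modes a practitioner actually hits.
foreach ($obj in $deleted) {
    if ($obj.isRecycled) {
        Write-Warning "$($obj.Name) is past the deleted object lifetime (recycled); only a backup can recover it."
        continue
    }
    $parentDn = $obj.lastKnownParent
    try   { $null = Get-ADObject -Identity $parentDn; $parentExists = $true }
    catch { $parentExists = $false }

    if ($parentExists) {
        Restore-ADObject -Identity $obj.ObjectGUID
    } else {
        # Original OU is gone: restore it first, or redirect the object with -TargetPath.
        Write-Warning "Parent $parentDn no longer exists; restoring $($obj.Name) into $FallbackOu"
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackOu
    }
}

# 5. Verify: same GUIDs (and therefore same SIDs and group memberships) as before the delete.
$after = Get-ADObject -SearchBase $SearchBase -Filter { Name -like 'Demo*' } -Properties objectSid
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property ObjectGUID
if ($diff) {
    Write-Warning 'Some objects were not restored or came back with a different GUID:'
    $diff | Format-Table -AutoSize
} else {
    Write-Host "All $($after.Count) objects restored with their original ObjectGUID and objectSid."
}
```

Checking objectSid as well as ObjectGUID matters for the security argument: a Recycle Bin restore keeps the SID, so existing ACLs and group memberships are intact, whereas an account recreated by hand with the same name gets a new SID and silently loses every permission that referenced the old one.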

Useful blogs
Installing, importing and using any module in powershell

This post first appeared on Tales From Real IT System Administrators World And Non-production Environment.
