04 January 2013

How to enable Active Directory Recycle Bin and restore deleted objects (users, groups etc)

In Windows Server 2003 and Windows Server 2008 the best option to restore a deleted user account was the command-line utility adrestore.exe from http://live.sysinternals.com/. The restore worked fairly well: the account kept its security ID (SID) and logon name, so the user could log on to the same Windows profile. The side effects were a lost password, phone number, group membership and so on, and the restored account was in a disabled state, so you had to enable the account and assign a new password.

Since Windows Server 2008 R2 you have the option to enable the Active Directory Recycle Bin. For that you need:

  1. All domain controllers must be Windows Server 2008 R2 (or later). Remove older ones by running the dcpromo wizard on them, and if you don’t have a W2008R2 domain controller yet, install one first.
  2. Forest and domain functional levels must be Windows Server 2008 R2. To change them, use domain.msc (Active Directory Domains and Trusts). Remember that this change is irreversible, and be sure that you don’t have any older domain controllers left.
  3. AD Recycle Bin must be activated by using the following PowerShell command:
    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
    Replace contoso.com with your own domain name (in both the -Identity path and the -Target argument).
  4. Delete a sample user account using your favorite tool, for example “net user test /delete /domain”.
  5. The restore is easily done with PowerShell:
    1. First you need to find the affected object:
      Get-ADObject -Filter {name -like "*PhraseFromUsername*" -and deleted -eq $true} -IncludeDeletedObjects
    2. Make sure the result includes only the deleted account, then run the same command and pipe it to the Restore-ADObject cmdlet:
      Get-ADObject -Filter {name -like "*PhraseFromUsername*" -and deleted -eq $true} -IncludeDeletedObjects | Restore-ADObject
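The procedure above, as an added example script (not from the original post) that turns the "make sure your result includes only the deleted account" step into an actual check: it confirms the Recycle Bin is enabled, refuses to restore an ambiguous match, falls back to the Users container when the original OU was deleted too, and verifies the result. It assumes the ActiveDirectory module is installed and that the deleted account is the "test" user from step 4.

```powershell
# Added example (not from the original post): check the Recycle Bin is enabled, find a
# deleted object by name, refuse to act on an ambiguous match, restore it, and verify.
# Assumptions: ActiveDirectory module installed; deleted account is the "test" user
# from step 4 (change $NamePattern for your own case).
Import-Module ActiveDirectory

$NamePattern = 'test'
$pattern     = "*$NamePattern*"

# Without the optional feature, deleted objects are tombstones with most attributes
# stripped, so a restore would lose password and group membership as with adrestore.exe.
$feature = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    Write-Warning ("Recycle Bin is not enabled (forest mode: {0}); run Enable-ADOptionalFeature first." -f (Get-ADForest).ForestMode)
    return
}

# Deleted objects sit under CN=Deleted Objects and are hidden unless -IncludeDeletedObjects is given.
$candidates = @(Get-ADObject -Filter { Name -like $pattern -and Deleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, objectSid, whenChanged)

if ($candidates.Count -eq 0) { Write-Warning "No deleted object matches $pattern."; return }
if ($candidates.Count -gt 1) {
    # Several matches: show enough detail to pick the right one, then restore that one by GUID.
    $candidates | Select-Object Name, ObjectClass, objectSid, lastKnownParent, whenChanged | Format-Table -AutoSize
    Write-Warning "Ambiguous match; restore the intended object with Restore-ADObject -Identity <ObjectGUID>."
    return
}
$obj = $candidates[0]

# Restore-ADObject puts the object back under lastKnownParent. If that OU was deleted as
# well, its DN no longer resolves, so restore into the domain's Users container instead.
$target = $obj.lastKnownParent
try   { Get-ADObject -Identity $target -ErrorAction Stop | Out-Null }
catch { Write-Warning "Original parent $target is gone; restoring to the Users container."
        $target = (Get-ADDomain).UsersContainer }

Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $target

# Verify: same GUID and SID, group memberships back, and userAccountControl 512 (enabled,
# not 514 = disabled) showing the account did not come back disabled as with adrestore.exe.
Get-ADObject -Identity $obj.ObjectGUID -Properties objectSid, memberOf, userAccountControl |
    Select-Object Name, DistinguishedName, objectSid, memberOf, userAccountControl
```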

And now you can use this user account again: the password, username, group membership etc. are all retained.

For more information please visit http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx
