The Active Directory Recycle Bin in Windows Server 2008 R2

Since Active Directory was included as part of Window Server 2000, administrators have often asked for  a simple way to roll back mistakes, whether that is the incorrect deletion of the wrong user account to the accidental removal of thousands of objects by deleting an OU. Before the release of Windows Server 2008 R2 there were a number of ways using built-in or third-party methods to restore Active Directory objects, but typically they were not as quick or complete as say retrieving a deleted email or file.

Microsoft has included with their release of Windows Server 2008 R2 the facility, under the correct conditions, to enable a Recycle Bin for Active Directory and allow simple restoration of objects which have been erroneously removed. In this article we will briefly cover some of the options prior to 2008 R2 and then examine how to enable the new Recycle Bin and restore objects from it.

Pre-Windows Server 2008 R2

The 2008 R2 Recycle Bin for Active Directory is a great motivating point for upgrading your forest and domain(s) to the latest version, but this is not always a quick process in many enterprises so it is worth knowing what options are available prior to this version. Like many things it’s a lot better to examine and plan for possible resolutions before a significant mistake happens that you need to deal with. Retrieving Active Directory objects typically falls into two available categories, authoritative restore from a backup or tombstone reanimation.

Authoritative Restore

The Microsoft KB article 840001(http://support.microsoft.com/kb/840001) details how to perform the restoration of a user account using a system state backup of a domain controller. Typically, you would use a global catalog so that you can also restore all group membership information.

Tombstone Reanimation

The above article also details how to recover an account when you don’t have a system state backup by using tombstone reanimation which was introduced with Windows Server 2003 – you can retrieve objects from the Deleted Objects container where they are kept after deletion until their tombstone period expires. Obviously regular system state backups of Active Directory are critical for your full disaster recovery procedures, but taking advantage of tombstone reanimation means you can get objects back quicker than having to go through the full authoritative restore process.

You could use the procedure in the article which utilises the ldp.exe tool, but there are other methods around which you may find simpler.

The drawback with tombstone reanimation is that because most of the object’s attributes are removed at the time of the object’s deletion, a restored object using this method requires many properties of the account, such as address fields and group membership, to be manually repopulated. Whilst this is obviously preferable to re-creating an account from scratch it does not make for a quick overall process. However, you will at least get back the objectGUID and objectSid attributes which means there would be no need to re-configure a user’s workstation profile.

The original release of Windows Server 2008 introduced snapshot backups for Active Directory. You can take point-in-time snapshots of your Active Directory with the NTDSUTIL command line utility which utilizes Volume Shadow Copy to provide a snapshot. It is then possible to mount this snapshot using different ports on the same domain controller as the live Active Directory database and use standard tools to compare the two. This could really make the tombstone reanimation a lot simpler because after restoring the object you could view two versions of Active Directory Users and Computers side by side and view the properties of the restored object from a previous time, so making it simpler to repopulate properties.

The Directory Service Comparison Tool (http://lindstrom.nullsession.com/?page_id=11) takes advantage of these snapshots and makes the repopulation process more streamlined.

For those with Microsoft Exchange messaging environments, once you have the Active Directory account back, you can use the Reconnect Mailbox feature within Exchange to tie the restored account back up with the mailbox. This is of course providing you have a similar tombstone retention period for mailboxes that you do for AD accounts.

Active Directory Recycle Bin

The real reason you decided to read this article though was not so that we could spend time going over all the possible options for how you can piece together restored AD objects, but rather to find out how the Recycle Bin is going to make your life as an Active Directory administrator easier without necessarily the need for these different tools. The key differences from previous versions of Windows Server are that by default you get all of the attributes back and the tools to use are PowerShell cmdlets, which are quickly becoming a more essential part of every Windows administrator’s standard toolkit.

Firstly though the Active Directory Recycle Bin is not enabled by default and has certain domain and forest wide requirements before it can be enabled.

  • Firstly, all domain controllers within the Active Directory forest must be running Windows Server 2008 R2.
  • Secondly, the functional level of the Active Directory forest must be Windows Server 2008 R2.

Naturally organizations are typically cautious when upgrading Active Directory and these types of infrastructure projects don’t tend to happen quickly, but the Recycle Bin could be one of the features which gives you more weight behind a decision. You should also be aware though that enabling the Recycle Bin is a onetime only move, there’s no easy way to disable it again, so careful consideration of this decision must be taken.

It’s worth noting that if you are making a fresh forest install of Windows Server 2008 R2 the Active Directory schema will already include all of the necessary attributes for the Recycle Bin to function. If however you are upgrading your domain controllers from previous versions of Windows Server then you will need to run the well known procedure of  adprep /forestprep and adprep /domainprep (for each domain) and possibly adprep /domainprep /gpprep (for Group Policy preparation)

before you can introduce Windows Server 2008 R2 domain controllers into the environment.

So let’s go ahead and run through all the steps we need to get the Recycle Bin enabled. Firstly, ensure that all of your domain controllers are running Windows Server 2008 R2 and then we need to use PowerShell; the great news with Windows Server 2008 R2 is that version 2 of PowerShell is installed by default and is placed directly on your taskbar.

After you have installed Active Directory Domain Services the Active Directory specific cmdlets are available to use via a module; modules essentially are the evolution of snapins from version 1 of PowerShell. To access these cmdlets you can either open the Active Directory specific version of the PowerShell console from the Administrative Programs menu, or the method I would prefer, use the Import-Module cmdlet. (Tip: You could add the below expression to your PowerShell profile so that the cmdlets are available every time you open PowerShell)

PS> Import-Module activedirectory

Once complete all of the Active Directory cmdlets will be at your fingertips. As previously discussed we now need to get the functional level of the forest up to the level of Windows Server 2008 R2. The most common way to do this previously was through Active Directory Domains and Trusts.

Now though we can do this through PowerShell. The Get-ADForest cmdlet will return information about your forest and the Set-ADForestMode cmdlet will enable you to raise the current functional level – since it is such a significant change to your environment you will be prompted to confirm that you wish to go ahead.

PS> Get-ADForest | Set-ADForestMode –ForestMode Windows2008R2Forest

Now that our forest is at the correct functional level we can enable the Recycle Bin, to do so we use the Enable-ADOptionalFeature cmdlet. This must be either run on the DC with the Domain Naming Master FSMO role or directed at that server with the –server parameter. Again you will be prompted to confirm your command since the action is irreversible.

PS> Enable-ADOptionalFeature ‘Recycle Bin Feature’ -Scope ForestOrConfigurationSet -target ‘test.local’

Now that we have the Recycle Bin enabled it’s time to go check out how we recover some deleted objects. In this environment we have a very simple AD structure with a couple of test accounts to illustrate the example.

Let’s take the situation where an administrator accidently deletes the Users OU. One of the most common reasons this can happen is because it is actually possible to delete OU’s from the Group Policy Management tool, not just Active Directory Users and Computers – so an administrator might think they are removing a GPO and in a bad moment delete the wrong item and remove a whole OU. The administrator is prompted for what they are about to do, but I have seen it happen more than once!

The initial release of Windows 2008 Server actually included a new checkbox ‘Protect object from accidental deletion’. In the example of the OU below any attempt to delete the OU will be met with an Access is denied response and the administrator will actually have to remove the tick from that checkbox before the OU can be deleted.

However, what you would naturally expect to happen as a consequence of the Protect object from accidental deletion would be any user or computer account created in that protected OU would also be supported by the same mechanism. Unfortunately by default they are not, so as a good practise you would either need to build that into your account creation process or programmatically check and set that checkbox on all accounts in the OU on a regular basis.

Consequently, in the above example if we accept the warning to delete the OU we are greeted with an Access is denied message since the OU has protection set.

So we were saved from deleting the OU, but all of the unprotected child objects were deleted.

(For the purposes of this article I now remove the Users OU by first clearing the checkbox for protecting the object from accidental deletion.)

We can browse the current contents of the Active Directory Recycle Bin using the Get-ADObject cmdlet, directing it at the Deleted Objects container and using the –includeDeletedObjects parameter.

PS> Get-ADObject –SearchBase “CN=Deleted Objects,DC=test,DC=local” –ldapFilter “(objectClass=*)” -includeDeletedObjects | Format-List Name,ObjectClass,ObjectGuid

We can see from the resultant output that we have both the Users OU in there and the two user accounts. So let’s try restoring one of the user accounts back, to do so we need the Restore-ADObject cmdlet and supply the ObjectGuid property of the user account.

PS> Restore-ADObject –identity 2df74fba-7e86-4f75-b16d-5725ef45a45f

Oh dear, it failed to restore, but PowerShell tells us that it failed because the object’s parent no longer exists either, i.e. we need to first restore the Users OU. (Note: an alternative would be to use the  -targetpath parameter and re-direct the restore to a different OU)

To restore the Users OU we can use the same cmdlet (Restore-ADObject) as to restore users, just supply the ObjectGuid of the OU.

PS> Restore-ADObject –identity 20142376-8a48-4b56-9972-0e64eb9e9a0f

The Users OU returns.

Now we just need to get those user accounts back. Rather than have to type out the ObjectGuid for each account we wish to restore we can instead create a search which will match all of the accounts we wish to restore and then use the PowerShell pipeline to send those results to the Restore-ADObject cmdlet.

PS> Get-ADObject -ldapFilter “(lastKnownParent=OU=Users,OU=Resources,DC=test,DC=local)” -includeDeletedObjects | Restore-ADObject

The user accounts are back in the Users OU.

If we check the properties of the account we can confirm that different from tombstone re-animation we get all of the properties back.

Active Directory Recycle Bin PowerPack for PowerGUI

Although the Recycle Bin is a great new feature within Windows Server 2008 R2 Microsoft is already getting feedback that there is no GUI for managing it. Whilst a lot of administrators are comfortable with PowerShell, some may still prefer to use a GUI based management tool for these tasks. Fortunately a great tool to plug this gap has already been provided by the community; PowerShell MVP Kirk Munro has created the Active Directory Recycle Bin PowerPack for PowerGUI (http://www.powergui.org/entry.jspa?categoryID=21&externalID=2461). This free tool has bundled up scripts using the previously demonstrated Active Directory PowerShell cmdlets and provides a graphical front end for administration.

Simply download the PowerGUI tool plus the Active Directory Recycle Bin PowerPack and import it into PowerGUI. Open up the PowerPack and you will have a graphical view of the current contents of the Recycle Bin with the ability to drill down through Organisational Units. Options for restoring single items or recursively are provided in the Actions column as well as alternate restoration paths and emptying items from the Recycle Bin.

It is also possible to use the Configure recycle bin action to set the values for DeletedObjectLifetime, the amount of days objects reside in the Recycle Bin, and TombstoneLifetime, the amount of days objects can be restored using Tombstone Reanimation after they have left the Recycle Bin. In Windows Server 2008 R2 both of these values default to 180 days, in some earlier versions of Windows Server this value was 60 days and if you upgrade those domain controllers it will remain the same so you may wish to change the values – you can use the Modify action to do this.

For this example I have deleted from Active Directory the Resources and Users containers and the two user accounts which you can see nicely in the below screenshot using PowerGUI.

This time we will restore the account Joe Bloggs, but to an alternative location using the Restore to….  Action. (Remember: this is done in PowerShell using the –targetpath parameter of the Restore-ADObject cmdlet) Simply input the path to the Organisational Unit you wish to restore the object to. In this example we use the default Users container as the target location.

The user has been restored to the alternate location; this is particularly useful if we did not wish to bring back the entire OU(s) as we did previously.

If however, you do wish to bring back the contents of an entire OU and everything below it there is an action, Restore (recursive).

Using the Restore (recursive) action in this scenario brings back both the Resources and Users OU’s as well as the single account remaining in it, Jane Smith.

Hopefully in a future release of Windows Server this functionality will be provided out of the box, the most natural home would be a viewable container within Active Directory Users and Computers, until then the Recycle Bin PowerPack for PowerGUI will prove very useful.

Summary

One of the most requested features for a long time with Active Directory has been a Recycle Bin. Microsoft has finally delivered this with the release of Windows Server 2008 R2. It may not be a feature that enterprises get to use for a little while given the system requirements of all 2008 R2  Domain Controllers and your Active Directory Forest at 2008 R2 functional level, but it could be one of those compelling reasons that enables you to pursue an upgrade.

Administration is via the new Active Directory PowerShell cmdlets which Microsoft is using to provide a consistent command line interface across all of their products. Although currently there is no native GUI for these administration tasks, the Active Directory Recycle Bin PowerPack for PowerGUI enables administrators to leverage the underlying PowerShell functionality and provide a graphical interface for carrying out these tasks.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s