imageWe have all been here before.  Maybe you have deleted a user either accidentally or on purpose.  Regardless you may need to get the user back with all of their properties, group memberships, security identifiers..etc.  In prior versions of Windows Server deleting a user could cause administrative overhead to recover the user.  Some of the methods might involve using backup and recovery, AD authoritative restore or even just recreating the user from scratch.  However all of those methods are labor intensive (especially recreating a new user) and may involve downtime of your infrastructure.  With Windows Server 2008 R2 we introduced the AD recycle bin.  With the recycle bin you can easily recover the user (or other AD objects like groups or OU’s).  This is a full recovery of the user and their properties.  Before you enable the recycle bin there are a few things you need to know:

  • All domain controllers within the Active Directory forest must be running Windows Server 2008 R2
  • The functional level of the Active Directory forest must be Windows Server 2008 R2.
  • Once you enable the recycle bin you cannot disable it, although you can reduce the amount of time an object is in the recycle bin).

imageWhat happens under the hood after you enable the recycle bin and delete a user.  By default the user is placed in a deleted objects container for 180 days (which you can configure) before it goes through the normal tombstone collection process.  During the first 180 days container you can recover the AD user with a simple PowerShell command from the deleted objects container.  In fact PowerShell is the preferred tool (and really the only tool) to access the recycle bin to see what is there and to recover your AD objects.

Before you can use the recycle bin and prior to deleting users you have to enable the recycle bin.  The following command will enable the recycle bin for the contoso domain on server 1:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'contoso.com' -server server1

After you have enabled the recycle bin you can then recover users, using the Restore-ADObject cmdlet.  To be able to recover the object you need to know the GUID for the user.  To see all of the deleted objects in the recycle bin you can run the following command.  this will show you not only the name of the objects but also the GUID for the deleted objects:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -ldapFilter "(objectClass=*)" –includeDeletedObjects

After you find the GUID for the object you then put it after the GUID parameter in the Restore-ADObject

Restore-ADObject –id <guid of object you want to recover>

You may thinking that is nice but what if I needed to recover 10 users or more, I would have to run the Restore-ADobject cmdlet multiple times.   The answer is no, you can use the pipe “|” operator (we talked about that in part 16) combining the Get-ADObject and Restore-ADObject to be able to restore multiple users at a time.  For example if you wanted to recover all the users in the marketing OU in the contoso domain your command would look similar to this:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=marketing,DC=contoso,DC=com"} –IncludeDeletedObjects | Restore-ADObject

If you want to see the Recycle Bin in action check out this screencast I did in March of last year

Get Microsoft Silverlight

 

Thanks for reading and if you missed any of the previous posts you can find a master list of series postings located here: PowerShell Not Your Father's Command Line: 31 Days of PowerShell or on Sarah’s blog here: PowerShell Not Your Father's Command Line: 31 Days of PowerShell. Lastly Sarah and I want to hear from you email either of us with your comments or suggestions for future postings let us know, we look forward to hearing from you. Have a great day!