Virtual Geek

Tales from real IT system administrators world and non-production environment

Microsoft Active Directory additional features - AD Recycle Bin with PowerShell

October 11, 2017 01:00PM

I recently architected the IT infrastructure for a small startup: I deployed Windows Server 2016 and designed the Active Directory infrastructure. The startup's staff make heavy use of the AD API from their own software, including creating and deleting AD accounts, so I wanted all the recent AD features in place, especially the Recycle Bin. Although it was introduced in Windows Server 2008 R2, I think the procedure is worth documenting here to raise awareness. Before deploying, read the statement below if you have another AD architecture in mind, because enabling the feature changes what the Infrastructure Master role does:

"When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role."

Related post: Powershell: Temporary group membership on Windows 2016 Active Directory PAM (Privileged Access Management Feature)

To list all optional features, run the cmdlet below. It shows two features, Recycle Bin Feature and Privileged Access Management Feature; I will write about the second one in my next blog. The Recycle Bin feature requires the forest functional level to be at least Windows Server 2008 R2 (see RequiredForestMode in the output), which can be raised with the Set-ADForestMode cmdlet. Because I deployed my first DC on Windows Server 2016, my forest and domain functional levels are already Windows Server 2016; verify yours with Get-ADDomain | Select-Object DomainMode and Get-ADForest | Select-Object ForestMode.

Check on Installing, importing and using any module in powershell


Get-ADOptionalFeature -Filter * 
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vcloud-lab,DC=com
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=vcloud-lab,DC=com, CN=NTDS Settings,CN=SERVER01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcloud-lab,DC=com}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : b797addd-61c3-4f3e-8168-b2f4d0c77423
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

DistinguishedName  : CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vcloud-lab,DC=com
EnabledScopes      : {}
FeatureGUID        : ec43e873-cce8-4640-b4ab-07ffe4ab5bcd
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Privileged Access Management Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : 06037360-fbf9-4682-8fb9-07a428a21d11
RequiredDomainMode :
RequiredForestMode : Windows2016Forest


To enable the Recycle Bin feature, pass its DistinguishedName from the output above as -Identity (the cmdlets also accept the feature by name, 'Recycle Bin Feature'). -Scope takes one of two values, ForestOrConfigurationSet or Domain; the Recycle Bin is forest-scoped (see FeatureScope above), so use ForestOrConfigurationSet and give the forest root domain name as -Target. This action is irreversible: IsDisableable is False, so once enabled it cannot be turned off. The setting is stored in the AD configuration partition and therefore replicates to every DC in the forest.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature, CN=Optional Features, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=vcloud-lab,DC=com' -Scope ForestOrConfigurationSet -Target vcloud-lab.com
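The following is an added example, not code from the original post: it performs the checks described above before enabling the feature (forest functional level, whether the feature is already enabled) and then reads how long deleted objects will stay restorable. It assumes an elevated PowerShell session on a DC or RSAT host, run as a member of Enterprise Admins, in the forest the session is joined to.

```powershell
# Added example, not code from the original post: check the prerequisites the
# post describes and enable the Recycle Bin only if it is not already on.
# Assumptions: elevated PowerShell on a DC or RSAT host, run as Enterprise Admin,
# against the forest the current session belongs to.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# RequiredForestMode is Windows2008R2Forest. Compare the enum numerically
# (Windows2000Forest = 0 ... Windows2008R2Forest = 4 ... Windows2016Forest = 7).
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it with Set-ADForestMode before enabling the Recycle Bin."
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled; scopes: $($feature.EnabledScopes -join ', ')"
}
else {
    # IsDisableable is False: this cannot be undone, so keep the confirmation prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$true
}

# How long a deleted object stays restorable. msDS-DeletedObjectLifetime falls
# back to tombstoneLifetime when it is not set; both live on the Directory
# Service object in the configuration partition.
$dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity $dsPath -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime' |
    Select-Object 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
```

If the last command shows both attributes empty, the forest is using the built-in default; forests created on Windows Server 2003 SP1 or later set tombstoneLifetime to 180 days, and the deleted-object lifetime follows it unless msDS-DeletedObjectLifetime is set explicitly.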


Next, all my test accounts are kept in a single OU, which I can list with the command below. I am recording each object's ObjectGUID now so that I can verify later that the restored objects carry the same GUIDs.

Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'}
DistinguishedName                                Name         ObjectClass ObjectGUID
-----------------                                ----         ----------- ----------
CN=DemoUser,OU=DeleteOu,DC=vcloud-lab,DC=com     DemoUser     user        24632275-ea54-408c-bc07-fa23f8305da1
CN=DemoGroup,OU=DeleteOu,DC=vcloud-lab,DC=com    DemoGroup    group       7a299a0e-2e4b-4ec1-b45b-cb4727a6f0cb
CN=DemoComputer,OU=DeleteOu,DC=vcloud-lab,DC=com DemoComputer computer    f04b216e-be48-4dc5-8ada-5c843d03cfbc


Next I delete the accounts. With the Recycle Bin enabled, a deleted object is not stripped down to a tombstone: it keeps its attributes (SID, group memberships and so on), is flagged isDeleted, is moved under the hidden Deleted Objects container with lastKnownParent recording its original OU, and is retained for the deleted-object lifetime (msDS-DeletedObjectLifetime, which defaults to the tombstone lifetime, 180 days in forests created on Windows Server 2003 SP1 or later). After that it becomes a recycled object and can no longer be restored with Restore-ADObject.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'} | Remove-ADObject -Confirm:$false

Once the accounts are deleted, I can verify that the OU contains no Demo* objects; the same is visible in the GUI (dsa.msc), where the OU is empty.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'}


To view deleted objects, add the -IncludeDeletedObjects parameter. A -SearchBase of the original OU will not find them, because they have been moved to the Deleted Objects container; to narrow the search use -SearchBase 'CN=Deleted Objects,DC=vcloud-lab,DC=com' and check the lastKnownParent attribute for the OU they came from. Note that the Deleted attribute (isDeleted in LDAP) is True.
Get-ADObject -Filter {Name -Like 'Demo*' -and Deleted -eq $True} -IncludeDeletedObjects

Pipe the result to Restore-ADObject to recover the deleted objects. This is a very good option that needs no third-party software to restore an account (a backup is still essential, since the Recycle Bin does not cover objects past their deleted-object lifetime), and the restore is instant. Restore-ADObject puts each object back under its lastKnownParent; if that OU was deleted as well, restore the OU first or supply -TargetPath.
Get-ADObject -Filter {Name -Like 'Demo*' -and Deleted -eq $True} -IncludeDeletedObjects | Restore-ADObject

List the objects again and compare their ObjectGUID values with the ones recorded earlier to confirm they are the same objects and not re-created ones: a re-created account with the same name would receive a new GUID and a new SID, so existing ACLs that referenced the old SID would no longer resolve to it.
Get-ADObject -Filter {Name -Like 'Demo*'}
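The following is an added example, not code from the original post: it runs the delete, list and restore steps above end to end and then verifies by ObjectGUID, objectSid and group membership rather than by name, and it refuses to restore an object whose parent OU is itself still deleted. It assumes the Recycle Bin is enabled and that OU=DeleteOu holds the DemoUser, DemoGroup and DemoComputer objects shown earlier.

```powershell
# Added example, not code from the original post: delete the lab's Demo* objects,
# restore them by ObjectGUID, and verify that GUID, SID and group membership are
# unchanged. Assumes the Recycle Bin is enabled and that OU=DeleteOu contains the
# DemoUser, DemoGroup and DemoComputer objects shown on this page.
Import-Module ActiveDirectory
$ou = 'OU=DeleteOu,DC=vcloud-lab,DC=com'

# Record what a real restore must preserve. ObjectGUID is the object's identity
# in the directory; objectSid is what ACLs on resources actually reference.
$before = Get-ADObject -SearchBase $ou -Filter { Name -like 'Demo*' } -Properties objectSid, memberOf |
    Select-Object Name, ObjectGUID,
        @{ n = 'Sid';      e = { $_.objectSid.Value } },
        @{ n = 'MemberOf'; e = { @($_.memberOf) } }

# Same deletion as the post, driven by GUID instead of a second search.
$before | ForEach-Object { Remove-ADObject -Identity $_.ObjectGUID -Confirm:$false }

# Deleted objects now sit under CN=Deleted Objects with a mangled RDN
# ('DemoUser\0ADEL:<guid>'); lastKnownParent records where they came from.
$deleted = Get-ADObject -Filter { Name -like 'Demo*' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Where-Object { $_.lastKnownParent -eq $ou }

foreach ($obj in $deleted) {
    # Restore-ADObject puts the object back under lastKnownParent. If that OU
    # was deleted too, the restore fails; restore the OU first (or pass
    # -TargetPath) rather than leave the object sitting in the Recycle Bin.
    $parentExists = Get-ADObject -Filter "distinguishedName -eq '$($obj.lastKnownParent)'"
    if (-not $parentExists) {
        throw "Parent $($obj.lastKnownParent) is missing; restore it first or pass -TargetPath."
    }
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Verify by GUID, not by name: a re-created account with the same name would get
# a new GUID and SID, and every ACL that referenced the old SID would stop resolving.
$after = Get-ADObject -SearchBase $ou -Filter { Name -like 'Demo*' } -Properties objectSid, memberOf
foreach ($b in $before) {
    $a = $after | Where-Object { $_.ObjectGUID -eq $b.ObjectGUID }
    if (-not $a) { throw "$($b.Name) was not restored" }
    if ($a.objectSid.Value -ne $b.Sid) { throw "$($b.Name): SID changed" }

    # Sorted, joined DN lists so that empty membership compares cleanly.
    $beforeGroups = ($b.MemberOf | Sort-Object) -join ';'
    $afterGroups  = (@($a.memberOf) | Sort-Object) -join ';'
    if ($beforeGroups -ne $afterGroups) { throw "$($b.Name): group membership changed" }

    Write-Host "$($b.Name) restored with original GUID $($a.ObjectGUID) and SID $($a.objectSid.Value)"
}
```

Run it against a test OU only; the delete step is unconditional (-Confirm:$false), exactly as in the post. The membership check matters for groups as well as users: when DemoGroup is deleted its member links are kept as deactivated links and come back on restore, which is what a tombstone-reanimation restore without the Recycle Bin would not give you.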


Useful blogs
Installing, importing and using any module in powershell
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY 
