I was recently involved in architecting the IT infrastructure for a small startup group. I deployed a Windows Server 2016 server and designed the Active Directory infrastructure. The startup's staff make heavy use of the AD API in their own software, creating and deleting AD accounts, so I wanted all the recent AD features, especially the Recycle Bin feature. Although it was introduced in Windows Server 2008 R2, I thought it was worth documenting the procedure here to create more awareness. Before deploying, read the statement below if you have a different AD architecture in mind.
"When the Recycle Bin optional feature is enabled, every DC is responsible for updating its cross-domain object references in the event that the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role."
Powershell: Temporary group membership on Windows 2016 Active Directory PAM (Privileged Access Management Feature)
To list all optional features, run the cmdlet below. It lists two features, Recycle Bin Feature and Privileged Access Management Feature. I am going to write about the second feature in my next blog. The Recycle Bin feature requires the forest functional level to be at least Windows 2008 R2; it can be raised with the Set-ADForestMode cmdlet. As I deployed my first DC on Windows Server 2016, my forest and domain functional levels are already Windows 2016. Verify this by running Get-ADDomain | Select DomainMode and Get-ADForest | Select ForestMode.
Check on Installing, importing and using any module in powershell
Get-ADOptionalFeature -Filter *
DistinguishedName : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vcloud-lab,DC=com
EnabledScopes : {CN=Partitions,CN=Configuration,DC=vcloud-lab,DC=com, CN=NTDS Settings,CN=SERVER01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcloud-lab,DC=com}
FeatureGUID : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope : {ForestOrConfigurationSet}
IsDisableable : False
Name : Recycle Bin Feature
ObjectClass : msDS-OptionalFeature
ObjectGUID : b797addd-61c3-4f3e-8168-b2f4d0c77423
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

DistinguishedName : CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vcloud-lab,DC=com
EnabledScopes : {}
FeatureGUID : ec43e873-cce8-4640-b4ab-07ffe4ab5bcd
FeatureScope : {ForestOrConfigurationSet}
IsDisableable : False
Name : Privileged Access Management Feature
ObjectClass : msDS-OptionalFeature
ObjectGUID : 06037360-fbf9-4682-8fb9-07a428a21d11
RequiredDomainMode :
RequiredForestMode : Windows2016Forest
To enable the Recycle Bin feature you need its full identity, which you will find in the DistinguishedName field of the output above. For -Scope there are two options, forest (ForestOrConfigurationSet) and domain; -Target is the domain name. This action is irreversible and you will not be able to disable the feature afterwards (note IsDisableable : False above). The setting is stored in the AD configuration partition.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature, CN=Optional Features, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=vcloud-lab,DC=com' -Scope ForestOrConfigurationSet -Target vcloud-lab.com
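The prerequisite checks described above (forest functional level, feature not already enabled, no way back once enabled), as an added example that is not part of the original post. It reads the feature DN and forest name from the directory rather than typing them; it assumes only that the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): check the prerequisites before
# running Enable-ADOptionalFeature, and take the feature DN and forest name from
# the directory instead of typing them by hand.
# Assumes the ActiveDirectory module is installed on the machine running it.
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisite {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    # From the Get-ADOptionalFeature output: RequiredForestMode is Windows2008R2Forest.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    [pscustomobject]@{
        ForestName     = $forest.Name
        ForestMode     = $forest.ForestMode
        ModeSufficient = ($forest.ForestMode -ge $required)
        AlreadyEnabled = ($feature.EnabledScopes.Count -gt 0)
        FeatureDN      = $feature.DistinguishedName
    }
}

$check = Test-RecycleBinPrerequisite
if (-not $check.ModeSufficient) {
    throw "Forest mode $($check.ForestMode) is below Windows2008R2Forest; raise it with Set-ADForestMode first."
}
if ($check.AlreadyEnabled) {
    Write-Host "Recycle Bin is already enabled in forest $($check.ForestName); nothing to do."
}
else {
    # IsDisableable is False, so this cannot be undone: keep the confirmation prompt.
    Enable-ADOptionalFeature -Identity $check.FeatureDN -Scope ForestOrConfigurationSet `
                             -Target $check.ForestName -Confirm
}
```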
Next, all my accounts are kept in a single OU, which I can list using the command below. I am gathering this information now because I need the GUIDs, so that later I can verify that the restored objects have the same GUIDs.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'}
DistinguishedName Name ObjectClass ObjectGUID
----------------- ---- ----------- ----------
CN=DemoUser,OU=DeleteOu,DC=vcloud-lab,DC=com DemoUser user 24632275-ea54-408c-bc07-fa23f8305da1
CN=DemoGroup,OU=DeleteOu,DC=vcloud-lab,DC=com DemoGroup group 7a299a0e-2e4b-4ec1-b45b-cb4727a6f0cb
CN=DemoComputer,OU=DeleteOu,DC=vcloud-lab,DC=com DemoComputer computer f04b216e-be48-4dc5-8ada-5c843d03cfbc
Next I remove (delete) the AD accounts. They are marked with the deleted flag and kept for the next 180 days; these are called tombstone objects.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'} | Remove-ADObject -Confirm:$false
Once the accounts are deleted I can verify that there are no account objects left in the OU; I can confirm the same in the GUI (dsa.msc), where it is empty.
Get-ADObject -SearchBase 'OU=DeleteOu, DC=vcloud-lab, dc=com' -Filter {Name -Like 'Demo*'}
To view deleted account objects use the -IncludeDeletedObjects parameter; -SearchBase can be used to restrict the result to a specific organizational unit. Note the Deleted attribute, which is marked True.
Get-ADObject -Filter {Name -Like 'Demo*' -and Deleted -eq $True} -IncludeDeletedObjects
Pipe the result to Restore-ADObject to recover the tombstone objects. This is a very good option and doesn't require any third-party software to restore accounts (a backup is still always essential); you can restore an account instantly.
Get-ADObject -Filter {Name -Like 'Demo*' -and Deleted -eq $True} -IncludeDeletedObjects | Restore-ADObject
List the object information again and verify the GUIDs against the information fetched earlier to confirm they are the same accounts.
Get-ADObject -Filter {Name -Like 'Demo*'}
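The delete-and-restore procedure above, with the GUID verification carried out rather than done by eye, as an added example that is not part of the original post. It uses the lab OU and Demo* names from the post; the baseline CSV path is a constructed placeholder, and the restore step sorts by the depth of LastKnownParent so that a deleted parent container is restored before its children.

```powershell
# Added example (not from the original post): record the objects' GUIDs before
# deletion, restore them afterwards, and confirm the restored objects are the same
# directory objects (same ObjectGUID and DistinguishedName) as before.
# Assumes the lab OU from the post; $baselinePath is a constructed path.
Import-Module ActiveDirectory

$searchBase   = 'OU=DeleteOu,DC=vcloud-lab,DC=com'
$baselinePath = 'C:\Temp\DeleteOu-baseline.csv'

function Save-ObjectBaseline {
    # Step 1 (before deletion): capture DN, class and GUID of the objects of interest.
    Get-ADObject -SearchBase $searchBase -Filter { Name -like 'Demo*' } |
        Select-Object DistinguishedName, ObjectClass, ObjectGUID |
        Export-Csv -Path $baselinePath -NoTypeInformation
}

function Restore-DeletedDemoObjects {
    # Step 2 (after deletion): restore the deleted objects that lived under the OU.
    # Restore-ADObject needs the LastKnownParent to exist, so when a whole subtree
    # was deleted the parent must come back first: sort by DN depth of the parent.
    Get-ADObject -Filter { Name -like 'Demo*' -and Deleted -eq $true } `
                 -IncludeDeletedObjects -Properties LastKnownParent |
        Where-Object { $_.LastKnownParent -like "*$searchBase" } |
        Sort-Object { ($_.LastKnownParent -split ',').Count } |
        Restore-ADObject
}

function Compare-RestoredObjects {
    # Step 3: match the live objects against the baseline by ObjectGUID.
    $baseline = Import-Csv -Path $baselinePath
    $current  = Get-ADObject -SearchBase $searchBase -Filter { Name -like 'Demo*' }
    foreach ($entry in $baseline) {
        $match = $current | Where-Object { $_.ObjectGUID.ToString() -eq $entry.ObjectGUID }
        [pscustomobject]@{
            DistinguishedName = $entry.DistinguishedName
            ObjectGUID        = $entry.ObjectGUID
            Restored          = [bool]$match
            SameDN            = [bool]($match -and $match.DistinguishedName -eq $entry.DistinguishedName)
        }
    }
}

# Usage: Save-ObjectBaseline before deleting; after deletion run
# Restore-DeletedDemoObjects, then Compare-RestoredObjects | Format-Table.
```

A row with Restored = True and SameDN = True means the restore brought back the original object (same GUID, and therefore the same SID and group memberships), not a newly created look-alike.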
Useful blogs
Installing, importing and using any module in powershell
POWERSHELL: INSTALLING AND CONFIGURING ACTIVE DIRECTORY