AD Recycle bin to restore deleted objects along with their attributes
Authoritative restore has long been the preferred method for administrators to bring back accidentally deleted or corrupted AD objects such as users, groups, computer accounts and OUs. With Windows Server 2008 R2, however, administrators also have the Recycle Bin. The Active Directory Recycle Bin can be used to restore deleted objects, which are stored in the hidden “deletedobjects” container. Now you must be wondering what is so different about this “deletedobjects” container, since it was also present in previous versions of Active Directory.
Well here’s the catch!
In previous versions of Active Directory, most deleted objects were stripped of their attributes and resided in the “deletedobjects” container in the “isrecycled” state. Therefore, if the object was not restored from the isdeleted (logical deletion) state, all of its attributes were gone for good.
However, with the Active Directory Recycle Bin (ADRB) in Windows Server 2008 R2, the attributes of deleted objects are retained, making the AD restoration process much simpler and less time consuming. Before you enable the AD Recycle Bin, though, some requirements must be satisfied.
Firstly, the forest functional level of your environment must be set to Windows Server 2008 R2. The functional level can be raised in two ways: with the Set-ADForestMode cmdlet from the Active Directory module, or with Ldp.exe. Apart from raising the functional level of your environment, the Active Directory schema must also be updated using the adprep.exe utility, so that pre-R2 domain controllers are no longer required before the functional level is raised.
Once the forest functional level of your environment is set to Windows Server 2008 R2, the Active Directory Recycle Bin can be enabled using the following two methods:
To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet:
- Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
- At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
To enable Active Directory Recycle Bin using Ldp.exe:
- To open Ldp.exe, click Start, click Run, and then type ldp.exe.
- To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connection, click Connect, and then click Bind.
- Click View, click Tree, in BaseDN, select the configuration directory partition, and then click OK.
- In the console tree, double-click the distinguished name of the configuration directory partition, and then navigate to the CN=Partitions container.
- Right-click the CN=Partitions container’s distinguished name, and then click Modify.
- In the Modify dialog box, make sure that the DN box is empty.
- In the Modify dialog box, in Edit Entry Attribute, type enableOptionalFeature.
- In the Modify dialog box, in Values, type CN=Partitions,CN=Configuration,DC=mydomain,DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a. Replace mydomain and com with the appropriate forest root domain name of your AD DS environment.
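The same two steps, enabling the feature and then restoring a deleted object with its attributes intact, as an added PowerShell example that is not part of the original post or of any Lepide product. It assumes an elevated Active Directory module session on a 2008 R2 forest; the account name jsmith and the fallback OU path are placeholders.

```powershell
# Added example (not from the original post): enable the Recycle Bin, then
# restore one deleted user while its attributes are still present.
# Assumptions: elevated session on a 2008 R2 forest; 'jsmith' and the
# fallback OU are placeholders.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it with Set-ADForestMode first."
}

# Enable the optional feature forest-wide. This is one-way: it cannot be disabled again.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Locate the deleted object. While it is only "deleted" (isDeleted=TRUE, isRecycled absent)
# its attributes are still there; once the deleted-object lifetime expires it becomes
# "recycled", its attributes are stripped, and Restore-ADObject can no longer bring it back.
$sam     = 'jsmith'
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$sam))" `
    -IncludeDeletedObjects -Properties isRecycled, lastKnownParent, whenChanged

if (-not $deleted)      { throw "No deleted object with sAMAccountName '$sam' found." }
if ($deleted.isRecycled) { throw "'$sam' is already recycled; only an authoritative restore from backup can help now." }

# Restore into the original container (lastKnownParent) unless that container is gone too.
$target = $deleted.lastKnownParent
try   { $null = Get-ADObject -Identity $target }
catch { $target = 'OU=Restored,DC=mydomain,DC=com' }   # placeholder fallback OU
Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $target

# Verify that attributes such as group membership survived the round trip.
Get-ADUser -Identity $sam -Properties memberOf, department |
    Select-Object Name, Department, memberOf
```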
Instead, have a look at these screenshots from LADMR…
All you need to do is right-click the DC and choose View Deleted Objects, which gives you a list of all deleted objects. Just right-click the deleted object you need, hit Restore, and you are done.
However, if it is not possible to raise the functional level of your environment to 2008 R2 and you have to stay on your current Windows Server version, then the restore AD objects feature of LepideAuditor Suite is an option for you. This Active Directory audit tool lets you restore deleted objects from the local domain complete with their attributes, without having to juggle different utilities to perform the restoration.