
Enable the Windows Server 2008 R2 Active Directory Recycle Bin Graphically

Traditionally, the Active Directory Recycle Bin is enabled by running a command like the one below in a PowerShell session that has the Active Directory module loaded.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

 

It is no secret that I am a big PowerShell fan, but let's not forget to work smarter, not harder. If you have a Windows 8 client available, you can manage the AD Recycle Bin graphically even when every domain controller you own runs Windows Server 2008 R2. The Active Directory Administrative Center (ADAC) that ships with the Windows 8 RSAT added Recycle Bin management to its interface, and it talks to domain controllers through Active Directory Web Services, which Windows Server 2008 R2 domain controllers already run.

Once you install the RSAT for Windows 8 on your client, open Administrative Tools.


Next, open the Active Directory Administrative Center.

Select your domain.


The AD Recycle Bin requires the forest functional level to be Windows Server 2008 R2 or higher, which in turn requires every domain in the forest to be at the Windows Server 2008 R2 domain functional level or higher. In the Tasks pane of the AD Administrative Center, click Raise the domain functional level.


Take note of the warning: raising a functional level is not something you undo casually, and domain controllers running an older version of Windows Server can no longer be added to the domain afterwards. Ensure Windows Server 2008 R2 is selected in the drop-down box, then click OK.


Click OK at the next warning.


If all went well, you will see this information message. Click OK.


Allow the change to replicate to all domain controllers. In a multi-domain forest you must raise the domain functional level of every domain before you can proceed to the next step, because the forest functional level cannot exceed the level of its lowest domain.

In the AD Administrative Center, click Raise the forest functional level.

The warnings are similar to those you saw when raising the domain functional level. Click OK three times. You are now able to enable the AD Recycle Bin.

Click the Refresh button in the AD Administrative Center so it re-reads the forest functional level; the Enable Recycle Bin task, previously greyed out, becomes clickable.


Click Enable Recycle Bin.

Click OK twice.

The AD Recycle Bin is now active in your forest. Two things to keep in mind: enabling the feature is irreversible, and it cannot recover objects that were deleted before it was turned on (those existing tombstones never become recoverable). Objects deleted from now on stay recoverable for the deleted-object lifetime, which defaults to the tombstone lifetime: 180 days in forests created on Windows Server 2003 SP1 or later, 60 days in older forests. If you click Refresh once again, you will notice a new container, Deleted Objects. You will like this container.
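The GUI procedure above, collapsed into its PowerShell equivalent with the prerequisite checks made explicit: raise every domain, confirm each domain controller has replicated the new level before going further, raise the forest, enable the feature once, and verify. This is an added example written for this page, not code from the original post. It assumes the RSAT Active Directory module is installed, that you run it as an Enterprise Admin, and that the domain naming master is reachable; it discovers the forest rather than hard-coding contoso.com.

```powershell
# Added example, not from the original post: scripted equivalent of the GUI
# steps, with the prerequisite checks done before anything is changed.
# Assumes the RSAT Active Directory module, Enterprise Admin rights, and a
# reachable domain naming master.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$neededDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
$neededForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
$dnm          = $forest.DomainNamingMaster   # forest-wide writes are pinned here

# 1. Every domain must be at the 2008 R2 domain functional level.
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name
    if ([int]$domain.DomainMode -lt [int]$neededDomain) {
        Write-Host "Raising $name from $($domain.DomainMode) to $neededDomain"
        Set-ADDomainMode -Identity $name -DomainMode $neededDomain -Confirm:$false
    }
}

# 2. "Allow replication to finish": every DC must already see the new level in
#    msDS-Behavior-Version on its domain naming context head. Stop if not.
foreach ($name in $forest.Domains) {
    $domainDn = (Get-ADDomain -Identity $name).DistinguishedName
    foreach ($dc in Get-ADDomainController -Filter * -Server $name) {
        $nc = Get-ADObject -Identity $domainDn -Server $dc.HostName -Properties 'msDS-Behavior-Version'
        if ([int]$nc.'msDS-Behavior-Version' -lt [int]$neededDomain) {
            throw "$($dc.HostName) has not replicated the new domain functional level yet; rerun later."
        }
    }
}

# 3. Raise the forest functional level on the domain naming master.
if ([int]$forest.ForestMode -lt [int]$neededForest) {
    Set-ADForestMode -Identity $forest -ForestMode $neededForest -Server $dnm -Confirm:$false
}

# 4. Enable the feature exactly once. Enabling is irreversible, so check first.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $dnm
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled; scopes: $($feature.EnabledScopes -join ', ')"
} else {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Server $dnm -Confirm:$false
}

# 5. Verify, and report the recovery window (deleted-object lifetime). When
#    msDS-DeletedObjectLifetime is unset the tombstone lifetime applies, and
#    when that is unset too the built-in default of 60 days applies.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $dnm
$cfgNc   = (Get-ADRootDSE -Server $dnm).configurationNamingContext
$dsCfg   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
               -Server $dnm -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$window  = $dsCfg.'msDS-DeletedObjectLifetime'
if (-not $window) { $window = $dsCfg.tombstoneLifetime }
if (-not $window) { $window = 60 }
[pscustomobject]@{
    RecycleBinEnabled     = ($feature.EnabledScopes.Count -gt 0)
    ForestMode            = (Get-ADForest -Server $dnm).ForestMode
    DeletedObjectLifetime = $window
}
```

The script is safe to run more than once: on a second run every functional level check is already satisfied and step 4 only reports the scope the feature is enabled for. The replication check in step 2 is the part the GUI leaves to you; skipping it is the usual reason Enable-ADOptionalFeature complains that the forest functional level is too low even though you just raised it.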

 

Recovering an Object from the Active Directory Recycle Bin

First let's look at the old way of recovering objects from the AD Recycle Bin. Suppose you have just realized that a user account deleted last week for a user named Zak Siblisk needs to be recovered. With Windows Server 2008 R2 or Windows 7 tools, this meant opening a PowerShell session that has access to the Active Directory module.

Next we would have to locate the user object:

Get-ADObject -Filter 'Name -like "Zak*"' -IncludeDeletedObjects


We can see that the object is in fact deleted: the Deleted column reads True and its name now carries the \0ADEL:<GUID> suffix. Let's recover it with Restore-ADObject.


Oops. Restore-ADObject fails because the parent container the object was stored in has also been deleted, and an object cannot be restored under a parent that no longer exists. We need to discover what that parent is and recover it first.


By asking Get-ADObject for the LastKnownParent property (it is not returned by default, so it has to be requested with -Properties), we can see that we first need to recover an organizational unit called OU1.


No error means the OU is restored (Restore-ADObject produces no output on success). Now go ahead and restore Zak's account.


Once again, no error means that Zak’s account is back.  Take a look at the AD Administrative Center to confirm.

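The "old way" above, as a script that handles the deleted-parent case automatically instead of discovering it from an error message. This is an added example written for this page, not code from the original post; it assumes the AD Recycle Bin is enabled and the RSAT Active Directory module is installed. The name pattern Zak* and the OU named OU1 come from the post; the helper names (Get-DeletedObjectByDN, Restore-DeletedObjectWithParents) and the target OU in the commented-out Restore To… equivalent at the end are my own placeholders.

```powershell
# Added example, not from the original post: restore a deleted user whose
# parent OU was deleted too, restoring ancestors first. Assumes the Recycle
# Bin is enabled and the Active Directory module is available.
Import-Module ActiveDirectory

$props = 'isDeleted', 'LastKnownParent', 'msDS-LastKnownRDN'

function Get-DeletedObjectByDN {
    # Resolve a LastKnownParent DN to the deleted object it names. When the
    # parent was deleted as well, LastKnownParent normally already points at
    # its tombstone under CN=Deleted Objects, so a direct lookup succeeds; the
    # fallback matches the original RDN recorded in msDS-LastKnownRDN.
    # (Placeholder helper; RDN values with LDAP metacharacters are not escaped.)
    param([string]$DistinguishedName)
    try {
        # -Identity lookups throw a terminating error when nothing matches,
        # regardless of -ErrorAction, hence the try/catch.
        return Get-ADObject -Identity $DistinguishedName -IncludeDeletedObjects -Properties $props
    } catch { }
    $rdn = ($DistinguishedName -split ',', 2)[0] -replace '^[^=]+=', ''
    Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=$rdn)" -IncludeDeletedObjects `
        -Properties $props | Select-Object -First 1
}

function Restore-DeletedObjectWithParents {
    # Restore-ADObject refuses to place a child under a deleted parent, so walk
    # the LastKnownParent chain up to the first live container and restore the
    # deleted ancestors top-most first, then the object itself.
    param([Parameter(Mandatory)]$Object)
    $chain    = @()
    $parentDn = $Object.LastKnownParent
    while ($parentDn) {
        $parent = Get-DeletedObjectByDN $parentDn
        if (-not $parent -or -not $parent.isDeleted) { break }   # live container reached
        $chain   += $parent
        $parentDn = $parent.LastKnownParent
    }
    [array]::Reverse($chain)
    foreach ($p in $chain) {
        Write-Host "Restoring parent $($p.'msDS-LastKnownRDN')"
        Restore-ADObject -Identity $p.ObjectGUID
    }
    Restore-ADObject -Identity $Object.ObjectGUID
    # Restore-ADObject is silent on success, so confirm explicitly.
    Get-ADObject -Identity $Object.ObjectGUID -Properties isDeleted
}

# 1. Find the tombstone. Deleted objects are renamed "<name>\0ADEL:<guid>",
#    so a prefix wildcard still matches. Refuse to guess if several match.
$matches = @(Get-ADObject -Filter 'Name -like "Zak*"' -IncludeDeletedObjects -Properties $props)
if ($matches.Count -eq 0) { throw "No object matching 'Zak*' found." }
if ($matches.Count -gt 1) { throw "Several objects match 'Zak*'; restore by ObjectGUID instead." }
$zak = $matches[0]
if (-not $zak.isDeleted) { Write-Host "Not deleted: $($zak.DistinguishedName)"; return }
Write-Host "Deleted object found; last known parent: $($zak.LastKnownParent)"

# 2. Restore, bringing OU1 (or whatever the deleted parent is) back first.
$restored = Restore-DeletedObjectWithParents -Object $zak
if ($restored.isDeleted) { throw "Restore failed for $($zak.ObjectGUID)" }
Write-Host "Restored to $($restored.DistinguishedName)"

# Alternative, the scripted equivalent of ADAC's "Restore To...": skip the
# parent chain and restore into a container that still exists. The target
# OU below is a placeholder, not a path from the post.
# Restore-ADObject -Identity $zak.ObjectGUID -TargetPath 'OU=Users,DC=contoso,DC=com'
```

Restoring by ObjectGUID rather than by name avoids the ambiguity the post's wildcard search leaves open when the same user was deleted and re-created more than once; the GUID is the one identifier that survives deletion unchanged.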

That took several steps and we had to recover two objects. Now let's do it graphically. In the AD Administrative Center, expand your domain and select Deleted Objects.


Notice that both objects are there. (I told you that you would like this container)  We can, however, skip restoring OU1.  Right click Zak’s account.


Notice that we have two options: Restore, which puts the object back in its original location and therefore needs that container to exist, and Restore To…, which lets you pick any existing container. Select Restore To…

Browse to the OU that you want to restore the account to.


Click OK.

The account is now restored, this time to a new location. Because the Recycle Bin preserves every attribute of a deleted object, the account comes back with its original SID, password and group memberships intact, so nothing that depended on it needs to be re-permissioned.

Even if you are not using any Windows Server 2012 Domain Controllers in your environment, you can still benefit from the Active Directory Administrative Center from the Windows 8 Remote Server Administration Tools.  Give it a try.
