Wednesday, 3 August 2011

Restore AD objects using Recycle Bin Feature of Server 2008 R2

How to restore the Object using Recycle Bin Feature of Windows Server 2008 R2

To Import the Active directory commands in the powershell we need to run the 
following command in powershell

PS> Import-Module activedirectory

Once all the Active directory cmdlets are imported after that you need to get the
functional level of the forest up to the level of Windows Server 2008 R2.  
As the Active directory Recycle Bin features only come under this functional level.
You can do this from Active Directory Domains and Trusts that is very easy way 
to do this. As you can see below that the current functional level is Windows Server
2003 and we need to raise it to Windows Server 2008 R2.

We can also raise the functional level from the powershell. The Get-ADForest 
cmdlet will return information about your forest and the Set-ADForestMode  
cmdlet will enable you to raise the current functional level.You will be prompted
to confirm that you wish to go ahead.

PS> Get-ADForest | Set-ADForestMode –ForestMode Windows2008R2Forest

Now our functional level is set to Server 2008 and now we can enable the Recycle Bin.
Now that our forest is at the correct functional level we can enable the Recycle Bin,
To enable this feature you can run the following command. It will also ask you about 
the confirmation. 

PS> Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet 
-target 'test.local'

Now that we have the Recycle Bin enabled and now we can check by deleting some
object from our AD structure.

There is a new feature included in Windows 2008 Server that is ‘Protect object from
accidental deletion’. So it may happen that you going to delete  OU but got a  
Access is denied response and the administrator will actually have to remove the
tick from that checkbox before the OU can be deleted.Below is the error that you 
will get if the ‘Protect object from accidental deletion’ is checked.

To do this you need to select the Advance Features, you can get this by following way.

Then you can go to the properties the OU and go to the Object tab and uncheck the
”Protect object from accidental deletion”

So now we have removed the checkbox and now we can remove the OU from the AD.
We have removed the Team OU and now you can see below that there is no 
Team OU in the structure.

To see all the deleted objects, we can run the below Powershell command
PS> Get-ADObject –SearchBase “CN=Deleted Objects,DC=test,DC=local” 
–ldapFilter “(objectClass=*)” -includeDeletedObjects | Format-List Name,ObjectClass,ObjectGuid

We can see from the resultant output that we have both the Users OU in there 
and the two user accounts. So now we will restore the objects
Note:- To restore the Users ,you first need to restore the Parent OU otherwise is will give you error.

PS> Restore-ADObject -identity 280befcd-6937-4030-a33c-1ba0a9d40c24 

The above command will restore the OU Team but that will be empty as we need to 
restore the User objects as well.

Now we need to restore the objects in Team OU. We can do this by the above 
method we used to restore the OU.But the problem is that if we will have 1000 users
in that OU that will be so tough to use this command to restore every single object
related to that OU Team.So to fix this we will make a search for all the deleted users 
that are related to that OU Team and then will restore them.
To do that we can run the following command.

PS> Get-ADObject -ldapFilter "(lastKnownParent=OU=Team,DC=test,DC=local)" 
-includeDeletedObjects | Restore-ADObject

After this command will finish you will see that all the users that will be related to this 
Team OU will be restored.Check the below screen shot.

The user accounts are back in the Users OU.

This is very Nice and easy feature of Windows Server 2008 R2 to restore the deleted Objects.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.