Windows 2008 R2 Active Directory introduces the Recycle Bin option. If you deployed Windows 2008 R2 or upgraded your domain to the Windows 2008 R2 schema and you think the recycle bin is active, you are wrong. You have to specifically enable the recycle bin feature.
So upgrade your forestlevel and run the following command within a poweshell console:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=DirectoryService,CN=Windows NT,CN=Services,CN=Configuration,DC=rootdomain,dc=local'
-Scope Forest -Target 'rootdomain.local'
Note: Indeed the above command is a powershell command, also a new feature in Windows 2008 R2, Active Directory powershell.
So what does the above mentioned command do: If you delete an object from this point onwards the object does not get tombstoned and stripped from most attributes but it will be transformed to a recycled-object. Link valued attributes are maintained both from and to the deleted object. This was not possible in the previous versions of the schema.
So we have a user with several attributes setup, called John Doe:
He has several options set, like streetaddress, loginscript etc. He is also a member of the group Group1. And now we delete the user from the ADUC command console.
If we want to look at the deleted object the old way of searching for it does not work anymore (http://support.microsoft.com/kb/258310) . Instead there is a hidden container called: CN=Deleted Objects, DC=<domain>.
We can retrieve this container using ldp.exe. Start LDP.exe and create a connection to the AD server. Bind using current credentials and select Options and select Controls. In the load predefined option select Return Recycled Objects. Then select view tree. Enter: CN=Deleted Objects,CN=<domain> and click OK.
Now we see the deleted John Doe object and on the right the attributes that are usually deleted.
There are multiple ways to restore the userobject. It is possible via the LDP console by removing the TRUE value of the isDeleted attribute (click modify on the object and select edit, in the attribute field type isDeleted, leave the value option empty and select Delete under Operation and hit enter. In the attribute field type distinguishedName and type the DN in the value field, under operation select Replace).
However you might find it easier to use the new poweshell commandlets, first to find the deleted object(s).
Get-AdObject –Filter {displayname –eq “John”} –IncludeDeletedObjects
To restore, simply pipe the above mentioned command to the restore command: Restore-ADObject
Get-AdObject –Filter {displayname –eq “John”} –IncludeDeletedObjects | RestoreADObject
Off course it is also possible to restore entire OU’s and the objects beneath it..
[update]
So many wonder how the group membership of users are restored during the reanimation (or restoring) of a recycle bin object.. (aswell as other backlinks).. It seems the backlinks are not deleted as they normally would have been. Although the forward link (Group Member) is deleted, the memberOf attribute (back-ward link) is not. Or in Microsoft terms:
We simply added a taxonomy to the link table which gives us the ability to preserve the link data while deactivating the link when an object is deleted.
To view the MemberOf of a deleted object you can use a powershell commandlet that Ned Pyle gave to me:
PS C:\> get-adobject -filter {lastknownparent -eq "ou=recycletest,dc=adatum,dc=com"} -searchbase "cn=deleted objects,dc
adatum,dc=com" -includedeletedobjects -properties *
userPrincipalName : whoops@adatum.com
CanonicalName : adatum.com/Deleted Objects/whoops
DEL:2563a106-b3ef-4338-b0ec-ead7cac88178
Created : 1/28/2009 8:57:58 AM
codePage : 0
modifyTimeStamp : 1/28/2009 10:27:59 AM
instanceType : 4
pwdLastSet : 128776246785482438
Description :
lastLogoff : 0
givenName : whoops
badPwdCount : 0
userAccountControl : 66048
whenCreated : 1/28/2009 8:57:58 AM
lastLogon : 0
Name : whoops
DEL:2563a106-b3ef-4338-b0ec-ead7cac88178
ObjectClass : user
accountExpires : 9223372036854775807
badPasswordTime : 0
isDeleted : True
sAMAccountName : whoops
DisplayName : whoops
DistinguishedName : CN=whoops\0ADEL:2563a106-b3ef-4338-b0ec-ead7cac88178,CN=Deleted Objects,DC=adatum,DC=
com
uSNCreated : 63465
ObjectCategory :
Modified : 1/28/2009 10:27:59 AM
adminCount : 1
sDRightsEffective : 15
dSCorePropagationData : {1/28/2009 9:51:53 AM, 1/28/2009 9:14:02 AM, 12/31/1600 7:00:00 PM}
objectSid : S-1-5-21-3745455507-831683003-5792042-1129
countryCode : 0
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectGUID : 2563a106-b3ef-4338-b0ec-ead7cac88178
Deleted : True
logonCount : 0
CN : whoops
DEL:2563a106-b3ef-4338-b0ec-ead7cac88178
LastKnownParent : OU=recycletest,DC=adatum,DC=com
ProtectedFromAccidentalDeletion : False
whenChanged : 1/28/2009 10:27:59 AM
createTimeStamp : 1/28/2009 8:57:58 AM
primaryGroupID : 513
msDS-LastKnownRDN : whoops
memberOf : {CN=Domain Admins,CN=Users,DC=adatum,DC=com}
uSNChanged : 63535
For more information on deleted objects and restoring them you can go see Jorge’s presentation: http://blogs.dirteam.com/blogs/jorge/archive/2009/01/20/speaker-at-techdays-2009.aspx