Saturday, February 20, 2010

Windows Server 2008 R2 2

In 2008 R2, you have an Active Directory Recycle Bin. The ADRB is an optional directory feature managed from PowerShell which saves you time and effort in bringing back deleted objects. To use it, you need to raise the functional level of the domain to 2008 R2.
The R2 functional level is the same as the 2008 functional level, with the addition of the Recycle Bin. You cannot have any 2008 (non-R2) systems as domain controllers if you want to use the Recycle Bin.

Windows now has an Integrated Scripting Environment (Windows PowerShell ISE) which allows creation of script libraries. PowerShell is a scripting language. Windows PowerShell ISE is added from Features in Server Manager.

ISE allows a batch-style execution of PowerShell commands. Before we can use any of the AD cmdlets in PowerShell, we need to import the Active Directory module:
Import-Module ActiveDirectory

After importing the AD module, we should enable the Recycle Bin (one line):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=google,DC=com' -Scope ForestOrConfigurationSet -Target 'google.com'

Modify the domain components (DC=google,DC=com) of the distinguished name and the -Target value to suit your forest. Enabling the feature is a one-way change; it cannot be disabled afterwards.

To get a deleted account back:
Get-ADObject -Filter {displayName -eq "Kelvin Ang"} -IncludeDeletedObjects | Restore-ADObject

Modify the display name in the filter to search for a different user. Note that the input must be the full display name. You can also modify the filter to search based on different criteria (for example sAMAccountName).

What the above script does is run the Get-ADObject command, which finds objects in Active Directory. We filter the objects by whatever criteria we feed it, and tell it to include deleted objects as well. That command returns every matched object (including its DN), which is then piped into the Restore-ADObject command.

You can also find deleted objects (groups, OUs, etc.) directly in the Deleted Objects container through:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=google,DC=com" -LDAPFilter:"(msDS-lastKnownRDN=Kelvin Ang)" -IncludeDeletedObjects -Properties lastKnownParent

This will show us the object and the container it belonged to (the lastKnownParent attribute). You can also pipe the output to Restore-ADObject. We cannot restore a user account if the OU of the user has also been deleted; the OU has to be restored first.

Use this to get an OU back (restore it before the users it contained):
Get-ADObject -LDAPFilter:"(msDS-lastKnownRDN=Engineers)" -IncludeDeletedObjects | Restore-ADObject
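The two restore steps above (find the deleted object, and restore its deleted OU first) can be combined into one function that walks lastKnownParent upwards and restores containers top-down before the object itself. This is an added example, not code from the original post; it assumes the ActiveDirectory module is loaded, the Recycle Bin is already enabled, and that a deleted child's lastKnownParent holds the DN of its (also deleted) parent inside the Deleted Objects container. The domain name and display name are placeholders taken from the post.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory
# module from RSAT / a 2008 R2 DC. The checks guard the two failure modes the
# post mentions: the feature not being enabled, and a deleted parent OU.
Import-Module ActiveDirectory

function Restore-DeletedObjectWithParents {
    param([Parameter(Mandatory = $true)][string]$DisplayName)

    # Restore-ADObject only works once the optional feature has an enabled scope.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) { throw 'AD Recycle Bin is not enabled in this forest.' }

    # Same lookup as the post, but we keep only tombstoned matches and refuse ambiguity.
    $matches = @(Get-ADObject -Filter "displayName -eq '$DisplayName'" `
        -IncludeDeletedObjects -Properties lastKnownParent, isDeleted |
        Where-Object { $_.isDeleted })
    if ($matches.Count -eq 0) { throw "No deleted object with displayName '$DisplayName'." }
    if ($matches.Count -gt 1) { throw 'More than one deleted match; refine the filter.' }
    $obj = $matches[0]

    # Walk up lastKnownParent and collect every ancestor that is itself deleted.
    # Assumption: once a parent OU is deleted, the child's lastKnownParent points
    # at the parent's DN under CN=Deleted Objects, so we can follow the chain.
    $chain = New-Object 'System.Collections.Generic.List[object]'
    $current = $obj
    while ($true) {
        $parent = Get-ADObject -Identity $current.lastKnownParent `
            -IncludeDeletedObjects -Properties lastKnownParent, isDeleted
        if (-not $parent.isDeleted) { break }   # reached a live container
        $chain.Insert(0, $parent)               # outermost ancestor goes first
        $current = $parent
    }

    # Restore top-down: a child cannot be restored until its parent exists again.
    foreach ($ancestor in $chain) {
        Write-Host "Restoring container $($ancestor.Name)"
        Restore-ADObject -Identity $ancestor.ObjectGUID
    }
    Write-Host "Restoring $DisplayName"
    Restore-ADObject -Identity $obj.ObjectGUID

    # Return the live object so the caller can verify where it landed.
    Get-ADObject -Identity $obj.ObjectGUID -Properties distinguishedName
}

Restore-DeletedObjectWithParents -DisplayName 'Kelvin Ang'
```

Run it from an elevated PowerShell session on a domain controller or a machine with RSAT; the returned object's distinguishedName confirms the account is back in its original OU.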
