Active Directory Recycle Bin - protege987/Active-Directory-Domain-Services GitHub Wiki
History
Accidental deletion of objects was common in Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). Prior to Windows Server 2008 R2 you could recover the objects, but there were some caveats.
Caveats
In Server 2008 you could use the Windows Server Backup feature together with the ntdsutil authoritative restore command to mark objects as authoritative, so that the restored data was replicated throughout the domain.
There was an issue with this method: the authoritative restore has to be done in Directory Services Restore Mode (DSRM), and during this process the DC is offline and therefore cannot service client requests.
Tombstone Reanimation
In Server 2003/2008 AD DS you could recover an AD object through tombstone reanimation. The problem is that, although the object itself comes back, its link-valued attributes (for example, group memberships of user accounts) that were physically removed and its non-link-valued attributes that were cleared are not recovered. The restored object is missing any attribute that was not saved in the tombstone.
Below are the attributes saved in a tombstone.
After reanimation, the object has the same objectGUID and objectSid attributes it originally had. This means that external references to the object, for instance in ACLs, don't have to be reset as they do if you recreate a deleted object.
For example, a user's first name (here "Paper"), stored in the givenName attribute, would not be recovered because givenName is not saved in the tombstone by default.
It is possible to add additional attributes to the tombstone, but this requires changing the schema through ADSI Edit. A source on how to do this is listed below; back up your AD database first and only do this if you know what you're doing.
Lifetime
The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC= object.
On Server 2019 it shows 180 days by default.
adsiedit.msc > connect to > Select a well known Naming Context > Configuration > OK
CN=Configuration > CN=Services > CN=Windows NT > CN=Directory Service > right click > properties
tombstoneLifetime
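The same value can be read (and previewed before changing) from PowerShell instead of ADSI Edit. This is an added example, not from the wiki; it resolves the Configuration naming context from the DC it talks to, and treats an unset attribute as the built-in 60-day default described above.

```powershell
# Added example (not part of the wiki): read or set the forest-wide tombstoneLifetime.
Import-Module ActiveDirectory

function Get-DirectoryServicePath {
    # Build the DN of CN=Directory Service from the live Configuration NC so no
    # domain name has to be typed by hand.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Get-TombstoneLifetime {
    $dsPath = Get-DirectoryServicePath
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

    if ($null -eq $ds.tombstoneLifetime) {
        # Attribute not set: the forest predates Server 2003 SP1 and uses the
        # built-in 60-day default rather than an explicit value.
        [pscustomobject]@{ Days = 60; ExplicitlySet = $false; Path = $dsPath }
    } else {
        [pscustomobject]@{ Days = [int]$ds.tombstoneLifetime; ExplicitlySet = $true; Path = $dsPath }
    }
}

function Set-TombstoneLifetime {
    # Forest-wide change; supports -WhatIf so the write can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][int]$Days)

    $dsPath = Get-DirectoryServicePath
    if ($PSCmdlet.ShouldProcess($dsPath, "Set tombstoneLifetime to $Days days")) {
        Set-ADObject -Identity $dsPath -Replace @{ tombstoneLifetime = $Days }
    }
    Get-TombstoneLifetime
}

# Usage: Get-TombstoneLifetime ; Set-TombstoneLifetime -Days 180 -WhatIf
```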
AD Recycle bin
With a basic understanding of tombstone reanimation we can talk about the AD Recycle Bin, since this feature builds on tombstone reanimation and removes its limitations. All link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion.
For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments.
Users can now visually locate a list of deleted objects and restore them to their original or desired locations.
Requirements
- The AD DS/AD LDS forest functional level must be Windows Server 2008 R2 or higher. This in turn requires every DC in the forest (or every server hosting the AD LDS configuration set) to run Windows Server 2008 R2 or later.
- Enabling Active Directory Recycle Bin is irreversible. After you enable it in your environment, you cannot disable it.
- The GUI (Active Directory Administrative Center) requires Windows Server 2012 or later.
Active Directory Recycle Bin step-by-step
Raise the forest functional level
GUI way
Open server manager > Tools > Active Directory Administrative center
In the new window click the domain node. Either right-click in the middle pane and choose "Raise the forest functional level..." or click "Raise the forest functional level..." in the right-hand Tasks pane.
I'm currently on forest level Server 2016
Powershell command
This does the same as the GUI steps above:
Set-ADForestMode -Identity "domain" -ForestMode Windows2016Forest
Use the following commands for more information:
To see the examples, type: "get-help Set-ADForestMode -examples"
For more information, type: "get-help Set-ADForestMode -detailed"
For technical information, type: "get-help Set-ADForestMode -full"
Enable Recycle Bin
GUI way
Open server manager > Tools > Active Directory Administrative center
Right-click in the middle pane and choose "Enable Recycle Bin..." or click "Enable Recycle Bin..." in the right-hand Tasks pane.
Remember this change cannot be undone!
Afterwards, refresh the window to see the change.
Powershell version
If you encounter an error, you can try moving both the schema master and the domain naming master roles to the same domain controller in the root domain. Then run the cmdlet from that domain controller.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
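Because the step cannot be undone, it is worth checking the prerequisites first and skipping the enable if it has already been done. The following is an added example (not from the wiki): it reads the forest mode, whether the feature already has an enabled scope, and whether the schema master and domain naming master sit on the same DC as the note above suggests; the enum comparison and the -Server choice are my assumptions about the ActiveDirectory module, not the wiki's.

```powershell
# Added example (not part of the wiki): pre-flight check before enabling AD Recycle Bin.
Import-Module ActiveDirectory

function Test-RecycleBinReady {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    # EnabledScopes lists the partitions the feature is on for; empty means never enabled.
    $enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    # ADForestMode is an enum ordered by OS version; 2008 R2 or later is required.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $modeOk   = [int]$forest.ForestMode -ge [int]$required

    [pscustomobject]@{
        Forest             = $forest.Name
        ForestMode         = $forest.ForestMode
        ForestModeOk       = $modeOk
        AlreadyEnabled     = $enabled
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        FsmoOnSameDC       = ($forest.SchemaMaster -eq $forest.DomainNamingMaster)
    }
}

function Enable-RecycleBinChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $state = Test-RecycleBinReady
    if ($state.AlreadyEnabled) {
        Write-Host "Recycle Bin is already enabled in $($state.Forest); nothing to do."
        return $state
    }
    if (-not $state.ForestModeOk) {
        throw "Forest mode $($state.ForestMode) is below Windows2008R2Forest; raise it first."
    }
    if (-not $state.FsmoOnSameDC) {
        Write-Warning "Schema master and domain naming master are on different DCs; move them together if the enable fails."
    }
    # Irreversible: ShouldProcess lets -WhatIf / -Confirm gate the real write.
    if ($PSCmdlet.ShouldProcess($state.Forest, 'Enable Recycle Bin Feature (cannot be undone)')) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
            -Target $state.Forest -Server $state.DomainNamingMaster -Confirm:$false
    }
    Test-RecycleBinReady
}

# Usage: Test-RecycleBinReady ; Enable-RecycleBinChecked -WhatIf
```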
Test
Create users, group and OU using GUI or powershell.
1..2 | ForEach-Object {New-ADUser -SamAccountName test$_ -Name "test$_" -Path "DC=fabrikam,DC=com" -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssword1" -Force) -Enabled $true}
New-ADGroup -Name "group1" -SamAccountName group1 -GroupCategory Security -GroupScope Global -DisplayName "group1"
New-ADOrganizationalUnit -Name OU1 -Path "DC=fabrikam,DC=com"
Here we have the test OU, users and group.
Restoring objects
In the ADAC GUI (dsac.exe) select the domain; on the right you will see the Deleted Objects container, which holds what we removed.
Here we can see information regarding the deleted objects.
If we right-click an object we can restore it to its previous location with the Restore option; Locate Parent shows where it came from.
Before restore
After restore with a refresh (F5)
Let's restore 2 objects to a different location
Restored
Powershell option
Restore to the original location:
Get-ADObject -Filter 'Name -Like "*test*"' -IncludeDeletedObjects | Restore-ADObject
Restore to a new location:
Get-ADObject -Filter 'Name -Like "*test*"' -IncludeDeletedObjects | Restore-ADObject -TargetPath "OU=OU1,DC=contoso,DC=com"
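Two things bite in practice with the one-liners above: -IncludeDeletedObjects also returns live objects whose name matches, and Restore-ADObject fails if the object's original parent (the OU shown by Locate Parent) is itself still deleted. This added example (not from the wiki) restricts the filter to isDeleted objects and restores a deleted parent first, one level up; the regex on the parent's deleted DN is my assumption about how lastKnownParent is recorded.

```powershell
# Added example (not part of the wiki): restore deleted objects by name prefix,
# matching only deleted objects and bringing back a deleted parent OU first.
Import-Module ActiveDirectory

function Restore-DeletedByName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$NamePrefix,   # e.g. 'test'
        [string]$TargetPath                          # optional new parent DN
    )

    # isDeleted -eq $true keeps live objects named test* out of the pipeline.
    $filter  = "isDeleted -eq `$true -and Name -like '$NamePrefix*'"
    $deleted = Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties lastKnownParent

    foreach ($obj in $deleted) {
        $params = @{ Identity = $obj.ObjectGUID; ErrorAction = 'Stop' }

        if ($TargetPath) {
            $params.TargetPath = $TargetPath
        } elseif ($obj.lastKnownParent -match '0ADEL:([0-9a-fA-F-]{36})') {
            # lastKnownParent points at a deleted container; the GUID after 0ADEL:
            # identifies it, so restore it first if it is still in the recycle bin.
            $parent = Get-ADObject -Identity $Matches[1] -IncludeDeletedObjects -Properties isDeleted
            if ($parent.isDeleted -and $PSCmdlet.ShouldProcess($parent.DistinguishedName, 'Restore parent first')) {
                Restore-ADObject -Identity $parent.ObjectGUID -ErrorAction Stop
            }
        }

        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Restore-ADObject')) {
            Restore-ADObject @params
        }
    }
}

# Usage: Restore-DeletedByName -NamePrefix 'test' -WhatIf
#        Restore-DeletedByName -NamePrefix 'test' -TargetPath 'OU=OU1,DC=contoso,DC=com'
```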
Sources:
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-
- https://petri.com/active-directory-recycle-bin/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732211(v=ws.11)
- https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc137800(v=msdn.10)
- https://4sysops.com/archives/how-to-save-additional-active-directory-attributes-and-the-password-in-tombstone-objects/
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adforestmode?view=windowsserver2022-ps
- https://www.dell.com/support/kbdoc/en-us/000213101/how-to-modify-the-tombstone-lifetime-of-an-active-directory-forest#:~:text=In%20the%20center%20pane%2C%20right,the%20tombstone%20lifetime%20in%20days.