Getting closer to the Active Directory Recycle Bin for free

Active Directory

I just posted that in R2 Microsoft plans to provide a true Recycle Bin for AD objects that were deleted, but until then the best we’ve got is Windows Server 2008 Active Directory.

After hours of researching “how do AD snapshots in 2008 help me recover a deleted object(s), its attributes, and referring objects (i.e. groups pointing back to the deleted user)?” I was disappointed.

From what I can tell, the answer is: built-in tools allow for no additional automation over 2003 AD, other than using cut and paste to restore attributes from the snapshot to live AD (after you’ve reanimated the object in live AD).

You may be able to mount AD snapshots, and even view them with Users and Computers and other AD tools, but you really can’t DO ANYTHING with that data. So I went searching for how others were solving this.

Here’s one of a few tools that tries to automate the process of finding the tombstoned object in your live AD, finding its old info in a snapshot, and dumping that data back into the reanimated object in AD:

Jorge from dirteam.com talks about it, basically describing my realization in greater detail.

  • http://www.fishbrains.com Bret Fisher

    Also, Ulf has a great summary of what to do, and points to another tool I haven’t tried yet called Directory Service Comparison Tool.

  • http://lindstrom.nullsession.com Fredrik Lindström

    Hi Bret,
    thanks for mentioning my application. If you get the chance to give it a try I’d be more than happy to hear any feedback you might have.

    Regarding the recycle bin in R2, I’d just like to add that it’s a great (and long overdue) feature. Recovering deleted objects with all attribute values intact is now a lot simpler than before.

    A scenario that the recycle bin will not help with is the restoration of a few select attribute values on an existing object. For example, let’s say all group membership is accidentally removed from a user but neither the user nor the groups are deleted. This scenario still requires the use of some tool that can read a backup of some sort (AD snapshots for example) and selectively restore values.

    So rather than the recycle bin in R2 replacing various nifty tools, I see it more as a very potent complement to already existing solutions.
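
The "cut and paste" step in the post and the selective-restore scenario in the comment above both come down to reading an object from a mounted snapshot and writing chosen values back to live AD. The PowerShell below is an added example, not code from the post or from any of the tools mentioned; the parameter names, the port 51389 and the attribute list are assumptions.

```powershell
# Added example, not from the original post. Assumptions: an AD snapshot is
# mounted (ntdsutil snapshot) and served by dsamain with -ldapport 51389 on
# this machine; the object exists in live AD (already reanimated if it was
# deleted) under the same DN as in the snapshot; attributes are string-valued.
param(
    [Parameter(Mandatory = $true)][string]$ObjectDN,
    [int]$SnapshotPort = 51389,          # assumed dsamain LDAP port
    [string[]]$Attributes = @('description', 'department', 'telephoneNumber'),
    [switch]$Apply                       # without -Apply nothing is written
)

$snap = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$SnapshotPort/$ObjectDN")
$live = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ObjectDN")

# 1. Attributes stored on the object itself: restore values that differ.
$changed = $false
foreach ($name in $Attributes) {
    $old = @($snap.Properties[$name] | Sort-Object)
    $new = @($live.Properties[$name] | Sort-Object)
    if ($old.Count -eq 0 -or ($old -join "`n") -eq ($new -join "`n")) { continue }
    Write-Output "attribute ${name}: live='$($new -join ';')' snapshot='$($old -join ';')'"
    if ($Apply) { $live.Properties[$name].Value = $old; $changed = $true }
}
if ($changed) { $live.CommitChanges() }

# 2. Group memberships live on the groups (member), not on the user, so each
#    missing link is re-added on the group. memberOf omits the primary group.
$liveGroups = @($live.Properties['memberOf'])
foreach ($groupDN in @($snap.Properties['memberOf'])) {
    if ($liveGroups -contains $groupDN) { continue }
    Write-Output "membership missing in live AD: $groupDN"
    if (-not $Apply) { continue }
    try {
        $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$groupDN")
        [void]$group.Properties['member'].Add($ObjectDN)
        $group.CommitChanges()
    } catch {
        # The group itself may have been deleted or moved since the snapshot.
        Write-Warning "could not update ${groupDN}: $($_.Exception.Message)"
    }
}
```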
