2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Preface
In day-to-day IT operations, slips of the hand are inevitable. What if a user account is deleted by mistake in an AD domain environment? Not to worry: Microsoft introduced a new feature in Windows Server 2008 R2, the AD Recycle Bin, which lets you recover mistakenly deleted AD accounts.
Before we begin, here is a tip for preventing such slips. In Windows Server 2008, you can also prevent accidental deletion through the user's properties. Right-click the user and open Properties. On the "Object" tab there is an option, "Protect object from accidental deletion". If you tick it, the user cannot be deleted. Let's try it.
Tick "Protect object from accidental deletion" for the user account user02 and click OK.
Right-click the user02 account and choose Delete. An error dialog pops up and user02 cannot be deleted.
This small safeguard against accidental deletion was introduced in Windows Server 2008, so there is no point trying it if you are running Windows Server 2003.
Introduction to the function of AD Recycle Bin
Here is an introduction to the AD Recycle Bin function.
The AD Recycle Bin is a feature introduced in Windows Server 2008 R2. It can be used to recover mistakenly deleted AD objects, including user accounts, computer accounts and OUs. The AD Recycle Bin increases the size of the AD database (NTDS.DIT) on each domain controller in the forest. Over time, the disk space used by the Recycle Bin keeps growing, because it retains each deleted object together with all of its attribute data. By default, deleted objects are retained for 180 days, and attributes such as the user's group memberships come back when the object is restored.
The AD Recycle Bin is not enabled by default and has to be turned on manually, which is only possible if your AD forest functional level is at least Windows Server 2008 R2. Note that once the AD Recycle Bin is enabled, it can no longer be disabled. The following describes how to enable the AD Recycle Bin in Windows Server 2008 R2 and how to restore mistakenly deleted AD accounts.
Feature enabled
First confirm the functional level of the forest and domain
Open the management tool "Active Directory Domains and Trusts", right-click, and select "Raise Forest Functional Level". You can see that the current forest functional level is Windows Server 2003 mode. Choose to raise the functional level to Windows Server 2008 R2. (Note: you cannot roll back after raising the functional level!)
Use PowerShell commands to enable the AD Recycle Bin feature. (Note: once enabled, the AD Recycle Bin feature cannot be disabled!) If the command runs without errors, the Recycle Bin has been enabled successfully.
Import-Module ActiveDirectory   # Import the AD module
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=HBYCRSJ,DC=com' -Scope ForestOrConfigurationSet -Target 'hbycrsj.com'
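Because enabling the feature is irreversible, it is worth verifying the prerequisites described above before running the command. The following is an added example, not part of the original article; it assumes it is run with forest-level admin rights on a machine that has the ActiveDirectory module, and it uses -WhatIf so nothing is changed until you remove that switch.

```powershell
# Added example: pre-flight check before the irreversible Enable-ADOptionalFeature call.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# The Recycle Bin requires a forest functional level of Windows Server 2008 R2 or newer.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minMode) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 first."
}

# Retention: msDS-DeletedObjectLifetime controls how long deleted objects stay restorable.
# When it is not set, the directory falls back to tombstoneLifetime.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dirSvc   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$retention = $dirSvc.'msDS-DeletedObjectLifetime'
if ($null -eq $retention) { $retention = $dirSvc.tombstoneLifetime }
Write-Output "Deleted-object retention (days): $retention"

# EnabledScopes is empty until the feature has been turned on for the forest.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin is already enabled for forest $($forest.Name)."
}
else {
    # -WhatIf only reports what would happen. Remove it to actually enable the feature;
    # after that the Recycle Bin cannot be turned off again.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -WhatIf
}
```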
Before deleting the user, first clear the "Protect object from accidental deletion" option.
Delete the user02 account.
Use a PowerShell command to find the user user02; you can see that its Deleted attribute is True.
Get-ADObject -Filter {displayName -eq "user02"} -IncludeDeletedObjects
Restore deleted account
# Replace "displayname" with the display name of the deleted object, e.g. user02
Get-ADObject -Filter {displayName -eq "displayname"} -IncludeDeletedObjects | Restore-ADObject
You can see that the user02 account has been restored.
Run the PowerShell command again to view the properties of user02, and you can see that the Deleted attribute is now empty.
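The one-line pipeline above restores every deleted object that matches the display name. The following added example (not from the original article) shows a more cautious version of the same restore: it lists where each match used to live, refuses to act when the name is ambiguous, and turns accidental-deletion protection back on afterwards. The variable names are illustrative, and user02 is the account from the walkthrough.

```powershell
# Added example: restore a single deleted user and re-protect it.
Import-Module ActiveDirectory

$name = 'user02'   # display name of the account deleted in the walkthrough

# Deleted objects are moved and renamed, so request the attributes that record
# the original parent container and the time of the last change (normally the deletion).
$filter  = 'isDeleted -eq $true -and displayName -eq "{0}"' -f $name
$deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
                -Properties displayName, lastKnownParent, whenChanged)

if ($deleted.Count -eq 0) {
    Write-Warning "No deleted object with display name '$name' was found. It may be past the retention period."
}
elseif ($deleted.Count -gt 1) {
    # The same display name can have been deleted more than once; let the operator choose.
    Write-Warning "More than one match. Restore the intended one by ObjectGUID:"
    $deleted | Sort-Object whenChanged |
        Format-Table ObjectGUID, whenChanged, lastKnownParent -AutoSize
}
else {
    $target = $deleted[0]
    Write-Output "Restoring '$name' to $($target.lastKnownParent) (changed $($target.whenChanged))"

    # Restore-ADObject puts the object back under lastKnownParent; if that container
    # was deleted too, restore the container first or pass -TargetPath.
    $restored = $target | Restore-ADObject -PassThru

    # The walkthrough cleared the protection flag in order to delete the account,
    # so set it again now that the object is back.
    $restored | Set-ADObject -ProtectedFromAccidentalDeletion $true

    # Confirm the result: the live object no longer reports Deleted = True.
    Get-ADObject -Identity $restored.ObjectGUID -Properties displayName, isDeleted
}
```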
Graphical interface
Convenient, isn't it? You no longer have to worry about a slip of the hand. However, many people will say that having to do all this on the command line is too much trouble. Don't worry: Microsoft has kindly provided a graphical interface for this feature in Windows Server 2012 R2. Let's look at how to do it in the graphical interface (there are also third-party tools on the Internet that provide a graphical interface for the AD Recycle Bin, which are not described here), provided, of course, that your domain controller is running Windows Server 2012 R2.
Again, you first need a forest functional level of at least Windows Server 2008 R2. In Windows Server 2012, there is a new management tool called "Active Directory Administrative Center".
You can see that Active Directory Administrative Center already has an "Enable Recycle Bin" button, but it is currently grayed out. There are only two possible reasons: 1. the forest functional level is lower than the required Windows Server 2008 R2; 2. the Recycle Bin has already been enabled.
Click "Raise the forest functional level" and you can see that the current forest functional level is Windows Server 2008. Enabling the AD Recycle Bin requires at least the Windows Server 2008 R2 forest functional level. Click OK to raise the forest functional level.
A warning appears stating that the change cannot be reverted after the forest functional level has been raised. Click OK.
The forest functional level has been raised successfully. In Active Directory Administrative Center, you can see the history of the PowerShell commands that were run at the bottom of the panel.
Click the refresh button in the upper right corner, and you can see that the "Enable Recycle Bin" button becomes available.
Click "Enable Recycle Bin". You are warned that the Recycle Bin cannot be disabled after it is enabled; click OK.
Now that the AD Recycle Bin function is enabled, let's test it.
Delete the test account user01
Open the "Deleted Objects" container
You can see the deleted user account user01 and the time when the account was deleted.
In Active Directory Administrative Center, the restore operation is very simple. Just click "Restore" or "Restore To" in the task pane on the right side of the panel. "Restore" restores the account to its original location, and "Restore To" restores the account to another location.
Select the deleted account and click "Restore" to restore the account to its original location. There is no confirmation prompt during the operation; the account is restored directly.
You can see the user01 account in the Users OU.
Choose "Restore To" to pick the location to which you want to restore.
Select the location to restore to. Here, take the "Builtin" OU as an example, and click OK.
You can see that "Deleted Objects" is now empty, and that the user01 account is in the Builtin OU.
This is the end of the introduction of the AD Recycle Bin function and account recovery.