1
00:00:01,040 --> 00:00:03,840
Active Directory Recycle Bin.

2
00:00:03,840 --> 00:00:07,630
The AD Recycle Bin is super useful to help you recover

3
00:00:07,630 --> 00:00:10,300
deleted AD user and group accounts.

4
00:00:10,300 --> 00:00:10,810
Why?

5
00:00:10,810 --> 00:00:11,910
Well, let's face it,

6
00:00:11,910 --> 00:00:15,290
an employee may leave your company and one of your colleagues

7
00:00:15,290 --> 00:00:18,060
may think they're doing a great thing by deleting that user

8
00:00:18,060 --> 00:00:20,140
account from Active Directory.

9
00:00:20,140 --> 00:00:23,430
Maybe they don't know that you have a compliance requirement to keep

10
00:00:23,430 --> 00:00:26,320
those deleted accounts; you should just disable them,

11
00:00:26,320 --> 00:00:26,960
let's say.

12
00:00:26,960 --> 00:00:28,570
Well, how can you recover them?

13
00:00:28,570 --> 00:00:28,760
Well,

14
00:00:28,760 --> 00:00:31,640
it used to be back in the earlier days of Active Directory

15
00:00:31,640 --> 00:00:34,720
that you'd need to reboot a domain controller into

16
00:00:34,720 --> 00:00:36,840
Directory Services Restore Mode,

17
00:00:36,840 --> 00:00:40,290
perform what's called an authoritative restore of the deleted object,

18
00:00:40,290 --> 00:00:44,420
and then force replication to ensure that all domain controllers get a

19
00:00:44,420 --> 00:00:48,920
copy of it. Yeah, it's a lot easier nowadays with the Recycle Bin. The

20
00:00:48,920 --> 00:00:52,900
retention attributes in the Active Directory schema are important for

21
00:00:52,900 --> 00:00:56,340
you to know for the exam. The formal attribute is

22
00:00:56,340 --> 00:01:02,430
msDS-deletedObjectLifetime, and you set that; it uses as its default the

23
00:01:02,430 --> 00:01:04,200
value of another attribute,

24
00:01:04,200 --> 00:01:08,720
tombstoneLifetime. Now from Windows Server 2003 forward, that

25
00:01:08,720 --> 00:01:12,430
default is 180 days. You can raise it if you want to.
26
00:01:12,430 --> 00:01:16,640
And that's basically the retention period: if you delete a user or group,

27
00:01:16,640 --> 00:01:21,400
it's not going to be until day 181 that the Active Directory garbage

28
00:01:21,400 --> 00:01:24,510
collection process permanently purges that account.

29
00:01:24,510 --> 00:01:26,620
So that's a pretty good length of time.

30
00:01:26,620 --> 00:01:29,920
Now, the Recycle Bin is disabled by default.

31
00:01:29,920 --> 00:01:34,090
It's a one-way operation because it involves a modification of the Active

32
00:01:34,090 --> 00:01:38,640
Directory schema. And if you're cognizant or aware of how the schema works

33
00:01:38,640 --> 00:01:44,080
historically from the very beginning in Windows 2000 Server, the schema allows

34
00:01:44,080 --> 00:01:49,240
you to extend it, and then if you don't need an extension, you can disable it or

35
00:01:49,240 --> 00:01:51,510
deactivate it, but you cannot remove it.

36
00:01:51,510 --> 00:01:53,640
It's a one-way operation.

37
00:01:53,640 --> 00:01:57,880
We manage the AD Recycle Bin using the Active Directory

38
00:01:57,880 --> 00:02:01,300
Administrative Center if you want a GUI tool. Actually, the

39
00:02:01,300 --> 00:02:04,910
ADSI Edit MMC console is another GUI tool.

40
00:02:04,910 --> 00:02:08,110
Less user-friendly for sure than ADAC.

41
00:02:08,110 --> 00:02:12,350
And then, of course, there's Windows PowerShell. In the demo,

42
00:02:12,350 --> 00:02:16,370
I will use Administrative Center, but I want to go over the PowerShell here,

43
00:02:16,370 --> 00:02:21,530
just for completeness and just with that theme of AZ-800 and

44
00:02:21,530 --> 00:02:23,970
801 relying on Windows PowerShell a lot.

45
00:02:23,970 --> 00:02:28,140
You really can't have enough PowerShell, in my humble opinion.

46
00:02:28,140 --> 00:02:32,630
The first bit of code here is showing us how to enable the AD Recycle Bin.
47
00:02:32,630 --> 00:02:36,240
We're using Enable-ADOptionalFeature on one of our domain

48
00:02:36,240 --> 00:02:39,870
controllers, and you're specifying your scope with your domain

49
00:02:39,870 --> 00:02:43,730
name, all right? To restore a deleted user, this example is

50
00:02:43,730 --> 00:02:46,350
capitalizing on the PowerShell pipeline.

51
00:02:46,350 --> 00:02:51,740
We're doing a Get-ADObject, running a Filter script to grab Marc Brown, and

52
00:02:51,740 --> 00:02:57,170
then that IncludeDeletedObjects is critical because that's the way that we

53
00:02:57,170 --> 00:03:02,790
can surface Marc, as long as, A, the account is in the Recycle Bin, and B, the

54
00:03:02,790 --> 00:03:06,240
tombstone lifetime hasn't yet elapsed.

55
00:03:06,240 --> 00:03:10,850
And then the pipe character allows us to take that resolved object and then

56
00:03:10,850 --> 00:03:15,400
restore it. Simple as that. And then to set a new default tombstone

57
00:03:15,400 --> 00:03:19,140
lifetime using PowerShell in this example, again,

58
00:03:19,140 --> 00:03:22,000
there are always multiple ways to accomplish any of these

59
00:03:22,000 --> 00:03:24,690
goals. The Enable-ADOptionalFeature,

60
00:03:24,690 --> 00:03:29,340
that's pretty much it as far as enabling AD Recycle Bin. And it's true

61
00:03:29,340 --> 00:03:34,890
that to query the Recycle Bin, you'll use Get-ADObject, but you can go

62
00:03:34,890 --> 00:03:37,330
a number of different specific ways.

63
00:03:37,330 --> 00:03:39,070
Longer, shorter ways around.
64
00:03:39,070 --> 00:03:44,640
In this example, we're creating a reference to the domain forest root, and

65
00:03:44,640 --> 00:03:49,720
then we need the distinguished LDAP syntax to that domain, and we're storing

66
00:03:49,720 --> 00:03:55,540
those as variables, and then we're doing Set-ADObject, just patching in

67
00:03:55,540 --> 00:03:58,850
using Replace, a new key-value pair;

68
00:03:58,850 --> 00:04:06,000
tombstoneLifetime is the name of the attribute. In this example, we're extending it to 360 days