First of all, a small case. A customer told me that he had accidentally deleted an Exchange account, an operation that also deletes the account in AD. The user then created a new account with the same name to connect the disconnected mailbox, but logging in to OWA produced a prompt that the user was disabled. I reproduced this in my test environment and saw the same behaviour, so after work I restarted the Exchange Information Store service, and the next day the user could log on. The cause is a delay between the AD service and the Exchange Information Store service: by the next day the information had synchronized, so logging on worked normally.
That was a long detour, and you can ignore the story above. The point is that if your operating system is Windows Server 2008 R2, none of this trouble is necessary: turning on the ADRecycleBin (AD Recycle Bin) feature avoids the problems caused by mistakenly deleting users.
If the AD Recycle Bin feature is enabled, a mistakenly deleted user can be restored and the disconnected mailbox can then continue to be used.
== ADRecycleBin prerequisites
First, the operating system must be Windows Server 2008 R2; the edition is not restricted.
Second, the forest functional level must be 2008 R2, or enabling the feature will fail. Use Get-ADForest to view the forest functional level.
If it is not 2008 R2, raise the forest functional level first.
== Enabling the ADRecycleBin feature
1) Enabling the feature requires PowerShell with the AD module and, most importantly, domain administrator privileges.
2) Check whether the AD Recycle Bin feature is enabled in the domain: a value in the enabled-scopes field (the red box in the original screenshot) means it is enabled, and no value means it is not enabled.
3) Enter the following command to enable the AD Recycle Bin. A prompt warns that this action is irreversible: the feature cannot be disabled once it has been enabled.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=a,DC=com' -Scope ForestOrConfigurationSet -Target 'a.com'
Replace the domain parts (marked in red in the original screenshot; here DC=a,DC=com and 'a.com') with your own domain name.
4) Now look again at which features are enabled in the domain. The enabled scope covers the whole domain, which means all objects in the whole domain can be restored.
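The prerequisite check and the one-way enable step above, combined into one re-runnable script. This is an added example, not code from the original post; it assumes the ActiveDirectory module is installed and that the account running it may change forest-wide configuration. Both changing commands carry -WhatIf so nothing is modified until it is removed.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# Prerequisite: the forest functional level must be 2008 R2 or higher,
# otherwise Enable-ADOptionalFeature fails.
if ($forest.ForestMode -lt $required) {
    Write-Warning "Forest mode is $($forest.ForestMode); it must be raised first."
    # Raising the forest level is itself a one-way change.
    # Remove -WhatIf only after confirming every DC runs 2008 R2 or later.
    Set-ADForestMode -Identity $forest.Name -ForestMode $required -WhatIf
    return
}

# An empty EnabledScopes list means the Recycle Bin is not enabled yet.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output 'Recycle Bin is already enabled for these scopes:'
    $feature.EnabledScopes
    return
}

# Irreversible: once enabled, the feature cannot be disabled.
# Using the DN returned by the query avoids typing DC=a,DC=com by hand.
Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
    -Scope ForestOrConfigurationSet -Target $forest.Name -WhatIf
```

Objects deleted before the feature was enabled do not gain full-attribute recovery afterwards, so run the check on every forest before an accidental deletion happens.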
== User account recovery
1) Delete the U1 account.
2) When the object being viewed is not a deleted user, there is no value after Deleted.
3) U1 is the account we just deleted; the value after Deleted is True, meaning the object has been deleted.
4) To restore the account, append "| Restore-ADObject" to the command.
5) After the account is restored, all user attributes and the user's storage location are retained, and the properties are
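The recovery steps above as one script, including the case from the opening story where an account with the same name has been re-created. This is an added example, not code from the original post; the account name u1 comes from the walkthrough, and the ActiveDirectory module plus an enabled Recycle Bin are assumed.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory
$sam = 'u1'   # the account deleted in the walkthrough

# Deleted objects are only returned when -IncludeDeletedObjects is given.
# Filtering on isDeleted skips any live account re-created with the same name.
$deleted = @(Get-ADObject -IncludeDeletedObjects `
    -Filter "samAccountName -eq '$sam' -and isDeleted -eq `$true" `
    -Properties samAccountName, lastKnownParent, whenChanged, 'msDS-LastKnownRDN')

if ($deleted.Count -eq 0) {
    Write-Warning "No deleted object with samAccountName '$sam' was found."
    return
}

# Show where each candidate lived and when it last changed (the deletion).
$deleted | Sort-Object whenChanged -Descending |
    Format-Table ObjectGUID, 'msDS-LastKnownRDN', lastKnownParent, whenChanged

if ($deleted.Count -gt 1) {
    # The same name was deleted more than once: choose by ObjectGUID by hand.
    Write-Warning 'Several deleted objects match; restore the right one by ObjectGUID.'
    return
}

# The restore can fail when the parent OU was deleted too (restore the OU
# first) or when a live object with the same name already exists.
$deleted[0] | Restore-ADObject -ErrorAction Stop

# The account returns with its previous attributes, group memberships
# included, so review them before handing the account back to the user.
Get-ADUser -Identity $sam -Properties memberOf, whenCreated |
    Select-Object Enabled, DistinguishedName, whenCreated, memberOf
```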
== Using the ADRecycleBin tool
This tool also does not work well if the AD Recycle Bin feature is not enabled in the domain.
In that case the recovered user is in a disabled state, the password needs to be reset, and, most importantly, all attributes are lost after recovery.
If the AD Recycle Bin feature is enabled for the domain, the tool's effect is the same as recovery by command, and it is more convenient to manage!
1) Click Load Deleted Objects to display all deleted objects.
2) Select the user and click Restore Checked Objects to recover the object.
3) A prompt reports that the recovery succeeded.
4) I deleted the objects in the test OU together with the OU itself, and the tool can still see the information of the deleted objects.
After selecting them, click Restore Checked Objects to recover the objects.
5) All attributes are restored and are the same as before.
Finally, note that the ADRecycleBin feature must be enabled in the domain before the tool can recover all attributes.
The uploaded attachment was reported as corrupted after download, so the file has been uploaded to Baidu Cloud disk instead.
Link: http://pan.baidu.com/s/1mhMOrw8 Password: wg8d
This article is from the "Sameold" blog; reprinting is declined!
Prevent accidental deletion of AD objects--enable Adrecyclebin