Tuesday, July 17, 2012

Active Directory: Restore User from AD Recycle Bin

Ever accidentally deleted a user from Active Directory, only to find that they need their account restored?  You can recreate the account manually, but the SID (security identifier) will be different the second time around, so you have to re-establish group membership, folder permissions, remount the Exchange mailbox, etc.

If you are running a Windows 2008 R2 domain environment with your domain and forest functional level at 2008 R2, there's a handy new feature called the Active Directory Recycle Bin.  It is only accessible through PowerShell, which is kind of a pain, but in the script below I've integrated a simple .NET form with the cmdlet required to perform the object restore.  You will have to enable this feature first to use it, and there's no going back once you do (why would you want to?).

To enable this feature, run PowerShell as administrator and run the following cmdlet, replacing all instances of "yourdomain.com" (including the DC=yourdomain,DC=com form) with your AD domain info.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com' -Scope ForestOrConfigurationSet -Target 'yourdomain.com'
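Before running that one-way command it is worth confirming the prerequisites and seeing whether someone has already enabled the feature.  The following is an added example, not part of the original post: it reads the forest functional level, the Recycle Bin feature's EnabledScopes, and the deleted-object lifetime from the configuration partition, and builds the feature DN from the forest itself instead of a hand-typed "yourdomain.com".  The function name Get-ADRecycleBinStatus is my own; the cmdlets and attributes are the standard ones from the ActiveDirectory module.

```powershell
# Added example (not from the original post): check the AD Recycle Bin prerequisites
# and report its state before enabling it.
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    $forest = Get-ADForest
    $cfgNC  = (Get-ADRootDSE).configurationNamingContext

    # The Recycle Bin needs forest functional level Windows Server 2008 R2 or higher.
    $minLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk  = [int]$forest.ForestMode -ge [int]$minLevel

    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    # How long a deleted object stays restorable. msDS-DeletedObjectLifetime falls back
    # to tombstoneLifetime when unset; tombstoneLifetime itself defaults to 180 days
    # (60 days on forests created before Windows Server 2003 SP1) when unset.
    $dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    $lifetime = $dsCfg.'msDS-DeletedObjectLifetime'
    if (-not $lifetime) { $lifetime = $dsCfg.tombstoneLifetime }
    if (-not $lifetime) { $lifetime = 'not set (tombstoneLifetime default applies)' }

    [pscustomobject]@{
        ForestMode                = $forest.ForestMode
        ForestModeOk              = $levelOk
        RootDomain                = $forest.RootDomain
        RecycleBinEnabled         = $enabled
        DeletedObjectLifetimeDays = $lifetime
        FeatureDN                 = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
    }
}

$status = Get-ADRecycleBinStatus
$status | Format-List

if ($status.ForestModeOk -and -not $status.RecycleBinEnabled) {
    # Same cmdlet as in the post, with the DNs taken from the forest rather than typed by hand.
    # -WhatIf rehearses the change; remove it to actually enable the feature (it cannot be disabled again).
    Enable-ADOptionalFeature -Identity $status.FeatureDN -Scope ForestOrConfigurationSet -Target $status.RootDomain -WhatIf
}
```

The lifetime value matters for incident response: a deleted account older than DeletedObjectLifetimeDays has been recycled and can no longer be restored with its SID, so the check also tells you how long your restore window is.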
  

As I mentioned above, I am using a simple .NET form to create somewhat of a nice GUI for running this cmdlet.  I got the form from here:  http://technet.microsoft.com/en-us/library/ff730941 .  Check out this page if you'd like to learn more about it.

When you run the script below, you will see the following window pop up:

Simply type in the account name of the user that was deleted and click OK.  Like magic, the user is restored with their original SID.  Their Exchange mailbox is automatically reconnected (if it still exists and isn't connected to another account), and they should have access to any folder they had before.  It's like they were never deleted.  Here's the script; save it as Restore_AD_Account.ps1


######################################################################################
#           Restore Active Directory Account
# This script utilizes the Windows 2008 R2 AD ability to undelete an account
# Your forest and domain functional level must be 2008 R2
#
# Source: ps1scripting.blogspot.com
#
#####################################################################################

[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

# Create the form window and set its title
$objForm = New-Object System.Windows.Forms.Form
$objForm.Text = "Restore Active Directory User"
$objForm.Size = New-Object System.Drawing.Size(300,200)
$objForm.StartPosition = "CenterScreen"

# $x receives the user name typed into the text box. The event handlers below run in
# their own scope, so the assignments use $script: explicitly to make sure the value survives.
$script:x = $null

# Enter submits the form, Escape cancels it
$objForm.KeyPreview = $True
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Enter")
    {$script:x=$objTextBox.Text;$objForm.Close()}})
$objForm.Add_KeyDown({if ($_.KeyCode -eq "Escape")
    {$objForm.Close()}})

# OK button: capture the text box contents and close the form
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(75,120)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({$script:x=$objTextBox.Text;$objForm.Close()})
$objForm.Controls.Add($OKButton)

# Cancel button: close the form without capturing anything
$CancelButton = New-Object System.Windows.Forms.Button
$CancelButton.Location = New-Object System.Drawing.Size(150,120)
$CancelButton.Size = New-Object System.Drawing.Size(75,23)
$CancelButton.Text = "Cancel"
$CancelButton.Add_Click({$objForm.Close()})
$objForm.Controls.Add($CancelButton)

# Label describing what to enter
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(280,20)
$objLabel.Text = "Please enter the username you'd like to restore below:"
$objForm.Controls.Add($objLabel)

# Text box where the user name is typed
$objTextBox = New-Object System.Windows.Forms.TextBox
$objTextBox.Location = New-Object System.Drawing.Size(10,40)
$objTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($objTextBox)

$objForm.Topmost = $True

$objForm.Add_Shown({$objForm.Activate()})
[void] $objForm.ShowDialog()

# Nothing entered (Cancel, Escape, or an empty box): stop rather than searching for ""
if ([string]::IsNullOrWhiteSpace($x)) { Write-Host "No user name entered; nothing restored."; return }

# Show the name that is about to be restored
$x

# Imports the Active Directory module to run AD cmdlets
Import-Module ActiveDirectory

# Searches the deleted objects for the sAMAccountName stored in $x and restores it.
# The isDeleted clause keeps a live account with the same name from being matched.
Get-ADObject -Filter {samaccountname -eq $x -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject


This is really a very simple script.  95% of it is just the code required to construct the form.  Let me know if you have any questions.
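The script above restores by sAMAccountName and assumes the user's original OU still exists.  As an added example that is not part of the original post, here is a version that first lists what is actually in the Recycle Bin, restores by objectGUID so that two deleted objects with the same name are never confused, falls back to an explicit OU when the original container (lastKnownParent) was deleted as well, and checks afterwards that the SID is unchanged, which is the whole point of using the Recycle Bin.  The function names Get-DeletedADUser and Restore-DeletedADUser are my own; the cmdlets, parameters and attributes are standard.

```powershell
# Added example (not the post's script): enumerate deleted users and restore one with
# a fallback target container and a SID check.
Import-Module ActiveDirectory

function Get-DeletedADUser {
    param([string]$SamAccountName = '*')   # wildcard pattern, e.g. 'j*'
    # With the Recycle Bin enabled, a deleted (not yet recycled) object keeps all of its
    # attributes, so sAMAccountName, objectSid and lastKnownParent are still readable.
    # objectClass is multi-valued; the -ne clause drops computer accounts, which also carry "user".
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and objectClass -ne "computer"' -IncludeDeletedObjects -Properties sAMAccountName, objectSid, lastKnownParent, 'msDS-LastKnownRDN', whenChanged |
        Where-Object { $_.sAMAccountName -like $SamAccountName } |
        Select-Object sAMAccountName, 'msDS-LastKnownRDN', objectSid, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$FallbackTargetPath    # OU DN used only when the original parent is gone
    )
    $found = @(Get-DeletedADUser -SamAccountName $SamAccountName)
    if ($found.Count -eq 0) {
        throw "No deleted user '$SamAccountName' in the Recycle Bin (it may already have been recycled)."
    }
    if ($found.Count -gt 1) {
        # The same name was deleted more than once: do not guess, make the caller pick a GUID.
        $found | Format-Table sAMAccountName, lastKnownParent, whenChanged, ObjectGUID -AutoSize | Out-Host
        throw "More than one deleted object matches '$SamAccountName'; use Restore-ADObject -Identity <ObjectGUID>."
    }
    $obj = $found[0]

    # Restore-ADObject puts the object back under lastKnownParent. If that container was
    # deleted too, the restore fails unless an explicit -TargetPath is supplied.
    $parentExists = $true
    try   { $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop }
    catch { $parentExists = $false }

    $target = if ($parentExists) { $obj.lastKnownParent } else { $FallbackTargetPath }
    if (-not $target) {
        throw "Container '$($obj.lastKnownParent)' no longer exists; pass -FallbackTargetPath with an OU DN."
    }

    if ($PSCmdlet.ShouldProcess("$($obj.sAMAccountName) (SID $($obj.objectSid.Value))", "Restore to $target")) {
        if ($parentExists) {
            Restore-ADObject -Identity $obj.ObjectGUID
        } else {
            Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $target
        }
        # Read the live object back; its SID must equal the one recorded before the restore.
        $user = Get-ADUser -Identity $obj.ObjectGUID
        if ($user.SID.Value -ne $obj.objectSid.Value) { throw "SID differs after restore; investigate before reusing the account." }
        $user
    }
}

# Usage:
#   Get-DeletedADUser                                  # everything currently restorable
#   Restore-DeletedADUser -SamAccountName jdoe -WhatIf # rehearse
#   Restore-DeletedADUser -SamAccountName jdoe -FallbackTargetPath 'OU=Users,DC=yourdomain,DC=com'
```

Because objectGUID and objectSid are preserved on the deleted object, restoring by GUID gives the same SID-preserving result the post describes, but it also works when a replacement account with the same sAMAccountName has since been created, a case in which a name-based filter without the isDeleted clause would pick up the live object and Restore-ADObject would fail.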


Disclaimer: All scripts and other powershell references on this blog are offered "as is" with no warranty.  While these scripts are tested and working in my environment, it is recommended that you test these scripts in a test environment before using in your production environment.

