Sep 06 2019 02:22 PM
Work for a consulting firm that focuses on small business. Many do not have AD Recycle Bin enabled. Team members spend too much time using LDP to recover deleted users. So I have recommended we implement AD Recycle Bin, as I typically do on all projects. My question is based on an observation, a very small sample pool.
1. Customer deleted a user from AD. Realized in error. Reached out for recovery same day.
2. We determined user did not have AD Recycle Bin enabled. I enabled Recycle Bin (not that I anticipated it would help in this situation, but to have it set for future).
3. We then went through the process of recovery using LDP (which historically has had no issues). In this case there were errors all over. Went so far as to reach out to MS.
4. As a test we created a new user, deleted it, and were able to recover it with AD Recycle Bin with no issue.
I am thinking by enabling Recycle Bin, it may have caused an unintended consequence to those objects deleted prior to implementation. Or it may have been one of those coincidences.
I am curious if anyone knows one way or the other, as we are implementing AD Recycle Bin, and I have noticed that some customers have deleted objects now, and I am currently holding off implementing it in those cases. Any clarity would be helpful.
ALSO - one tech-related question. Appreciate that the Forest / Domain Functional Level must be a minimum of 2008 R2, but I am also seeing that the Schema needs to be 2008 R2 minimum as well. My question - would not the Schema be a minimum of 2008 R2 if one is able to raise the Domain / Forest level to 2008 R2?
Sep 07 2019 03:36 PM
Solution
I hadn't come across your particular issue previously, but I'm not sure I've had to restore any users from before AD Recycle Bin had been enabled, so I've just run your scenario in my lab and replicated the problem; the objects I deleted before the Recycle Bin was enabled could not be restored via LDP.
I've done a bit more digging and found the following MS document on this:
One of the blue boxes shows that any objects deleted before the Recycle Bin is enabled cannot be restored via LDP, because they are not deleted objects anymore but rather Recycled Objects.
It seems that an authoritative restore is the only way to get these objects back. I've always backed up AD before enabling Recycle Bin in a production environment anyway, just in case things go south, but hadn't realized before that enabling Recycle Bin would banjax anything already deleted.
Hope this helps,
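As an added example that is not part of either post, the following PowerShell pre-flight script covers both points raised in the thread: it reports the forest and domain functional levels together with the schema objectVersion (the functional-level question), and it inventories the tombstones that already exist so an admin can see which objects will stop being LDP-recoverable the moment the feature is turned on (the answer's finding). It uses only standard ActiveDirectory-module cmdlets (Get-ADForest, Get-ADDomain, Get-ADRootDSE, Get-ADObject, Get-ADOptionalFeature, Enable-ADOptionalFeature); the function names, the readiness object and the constructed warning text are mine, and the schema-version-to-OS table is Microsoft's published mapping. The final enable call is left in -WhatIf mode so the script never changes the forest by itself.

```powershell
# Added example, not from the thread. Requires RSAT's ActiveDirectory module
# and an Enterprise Admin account; run on a DC or a management host.
Import-Module ActiveDirectory

# Schema objectVersion values Microsoft publishes for each schema level.
$schemaVersions = @{
    30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012';    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016';    88 = 'Windows Server 2019'
}

function Get-RecycleBinReadiness {
    # Hypothetical helper: gathers the prerequisites into one object.
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    [pscustomobject]@{
        ForestMode        = $forest.ForestMode
        DomainMode        = $domain.DomainMode
        SchemaVersion     = [int]$schema.objectVersion
        SchemaLevel       = $schemaVersions[[int]$schema.objectVersion]
        RecycleBinEnabled = ($feature.EnabledScopes.Count -gt 0)
        # Raising the forest to 2008 R2 requires 2008 R2 DCs, which require
        # adprep to have taken the schema to 47 or higher, so one check covers both.
        MeetsMinimum      = ([int]$forest.ForestMode -ge $minForest) -and
                            ([int]$schema.objectVersion -ge 47)
    }
}

function Get-PreExistingDeletedObjects {
    # Hypothetical helper: lists tombstones present right now. Once the Recycle
    # Bin is enabled these become recycled objects and LDP reanimation stops
    # working for them, so anything still wanted must be restored first.
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties isDeleted, lastKnownParent, whenChanged, objectClass, sAMAccountName |
        Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,DC=*' } |
        Select-Object Name, objectClass, sAMAccountName, lastKnownParent, whenChanged
}

$readiness = Get-RecycleBinReadiness
$readiness | Format-List

if (-not $readiness.MeetsMinimum) {
    throw 'Forest functional level or schema is below Windows Server 2008 R2; cannot enable.'
}

if ($readiness.RecycleBinEnabled) {
    Write-Warning 'AD Recycle Bin is already enabled in this forest; nothing to do.'
}
else {
    $pending = @(Get-PreExistingDeletedObjects)
    if ($pending.Count -gt 0) {
        # Constructed warning text: make the irreversible side effect visible before acting.
        Write-Warning ("{0} existing tombstone(s) will become recycled objects and will no " +
                       "longer be recoverable with LDP once the Recycle Bin is enabled." -f $pending.Count)
        $pending | Sort-Object whenChanged -Descending | Format-Table -AutoSize
    }

    # Enabling is a one-way change. Take a system-state backup of a DC first, then
    # remove -WhatIf to perform the enable.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -WhatIf
}
```

Run it read-only first and act on the tombstone list: any object in that list that still matters can be reanimated with LDP or Restore-ADObject before the feature is enabled, whereas afterwards, as the answer above found, only an authoritative restore from a backup taken before the deletion brings it back. Keep the -WhatIf in place in any version that is distributed to customer sites and let the engineer remove it deliberately.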