• Contact Us

    We will get back to you as soon as possible.

  • We do not collect personal information except to the extent you provide that information to use through email, your web browser or through our contact forms. We will not share, sell or otherwise provide non-public information to others without your consent.

SIGN UP FOR OUR NEWSLETTER

  • We do not collect personal information except to the extent you provide that information to use through email, your web browser or through our contact forms. We will not share, sell or otherwise provide non-public information to others without your consent.

Active Directory Recycling Bin
Published on October 4, 2016
Active Directory Recycling Bin

True Story – Avoiding Risk

This past weekend, a medium-sized client contacted us concerning a serious problem concerning their Active Directory Recycling Bin.

Moments before the call, the admin had unfortunately and inadvertently deleted ALL, YES ALL, Active Directory user objects (excluding service accounts).  If you couldn’t have guessed, this was a complete heart stopping experience!  At that very moment, I personally was struck with a panic. Unless you’re clued into these technical ramifications, any way you shake it, it is a challenge to truly capture the gravity of this situation.

I’m not known to practice brevity, but in short, the downstream impact of such an event would/could cause significant and irrevocable impact on any organization, of any size.

Active Directory Recycling Bin – Saving Grace

Thankfully, 2 years prior, when upgrading their environment to Active Directory 2008 R2, DTS took the proper measures to enable their Active Directory Recycling Bin. This saving grace rescued all of our jobs, and maintained my sanity, allowing for a swift and seamless restoration of their deleted user objects.

As mentioned above; although preventative and proactive measures were taken to enable their Active Directory Recycling Bin, restoration and remediation wasn’t as easy as flipping on the light switch.

Where only a few of us were available for triage, a rapid assessment of the scene assisted greatly to determine our scope of exposure, and immediate action items. With Active Directory replication and Office 365 DirSync services (Azure AD Connect) poised to pull the whole bloody rug out from beneath thousands of unsuspecting end-users, the clock was certainly working against us.

The Active Directory Recycling Bin is only available in AD 2008 R2 (or above) forest functional level (FFL).  The Active Directory Recycling Bin was available in prior versions of AD, however admins weren’t “per se” able to fully restore objects to their original & previous state – Yikes. Such restorations were inconsistent, fraught with holes and missing attribute values (e.g., back-links to group objects were completely lost). Regrettably businesses aren’t always able to augment their forest to 2008 or above.

However, if you are not already, we strongly recommend putting in motion the necessary discovery efforts to safely augment your forest to minimally 2008 R2 FFL.  If you’re already at 2008 R2 (or greater) FFL, enable that handy-dandy Active Directory Recycling Bin – seriously, don’t wait!

Don’t mistakenly think enabling the Active Directory recycling bin is the first and last step.  No sir! Combined with enabling your Active Directory Recycling Bin, ensure to create a proactive action plan to address different facets, dependencies and moving elements of such an occurrence:

Documented test controls which can quickly restore deleted object(s) – in some cases, single object restoration is all that’s needed.

Make A Plan – Active Directory Recycling Bin

  • Test your restoration controls:
    • Validate object functionality (in some cases, the restore object will be computer or service account)
    • Within your controls document, identify potential external dependencies and services, (e.g. Remote AD sites, Office 365, Trusts, etc.).  This will significantly help to minimize any outage exposure.
  • During remediation, temporarily and immediately disable:
  • Postmortem Review:
    • Perform a Root Cause Analysis (RCA) to determine the specifics behind object restoration (really dig in to get the details).  Don’t treat this matter as a common every-day operational affair.
    • Regardless of whether this was an operation-mandated restore, or perhaps something completely unforeseen, be certain to take the appropriate preventive precautions to ensure:
      • The person or process is corrected. (sometimes, identify management processes require remediation)
      • Review and tighten up of your business’s Least Privileged Access model
  • IMPORTANT: From a security standpoint, ensure only appropriate objects are restored. Restoration of privileged (sensitive) objects could result in a breach.

Ensure your Global Security Department is involved with any object restoration.

Anyway, the wrong thing to do is nothing. Be certain to enable your Active Directory Recycling Bin as soon as humanly possible. This is a simple effort which will help those involved in Active Directory sleep better at night.

Warmest Regards, SHAWN MAY DTS Inc. | Principal Architect | www.yourDTS.com

Powershell: Verify Recycle Bin State

function Test-ADRecycleBin {

$ADRecScopes = (Get-ADOptionalFeature `
	-Filter 'name -like "Recycle Bin Feature"').EnabledScopes

if ($ADRecScopes)
	{Write-Output -InputObject 'AD Recyling Bin Enabled'}
else
	{Write-Output -InputObject 'AD Recyling Bin Disabled'}
}

Powershell: Enable Active Directory Recycling Bin

Enable-ADOptionalFeature `
	–Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain’ `
	–Scope ForestOrConfigurationSet –Target ‘ <yourdomainname> ’

Powershell: Increase the lifetime of Recycle Bin Objects

Set-ADObject -Identity “CN=Directory Service,CN=Windows  NT,CN=Services,CN=Configuration,DC=domain” `
	–Partition  “CN=Configuration,DC=contoso,DC=com” –Replace:@{“tombstoneLifetime” =  365} 
Set-ADObject -Identity “CN=Directory Service,CN=Windows  NT,CN=Services,CN=Configuration,DC=domain” `
	–Partition  “CN=Configuration,DC=domain”  –Replace:@{“msDS-DeletedObjectLifetime” = 365}

CORE PRACTICES

  • Implementing correct solutions
  • Bringing the correct talent (professional-staff-augmentation or project team)
  • Alignment to the business functional & functional direction
  • Maintaining agility with communication and options
  • Ensure to have a properly scoped project and accurate roadmap eliminating fluff

LATEST VIDEOS

Stay Well

Here are some incredibly-simple videos to watch & share with co-workers, family and friend on staying well:

Testimonials

 

Dynamic Technical Solutions is one of the best in the business. I had the pleasure of working and learning a great deal from their team members in the past four years. DTS’ work ethic is unlike any I have ever seen. I have always known them to follow through until the job is completed correctly.

 

R.T., Senior IT Infrastructure & Ops Manager, E-470 Public Highway Authority

Testimonials

 

I had a pleasure working with Dynamic Technical Solutions very closely on a very complex, critical project with a lot of moving parts and unknowns. Not only did DTS quickly grasped all the complexities of the project, they helped bring clarity and order to it. Their dedication and professionalism are tremendous. They are team members whom you can always count on to be there and deliver what’s required and then some. Their technical abilities have allowed us to develop and implement great solutions. DTS’ understanding of IT security helped us not only come up with a robust technical solution, but also a very secure one. I’ll gladly work with them any time again.

 

I.S., VP Technology at Barclays Capital

Testimonials

 

I have had the pleasure of working with Dynamic Technical Solutions over the last year servicing the same customer. DTS demonstrates an exceptional technical aptitude, attention to detail and work ethic that makes their service delivery extraordinary. Anyone requiring solid directory services architectural or technical guidance will benefit from what DTS brings to the table. I recommend their work.

 

N.K., Microsoft - Senior Technical Account Manager

Testimonials

 

I had the pleasure of working with Dynamic Technical Solutions at The Children's Hospital and found them to be an extremely knowledgeable in respect to Microsoft Windows Engineering. Their precision, dedication, thoroughness and understanding in Microsoft Active Directory design and support are impeccable. They take pride in continuously learning, adapting and implementing all of the knowledge they possess and have shown such aptitude in technical writings of Kerberos, DNS and Microsoft products as a whole. I would welcome the opportunity of working with DTS again and hope to do so in the future.

 

M.D., The Children's Hospital

Testimonials

 

We contracted with DTS to perform an upgrade/migration of our existing Active Directory and Exchange environments onto new equipment. The entire process was extremely painless and we were very happy with the results. I can honestly say that our DTS consultants exceeded our expectations. It took less time than we had anticipated, and some of the issues we were afraid of running into did occur, but our DTS consultants were very quick at finding a working solution.

DTS is technically competent, their work is very thorough, and their attention to detail is the best I have seen. I would not hesitate in recommending Dynamic Technical Solutions to anyone looking for Microsoft professionals.

 

R.B. Information Technology Director, Colorado City Government – Town of Vail

Testimonials

 

CH2M Hill is a $5B IT and engineering firm based in Denver, Colorado. CH2M Hill has utilized DTS for complex IT management and support projects. During the time that DTS supported our efforts for one of our customers (a Fortune 500 company), their consultant exhibited significant technical competencies. Furthermore, our DTS consultant is a professional, receiving high marks from the customer for program management as well as communication skills.

 

Director of Business Development, CH2M Hill