True Story – Avoiding Risk
This past weekend, a medium-sized client contacted us concerning a serious problem concerning their Active Directory Recycling Bin.
Moments before the call, the admin had unfortunately and inadvertently deleted ALL, YES ALL, Active Directory user objects (excluding service accounts). If you couldn’t have guessed, this was a complete heart stopping experience! At that very moment, I personally was struck with a panic. Unless you’re clued into these technical ramifications, any way you shake it, it is a challenge to truly capture the gravity of this situation.
I’m not known to practice brevity, but in short, the downstream impact of such an event would/could cause significant and irrevocable impact on any organization, of any size.
Active Directory Recycling Bin – Saving Grace
Thankfully, 2 years prior, when upgrading their environment to Active Directory 2008 R2, DTS took the proper measures to enable their Active Directory Recycling Bin. This saving grace rescued all of our jobs, and maintained my sanity, allowing for a swift and seamless restoration of their deleted user objects.
As mentioned above; although preventative and proactive measures were taken to enable their Active Directory Recycling Bin, restoration and remediation wasn’t as easy as flipping on the light switch.
Where only a few of us were available for triage, a rapid assessment of the scene assisted greatly to determine our scope of exposure, and immediate action items. With Active Directory replication and Office 365 DirSync services (Azure AD Connect) poised to pull the whole bloody rug out from beneath thousands of unsuspecting end-users, the clock was certainly working against us.
The Active Directory Recycling Bin is only available in AD 2008 R2 (or above) forest functional level (FFL). The Active Directory Recycling Bin was available in prior versions of AD, however admins weren’t “per se” able to fully restore objects to their original & previous state – Yikes. Such restorations were inconsistent, fraught with holes and missing attribute values (e.g., back-links to group objects were completely lost). Regrettably businesses aren’t always able to augment their forest to 2008 or above.
However, if you are not already, we strongly recommend putting in motion the necessary discovery efforts to safely augment your forest to minimally 2008 R2 FFL. If you’re already at 2008 R2 (or greater) FFL, enable that handy-dandy Active Directory Recycling Bin – seriously, don’t wait!
Don’t mistakenly think enabling the Active Directory recycling bin is the first and last step. No sir! Combined with enabling your Active Directory Recycling Bin, ensure to create a proactive action plan to address different facets, dependencies and moving elements of such an occurrence:
Documented test controls which can quickly restore deleted object(s) – in some cases, single object restoration is all that’s needed.
Make A Plan – Active Directory Recycling Bin
- Test your restoration controls:
- Validate object functionality (in some cases, the restore object will be computer or service account)
- Within your controls document, identify potential external dependencies and services, (e.g. Remote AD sites, Office 365, Trusts, etc.). This will significantly help to minimize any outage exposure.
- During remediation, temporarily and immediately disable:
- Site to Site AD replication
- Temporarily disable any directory sync services (e.g. DirSync, Azure AD Connect, etc.) – consider enabling AAD Connect deletion thresholds
- Validate critical services are functioning properly
- Postmortem Review:
- Perform a Root Cause Analysis (RCA) to determine the specifics behind object restoration (really dig in to get the details). Don’t treat this matter as a common every-day operational affair.
- Regardless of whether this was an operation-mandated restore, or perhaps something completely unforeseen, be certain to take the appropriate preventive precautions to ensure:
- The person or process is corrected. (sometimes, identify management processes require remediation)
- Review and tighten up of your business’s Least Privileged Access model
- IMPORTANT: From a security standpoint, ensure only appropriate objects are restored. Restoration of privileged (sensitive) objects could result in a breach.
Ensure your Global Security Department is involved with any object restoration.
Anyway, the wrong thing to do is nothing. Be certain to enable your Active Directory Recycling Bin as soon as humanly possible. This is a simple effort which will help those involved in Active Directory sleep better at night.
Warmest Regards, SHAWN MAY DTS Inc. | Principal Architect | www.yourDTS.com
Powershell: Verify Recycle Bin State
function Test-ADRecycleBin {
$ADRecScopes = (Get-ADOptionalFeature `
-Filter 'name -like "Recycle Bin Feature"').EnabledScopes
if ($ADRecScopes)
{Write-Output -InputObject 'AD Recyling Bin Enabled'}
else
{Write-Output -InputObject 'AD Recyling Bin Disabled'}
}Powershell: Enable Active Directory Recycling Bin
Enable-ADOptionalFeature `
–Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain’ `
–Scope ForestOrConfigurationSet –Target ‘ <yourdomainname> ’Powershell: Increase the lifetime of Recycle Bin Objects
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain” `
–Partition “CN=Configuration,DC=contoso,DC=com” –Replace:@{“tombstoneLifetime” = 365}
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain” `
–Partition “CN=Configuration,DC=domain” –Replace:@{“msDS-DeletedObjectLifetime” = 365}CORE PRACTICES
- Implementing correct solutions
- Bringing the correct talent (professional-staff-augmentation or project team)
- Alignment to the business functional & functional direction
- Maintaining agility with communication and options
- Ensure to have a properly scoped project and accurate roadmap eliminating fluff
LATEST VIDEOS
Stay Well
Here are some incredibly-simple videos to watch & share with co-workers, family and friend on staying well: