Windows Server 2016: Active Directory Recycle Bin

KB ID 0001389

Problem

To be honest, we have had the capability to recover deleted Active Directory objects for ages. It's just that in Windows 2016 things look a bit neater.

Enable Active Directory Recycle Bin

From Server Manager > Tools > Active Directory Administrative Center > {Domain-Name} > Enable Recycle Bin.

OK

Note: You may need to restart ADAC before you will be able to see the option greyed out.

Enable Active Directory Recycle Bin with PowerShell

From an administrative PowerShell window:

[box]

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domainx,DC=net' -Scope ForestOrConfigurationSet -Target 'domainx.net'

[/box]

Restore an AD Object From the Recycle Bin

I’ve deleted a user, and I want to restore him. From Server Manager > Tools > Active Directory Administrative Center > {Domain-Name} > Deleted Objects.

Locate the deleted object > Restore.

Restore an AD Object From the Recycle Bin with PowerShell

First let’s make sure the item is there to restore!

[box]

Get-ADObject -filter {displayname -eq "Pete Long"} -includedeletedobjects

[/box]

Now that we’ve found our deleted user, restore them by using the same command, but ‘pipe’ it to the Restore-ADObject cmdlet.

[box]

Get-ADObject -filter {displayname -eq "Pete Long"} -includedeletedobjects | Restore-ADObject

[/box]

 


Windows Server – Fine Grained Password Policies

KB ID 0000765 

Problem

Before Server 2008, if you wanted more than one password policy, you had to create a sub domain just to do that! With Server 2008 we were given fine grained password policies, which were fine (if a little clunky), and involved you creating ‘Password Settings Objects’.

They were a pain if you were not used to them, e.g. five minutes is entered as 00:00:05:00. But now Microsoft have made things a LOT EASIER (though they made a good job of hiding it!).

Solution

1. From Server Manager (ServerManager.exe) > Local Server > Tools > Active Directory Administrative Center.

2. System container.

3. Password Settings Container.

4. New > Password Settings > Configure as required > Add > Locate the Security group you want to apply the policy to > OK > OK.

Note: The Precedence dictates which policy will apply if the same user has multiple policies applied to them.

5. You can then create other policies to apply to different groups.

To See What Policies are Applying to a User

6. Locate the user (while still in Active Directory Administrative Center) > Right click > View resultant password settings > If a policy is in place it will open.

7. If there is no policy in place you will see, “User does not have resultant fine grained password settings. Please check the user’s domain password settings”.
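The same procedure (steps 1 to 7) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original article; the policy name, group name, user name and every policy value are constructed placeholders to adapt to your own domain.

```powershell
# Added example: all names and values below are hypothetical placeholders.
Import-Module ActiveDirectory

$policyName = 'PSO-Admins'      # hypothetical Password Settings Object name
$groupName  = 'Tier0-Admins'    # hypothetical global security group
$userName   = 'jbloggs'         # hypothetical member of that group

# Steps 1-4: create the policy and link it to the group, but only if it
# does not already exist, so the script is safe to re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    # Durations are passed as TimeSpan objects, which avoids hand-typing the
    # d:hh:mm:ss strings the older PSO attribute editor required.
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge ([TimeSpan]::FromDays(1)) `
        -MaxPasswordAge ([TimeSpan]::FromDays(60)) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow ([TimeSpan]::FromMinutes(5)) `
        -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
        -ProtectedFromAccidentalDeletion $true

    # Policies apply to users or global security groups, not to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
}

# Step 5: review every policy in precedence order. When several policies
# reach the same user, the lowest Precedence value wins.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# Steps 6-7: check which policy actually lands on a given user.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($resultant) {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
} else {
    # Nothing returned means no fine grained policy applies, so the
    # domain password settings are in effect for this user.
    Write-Output "No fine grained policy applies to $userName."
    Get-ADDefaultDomainPasswordPolicy
}
```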

 
