Recycle Bin

The AD Recycle Bin is enabled in the WolfTech Active Directory Domain.

Microsoft Documentation:

AD Recycle Bin the GUI way:

AD Recycle Bin from the PowerShell command line:

Pretend this OU and everything in it was deleted:
OU=Teaching Labs,OU=BAE,OU=CALS,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu

  1. Log in to a DC as a Domain Admin.
  2. Run PowerShell from quick launch. Right-click and RUN AS ADMIN or you’ll be wondering why you’re not getting results.
  3. Import-Module ActiveDirectory

Getting help:

  • Get-Command *ad* -CommandType cmdlet
  • Get-Help Get-ADObject -examples

Searching for an object named duck:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=wolftech,DC=ad,DC=ncsu,DC=edu" -LDAPFilter "(Name=*duck*)" -includedeletedobjects

Output (only last one listed for brevity):
Deleted : True
DistinguishedName : CN=Duckwall010\0ADEL:2f9e780e-837e-41ac-b7ab-012e37fc8386,CN=Deleted Objects,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Name : Duckwall010
DEL:2f9e780e-837e-41ac-b7ab-012e37fc8386
ObjectClass : computer
ObjectGUID : 2f9e780e-837e-41ac-b7ab-012e37fc8386

Dan recommends that you add -Properties Created to the end of the command above so you can see when the object was created and differentiate it from others of the same name.

Find out which parent OU an object named duck was in:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=wolftech,DC=ad,DC=ncsu,DC=edu" -LDAPFilter "(Name=*Duckwall010*)" -includedeletedobjects -properties LastKnownParent

Output:
Deleted : True
DistinguishedName : CN=Duckwall010\0ADEL:2f9e780e-837e-41ac-b7ab-012e37fc8386,CN=Deleted Objects,DC=wolftech,DC=ad,DC=ncsu,DC=edu
LastKnownParent : OU=OU Admins,OU=Departmental Users,OU=CNR,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu
Name : Duckwall010
DEL:2f9e780e-837e-41ac-b7ab-012e37fc8386
ObjectClass : computer
ObjectGUID : 2f9e780e-837e-41ac-b7ab-012e37fc8386

Restoring Duckwall010$ (get-help Restore-ADObject -examples):
Restore-ADObject -Identity 2f9e780e-837e-41ac-b7ab-012e37fc8386

Search for everything that was deleted from an OU (run this after restoring the OU itself, so the parent exists again):
Get-ADObject -SearchBase "CN=Deleted Objects,DC=wolftech,DC=ad,DC=ncsu,DC=edu" -LDAPFilter "(LastKnownParent=OU=Teaching Labs,OU=BAE,OU=CALS,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu)" -IncludeDeletedObjects
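
Putting the steps above together for the Teaching Labs scenario: the following is an added example, not part of the original page, that restores everything whose LastKnownParent is an already-restored OU and then descends into any child OUs it brings back. The function name Restore-DeletedTree is hypothetical, and the sketch assumes the top-level OU has already been restored with Restore-ADObject.

```powershell
# Added example (not from the original page). Restore-DeletedTree is a hypothetical helper name.
Import-Module ActiveDirectory

function Restore-DeletedTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DN of a parent that exists again (restore the top-level OU first).
        [Parameter(Mandatory = $true)][string]$ParentDN,
        [string]$DeletedObjects = 'CN=Deleted Objects,DC=wolftech,DC=ad,DC=ncsu,DC=edu'
    )

    # Escape LDAP filter special characters (RFC 4515) so the DN is matched literally.
    $escaped = $ParentDN.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # -IncludeDeletedObjects is required, otherwise nothing under Deleted Objects is returned.
    # Created helps tell apart several deleted objects that shared a name.
    $children = Get-ADObject -SearchBase $DeletedObjects -IncludeDeletedObjects `
        -LDAPFilter "(lastKnownParent=$escaped)" `
        -Properties LastKnownParent, 'msDS-LastKnownRDN', Created |
        Sort-Object Created

    foreach ($child in $children) {
        $label = "$($child.'msDS-LastKnownRDN') [$($child.ObjectClass), created $($child.Created)]"
        if ($PSCmdlet.ShouldProcess($label, "Restore under $ParentDN")) {
            try {
                # Restore by object, then recurse: once a child OU is live again,
                # its own children can be found by its restored DN.
                $restored = $child | Restore-ADObject -PassThru -ErrorAction Stop
                Restore-DeletedTree -ParentDN $restored.DistinguishedName -DeletedObjects $DeletedObjects
            }
            catch {
                # Typical cause: an object with the same name already exists in the parent.
                Write-Warning "Could not restore $($child.ObjectGUID): $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first: -WhatIf lists the direct children that would be restored and changes nothing.
Restore-DeletedTree -ParentDN 'OU=Teaching Labs,OU=BAE,OU=CALS,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu' -WhatIf
```

Drop -WhatIf to perform the restore. Objects that fail with a name collision are reported as warnings and left in Deleted Objects for manual review.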