

Active Directory Accidental Deletion - Prevention & Cure

Accidental deletions in Active Directory can cause havoc, and unfortunately in the past I was in the middle of one such catastrophic event. It resulted in 4000-odd servers and client machines that were part of an OU being deleted, and the cause was found to be some housekeeping software. Such accidental deletions can be most destructive in critical industries such as banking and finance, and in public sector organizations. This might have been avoided, and it could have been fixed in less than 10% of the actual time spent, if the environment had been using one of the latest features that we included in Windows 2008 R2 (Active Directory Recycle Bin). Most critical situations arise from accidental human or tool interference or from configuration, and it is important to be able to come out of such situations with minimal downtime; accidental deletion in Active Directory is one such situation. Below are some preventive measures against accidental deletions in Active Directory, along with links on recovering from such a catastrophe with minimal downtime.

 

Prevention 

Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

https://blogs.technet.com/b/abizerh/archive/2009/06/09/preventing-unwanted-accidental-deletions-and-restore-deleted-objects-in-active-directory.aspx

Windows Server 2008 Protection from Accidental Deletion

https://blogs.technet.com/b/industry_insiders/archive/2007/10/31/windows-server-2008-protection-from-accidental-deletion.aspx

 

Recovery with minimal downtime 

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

https://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx 

Windows Server 2008 R2 Quick Look - Active Directory Recycle Bin ~ video

https://technet.microsoft.com/en-us/windowsserver/ee895053 

https://www.youtube.com/watch?v=TSIXOojhn9k&feature=youtu.be

AD Recycle Bin – Step By Step Guide

https://technet.microsoft.com/en-us/library/dd392261(v=ws.10)

  This is definitely a feature that can save you from nightmares. 

P.S.: IT environments that are already at the Windows 2008 R2 forest functional level require only minimal configuration changes to enable the AD Recycle Bin. Once that is done, you can use the Active Directory Recycle Bin UI in Windows 8 / 2012 by installing the RSAT tools on a domain-joined Windows 8 or Windows 2012 server.
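As an added example (not part of the original post), the PowerShell below checks both safeguards discussed here, OU protection from accidental deletion and the AD Recycle Bin, and previews a restore of deleted computer objects. It assumes the ActiveDirectory module from RSAT is installed; the OU distinguished name is a placeholder, and every change runs with `-WhatIf` until you remove it.

```powershell
# Added example: audit and enable the safeguards discussed on this page.
# Assumes the ActiveDirectory module (RSAT) and sufficient rights in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. The Recycle Bin requires the Windows Server 2008 R2 forest functional level or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]'Windows2008R2Forest'
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it before enabling the Recycle Bin."
}

# 2. Enable the Recycle Bin if it has no enabled scopes yet.
#    Enabling it cannot be undone, so review the -WhatIf output before removing -WhatIf.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -WhatIf
} else {
    Write-Output "Recycle Bin already enabled for $($forest.Name)."
}

# 3. Prevention: list OUs that lack 'Protect object from accidental deletion', then set it.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object -ExpandProperty DistinguishedName
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf

# 4. Recovery: find deleted computer objects whose last parent was a given OU
#    and preview restoring them. The DN below is a placeholder, not from the post.
#    If the OU itself was deleted, restore the OU first, then its children.
$ou = 'OU=Servers,DC=example,DC=com'
$deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
        -Properties lastKnownParent, whenChanged |
    Where-Object { $_.lastKnownParent -eq $ou }

$deleted | Sort-Object whenChanged |
    Select-Object Name, lastKnownParent, whenChanged
$deleted | Restore-ADObject -WhatIf
```

Only objects deleted after the Recycle Bin was enabled can be restored this way with their attributes intact, which is why step 2 has to happen before an incident.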

 

 

It's about time you had this feature enabled!

Comments

  • Anonymous
    September 02, 2015
    Accidental deletion of AD objects, as well as other unwanted operations, should never get to a position where they need to be recovered (in an ideal world). A good way to prevent a maximum amount of those is implementing an approval-based workflow, so critical operations won't be executed unless approved by a responsible authority. Adaxes is a great example of this: http://www.adaxes.com/info_demos.htm?scene=approvals

    An approval-based workflow makes it possible to delegate more tasks but retain control over any potentially unwanted operations.