Friday, March 30, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 2

After installing and configuring Recovery Manager Plus (RMP), and restoring a simple user object in my previous blog post, I wanted to evaluate some other recovery scenarios: group membership of a deleted user, members of a deleted group and content of an organizational unit (OU). That's what I'll do in the following paragraphs, with no further ado.


Restore group membership of a deleted user?

If I delete a user object, will the groups of which it is a member also be restored in the members property?

John Thompson is a member of the Domain Users and Accounting groups:

I delete John Thompson:

I go to RMP and recycle him:

Note: I have to check "John Thompson" and then click on "Recycle" (not shown in the screenshot).

I confirm the operation:

And John Thompson is no longer in the recycle bin:

On the other hand, he does reappear in Active Directory - with his former group membership:


I discovered two things when attempting to recover the account.

First, the deleted object does not appear in the RMP recycle bin immediately; I have to perform a manual backup for RMP to compare what has changed:

If we schedule backups often enough, we may not need to perform a manual backup to see what object was deleted. Otherwise, if we are shocked to discover that an object was accidentally deleted AND does not appear in the RMP recycle bin, we should perform a manual backup before concluding the object is lost forever.

Second, we use the recycle option rather than the restore option. If I attempt to restore John Thompson, I proceed as follows and encounter a strange message:

Note: although the screenshot does not show each and every step, I check "John Thompson" and then click on the restore button - a green button just under the list of users that I seem to have managed to omit from my screenshots.

This looks good...

But then I see this (and John Thompson is not restored in Active Directory either):

This puzzles me because I was able to use the restore option in my first blog post for Anne Schubert. On the other hand, in a demonstration on YouTube, Derek Melber does use the recycle option (and does have to perform a manual backup for the object to appear in the recycle bin):

ManageEngine ADSolution - Recovering Deleted Active Directory Objects and All Properties

Note: the video was available at the time I composed this blog post - which may or may not be the case when you read it.

Restore members of a deleted group?

Now I'll delete a group and see if I can not only restore (or recycle...) the group itself but also the members. I will use the group "HR" which includes the members shown below:

I delete the group...

And then recycle the group:

The group is restored but the members are not:

This is strange. Is another action required to complete the restore? In any case, for the time being, I want to test my last scenario: deletion of an organizational unit (OU) with all its content.

Restore OU and child objects

I have a regional OU called "Nice" with several objects inside (two users and a group):

I attempt to delete the OU...

But the attempt fails:

If we want to delete (or move) an OU, we have to uncheck the protection from accidental deletion first (under the object tab - Advanced View) and then try again - and confirm our intentions:

Note: I could have left this part out but thought it could serve as a reminder to protect key objects in Active Directory against accidental deletion. Some (like organizational units) are by default.

So I delete the OU and there is no longer anything between "My V Security Groups" and "Program Data":

As before, I go to the recycle bin, select the OU "Nice" and click on Recycle (not shown in the screenshot but very evident in the actual interface):

The OU is restored with the objects shown above and even a third user that I had deleted before:


So far, the tool has proved to be much more efficient than a native Active Directory authoritative restore which would require rebooting a domain controller (into recovery mode), restoring the entire Active Directory database, and then marking the object (or objects) to be restored as "authoritative".

There does seem to be a distinction between "restore" and "recycle" (the latter was possible, the former was not) and probably "rollback" for that matter.

We may have to perform a manual backup for changes - and deleted objects in particular - to appear in the RMP recycle bin.

The only "miss" was the failure to restore/recycle the members of our HR group. At this point, I do not master the product well enough to determine if that is a shortcoming or if such a restore requires additional steps.
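
One way to check for the gap seen with the HR group without relying on screenshots is to record each group's member attribute before the deletion test and compare it after the recycle. The PowerShell below is an added example, not part of the original post or of RMP; it assumes the ActiveDirectory module (RSAT) is installed, and the function names and snapshot file are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT). Function names and the snapshot path are assumptions.
Import-Module ActiveDirectory

function Save-GroupMembershipSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Records the "member" attribute of every group. Primary-group membership
    # (e.g. Domain Users) is held in primaryGroupID on the user, not listed here.
    Get-ADGroup -Filter * -Properties member | ForEach-Object {
        [pscustomobject]@{
            Guid    = $_.ObjectGUID.ToString()
            Name    = $_.Name
            Members = @($_.member | ForEach-Object { [string]$_ })
        }
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-GroupMembershipSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($g in $before) {
        try {
            # Look the group up by objectGUID; an unknown identity throws.
            $now = Get-ADGroup -Identity $g.Guid -Properties member -ErrorAction Stop
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Still deleted, or re-created as a new object with a new GUID.
            [pscustomobject]@{ Group = $g.Name; Status = 'GroupNotFound'
                               MissingMembers = @($g.Members) }
            continue
        }
        $current = @($now.member | ForEach-Object { [string]$_ })
        # Member DNs present in the snapshot but absent from the live group.
        $missing = @(@($g.Members) | Where-Object { $_ -and $_ -notin $current })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ Group = $g.Name; Status = 'MembersMissing'
                               MissingMembers = $missing }
        }
    }
}

# Usage: snapshot before the deletion test, compare after the recycle.
# Save-GroupMembershipSnapshot -Path .\groups-before.json
# Compare-GroupMembershipSnapshot -Path .\groups-before.json | Format-List
```

No output from the compare step means every group in the snapshot still has all the members it had before the test; a restored group with an empty member list, like HR above, shows up as MembersMissing.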
