It's happened to your domain before. You walk back in after a long lunch or notice something peculiar as you're packing up for a long weekend. Users are calling in to complain that they can't access their resources. They're seeing errors all across the board when attempting to accomplish anything on their desktops. It's like someone has…deleted…their accounts. Or, even worse, someone has deleted an entire Organizational Unit (OU) full of them. At this point, you find yourself setting down your leftovers or your coat, realizing that you're about to be at work quite a bit later than you expected this evening.
For a platform as powerful and pervasive as Active Directory (AD), it's a wonder how easy it remains to accidentally destroy huge sections of it. Whether you're a low-level help desk administrator or an all-powerful Domain Admin, most IT professionals have enough rights to create this kind of havoc. Deleting a user account, or an OU full of them, is a particularly big problem, and one that even today doesn't have a good resolution using native Windows tools alone.
If this has happened to you, here's a glimpse of the process you're forced to undertake:
This process appears relatively trivial until you notice the one piece of information it leaves out. To properly restore a deleted object in Step 4, you must know the DN of that object, and to know its DN you must first know which objects were deleted. If an entire OU of objects was deleted, you'll need to identify each of those objects and restore them individually. For a large swath of deleted objects, this process can be complex to the point of absurdity.
At first blush, Windows Server 2008 R2's new Recycle Bin feature might seem like a good solution. The new AD Recycle Bin provides a mechanism to bring back objects that have been deleted from your AD. However, it's important to know that AD's Recycle Bin isn't like the one you see on your desktop. Enabling its functionality requires upgrading your entire AD forest to the Windows Server 2008 R2 forest functional level. This means that each and every Domain Controller must also be at Windows Server 2008 R2, a process that can take a long time to complete. Even more challenging, actually using the AD Recycle Bin requires the use of scripting to restore an object. So, the less‐experienced admins who are more likely to cause a deletion problem are less likely to be able to fix it.
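To make the scripting requirement concrete, here is an added PowerShell example (not code from the original article, and not from any of the third-party tools it refers to). It also addresses the earlier point about needing every deleted object's DN: instead of listing DNs by hand, it finds the deleted OU by its last known name, restores it, and then walks the deleted objects whose `lastKnownParent` points at that OU, recursing into nested OUs. It assumes the RSAT ActiveDirectory module, a forest already at the Windows Server 2008 R2 functional level, and an account permitted to restore objects; `contoso.com` and the OU name `Sales` are placeholder values.

```powershell
# Added example, not code from the original article or its vendor tools. Assumes the
# RSAT ActiveDirectory module, a forest already at the Windows Server 2008 R2 functional
# level, and an account allowed to restore objects. 'contoso.com' and the OU name
# 'Sales' are placeholder values.
Import-Module ActiveDirectory

function Enable-AdRecycleBinOnce {
    param([Parameter(Mandatory)][string]$ForestName)
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) { return 'already enabled' }
    # One-way change: once enabled, the feature cannot be disabled again.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
    return 'enabled'
}

function Restore-DeletedSubtree {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$Deleted)

    # While deleted, the object's DN is mangled ("OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...").
    # Children may reference the parent by that mangled DN or by the original DN, so capture
    # both before the restore changes them.
    $deletedDn  = $Deleted.DistinguishedName
    $originalDn = "$($Deleted.'msDS-LastKnownRDN'),$($Deleted.LastKnownParent)"

    if ($PSCmdlet.ShouldProcess($originalDn, 'Restore-ADObject')) {
        Restore-ADObject -Identity $Deleted.ObjectGUID
    }
    $restored = 1

    # A child cannot be restored until its parent exists again: parent first, then recurse.
    $children = Get-ADObject -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects `
        -Properties LastKnownParent, 'msDS-LastKnownRDN' |
        Where-Object { $_.LastKnownParent -eq $deletedDn -or $_.LastKnownParent -eq $originalDn }
    foreach ($child in $children) {
        $restored += Restore-DeletedSubtree -Deleted $child
    }
    return $restored
}

# Usage: locate the deleted OU by its last known name and bring back everything under it.
Enable-AdRecycleBinOnce -ForestName 'contoso.com'
$ou = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(msDS-LastKnownRDN=Sales))' `
    -IncludeDeletedObjects -Properties LastKnownParent, 'msDS-LastKnownRDN'
if (@($ou).Count -ne 1) { throw "Expected exactly one deleted OU named 'Sales', found $(@($ou).Count)" }
# -WhatIf walks the tree and reports the count without changing the directory; drop it to restore.
$count = Restore-DeletedSubtree -Deleted $ou -WhatIf
Write-Host "Objects that would be restored: $count"
```

Run it first with `-WhatIf`, as the usage lines do, to see how many objects the walk finds and in what order; the recursion is what makes the restore correct for an OU that contained sub-OUs, since `Restore-ADObject` fails for a child whose parent container is still in the Deleted Objects container.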
Organizations that base their computing infrastructure on AD cannot afford the lengthy and error‐ridden process of manually restoring objects after an accidental mouse click. Yet this manual process is the only way to solve the problem with Windows' native tools. With the right third‐party tools in place, finding and restoring deleted AD objects can be as easy as the few mouse clicks that deleted them in the first place. These tools take and catalog regular snapshots of AD structure and objects, allowing administrators to look backwards in time. They provide a way to compare previous with current snapshots to quickly find and automatically restore lost objects.
Yet the problem doesn't stop there. Best‐in‐class third‐party tools provide much‐needed further protections. They enable the additional capability to quickly restore your entire AD domain or forest in the case of corruption or malicious activity. Having this emergency restore capability in your back pocket is critical because every deleted object is equal to a worker's lost productivity, and every downed domain means an entire business going down. As such, implementing the right tools for comprehensive deletion protection is critical to turning major problems into minor restores.