Restore-QADDeletedObject

From PowerGUI Wiki


Undelete objects in Active Directory by restoring tombstones back into normal objects. This cmdlet requires an Active Directory domain controller running Windows Server 2003 or later. If Active Directory Recycle Bin (a feature of Windows Server 2008 R2) is enabled, this cmdlet restores deleted objects from Recycle Bin.

This cmdlet is part of the Quest ActiveRoles Server product. Use Get-QARSProductInfo to view information about ActiveRoles Server.


Syntax

Restore-QADDeletedObject -TargetObject <IGenericDirectoryObject> [-Connection <ArsConnection>] [-ConnectionAccount <string>] [-ConnectionPassword <SecureString>] [-Control <hashtable>] [-Credential <PSCredential>] [-Proxy] [-RestoreChildren] [-Service <string>] [-UseGlobalCatalog] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

Use this cmdlet to recover deleted objects in Active Directory. Pipe a deleted object into this cmdlet in order to restore (undelete) that object. Deleted objects can be retrieved by using an appropriate Get-QAD* cmdlet with the Tombstone parameter.

When an object is deleted, it is not physically removed from the Active Directory database. Instead, Active Directory marks the object as deleted, clears most of the object's attributes, renames the object and moves it to a special container. The object becomes a tombstone. This cmdlet causes Active Directory to perform the necessary operations on the tombstone to reanimate the object, which effectively results in the object being undeleted.

The object's attributes that were cleared upon object deletion are not restored. However, certain attributes, the most important of which are identity-related attributes such as objectGUID and objectSid, are retained in the tombstone and restored when the object is undeleted. Which attributes are retained in tombstones is determined by Active Directory: the attributes that have the 0x8 bit set in the searchFlags attribute of their attributeSchema definition are retained.
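
The retention rule above can be checked against a live schema. The following is an added example, not part of the original page or of the Quest product: it uses the .NET DirectorySearcher with the LDAP bitwise-AND matching rule to list every attributeSchema object whose searchFlags has the 0x8 bit set. The function name Get-TombstoneRetainedAttribute and its parameter are hypothetical.

```powershell
# Added example: read-only LDAP query of the schema partition.
# Function and parameter names are hypothetical, chosen for this illustration.
function Get-TombstoneRetainedAttribute {
    param(
        # DN of the schema naming context; read from RootDSE when omitted.
        [string]$SchemaNamingContext
    )

    if (-not $SchemaNamingContext) {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $SchemaNamingContext = [string]$rootDse.Properties['schemaNamingContext'].Value
    }

    $preserveOnDelete = 0x8                      # searchFlags bit named on this page
    $bitAnd = '1.2.840.113556.1.4.803'           # LDAP bitwise-AND matching rule OID

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SchemaNamingContext"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PageSize    = 500                  # page results; the schema holds many attributes
    $searcher.Filter = "(&(objectClass=attributeSchema)(searchFlags:${bitAnd}:=$preserveOnDelete))"
    [void]$searcher.PropertiesToLoad.Add('lDAPDisplayName')
    [void]$searcher.PropertiesToLoad.Add('searchFlags')

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($entry in $results) {
            # Result property names are stored in lower case.
            $flags = [int]$entry.Properties['searchflags'][0]
            New-Object PSObject -Property @{
                Attribute   = [string]$entry.Properties['ldapdisplayname'][0]
                SearchFlags = '0x{0:X}' -f $flags
            }
        }
    }
    finally {
        # FindAll() holds unmanaged resources until disposed.
        if ($results) { $results.Dispose() }
        $searcher.Dispose()
    }
}

# List the attributes a reanimated tombstone will still carry.
Get-TombstoneRetainedAttribute | Sort-Object Attribute | Format-Table Attribute, SearchFlags -AutoSize
```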

The cmdlet relies on the "restore deleted objects" feature of Active Directory. To enable this feature, at least one domain controller in the domain must be running on Windows Server 2003 or a later version of Microsoft Windows Server. Ensure that the cmdlet is connected to such a domain controller. Normally, only domain administrators are allowed to restore deleted objects. For information about access rights required to restore deleted objects and limitations that apply to restoring deleted objects, see topic "Restoring Deleted Objects" in MSDN Library at http://msdn.microsoft.com.

If Active Directory Recycle Bin (a feature of Windows Server 2008 R2) is enabled, the deletion of an object does not turn the object into a tombstone. The object is marked as deleted and moved to a special container, but the attributes of the object are not cleared. In this case, the cmdlet restores the deleted object with all attributes, including the link-valued attributes such as Member Of. As a result, the object is restored to the same state it was in immediately before deletion. For example, a restored user account regains all group memberships that it had at the time of deletion.

The cmdlet has optional parameters that determine the server and the security context for the operation. Normally, the connection parameters can be omitted, since a connection to a server is established prior to using the cmdlet. In this case, the server and the security context are determined by the Connect-QADService cmdlet.

If you do not use Connect-QADService and have no connection established prior to using a cmdlet, then the connection settings, including the server and the security context, are determined by the connection parameters of the first cmdlet you use. Subsequent cmdlets will use those settings by default.



Parameters

Each entry gives the parameter name, its description, and the Required? and Pipeline Input values. No default values are listed for any parameter.

Connection
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

ConnectionAccount
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

ConnectionPassword
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

Control
   Use this parameter to pass request controls (in-controls) to ActiveRoles Server as part of an operation request. In ActiveRoles Server, request controls are used to send extra information along with an operation request, to control how ActiveRoles Server performs the request.

   The parameter value is a hash table that defines the names and values of the request controls to be passed to ActiveRoles Server. The parameter syntax is as follows:

      -Control @{<name> = <value>; [<name> = <value>] ...}

   In this syntax, each of the name-value pairs is the name and the value of a single control. For instructions on how to create and use hash tables, see topic "about_associative_array" or "about_hash_tables" in Windows PowerShell Help. For information about ActiveRoles Server request controls, refer to ActiveRoles Server SDK documentation.

   Note that this parameter only has an effect on the operations that are performed through ActiveRoles Server (connection established using the Proxy parameter); otherwise, this parameter causes an error condition in ActiveRoles Management Shell.
   Required? false
   Pipeline Input: false

Credential
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

Proxy
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

RestoreChildren
   This parameter causes the cmdlet to restore both the target object and all of its deleted descendants. Without this parameter, only the target object is restored.
   Required? false
   Pipeline Input: false

Service
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

TargetObject
   Supply tombstone objects to restore. This parameter is normally used to receive the output of a Get-QAD cmdlet searching for deleted objects (see Tombstone parameter on Get-QAD* cmdlets).
   Required? true
   Pipeline Input: true (ByValue)

UseGlobalCatalog
   For parameter description, see help on the Connect-QADService cmdlet.
   Required? false
   Pipeline Input: false

Confirm
   Prompts you for confirmation before executing the command.
   Required? false
   Pipeline Input: false

WhatIf
   Describes what would happen if you executed the command without actually executing the command.
   Required? false
   Pipeline Input: false

Examples

EXAMPLE 1

   Get-QADUser -Tombstone -LastKnownParent '<DN of container>' -Name 'John Smith*' |
      Restore-QADDeletedObject

Description


Restore a user account that was deleted from a particular container and had the name (RDN) of John Smith.

EXAMPLE 2

   Get-QADUser -Tombstone -LastKnownParent '<DN of container>' -LastChangedOn (Get-Date) |
      Restore-QADDeletedObject

Description


Restore all user accounts that were deleted from a particular container on the current date.

EXAMPLE 3

   Get-QADUser -Tombstone -LastChangedOn (Get-Date -Year 2008 -Month 9 -Day 1) |
      Restore-QADDeletedObject

Description


Restore all user accounts that were deleted on September 1, 2008.

EXAMPLE 4

   # Quote the DN: an unquoted '<' is parsed by PowerShell as a redirection operator.
   Get-QADObject '<DN of container>' -Tombstone |
      Restore-QADDeletedObject -RestoreChildren

Description


Restore a deleted container and all objects that existed in that container when it was deleted.
