Monday, 17 February 2014

Determine if the Active Directory recycle bin is installed

Be warned if you're trying to find out whether the Active Directory recycle bin feature is installed in the forest.

Many documents suggest that you read the msDS-EnabledFeature attribute of the following location of Active Directory

However if you are not an Enterprise Admin or Domain Admin in the forest root domain you'll see the setting displayed as <Not Set> even if the Recycle Bin is installed. This is misleading as <Not Set> is what is displayed if the Recycle Bin is not installed.

Running the following PowerShell command does work correctly
Get-ADOptionalFeature 'Recycle Bin Feature'

This is because the tool looks at the servers NTDS settings, where another msDS-EnabledFeature attribute can be found. This attribute is populated as each domain controller is informed that the optional feature has been installed in the forest.

A permissions friendly LDAP query is as follows. This will highlight the servers that have the recycle bin installed on them. Finding a server that does have the feature enabled indicates that it is installed in the forest.

(&(objectClass=nTDSDSA)(msDS-EnabledFeature=CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=somedomain,DC=int))

We are adding the ability to read Active Directory Recycle Bin settings in the next version of our Active Directory Audit Tool, XIA Configuration Server, please take a look!

No comments:

Post a Comment