The Active Directory Recycle Bin is a great new feature of Windows Server 2008 R2 that allows you to restore accidentally deleted Active Directory objects. If you want to have similar functionality for Windows Server 2008 with a free utility, then you should have a look at the Directory Service Comparison Tool (DSCT). But DSCT can do even more: It not only allows you to restore deleted objects, it also lets you undo attribute changes. The tool requires at least a Server 2008 domain controller, .NET 3.5, and (Microsoft Management Console) MMC 3.0.
- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
DSCT makes use of the new snapshot feature in Windows Server 2008. Unfortunately, creating Active Directory snapshots is a bit cumbersome and can only be done on the command prompt. If you want to work with DSCT in a productive environment, then it makes sense to create AD snapshots automatically. Of course, you can also use the tool whenever you have to perform major Active Directory modifications. If you create an AD snapshot before you run your new PowerShell script to modify some hundred objects, then you can use DSCT to clean up the mess of your automation efforts afterwards.
Before you start using DSCT, you should enable Active Directory auditing. You can do this in Group Policy (Windows Settings\Security Settings\Local Policies\Audit Policy\). After you have installed DSCT, you have to add its snap-in to the MMC. The DSCT installer doesn't add icons to the Windows Start Menu.
Once you have created a snapshot, you can change Active Directory objects. The snapshot has to be mounted and you have to expose the snapshot as LDAP server, as I outlined in a former post. You then have to tell DSCT in the Datasource settings where it can find the LDAP server, including the port you configured (see screenshot). DSCT will then display the difference between the snapshot and the current Active Directory state. DSCT enables you to select changed or deleted objects and to restore them to their previous state.
In my test, I renamed the givenname attribute of a user object. In the upper pane, DSCT displays the object, and in the lower pane, the changed attribute. Restoring the attribute to its original state worked flawlessly. I tried DSCT 1.3.3.X on a Windows Server 2008 R2 domain controller. As noted above, the tool also works on Windows Server 2008.
