Active Directory Recycle Bin
The Recycle Bin feature introduced by Microsoft provides support for restoring deleted users and groups with all their attributes and group memberships. The SailPoint Active Directory Connector supports this feature; with it, any deleted objects (accounts and groups) can be restored.
Prerequisites
Note: The Recycle Bin feature must be enabled on Active Directory.
- IQService can be installed on a Windows system with one of the following operating systems:
  - Microsoft Windows Server 2019
  - Microsoft Windows Server 2016
  - Microsoft Windows Server 2012 R2
  - Microsoft Windows Server 2012
  For more information on installing and registering IQService, refer to IQService.
- Install the Active Directory module for Windows PowerShell on the computer where IQService is installed.
  Note: By default, this module is installed on all DCs. For a non-DC computer running a server-class operating system, open a Windows PowerShell console and execute the following commands:
    Import-Module ServerManager
    Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
- Run the following PowerShell command on all domain controllers (DCs) in the forest that must be managed:
    Enable-PSRemoting
  Note: If multiple servers are managed, run the above command on all the servers present under "domainSettings".
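The three prerequisites above can be checked from the IQService host in one script. This is an added example, not SailPoint or Microsoft code; the domain name and DC list are placeholders, and the Recycle Bin check relies on Get-ADOptionalFeature, the AD module cmdlet that reports the feature's enabled scopes.

```powershell
# Added example (not SailPoint's code): verify the Recycle Bin prerequisites on the IQService host.
# Placeholders: set $Domain and $DomainControllers to the managed domain and its DCs.
$Domain            = 'corp.example.com'                                     # placeholder
$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')    # placeholder: hosts under "domainSettings"

$results = [ordered]@{}

# 1. Active Directory module for Windows PowerShell (RSAT-AD-PowerShell) on this computer.
#    On a non-DC server-class OS it is added with:
#      Import-Module ServerManager; Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
$results['AD PowerShell module'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

# 2. Recycle Bin optional feature enabled in the forest. EnabledScopes stays empty until
#    Enable-ADOptionalFeature has been run for the forest (the feature cannot be turned off again).
$results['Recycle Bin enabled'] = $false
if ($results['AD PowerShell module']) {
    Import-Module ActiveDirectory
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $Domain -ErrorAction SilentlyContinue
    $results['Recycle Bin enabled'] = ($null -ne $rb) -and ($rb.EnabledScopes.Count -gt 0)
}

# 3. PowerShell remoting answering on every managed DC (this is what Enable-PSRemoting turns on).
foreach ($dc in $DomainControllers) {
    $ok = $false
    try {
        $null = Test-WSMan -ComputerName $dc -ErrorAction Stop
        $ok = $true
    } catch { }
    $results["PSRemoting on $dc"] = $ok
}

# Summary: every MISSING row must be fixed before manageRecycleBin is set on the application.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-32} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'MISSING' })
}
```

Run it in an elevated PowerShell session on the IQService host with an account that can read the forest configuration; a MISSING row for remoting on one DC usually means Enable-PSRemoting was not run there or WinRM is blocked by a host firewall.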
Configuring Recycle Bin
- Open the Console and import the IIQ\HOME\WEB-INF\config\configManageDeletedObjects.xml file. The configManageDeletedObjects.xml file creates the Manage Recycle Bin quick link on the dashboard and adds the Restore Deleted Objects workflow.
- Modify the manageRecycleBin attribute in the Active Directory application with the value set to true:
    <entry key="manageRecycleBin">
      <value>
        <Boolean>true</Boolean>
      </value>
    </entry>
- After account and account-group aggregation, the deleted objects are visible under the Manage Recycle Bin quick link. Accounts and groups can be restored individually or all together.
- The DirSync delta aggregator also supports detecting deleted objects.
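What a restore from the Recycle Bin looks like at the directory level, as an added example (not SailPoint or Microsoft code). The page does not state which cmdlets IQService issues; this script uses the AD module's Get-ADObject -IncludeDeletedObjects and Restore-ADObject, and the server name and GUID are placeholders. It lists the deleted users and groups that the Manage Recycle Bin quick link would show after aggregation, and restores one by objectGUID only when -Apply is given; otherwise Restore-ADObject runs with -WhatIf.

```powershell
# Added example (not SailPoint's code): inspect and restore objects held in the AD Recycle Bin.
Import-Module ActiveDirectory
$Server = 'dc01.corp.example.com'   # placeholder: a DC in the managed domain

# Deleted users and groups that are still restorable (within the deleted-object lifetime).
# With the Recycle Bin enabled they keep their attributes and group memberships, which is
# what makes a restore complete instead of a bare tombstone reanimation.
function Get-RecycleBinAccountsAndGroups {
    # ObjectClass on the returned object is the most specific class, so computer
    # accounts and the "Deleted Objects" container itself are filtered out here.
    Get-ADObject -Server $Server -IncludeDeletedObjects -Filter 'isDeleted -eq $true' `
        -Properties sAMAccountName, lastKnownParent, whenChanged |
    Where-Object { $_.ObjectClass -in @('user', 'group') } |
    Select-Object sAMAccountName, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

# Restore one object by objectGUID. Without -Apply, Restore-ADObject runs with -WhatIf,
# so the operator sees where the object would go before anything is written.
function Restore-RecycleBinObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [switch]$Apply
    )
    $obj = Get-ADObject -Server $Server -IncludeDeletedObjects -Identity $ObjectGuid `
        -Properties isDeleted, lastKnownParent
    if (-not $obj.isDeleted) { throw "$ObjectGuid is not a deleted object" }
    # The object returns to lastKnownParent; if that OU was deleted as well, restore the OU
    # first or pass -TargetPath to Restore-ADObject with a different container.
    Restore-ADObject -Server $Server -Identity $obj -WhatIf:(-not $Apply)
}

# Usage: list candidates, then dry-run a restore using a GUID taken from the list.
Get-RecycleBinAccountsAndGroups | Format-Table -AutoSize
# Restore-RecycleBinObject -ObjectGuid '00000000-0000-0000-0000-000000000000'          # placeholder GUID, dry run
# Restore-RecycleBinObject -ObjectGuid '00000000-0000-0000-0000-000000000000' -Apply   # performs the restore
```

Restoring a group brings its member attribute back with it, so a restore of a high-privilege group should be reviewed the same way as a new group-membership change; the whenChanged and lastKnownParent columns give reviewers the deletion time and original location.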