LEX Online Manual Content

• Introduction to LEX
  • First steps
    • License Splashscreen
    • ReadOnly PopUp
    • First LDAP Connection
  • LEX GUI Elements
    • The Treeview Panel
      • Reloading the Tree Structure
      • Hiding the Tree Structure
      • The currently selected Container
    • The Object List Panel
      • Reloading the Object List
      • Object List Scope
      • Object List Filter
      • Object Names Display
      • Object Attribute Columns
      • Sorting the Object List
      • Object Icons
    • The Attribute List Panel
      • Showing and Hiding the Attribute List
      • Attribute List Position
      • Refreshing the Attribute List Contents
      • Attribute List Filter
    • The Address Bar
    • The Command Button Bar
    • The Status Bar
    • The Attribute Window
      • Attribute Window Hotkeys
      • Attribute Window Command Buttons
      • Refreshing the Attribute Window Contents
      • Attribute Window Filter
      • Text Output
  • Command Line Parameters
• Command Buttons
  • Treeview Buttons
    • Expand/Collapse Tree Panel
    • Reload Directory Info
    • Reload Entire Directory Tree
    • Search
  • Object List Buttons
    • Expand/Collapse Tree Panel
    • Expand/Collapse Attribute List
    • Reload Object List
    • Go Up one Level
    • Show Objects in all Subcontainers
    • Create New Object
    • Delete Object
    • Show Friendly Object Names
    • Show Distinguished Name in Novell Notation
    • Show Hex Output for Hex Values
    • Set Object Filter
  • Attribute List Buttons
    • Toggle Attribute List Position
    • Reload Attribute Info
    • Add New Attribute
    • Add Attribute Element to an Array
    • Remove Attribute
    • Show only Attributes that have Values
    • Show Multivalued Attributes
    • Set Attribute List Filter
  • Attribute Window Buttons
    • Reload Attribute Info
    • Compare this Object with another
    • Add New Attribute
    • Add Attribute Element to an Array
    • Remove Attribute
    • Show only Attributes that have Values
    • Show Friendly Object Names
    • Show Distinguished Name in Novell Notation
    • Show Hex Output for Hex Values
    • Show Multivalued Attributes
    • Set Attribute List Filter
    • Show Attribute Names and Values
• Menu Help
  • Connection Menu
    • Connect
    • Save
    • New LEX
    • Disconnect
    • Connection Info
    • Attributes
    • RootDSE
    • Exit
  • Edit Menu
    • Copy Attribute Name
    • Copy Attribute Value
    • Paste Attribute
    • Search
    • Undelete
    • Set Password
    • Permissions
    • New Object
    • Delete Object
    • Move Object
    • Rename Object
    • Add New Attribute
    • Add Array Member
    • Remoe Attribute
    • Set empty Value
    • Quick Edit Value
    • Edit Attribute Value
  • View Menu
    • Set Attribute as List Column
    • Column Field Chooser
      • Object type
      • Date modified
      • Modifiers name
      • Date created
      • Creators Name
      • More
      • Load Column Set
      • Save Column Set
    • Filter Display for this Attribute
    • Jump to Object
    • Toolbars
      • Address Bar
      • Button Bar
      • Status Bar
    • Directory Tree
    • Attribute List
    • List Output Settings
      • Show Objects in all Subcontainers
      • Show Friendly Object Names
      • Show DNs in Novell Notation
      • Show Hex Output for Attributes with Hex Values
    • Attribute Output Settings
      • Show Hex Output for Attributes with Hex Values
      • Show only Attribute that have Values
      • Show Multivalued Attributes
    • Refresh
    • Reload Entire Tree
  • Favorites Menu
    • Add to Favorites
    • Organize Favorites
    • Sort by Name
  • Tools Menu
    • Use in Filter Factory
    • Select for Compare
    • Compare with...
    • Directory Export - Object List
    • Directory Export - Attribute List
    • Directory Import - LDIF
    • Filter Factory
    • TreeMap Factory
    • Observation Factory
    • Pipe Factory
    • Additional Infos/Tools
      • Resolve SID Attributes to Objects
      • Converter for numeric values
      • Converter for hex values
      • Converter for GUID values
      • Converter for SID values
    • Options
  • Help Menu
    • Index
    • Search
    • Online Support
    • Check for Updates
    • Activate existing License
    • About
• Application Options
  • General Tab
  • LDAP Settings Tab
  • Object Filter Tab
  • Attribute Filter Tab
  • Container Classes Tab
  • Attribute Syntaxes Tab
  • Linked Attributes Tab
  • Dialog Settings Tab
  • Colors Tab
• Application Hotkeys
• Connecting to LDAP Servers
  • The LDAP Connections Dialog
    • Server Tab
    • Advanced Tab
    • Attribute Filter Tab
    • Column Tabs
  • Connection Profiles
  • LDAPS / LDAP over SSL
• Working with LDAP Objects
  • Creating Directory Objects
  • Renaming Directory Objects
  • Moving Directory Objects
  • Deleting Directory Objects
  • Editing Multiple Objects
  • LDAP Object Classes
  • LDAP Attributes
    • Attribute Syntaxes
    • Attribute Editors
      • String Editor
      • Integer Editor
      • Boolean Editor
      • DN Editor
      • Generalized Timestring Editor
      • Binary / Hex Editor
      • Password Editor
      • Bitmap Editor
      • GUID Editor
      • Microsoft Security Descriptor Editor
      • Microsoft Access Control Entry Editor
      • Microsoft SID Editor
      • Microsoft Large Integer Editor
      • Microsoft Interval Editor
      • Microsoft Timestamp Editor
      • Microsoft DN with Binary Editor
      • Microsoft DN with String Editor
      • Novell Object ACL Editor
      • Novell Path Editor
      • Novell EMail Address Editor
      • Novell Timestamp Editor
      • Novell Backlink Editor
      • Novell Typed Name Editor
      • Flag Attribute Editor
    • Operational Attributes
    • Binary Attributes
    • Displaying Multivalued Attributes
    • Displaying Hex/Octetstring Attributes
    • Displaying DN Attributes
    • Displaying Unused Attributes
  • Undeleting Active Directory Objects
    • AD Tombstone Reanimation
    • AD Recycle Bin
  • Copy and Paste of Attribute Values
• Working with LDAP Directories
  • ReadOnly Mode
  • Directory Tree Caching
  • Container Class Evaluation
• Building LDAP Filters
  • LDAP Filter Syntax
  • The Filter Factory
  • The Filter Constructor
  • The Single Filter Editor
  • Famous Filters
• Searching The Directory
  • Search Results
  • Searching the Global Catalog in AD Environments
• Comparing Objects
  • Compare Window Hotkeys
  • Compare Window Command Buttons
• Exporting Directory Data
  • Exporting Object List Data
  • Exporting Attribute List Data
• Importing Directory Data
• Licensing Contract for Users

AD Recycle Bin Recovery

If you are in a Active Directory environment with Windows 2008 R2 (or newer) domain controllers, then you can recover deleted objects without the limitations of the older windows versions. This is a new feature which is called AD Recycle Bin. All attributes, group memberships and other references can be restored. If you use this feature, you can undelete entire OUs which was deleted before without the need to restore some AD data from a backup! You can read more about this new AD feature on the Microsoft Technet Article 'Step-by-Step Guide to the AD Recycle Bin'.

The important thing about the AD Recycle Bin: This feature has to be activated first! Even in pure Windows 2008 R2 DC environments, you have only the 'old' tombstone reanimation if you don't activate the AD Recycle Bin feature. See the explanations below ho to activate the AD Recycle Bin.

If the AD Recycle Bin is activated, the deleted objects in your domain are stored in the Deleted Objects container, which is a container in the root hierarchy of each domain. You cannot see this container with the normal AD admin tools because it's a special hidden container which is only visible in LDAP requests with the extended LDAP control 1.2.840.113556.1.4.417 (Show Deleted) - fortunately LEX can use this control in it's request to the regarding server.

 

Objects in the Deleted Objects container can have two different states:

1. First they are 'Deleted', which means that they can be restored with all their attribute properties. There is a directory parameter named msDS-deletedObjectLifetime which determines how long the objects remain in the 'Deleted' state.
   
   
2. After a while, the objects become 'Recycled' which means that they are only used internally for replication purpose. But these objects cannot be restored, reanimated or otherwise re-used by any tool. There is a directory parameter named tombstoneLifetime which determines how long the objects remain in the 'Recycled' state.
   

Both timespan parameters can be set globally in the configuration partition object

 CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com

with the attributes

 msDS-deletedObjectLifetime     and      tombstoneLifetime

If there is no attribute, then the default values are in effect (180 days), you can add these attribute with you own setting if you want to change the settings. Please note that large lifetime values causes big AD databases on the file system on all domain controllers in the entire forest!

---

How to undelete Objects with LEX

If you want to reanimate the tombstone of a recently deleted object, you have to select the Deleted Objects container in the regarding domain. In the object list panel, you see all the deleted objects in this container on the same level (there are never subcontainer structures in the deleted objects container).

 

All deleted objects become a tombstone where the relative distinguished name (RDN) is the old object name, together with a line feed (strange but not illegal in a directory name) and the GUID string of this object. There are several interesting attributes for the tombstones:

• whenCanged: Normally the date and time when the object was deleted.
• lastknownParent: The parent container where the object originally was stored. Can be deleted also, you should find the appropriate tombstone then.
• isDeleted: Always true for all objects in the Deleted Objects container. For normal objects, this parameter doesn't exist.
• isRecycled: This is true for objects which were in the 'Deleted' state longer than the msDS-deletedObjectLifetime and therefore became 'Recycled'. You cannot recover such objects any more! Normally you would not even see them - you need to add the special extended LDAP control 1.2.840.113556.1.4.2064 (Show Recycled) to your LDAP requests - fortunately LEX can use this control in it's request to the regarding server.
  

Select all the objects you want to recover and use the menu option Edit - Undelete (also available in the context menu). The Object Undelete dialog appears:



In this dialog, you can choose if you want to restore the deleted objects in their original or another container. If you choose to restore the object in their original container, LEX can restore these containers to if this should be necessary. After the undelete operation you see the results in a separated window:



The option Copy to Clipboard enables you to get a semicolon-separated result summary into the clipboard so that you can use this for documentation of the recovery operation.

---

How to activate the AD Recycle Bin

You can check whether the AD Recycle Bin Feature was enabled in your Active Directory forest or not. Just browse into the Configuration Partition (this namespace is offered by any DC in your environment). There you have to go to this object

  CN=Partitions,CN=Configuration,DC=yourdomain,DC=com

There is an attribute named

  msDS-EnabledFeature

If the AD Recycle Bin is active, this attribute has this value

  CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,
     CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com

Unfortunately, you cannot simply set this attribute directly if you want to activate the Recycle Bin Feature. Instead, you have to enable the feature by writing to the RootDSE entry of the regarding server. You have to be enterprise admin for this.

So open the RootDSE entry with the LEX option Connection - RootDSE. After that, you see the attribute window for this entry. Now you have to add an additional attribute named EnableFeature. In fact, this is not a real attribute, but writing to 'EnabledFeature' can activate the Ad Recycle Bin on a domain controller. The value that has to be written is the GUID of the AD Recycle Bin Feature:

  CN=Partitions,CN=Configuration,DC=yourdomain,
     DC=com:766ddcd8-acd0-445e-f3b9-a7f9b6744f2a

 

You can read more about the special RootDSE attributes which changes the DC's behavior in the MSDN article about the RootDSE Modify Operations.