Recovery of Active Directory objects became much easier with the introduction of the Active Directory Recycle Bin feature in Windows Server 2008 R2. Simply use the Restore-ADObject PowerShell cmdlet and you're done. But what if you are using BitLocker with its recovery keys stored in AD? You can still restore the computer object after it has been deleted, but the msFVE-RecoveryInformation objects attached to it will not be restored automatically.
This small PowerShell cmdlet will do the work for you:
The script first searches for any existing computer object with the same name. If there is none, it tries to restore a deleted one. Be careful if you have multiple deleted objects with the same name: you may need to adapt parts of the script for that scenario.
After that it searches for deleted BitLocker recovery information whose last known parent is the computer object and tries to restore it as well, no matter how many recovery information objects the computer object contained.
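The procedure described above, written out as an added example. This is not the blog's own script (which is not reproduced here); it assumes the ActiveDirectory RSAT module and an enabled AD Recycle Bin, and the parameter name, messages and script name are this example's own choices. It goes slightly beyond the text in one respect: if a live computer object already exists, it still looks for deleted recovery information attached to it, which covers the case of a computer that was restored earlier without its keys.

```powershell
# Added example, not the blog's own script: restore a deleted computer object
# and the msFVE-RecoveryInformation objects that were deleted with it.
# Assumes the ActiveDirectory RSAT module and an enabled AD Recycle Bin;
# parameter name and messages are this example's own choices.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName          # short name, e.g. WKS001 (no trailing $)
)

Import-Module ActiveDirectory

$sam         = "$ComputerName`$"   # computer accounts carry a trailing $ in sAMAccountName
$deletedBase = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

# 1. A live computer object with this name wins: nothing to restore, but its
#    recovery information may still be sitting in the recycle bin.
$computer = Get-ADComputer -Filter { sAMAccountName -eq $sam }

if ($computer) {
    Write-Host "Computer object already exists: $($computer.DistinguishedName)"
} else {
    # 2. Look for deleted computer objects with that account name. Searching only
    #    the Deleted Objects container keeps the query small and fast.
    $candidates = @(Get-ADObject -IncludeDeletedObjects -SearchBase $deletedBase `
        -Filter { isDeleted -eq $true -and objectClass -eq 'computer' -and sAMAccountName -eq $sam } `
        -Properties sAMAccountName, lastKnownParent, whenChanged)

    if ($candidates.Count -eq 0) {
        throw "No live or deleted computer object named '$ComputerName' found."
    }
    if ($candidates.Count -gt 1) {
        # Several deletions of the same name: refuse to guess which one to revive.
        $candidates | Format-Table DistinguishedName, whenChanged -AutoSize | Out-String | Write-Host
        throw "Multiple deleted computer objects named '$ComputerName'; restore the right one by ObjectGUID."
    }

    $computer = Restore-ADObject -Identity $candidates[0].ObjectGUID -PassThru
    Write-Host "Computer object restored: $($computer.DistinguishedName)"
}

# 3. Deleted recovery information objects remember their former parent in
#    lastKnownParent. With the parent back under its original DN, restore every
#    child that points at it, however many there are.
$parentDn = $computer.DistinguishedName
$recoveryInfos = @(Get-ADObject -IncludeDeletedObjects -SearchBase $deletedBase `
    -Filter { isDeleted -eq $true -and objectClass -eq 'msFVE-RecoveryInformation' -and lastKnownParent -eq $parentDn })

Write-Host "Found $($recoveryInfos.Count) deleted recovery information object(s) for $parentDn"

foreach ($info in $recoveryInfos) {
    # Restore-ADObject puts the object back under lastKnownParent by default.
    Restore-ADObject -Identity $info.ObjectGUID
    Write-Host "Restored recovery information: $($info.DistinguishedName)"
}

# 4. Verify: count the live msFVE-RecoveryInformation children now under the computer.
$live = @(Get-ADObject -SearchBase $parentDn -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' })
Write-Host "Computer now has $($live.Count) recovery information object(s) attached."
```

Run it as `.\Restore-ComputerWithBitLockerKeys.ps1 -ComputerName WKS001` with an account that may restore objects in the domain. Two design points: the child lookup only matches if the computer came back under its original DN, so do not pass a different -TargetPath to Restore-ADObject for the parent; and scoping both searches to the Deleted Objects container avoids walking the whole directory for the unindexed lastKnownParent attribute, which is the kind of query that can hit the server-side timeout.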
Thanks for the script! Exactly what I needed.
Hi,
When I try this script, I am getting the below error message:
PS D:\AD> .\computerobjectrestore.ps1
You must provide a value expression on the right-hand side of the '-and' operator.
At D:\AD\computerobjectrestore.ps1:25 char:39
+ $restoredobject.DistinguishedName -and <<<< Deleted -eq $True -and objectClass -eq 'msFVE-RecoveryInformation'}
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ExpectedValueExpression
Could you please replace “Deleted” with “IsDeleted” and try again?
Nice script. I was going to write a script, but your logic is organized and nice.
I'm redirecting people from http://ammarhasayen.com/2013/10/29/recover-bitlocker-keys-from-recycle-bin/ to this page, if you do not mind.
Sure… feel free to do so :)
This is awesome. I have a unique problem though and very, very limited PowerShell writing skills. All of my BitLocker child objects seem to have been disassociated from their parent. What needs to be modified in order to go through AD and reassociate the child objects with the computer objects?
A thing of Beauty! Thank You!
At the top of the script, why do you use samaccountname? Seems like extra work to deal with the trailing $ in the name, when it seems you could use the name or cn attributes. Is there a reason I’m missing?
Pretty nifty as long as the object is still deleted. Any command to look up the ‘msFVE-RecoveryInformation’ for objects that were recovered (and missing ‘msFVE-RecoveryInformation’ in AD)?
Hi,
Using the above script, I am able to restore the object, but the recovery key is not restored.
The below error is showing. Do you have any idea about this?
Computer object successfully restored. Trying to find recovery information…
Get-ADObject : This operation returned because the timeout period expired
At E:\Scripts\AD_User&Computer\Bitlockerrecover.ps1:27 char:26
+ … veryinfos = Get-ADObject -IncludeDeletedObjects -Filter {lastKnownPar …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ADObject], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1460,Microsoft.ActiveDirectory.Management.Commands.GetADObject
Restore of computer object succeeded.