Your network contains an Active Directory forest named contoso.com. The forest contains a
single domain. All domain controllers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as
shown in the following table.
Active Directory Recycle Bin is enabled.
You discover that a support technician accidentally removed 100 users from an Active
Directory group named Group1 an hour ago.
You need to restore the membership of Group1.
What should you do?
A. Recover the items by using Active Directory Recycle Bin.
B. Modify the isRecycled attribute of Group1.
C. Perform tombstone reanimation.
D. Perform an authoritative restore.
Explanation:
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your
ability to preserve and restore accidentally deleted Active Directory objects without restoring
Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or
rebooting domain controllers.
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes
of the deleted Active Directory objects are preserved and the objects are restored in their
entirety to the same consistent logical state that they were in immediately before deletion.
For example, restored user accounts automatically regain all group memberships and
corresponding access rights that they had immediately before deletion, within and across
domains.
I think the answer is wrong; there had been no delete, it’s a change of group members, so I think the answer should be authoritative restore ‘D’.
Agree. Group membership changes do NOT end up in the AD Recycle Bin.
I’ve done some research..
It’s possible to do:
“Object Reanimation and Attribute Population through AD snapshot backups”
It’s still authoritative restore… you just gotta restore the AD back to its present state.
It’s D. An object goes to the recycle bin only when it is deleted. Removing objects from a group only modifies the group, therefore the change is permanent unless you restore from backup.
aarch.
Good reading, sysadmin!
Thanks
I would also vote for D, because they didn’t delete a user or group (which could be restored using the AD bin) we have to perform an authoritative restore to get the group memberships back.
Answer is D.
Recycle bin is of no use in this situation.
“What would happen if someone accidentally removed a significant number of members from an Active Directory security group? Could the Active Directory Recycle Bin be used to restore those members?
This question was recently asked in the Microsoft Technet Directory Services forum.
The answer is no.” (http://davidmtechblog.blogspot.co.uk/2014/03/windows-server-2012-active-directory.html)
answer is D
“You can use three methods to restore deleted user accounts, computer accounts, and security groups. These objects are known collectively as security principals. In all three methods, you authoritatively restore the deleted objects, and then you restore group membership information for the deleted security principals. When you restore a deleted object, you must restore the former values of the member and memberOf attributes in the affected security principal. The three methods are:
Method 1: Restore the deleted user accounts, and then add the restored users back to their groups by using the Ntdsutil.exe command-line tool (Microsoft Windows Server 2003 with Service Pack 1 [SP1] only)
Method 2: Restore the deleted user accounts, and then add the restored users back to their groups
Method 3: Authoritatively restore the deleted user accounts and the deleted users’ security groups two times”
http://support.microsoft.com/kb/840001
I agree, we should think this is an exam and on some cases the simplest answer is the right one, but not in general. Microsoft doesn’t cheat when they removed, and we need to understand this point very accurately.
Being removed from a group is not equal to deleting a user or a group.
And the question itself talks about restoring group membership.
As far as I know ADRB is not able to do a restore of something that was not recycled (an object should have that property/attribute).
So I would go with Authoritative restore, because in the end it is the only answer.
From these answers, probably D.
But it feels like B/C are incorrect answers (incorrectly copied from the exam).
You could mount an Active Directory snapshot, and quite easily read the group membership from that copy and add all members in the group again.
https://www.simple-talk.com/sysadmin/general/active-directory-snapshots-with-windows-server-2008/
I agree D because you want to restore the membership of group1
ll go with Ä”
https://technet.microsoft.com/en-us/library/cc816878(v=ws.10).aspx
However, depending on the functional level of the forest at the time that any groups to which the user belongs were created (or the forest functional level at the time that the user was added to the group, if they are different), the user’s group memberships might not be restored in the process.
No. How can it be A when the users were not deleted? They were just removed from the group.
If I remove myself from an AD group, my account will not appear in the recycle bin.
In Windows, when you move a picture from your Desktop into a folder, does it appear in your Recycle Bin? No. Why? BECAUSE IT WASN’T DELETED. JUST MOVED.
A 1000% I have just tested in my lab. Here are the test details:
Environment: A group called ALL_HR with 3 users HR1, HR2 and HR3 as members.
Test 1: delete all 3 HR users
– checking the ALL_HR group: members were gone
– restore from ADAC: bingo! all 3 deleted accounts came back and ALL_HR group showing 3 members
Test 2: delete the group ALL_HR
– checking the group was gone
– checking the member of in account — showing domain users ONLY
– restore the group from ADAC: bingo! everything is back to original
So. 100000% ==> A
read the question man
You discover that a support technician accidentally removed 100 users from an Active
Directory group named Group1 an hour ago.
Here is a hint: REMOVED
Still bingo?
No Hassan come to give you the answer!
I mean NOW!!
You’re an idiot bro. No one said anything about DELETING users. just REMOVING USERS.
REMOVE MEANS TO REMOVE FROM THE GROUP.
NOWHERE DOES IT SAY THE USERS WERE DELETED FROM ACTIVE DIRECTORY.
Note how all the attribute data has been preserved, including group memberships – SaraDavis was a member of the Sales VPs group. Ouch, deleting an executive is never good for a career.
https://blogs.technet.microsoft.com/askds/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting/
Now I doubt between A or D.
It says 100 users have been removed from a particular group, and you need to RESTORE the group membership before the accounts were deleted. So why would restoring the 100 users from the recycle bin not restore the group membership?
Seems like given answer is correct?
Because, like so many of the comments above have said, you did NOT delete the accounts — you just REMOVED them FROM THE GROUP. You changed their group membership. Nothing was deleted, therefore nothing is in the recycle bin.
answer is D.
There is a similar question which states that someone deletes a group containing 100 users, and then the answer is using Active Directory Recycle Bin, but this is not the case here…
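
The distinction the comments argue over, deleted objects versus members removed from a group, can be checked directly in the directory; the following PowerShell is an added example, not part of the original question or any commenter's post. It assumes the ActiveDirectory module, the group name Group1 from the question, and a two-hour look-back window chosen for illustration.

```powershell
# Added example, not from the original thread. 'Group1' is the group named in
# the question; the two-hour look-back window is an assumption.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-2)
$pdc   = (Get-ADDomain).PDCEmulator
$group = Get-ADGroup -Identity 'Group1' -Server $pdc

# Case 1: objects that were deleted. These are what the Recycle Bin holds and
# what Restore-ADObject can bring back with their link values intact.
$deleted = Get-ADObject -Server $pdc -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true' -Properties whenChanged, lastKnownParent |
    Where-Object { $_.ObjectClass -in 'user', 'group' -and $_.whenChanged -ge $since }

# Case 2: members removed from the group. Nothing is deleted, so nothing shows
# up in case 1. With linked-value replication each removed 'member' value is
# kept as an absent link, and its replication metadata records when it was
# removed and on which domain controller the change originated.
$removed = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
    -Server $pdc -ShowAllLinkedValues -Properties member |
    Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingDeleteTime -ge $since }

"Deleted users/groups since ${since}: $(@($deleted).Count)"
"Member links removed from Group1 since ${since}: $(@($removed).Count)"

# Who was removed, when, and where the change originated.
$removed | Sort-Object LastOriginatingDeleteTime |
    Select-Object AttributeValue, LastOriginatingDeleteTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

Values still present in the group carry a LastOriginatingDeleteTime of 1601-01-01, so the time filter drops them and only removed members remain in the report.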