Enable Recycle Bin & Get ready for GMSA

Before we get too deep into configuring our nice domain service, we will enable a useful feature: the Recycle Bin. This allows us to quickly and easily restore an object we accidentally delete. Enabling the Recycle Bin just requires a forest functional level of 2008 R2 or higher. We provisioned full 2016, so let’s enable it. Note that once the Recycle Bin is enabled, it cannot be disabled.
It’s enabled using the following PowerShell command:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<<domain>>,DC=<<suffix>>' -Scope ForestOrConfigurationSet -Target '<<forest name>>'
After being prompted and pressing Y, you can validate it’s enabled by using:
Get-ADOptionalFeature -Filter *
This will return the optional features for your forest. You should see the Recycle Bin listed here, and its EnabledScopes property is populated once the feature is enabled.

Group Managed Service Accounts

As we go through provisioning additional services, we will be making use of Group Managed Service Accounts. They offer great security advantages, as they use a managed password and only computers within a specific security group can use the passwords. More information can be found on Group Managed Service Accounts here. To make our domain ready for using these accounts, we will use the following PowerShell command:
Add-KdsRootKey -EffectiveImmediately
This will take up to 10 hours to be available to use. The wait gives the key time to replicate to every domain controller. If you don’t want to wait, you can use the following variation to make it effective immediately. Backdating the key like this is best kept to a lab or a single domain controller environment, where there is nothing to replicate to:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
That’s it. Our domain now has the Recycle Bin enabled, so we can quickly and easily restore objects if we accidentally fat-finger a deletion, and we can start using Group Managed Service Accounts to ensure services are running as securely as possible.
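
To confirm both changes took effect, a read-only check like the one below can be run on a domain controller. It is an added example, not part of the original post: Get-DirectoryReadiness is a hypothetical helper name, and the 10-hour window is the figure quoted above.

```powershell
# Added example: read-only readiness check. It changes nothing in the directory.
# Get-DirectoryReadiness is a hypothetical helper name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Get-DirectoryReadiness {
    $now    = Get-Date
    $forest = Get-ADForest

    # The Recycle Bin needs a forest functional level of 2008 R2 or higher.
    # The string is converted to the ForestMode enum for the comparison.
    $levelOk = $forest.ForestMode -ge 'Windows2008R2Forest'

    # EnabledScopes stays empty until the feature has actually been enabled.
    $bin        = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $binEnabled = [bool]($bin -and $bin.EnabledScopes.Count -gt 0)

    # A KDS root key counts as usable once 10 hours have passed since its
    # EffectiveTime (assumption: the 10-hour figure from the post).
    $keys   = @(Get-KdsRootKey)
    $usable = @($keys | Where-Object { $_.EffectiveTime.AddHours(10) -le $now })

    # If keys exist but none is usable yet, report when the first one will be.
    $readyAt = $null
    if ($keys.Count -gt 0 -and $usable.Count -eq 0) {
        $readyAt = ($keys | Sort-Object EffectiveTime |
                    Select-Object -First 1).EffectiveTime.AddHours(10)
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        ForestLevelOk     = $levelOk
        RecycleBinEnabled = $binEnabled
        KdsRootKeys       = $keys.Count
        GmsaReady         = $usable.Count -gt 0
        GmsaReadyAt       = $readyAt
    }
}

Get-DirectoryReadiness | Format-List
```

If GmsaReady is False and GmsaReadyAt shows a time, the root key exists but the replication window has not yet passed.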
