You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In some environments where the Active Directory Recycle Bin is enabled, it is reported as disabled in the CSV and Excel reports when using the LDAP method from a Stand Alone workstation. There are two primary possible reasons why this occurs:
For the LDAP method from a standalone workstation, some AD environments have been observed returning the "msDS-EnabledFeatureBL" property in all lower case. While powershell is mostly case indifferent, it appears that this Active Directory property is case sensitive.
For environments where the property is returned in all lower case "msds-enabledfeaturebl" (see example below on a manual step through of the ADRecon script)
the check "$ADRecycleBin.Properties.'msDS-EnabledFeatureBL'.Count -gt 0" fails (even when Recycle Bin is enabled) and the report shows the Recycle Bin Feature as disabled. This is all despite the script enumerating the $ADRecycleBin variable correctly on a manual step through; the output of the variable shows the Recycle Bin Feature option is enabled and the proper applied scope when the affected property is called using all lower case, I am not certain that this property is always returned in lower case - but have found two different AD environments where it is.
The text was updated successfully, but these errors were encountered:
In some environments where the Active Directory Recycle Bin is enabled, it is reported as disabled in the CSV and Excel reports when using the LDAP method from a Stand Alone workstation. There are two primary possible reasons why this occurs:
AD Recycle Bin is available via Server 2008 R2 and later forest levels (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-). According to the scripts own FLAD variable, the forest functional level integer value for 2008R2 is 4, but in both the ADWS and LDAP Recycle Bin Feature Status Enumeration code, there is a check to see if Forest Mode is 6 or greater (Windows 2012R2 or later) before it will even enumerate the feature. This should be 4 to include Windows Server 2008R2 and later - correct?
For the LDAP method from a standalone workstation, some AD environments have been observed returning the "msDS-EnabledFeatureBL" property in all lower case. While powershell is mostly case indifferent, it appears that this Active Directory property is case sensitive.
For environments where the property is returned in all lower case "msds-enabledfeaturebl" (see example below on a manual step through of the ADRecon script)
the check "$ADRecycleBin.Properties.'msDS-EnabledFeatureBL'.Count -gt 0" fails (even when Recycle Bin is enabled) and the report shows the Recycle Bin Feature as disabled. This is all despite the script enumerating the $ADRecycleBin variable correctly on a manual step through; the output of the variable shows the Recycle Bin Feature option is enabled and the proper applied scope when the affected property is called using all lower case, I am not certain that this property is always returned in lower case - but have found two different AD environments where it is.
The text was updated successfully, but these errors were encountered: