Hi folks, this is another very frequent issue when trying to restore a deleted user or computer object from the Active Directory Recycle Bin. Sometimes the restoration of the deleted object fails with the error "The Operation failed because UPN/SPN value provided for addition/modification is not unique forest-wide", whether you try it from PowerShell or from the Active Directory Administrative Center.
(Screenshots in the original post: the PowerShell error, and the same error in the Active Directory Administrative Center GUI.)
This happens because the User Principal Name (UPN) or Service Principal Name (SPN) of the object you are trying to restore from the Recycle Bin is already held by another object in the forest. The error message says clearly whether the duplicate is the UPN or the SPN.
First, find the last known name (msDS-LastKnownRDN) of the deleted object by running: Get-ADObject -Filter 'samaccountname -eq "username"' -IncludeDeletedObjects -Properties msDS-LastKnownRDN
Once you have the msDS-LastKnownRDN, use the command below to find the UPN or SPN of the deleted object: Get-ADObject -LdapFilter "(msDS-LastKnownRDN=<lastknownname>)" -IncludeDeletedObjects -SearchBase "DC=domain,DC=com" -SearchScope Subtree -Properties userPrincipalName,servicePrincipalName, where <lastknownname> is the value found with the earlier command.
Find all users or other AD objects (deleted ones included) with a specific user principal name or service principal name with: Get-ADObject -LdapFilter "(userPrincipalName=firstname.lastname@example.org)" -IncludeDeletedObjects -SearchBase "DC=domain,DC=com" -SearchScope Subtree (for an SPN use the filter "(servicePrincipalName=<spn>)" instead).
Use setspn to find which accounts already hold a service principal name: setspn -Q host/computername.domain.com (setspn -X lists every duplicated SPN in the forest).
Change the conflicting UPN or SPN on the live duplicate object, then restore the deleted object again with: Get-ADObject -Filter 'samaccountname -eq "username"' -IncludeDeletedObjects | Restore-ADObject
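The whole procedure above in one script, as an added example written for this post (it is not the author's own script). It finds the deleted object, queries a Global Catalog for live objects that already hold the same UPN or SPN (uniqueness is enforced forest-wide, so a domain-only search can miss the duplicate), and only restores when nothing conflicts. It assumes the RSAT ActiveDirectory module and an account allowed to read Deleted Objects and restore; the values 'jdoe' and 'DC=domain,DC=com' and the function names are placeholders chosen here.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module and rights to read Deleted Objects and to restore from the Recycle Bin.
# 'jdoe' and 'DC=domain,DC=com' are placeholder values; replace them with your own.
Import-Module ActiveDirectory

# Step 1: locate the deleted object by sAMAccountName. Recycled objects are hidden
# unless -IncludeDeletedObjects is given; isDeleted=TRUE keeps a live object that
# happens to share the name out of the result.
function Get-DeletedADObjectBySam {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$SearchBase)
    Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
        -IncludeDeletedObjects -SearchBase $SearchBase -SearchScope Subtree `
        -Properties 'msDS-LastKnownRDN','lastKnownParent','userPrincipalName','servicePrincipalName'
}

# Step 2: find live objects that already hold the same UPN or any of the same SPNs.
# Both must be unique across the forest, so ask a Global Catalog (port 3268) with
# the empty DN as search base, which makes the GC search every domain partition.
# Assumes the UPN/SPN values contain no LDAP filter metacharacters ( * ( ) \ ).
function Find-UpnSpnConflict {
    param([Parameter(Mandatory)]$DeletedObject)
    $gc     = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $server = "${gc}:3268"
    $found  = @()
    if ($DeletedObject.userPrincipalName) {
        $found += Get-ADObject -Server $server -SearchBase '' -SearchScope Subtree `
            -LDAPFilter "(userPrincipalName=$($DeletedObject.userPrincipalName))" `
            -Properties userPrincipalName |
            ForEach-Object { [pscustomobject]@{
                Attribute = 'userPrincipalName'; Value = $_.userPrincipalName; Holder = $_.DistinguishedName } }
    }
    foreach ($spn in $DeletedObject.servicePrincipalName) {
        $found += Get-ADObject -Server $server -SearchBase '' -SearchScope Subtree `
            -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
            ForEach-Object { [pscustomobject]@{
                Attribute = 'servicePrincipalName'; Value = $spn; Holder = $_.DistinguishedName } }
    }
    $found
}

# Remediation for an SPN conflict: remove the SPN from the live holder. Supports
# -WhatIf/-Confirm so the change can be previewed before it is made. A UPN conflict
# is fixed the same way on the live object with Set-ADUser -UserPrincipalName.
function Remove-ConflictingSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HolderDN,
          [Parameter(Mandatory)][string]$Spn)
    if ($PSCmdlet.ShouldProcess($HolderDN, "Remove SPN '$Spn'")) {
        Set-ADObject -Identity $HolderDN -Remove @{ servicePrincipalName = $Spn }
    }
}

# Step 3: restore only when no live object holds the UPN/SPN; otherwise list the
# holders and stop, so the admin decides which object gives up the value.
function Restore-DeletedADObjectChecked {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$SearchBase)
    $deleted = Get-DeletedADObjectBySam -SamAccountName $SamAccountName -SearchBase $SearchBase
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName' found." }
    Write-Host "Deleted object: $($deleted.'msDS-LastKnownRDN') (last parent: $($deleted.lastKnownParent))"

    $conflicts = @(Find-UpnSpnConflict -DeletedObject $deleted)
    if ($conflicts.Count -gt 0) {
        $conflicts | Format-Table -AutoSize | Out-String | Write-Host
        throw "Restore would fail: $($conflicts.Count) live object(s) hold the same UPN/SPN. Fix them first."
    }
    Restore-ADObject -Identity $deleted.ObjectGUID
}

# Usage (placeholder values):
Restore-DeletedADObjectChecked -SamAccountName 'jdoe' -SearchBase 'DC=domain,DC=com'
# To release a reported SPN from its live holder, preview first:
#   Remove-ConflictingSpn -HolderDN 'CN=oldhost,CN=Computers,DC=domain,DC=com' -Spn 'host/computername.domain.com' -WhatIf
```

The script deliberately refuses to restore while a conflict exists instead of silently rewriting the live object's attributes: the live duplicate may be the account or host that is actually in use, and the right fix (rename its UPN, remove its SPN, or not restore at all) is a decision, not something to automate blindly.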
Note: Windows Server 2012 does not have the Recycle Bin enabled by default either, just like the older Windows versions. You can enable it with the PowerShell cmdlet Enable-ADOptionalFeature:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'DC01.domain.com'
or from the Active Directory Administrative Center: select the domain and under Tasks click "Enable Recycle Bin", or just right-click the domain and choose that option. See http://windowsitpro.com/active-directory/windows-server-2012-active-directory-recycle-bin for more details on enabling the Recycle Bin.