Error while restoring deleted AD object from Recycle Bin :: Duplicate UPN or SPN


Hi folks, this is another very frequent issue when trying to restore a deleted user or computer object from the Active Directory Recycle Bin. Sometimes the restore of the deleted object fails with the error "The Operation failed because UPN/SPN value provided for addition/modification is not unique forest-wide", whether you try it from PowerShell or from Active Directory Administrative Center.

PowerShell error (screenshot):

The same error in the GUI, from Active Directory Administrative Center (screenshot):

This happens because another object in the forest holds the same User Principal Name (UPN) or Service Principal Name (SPN) as the object we are trying to restore from the Recycle Bin. The error message states clearly whether the conflict is on the UPN or on the SPN.

First, find the last known name (msDS-LastKnownRDN) of the deleted object by running "Get-ADObject -Filter 'samaccountname -eq "username"' -IncludeDeletedObjects".


Once you have the msDS-LastKnownRDN, the following command shows the UPN and SPN of the deleted object: "Get-ADObject -LdapFilter "(msDS-LastKnownRDN=<lastknownname>)" -IncludeDeletedObjects -SearchBase "DC=domain,DC=com" -SearchScope Subtree -Properties userPrincipalName,servicePrincipalName", where <lastknownname> is the value found with the earlier command.


Next, find all users or AD objects that hold that specific user principal name or service principal name: 'Get-ADObject -LdapFilter "(userPrincipalName=<upn>)" -IncludeDeletedObjects -SearchBase "DC=domain,DC=com" -SearchScope Subtree', where <upn> is the UPN returned by the previous command (for example user@domain.com).

Use setspn to find duplicate ServicePrincipalName entries: "setspn -q host/computername.domain.com" shows which object currently holds that SPN, and "setspn -X" lists every duplicate SPN in the forest.


Change (or remove) the conflicting attribute on the live duplicate object, then restore the AD object again using "Get-ADObject -Filter 'samaccountname -eq "username"' -IncludeDeletedObjects | Restore-ADObject".

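Putting the steps above together, as an added example (not code from the original post): a PowerShell script that finds the tombstone, checks every live object in the domain for the same UPN or SPNs, and only runs Restore-ADObject when nothing conflicts. The $SamAccountName and $DomainDN parameters, the function name and the domain name are placeholders; in a multi-domain forest point it at a global catalog (port 3268), since uniqueness is enforced forest-wide.

```powershell
# Added example, not from the original post: check a deleted AD object for
# UPN/SPN conflicts before restoring it, and only restore when none are found.
# Assumes the ActiveDirectory module; $SamAccountName and $DomainDN are
# placeholders supplied by the caller. Run against a GC (port 3268) in a
# multi-domain forest, since UPN/SPN uniqueness is enforced forest-wide.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$DomainDN = 'DC=domain,DC=com',   # placeholder domain
    [switch]$Restore                           # actually restore if no conflicts
)
Import-Module ActiveDirectory

# Escape LDAP filter metacharacters so an odd UPN/SPN cannot break the query.
function ConvertTo-LdapSafe([string]$v) {
    $v -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Find the tombstone; isDeleted=TRUE skips a live object re-created with the same name.
$deleted = Get-ADObject -IncludeDeletedObjects -SearchBase $DomainDN -SearchScope Subtree `
    -LdapFilter "(&(sAMAccountName=$(ConvertTo-LdapSafe $SamAccountName))(isDeleted=TRUE))" `
    -Properties msDS-LastKnownRDN, userPrincipalName, servicePrincipalName
if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
if (@($deleted).Count -gt 1) { throw "Several tombstones match; refine by msDS-LastKnownRDN or ObjectGUID." }
$name = $deleted.'msDS-LastKnownRDN'

# Collect every live object that already holds the deleted object's UPN or any of its SPNs.
$conflicts = @()
$checks = @()
if ($deleted.userPrincipalName) { $checks += @{ Attr = 'userPrincipalName'; Value = $deleted.userPrincipalName } }
foreach ($spn in @($deleted.servicePrincipalName | Where-Object { $_ })) {
    $checks += @{ Attr = 'servicePrincipalName'; Value = $spn }
}
foreach ($c in $checks) {
    # Live objects only: without -IncludeDeletedObjects the tombstone itself is not returned.
    $holders = Get-ADObject -SearchBase $DomainDN -SearchScope Subtree `
        -LdapFilter "($($c.Attr)=$(ConvertTo-LdapSafe $c.Value))"
    foreach ($h in $holders) {
        $conflicts += [pscustomobject]@{ Attribute = $c.Attr; Value = $c.Value; Holder = $h.DistinguishedName }
    }
}

if ($conflicts) {
    Write-Warning "Restoring '$name' would fail; fix these duplicates on the live objects first:"
    return $conflicts
}
Write-Output "No UPN/SPN conflicts for '$name'."
if ($Restore) { $deleted | Restore-ADObject -Verbose }
```

The script never edits the live duplicate itself; it reports the holder's DN so the administrator can decide which object should keep the value before re-running with -Restore.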

Note: as with older Windows versions, the Recycle Bin is not enabled by default on Windows Server 2012. You can enable it with the PowerShell cmdlet Enable-ADOptionalFeature:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'DC01.domain.com'

or from Active Directory Administrative Center: select the domain and click Tasks, where you will see "Enable Recycle Bin", or just right-click the domain and choose that option. For more about enabling the Recycle Bin, see http://windowsitpro.com/active-directory/windows-server-2012-active-directory-recycle-bin.
