Thursday, April 23, 2009

Using the Active Directory Recycle Bin in Windows 2008 R2: Part 2


To view the Deleted Objects container you will need to use ldp.exe

1. In the Options menu click Controls

2. In the Load predefined menu select Return deleted objects and click OK

3. Under Connections choose Connect and then Bind

4. Under View choose Tree and enter your domain

5. You should now find the container in the displayed tree.


You can use ldp to restore items but I find it easier to use PowerShell

Basically, to restore the user “Dave” use the following command:

Get-ADObject -Filter {displayName -eq "Dave"} -IncludeDeletedObjects | restore-ADObject


….wait a short while and the user should pop up again.


For more details see here

Wednesday, April 22, 2009

Using the Active Directory Recycle Bin in Windows 2008 R2: Part 1

The new recycle bin option in Windows 2008 R2 is a godsend for any admin who might accidentally delete an AD object by mistake. For some strange reason it’s not turned on by default and there are a number of steps needed to get it going.

Technet details most of it quite well but I thought I would create a quick and dirty guide for those of you just want to skip to the “good parts” ;)

1. Start a PowerShell console and type “import-module ActiveDirectory”

2. Raise the forest functional level to W2008R2 using PowerShell:

Set-ADForestMode –Identity -ForestMode Windows2008R2Forest

3. Enable the Recycling Bin using:

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=domain,DC=com’ –Scope Forest –Target ‘’

….that was the easy part.

In Part 2 I will explain how to actually view the deleted objects and restore them.

Wednesday, April 1, 2009

Forefront “Exceedingly compressed size” error

When uploading a compressed file to SharePoint or sending it via email (Exchange), users were getting the error “Exceedingly compressed size”.

It seems that Forefront will block any compressed file that has a file larger than 20MB. Unfortunately, this setting can only be changed in the registry. I found the following newsgroup entry on the subject:

The Exceedingly compressed size can be controlled by a registry key called MaxCompressedArchivedFileSize.
If any one object within the zip file has a COMPRESSED size of over the MaxCompressedArchivedFileSize (which is a default of approx
20MB) then Forefront will delete this file. The reason this was done was to prevent a denial of service attack where Antigen would be scanning an infinitely large file. The incident that you will see for this would be an "Exceedingly compressed size virus”.
If this is the reason why a message is getting caught you can do the following:

  • In the registry go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint or (Exchange) Server
  • Add a DWORD Key of:  MaxCompressedArchivedFileSize (equaling 40,000,000)
  • Restart FSCController service

This is about 40 MB. This will allow the zip file itself to be about 40 MB before Forefront will take action on it.