Proposal: Restore users and groups from Recycle Bin if possible #211

Closed
nyanhp opened this issue Jun 28, 2018 · 5 comments
Labels
enhancement The issue is an enhancement request.

Comments

@nyanhp
Contributor

nyanhp commented Jun 28, 2018

Hi!

I would like to add some functionality so that users and groups that have been removed are restored from the Active Directory recycle bin, if it is available. My customers have the case that it is possible that someone deletes users and groups accidentally, which DSC easily corrects - however, since new objects are created instead of deleted ones recovered, there are all kinds of issues.

Implementing that would add a lot of value, as the SID remains the same and no orphaned ACEs and other issues would occur.

If this makes sense and I am not the only one who wants this, I would be happy to implement it.

@johlju
Member

johlju commented Jun 29, 2018

Would this be an optional property on an existing resource(s) so that it first checks if the account to be created is present in the recycle bin, and if it is, then it is restored from the recycle bin?

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Jun 29, 2018
@nyanhp
Contributor Author

nyanhp commented Jun 30, 2018

Sure, that might be a good idea. Sounds good! I'll get started then :)

@johlju
Member

johlju commented Jul 3, 2018

Sounds great, looking forward to the PR. Labeling this as in progress.

@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Jul 3, 2018
@nyanhp
Contributor Author

nyanhp commented Jul 16, 2018

Hi @johlju, will take a bit more time I think. One conceptual question: When restoring, there is currently one error that can theoretically occur, while the other errors that could happen during a restore are already being checked.

The issue is that the parent container of an object could have been deleted as well. In this case the restore fails of course. Since we certainly don't want to simply restore the OU as well I am currently thinking of returning from the Set-TargetResource function entirely as we do not want to create the object even though it could be restored.

So in my opinion the options are:

  • Restore the parent OU, if any
    • Do not like this approach, since it does more than the resource should do
  • Instead of restoring, recreate the object
    • Do not like this approach either, as it will not address the issues that I am trying to fix by using the recycle bin
  • Fail the Set-TargetResource method
    • Does this have further ramifications? I think not, apart from the system never reaching the desired state

My issue with all approaches is: I could not find a way of finding out what the error was apart from reading the exception message. The exception type is always the same generic ADException, only the text differs. I don't want to parse text that may or may not be translated to another language.
What do you think?

@johlju
Member

johlju commented Jul 18, 2018

Since this functionality is added as a new optional property that determines if the account should always be tried to be restored from the recycle bin, I think it is correct to throw the exception that is returned by the restore command, or another appropriate error message, so the user knows what happened.
If the user has opted in to restore the object from the Recycle Bin if it exists there, before creating a new object, we should always throw when that fails.
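
The flow agreed on in this thread (look in the Recycle Bin first, restore if found, throw if the restore fails, create a new object only when nothing was found), as an added sketch that is not the project's own code. The function name `Restore-OrNewAdUser` and the `-RestoreFromRecycleBin` switch are hypothetical; the sketch assumes the ActiveDirectory module and an enabled AD Recycle Bin.

```powershell
#Requires -Modules ActiveDirectory

function Restore-OrNewAdUser {    # hypothetical helper, not the DSC resource itself
    [CmdletBinding()]
    param (
        # Restricting the character set keeps the value safe to embed in an LDAP filter.
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-]+$')]
        [string] $UserName,

        [Parameter(Mandatory)]
        [string] $Path,                       # DN of the OU used when creating

        [switch] $RestoreFromRecycleBin       # hypothetical opt-in property
    )

    if ($RestoreFromRecycleBin) {
        # Deleted objects are only returned with -IncludeDeletedObjects.
        # If the name was deleted more than once, take the most recent tombstone.
        $deleted = Get-ADObject -LDAPFilter "(&(sAMAccountName=$UserName)(isDeleted=TRUE))" `
                -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
            Sort-Object -Property whenChanged -Descending |
            Select-Object -First 1

        if ($deleted) {
            try {
                # Restores into the last known parent, keeping the original SID.
                # Fails when that parent container was deleted as well.
                $deleted | Restore-ADObject -ErrorAction Stop
                return
            }
            catch {
                # Opt-in restore failed: surface the error, never fall through
                # to New-ADUser, which would create an object with a new SID.
                $parent = $deleted.lastKnownParent
                throw "Restore of '$UserName' (last known parent: $parent) failed: $($_.Exception.Message)"
            }
        }
    }

    # Nothing in the Recycle Bin (or the caller did not opt in): create a new object.
    New-ADUser -Name $UserName -SamAccountName $UserName -Path $Path
}
```

The error is rethrown with the original message attached rather than interpreted, so the code does not depend on the wording or language of the exception text.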

@johlju johlju removed the in progress The issue is being actively worked on by someone. label Aug 13, 2018