Windows 2008 R2 recycle bin - how to recover AD objects using Powershell

In my last post on this, I completed the LDP method, but was unable to get the Powershell recovery of a user object to work.

I was unable to use Get-ADObject to return any data for me.

I finally had some more time to work on this, and since then, I have found more people blogging on this and some are hitting similar issues.

Chad sent me this, some additional information and confusion on the Get-ADObject CMDlet and confusion with another third party extension using this as well.
http://iwasblogging.blogspot.com/2009/01/get-adobject-cmdlet-confusion-intro.html
http://iwasblogging.blogspot.com/2009/01/get-adobject-cmdlet-confusion-continued.html

So I began googling about Get-ADObject and found this article my Niraj Kumar:
http://blogs.technet.com/niraj_kumar/archive/2009/02/03/new-feature-active-directory-recycle-bin-in-windows-2008-r2.aspx - he had his Get-ADObject working, but this helped me find my missing link when I saw he used the ldapfilter!

He was using -ldapFilter "(objectClass=*)" and I hadn't tried that. As it turns out, if you do NOT use the -filter or the -ldapfilter, you will NOT get results. Examples:

So that being discovered, I can now go about restoring my user! I create a new user named "Another Test" and immediately deleted him. Then I ran one of the above commands, and found my user.

Now, obviously, in a production AD, you are NEVER going to filter for * and pipe it all to Restore-ADObject like this, you are going to want a single item in most cases. So by using the filters, and piping to fl using:

Get-Adobject -SearchBase "CN=Deleted Objects,DC=2008beta,DC=com" -IncludeDeletedObjects -ldapFilter "(objectClass=user)" fl

I am returned with:

Now, I can take my idea from Niraj's blog and use this single GUID to restore the object:

I can now F5 my ADUC and see my test user in all it's glory!