I had a requirement to track down Group Policy Objects (GPOs) that had been deleted. Whether it's for audit purposes, recovery needs, or simply understanding what changed in your environment, having visibility into deleted GPOs is crucial.
The Challenge
When GPOs are deleted in Active Directory, they don't immediately disappear forever. Instead, they're moved to the AD Recycle Bin (if enabled), where they remain for the tombstone lifetime period (typically 180 days). However, finding these deleted objects isn't straightforward through the GUI, and that's where PowerShell becomes invaluable.
Prerequisites
Before diving into the solution, ensure you have:
- Active Directory Recycle Bin enabled (this feature must be explicitly enabled as it's off by default)
- The Active Directory PowerShell module installed
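Before running the search it is worth confirming both prerequisites from a console rather than assuming them. The following is an added example (not part of the original post) that checks the module loads, reads whether the Recycle Bin optional feature is enabled, and reports the retention window; the only assumption is that you run it as a domain user with read access to the configuration partition.

```powershell
# Added example: verify the prerequisites and the deleted-object retention window.
Import-Module ActiveDirectory -ErrorAction Stop   # stops clearly if the RSAT module is missing

$rootDse = Get-ADRootDSE

# The Recycle Bin is a forest-wide optional feature; it is "on" only when EnabledScopes is non-empty.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning "AD Recycle Bin is NOT enabled; deleted GPOs survive only as stripped tombstones."
} else {
    Write-Host "AD Recycle Bin enabled for: $($recycleBin.EnabledScopes -join ', ')"
}

# Retention: msDS-DeletedObjectLifetime applies to Recycle Bin objects; when it is unset the
# directory falls back to tombstoneLifetime (180 days on most forests, 60 on very old ones).
$dsConfigDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsConfig   = Get-ADObject -Identity $dsConfigDn -Properties tombstoneLifetime, msDS-DeletedObjectLifetime

$retentionDays = if ($dsConfig.'msDS-DeletedObjectLifetime') {
    $dsConfig.'msDS-DeletedObjectLifetime'
} elseif ($dsConfig.tombstoneLifetime) {
    $dsConfig.tombstoneLifetime
} else {
    60   # neither attribute set: the directory's built-in default
}
Write-Host "Deleted objects remain recoverable for about $retentionDays days after deletion."
```

If the warning about the Recycle Bin fires, the search in the next section will still return objects, but most of their attributes (including displayName and gPCFileSysPath) will have been stripped, so the output will be far less useful.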
The Solution
After some trial and error with property names (tip: not all documented properties work in every environment!), I developed this PowerShell script that reliably retrieves deleted GPO information:
# Get deleted GPOs with correct property names
$deletedGPOs = Get-ADObject -Filter {objectClass -eq "groupPolicyContainer" -and IsDeleted -eq $true} `
    -IncludeDeletedObjects `
    -Properties displayName, gPCFileSysPath, whenCreated, whenChanged, lastKnownParent, msDS-LastKnownRDN

# Display the results
$deletedGPOs | Select-Object @{Name="GPO Name"; Expression={$_.displayName}},
    @{Name="Distinguished Name"; Expression={$_.DistinguishedName}},
    @{Name="File System Path"; Expression={$_.gPCFileSysPath}},
    @{Name="Created"; Expression={$_.whenCreated}},
    @{Name="Last Modified"; Expression={$_.whenChanged}},
    @{Name="Last Known RDN"; Expression={$_."msDS-LastKnownRDN"}},
    @{Name="Last Parent"; Expression={$_.lastKnownParent}} |
    Format-Table -AutoSize
What This Script Does
The script performs two main tasks:
- Searches for deleted GPOs: it queries Active Directory for all objects with the class "groupPolicyContainer" that have been deleted
- Formats the output: it presents the information in a clean, readable table showing:
  - GPO Name
  - Distinguished Name (needed for restoration)
  - File System Path (SYSVOL location)
  - Creation and modification dates
  - Last known location in AD
Sample output:
GPO Name Distinguished Name File System Path Created Last Modified Last Known RDN
-------- ------------------ ---------------- ------- ------------- --------------
SEC-Workstation-BitLocker-Enforcement CN={A4B7C291-5432-4B89-A123-BC789DEF0123}\0ADEL:a12345,CN=Deleted Objects... \\bear.local\sysvol\bear.local\Policies\{A4B7C291-5432...} 10/15/2022 09:30:15 11/28/2024 14:22:31 CN={A4B7C291-5432-4B89-A123-BC789DEF0123}
APP-Office365-ProPlus-Deployment CN={B5C8D302-6543-4C90-B234-CD890EFG1234}\0ADEL:b23456,CN=Deleted Objects... \\bear.local\sysvol\bear.local\Policies\{B5C8D302-6543...} 03/22/2023 11:15:22 11/25/2024 09:45:12 CN={B5C8D302-6543-4C90-B234-CD890EFG1234}
NET-VPN-AlwaysOn-Configuration CN={C6D9E413-7654-4DA1-C345-DE901FGH2345}\0ADEL:c34567,CN=Deleted Objects... \\bear.local\sysvol\bear.local\Policies\{C6D9E413-7654...} 05/10/2023 08:45:30 11/20/2024 16:30:45 CN={C6D9E413-7654-4DA1-C345-DE901FGH2345}
USR-Executive-PowerUser-Settings CN={D7E0F524-8765-4EB2-D456-EF012GHI3456}\0ADEL:d45678,CN=Deleted Objects... \\bear.local\sysvol\bear.local\Policies\{D7E0F524-8765...} 07/18/2021 13:20:18 11/15/2024 10:15:20 CN={D7E0F524-8765-4EB2-D456-EF012GHI3456}
SEC-Server-CIS-Level2-Hardening CN={E8F1G635-9876-4FC3-E567-FG123HIJ4567}\0ADEL:e56789,CN=Deleted Objects... \\bear.local\sysvol\bear.local\Policies\{E8F1G635-9876...} 09/01/2023 07:00:00 11/10/2024 22:45:00 CN={E8F1G635-9876-4FC3-E567-FG123HIJ4567}
Insights
Through this process, I learned several important points:
- The -IncludeDeletedObjects parameter is essential for accessing the Recycle Bin
- Not all property names work as expected (avoid "deletedTimeStamp", which throws errors)
- The Distinguished Name contains the GPO's GUID, which is crucial for restoration
- While AD objects can be restored, the actual GPO files in SYSVOL need separate backup/restore procedures
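The last two points are easiest to see in a restore walkthrough. The following is an added example, not code from the original post: it restores one deleted GPO container by the GUID in its Last Known RDN, restores the child objects that were deleted with it, and then checks whether the SYSVOL folder is still there. The GUID is a placeholder taken from the sample table above and must be replaced with the one you actually want back; the script assumes the Recycle Bin is enabled and that you hold rights to restore objects under CN=Policies,CN=System.

```powershell
# Added example: restore a deleted GPO container (and its children) from the AD Recycle Bin,
# then verify the SYSVOL side, which Restore-ADObject does not touch.
Import-Module ActiveDirectory -ErrorAction Stop

$gpoGuid = '{A4B7C291-5432-4B89-A123-BC789DEF0123}'   # placeholder: GPO GUID from the "Last Known RDN" column

# 1. Find the deleted container. The GUID is the CN before the "\0ADEL:" marker in the DN,
#    which is exactly what msDS-LastKnownRDN preserves ("CN={GUID}").
$deleted = Get-ADObject -Filter {objectClass -eq "groupPolicyContainer" -and IsDeleted -eq $true} `
    -IncludeDeletedObjects -Properties displayName, lastKnownParent, msDS-LastKnownRDN, gPCFileSysPath |
    Where-Object { $_.'msDS-LastKnownRDN' -eq "CN=$gpoGuid" }

if (-not $deleted) { throw "No deleted GPO container found for $gpoGuid" }
Write-Host "Restoring '$($deleted.displayName)' to $($deleted.lastKnownParent)"

# 2. Restore the parent first. Restore-ADObject places it back under lastKnownParent.
Restore-ADObject -Identity $deleted.ObjectGUID
$restored = Get-ADObject -Identity $deleted.ObjectGUID

# 3. A GPO container has Machine and User child objects that were deleted with it. Their
#    lastKnownParent records the container's original DN, so restore everything that points at it.
Get-ADObject -Filter { IsDeleted -eq $true -and lastKnownParent -eq $restored.DistinguishedName } `
    -IncludeDeletedObjects |
    ForEach-Object {
        Write-Host "  restoring child $($_.ObjectGUID)"
        Restore-ADObject -Identity $_.ObjectGUID
    }

# 4. The AD side is back, but the policy files live in SYSVOL and are not part of the Recycle Bin.
if ($deleted.gPCFileSysPath -and (Test-Path -LiteralPath $deleted.gPCFileSysPath)) {
    Write-Host "SYSVOL folder still present: $($deleted.gPCFileSysPath)"
} else {
    Write-Warning "SYSVOL folder is missing. Restore it from a GPO backup (Restore-GPO / Import-GPO) or a file-level backup; without it the GPO has no settings."
}
```

Run it once with -WhatIf on both Restore-ADObject calls before doing it for real, and restore the children only after the parent succeeds: Restore-ADObject will refuse to place a child under a parent that is still in the Deleted Objects container.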