How to use the new Active Directory Recycle Bin feature


Windows Server 2008 R2 introduces a new feature called Active Directory Recycle Bin. It makes it possible to restore deleted objects in Active Directory without restoring from backup.
Unlike the older tombstone reanimation, a Recycle Bin restore preserves all of the object's attributes (group membership, sn, dn, and so on), so the object comes back exactly as it was.

Active Directory Recycle Bin is disabled by default, even in newly created Windows Server 2008 R2 forests. As a prerequisite, the forest functional level must be raised to Windows Server 2008 R2, which in turn requires that every domain controller in the forest runs Windows Server 2008 R2.
When all domain controllers are running Windows Server 2008 R2, this can be accomplished by using the Active Directory module in PowerShell:
Set-ADForestMode -Identity domain.local -ForestMode Windows2008R2Forest

You may also use ldp.exe or the GUI tool “Active Directory Domains and Trusts”.

You can use Get-ADOptionalFeature to check whether the Recycle Bin Feature is enabled (look at the EnabledScopes property: it is empty until the feature has been enabled).

Before enabling the feature:

[screenshot]

After enabling the feature:

[screenshot]


When the prerequisites are met, the Active Directory Recycle Bin feature can be enabled with Enable-ADOptionalFeature. Be aware that this is a one-way operation: once the feature has been enabled it cannot be disabled again.
Either using the Active Directory module in PowerShell:

[screenshot]

Or by using ldp.exe.

When the feature is enabled, it is a good idea to perform some testing. By default all deleted objects are placed in the Deleted Objects container, where they stay restorable for the deleted object lifetime (msDS-DeletedObjectLifetime, which falls back to the tombstone lifetime when not set: 180 days in forests created on Windows Server 2003 SP1 or later). After that the object becomes recycled and can no longer be restored.

In my test I first created a user named “Test User”, and then deleted the user object:

[screenshot]

This will retrieve all deleted user objects:

[screenshot]

This will restore all deleted user objects:

[screenshot]

This will restore a specific user object:

[screenshot]
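The script below is an added example, not the post's own screenshots or Microsoft's code. It reconstructs the whole sequence described above in the Active Directory module for PowerShell: raising the forest functional level, checking and enabling the optional feature, reading the deleted object lifetime, and then deleting, finding and restoring a test user. The forest name domain.local comes from the post; the OU path OU=Users,DC=domain,DC=local and the sAMAccountName testuser are assumed placeholders, and the session is assumed to run as a member of Enterprise Admins on a Windows Server 2008 R2 domain controller.

```powershell
# Added example (not from the original post). Assumed placeholders:
# forest 'domain.local', OU 'OU=Users,DC=domain,DC=local', sAMAccountName 'testuser'.
Import-Module ActiveDirectory

$forest = 'domain.local'
$testOU = 'OU=Users,DC=domain,DC=local'

# --- Prerequisite: forest functional level Windows Server 2008 R2 ---
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ((Get-ADForest -Identity $forest).ForestMode -lt $required) {
    # Fails unless every domain controller in the forest runs Windows Server 2008 R2.
    Set-ADForestMode -Identity $forest -ForestMode $required -Confirm:$false
}

# --- Check the optional feature, then enable it (irreversible) ---
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# --- How long deleted objects remain restorable ---
# msDS-DeletedObjectLifetime; when unset the tombstoneLifetime value applies.
$dsConfig = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity $dsConfig -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime

# --- Test: create, delete, find, restore ---
# Keep the returned object: its objectGUID identifies the deleted object unambiguously.
$user = New-ADUser -Name 'Test User' -SamAccountName 'testuser' -Path $testOU -PassThru
Remove-ADUser -Identity $user -Confirm:$false

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects reveals them.
# Their RDN becomes "<name>\0ADEL:<objectGUID>" under CN=Deleted Objects, and recycled
# objects (past the lifetime above) are excluded because they cannot be restored.
$deletedFilter = 'isDeleted -eq $true -and -not (isRecycled -eq $true) -and objectClass -eq "user"'
$deletedUsers = Get-ADObject -Filter $deletedFilter -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged, sAMAccountName
$deletedUsers | Select-Object Name, sAMAccountName, lastKnownParent, whenChanged

# Restore one specific object by objectGUID. Restore-ADObject requires the container in
# lastKnownParent to exist, so a deleted OU must be restored before its children.
Restore-ADObject -Identity $user.ObjectGUID

# Restore all deleted user objects, narrowed to one parent container so that unrelated
# deletions elsewhere in the forest are not revived by accident.
Get-ADObject -Filter $deletedFilter -IncludeDeletedObjects -Properties lastKnownParent |
    Where-Object { $_.lastKnownParent -eq $testOU } |
    Restore-ADObject
```

Restoring by objectGUID rather than by name matters in practice: several deleted objects can share the same display name and sAMAccountName, and a filter on name alone may revive the wrong one.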

For those of you who are more comfortable using a GUI rather than the PowerShell command line, a GUI tool for this new feature is already available. Check out Kirk Munro's PowerGUI PowerPack for Active Directory Recycle Bin.

This blog post is based on the official Microsoft documentation on TechNet, provided in the Active Directory Recycle Bin Step-by-Step Guide.

One thought on "How to use the new Active Directory Recycle Bin feature"

  1. The AD recycle bin isn't as convenient and effective as it sounds and here's a quick rundown as to why: For starters, it won't work unless all domain controllers have been upgraded to Windows Server 2008 R2, which means that getting the feature might wind up costing more than a 3rd party tool. Also, once it's turned on, it can't be turned off, creating problems in instances where compliance regulations don't permit preservation of personally identifiable info. Lastly, while deleted objects can be restored, previous modifications can't be restored. In other words, administrators trying to salvage Active Directory by reverting unwanted modifications will not be able to roll back because previous values of AD attributes were already overwritten. That being the case, I always recommend a third-party solution for roll back. Take a look at Netwrix's free AD object restore wizard or Quest's object restore. Both options work well and provide much more capabilities than the native recycle bin.