Active Directory Recycle Bin

Accidental deletion of Active Directory objects is common for users of AD DS and Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 R2 provides a new feature for restoring deleted objects, called Active Directory Recycle Bin. Specific to Windows Server 2008 R2, it enables administrators to restore deleted objects with full functionality, through the tombstone, within the 180-day lifetime period, and without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. That was interesting for me, just like raising corpses from graves, but this is an Active Directory object that has been deleted, not a zombie 😀

1. Enable the Active Directory Recycle Bin feature (it is disabled by default).

– Raise the domain and forest functional levels to Windows Server 2008 R2. Open Active Directory Domains and Trusts with administrator credentials.

– Click Raise Domain Functional Level and choose Windows Server 2008 R2.
– Do the same for the forest: click Raise Forest Functional Level and choose Windows Server 2008 R2.

– Verify that the change has already replicated to your other domain controller, if you have one.

– Open the Active Directory Module for Windows PowerShell with administrator credentials.

Type the following command, and type ‘Y’ to confirm (the -Target value is the forest root domain, contoso.com in this example):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Once you enable Active Directory Recycle Bin in your environment, you cannot disable it.

2. For testing purposes, delete two user objects from an OU in your Active Directory. Right-click the user in the OU and delete it; for example, I have deleted the users Allan Guinot and Allice Ciccu from an OU.

Verify that the objects have been deleted on the other domain controllers.

3. Restore the deleted objects with Active Directory Recycle Bin. To perform the restoration you can use two options: the ldp.exe utility, or Windows PowerShell.

3a. Object restoration with the ldp.exe utility:

– Start the ldp.exe utility with administrative credentials: right-click and choose Run as administrator, or press Ctrl+Shift+Enter from the Start menu.

– Click Options, and then click Controls. Enable the Return deleted objects option.

– Connect and bind to your domain controller, then enable the tree view for DC=yourdomain,DC=com.

– Verify that the Deleted Objects container has appeared.

– Locate the deleted user in the Deleted Objects container and modify its attributes as follows:

–> Fill in the entry attribute isDeleted, choose the Remove operation with no value, and then click Enter.

–> Fill in the entry attribute distinguishedName with the value CN=Allice Ciccu,OU=Employees,OU=User Accounts,DC=contoso,DC=com (the user's location in the OU), choose the Replace operation, and check Extended.

– Click Run.

3b. Object restoration with the Active Directory Module for Windows PowerShell

– Open the Active Directory Module for Windows PowerShell from Administrative Tools with administrative credentials. Type the following command:

Get-ADObject -Filter {displayName -eq "Guinot, Allan"} -IncludeDeletedObjects | Restore-ADObject

4. Verify the object restoration: open the Active Directory Users and Computers console. Ensure that the objects are present and verify that all attributes are retained.
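The PowerShell route above restores one object by display name. As an added example (not from the original post), the script below first checks that the Recycle Bin feature is actually enabled, lists what is sitting in the Deleted Objects container, and restores a user while handling the case the one-liner does not: when the user's OU was deleted along with it, Restore-ADObject fails until the parent is restored first. It assumes the contoso.com forest and the user names used in this post; the function names are mine.

```powershell
# Added example, not part of the original post. Assumes the contoso.com forest.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until the feature has been enabled forest-wide
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    return ($feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedUserObjects {
    # Deleted users keep their attributes only if the Recycle Bin was enabled
    # before the deletion; lastKnownParent records where each object lived.
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -IncludeDeletedObjects -Properties displayName, lastKnownParent, whenChanged
}

function Restore-ADObjectWithParents {
    # Restores the object identified by GUID; if its last known parent is itself
    # in the Deleted Objects container, the parent is restored first (recursively).
    param([Parameter(Mandatory)][string]$ObjectGuid)

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj.Deleted) { return $obj }   # already live, nothing to do

    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects `
        -Properties lastKnownParent -ErrorAction SilentlyContinue
    if ($parent -and $parent.Deleted) {
        Restore-ADObjectWithParents -ObjectGuid $parent.ObjectGUID.ToString() | Out-Null
    }
    Restore-ADObject -Identity $obj.ObjectGUID -PassThru
}

# --- usage ---
if (-not (Test-ADRecycleBinEnabled)) {
    throw 'Active Directory Recycle Bin is not enabled in this forest.'
}

# Review what is recoverable before touching anything
Get-ADDeletedUserObjects |
    Select-Object Name, displayName, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore the test user from this post, parent OU included if needed
$victim = Get-ADObject -Filter 'displayName -eq "Guinot, Allan"' -IncludeDeletedObjects
if ($victim) { Restore-ADObjectWithParents -ObjectGuid $victim.ObjectGUID.ToString() }
```

Objects deleted before the feature was enabled show up in the listing without their attributes and cannot be restored this way, so the listing doubles as a check of what the Recycle Bin can actually bring back.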

2 thoughts on “Active Directory Recycle Bin”

  1. Jerry November 28, 2012 at 3:41 AM Reply

    You left out one tiny step. Just before clicking “run,” **ENTER** must be clicked. Otherwise, a most excellent and helpful webpage!!

    • gembuls December 23, 2012 at 1:25 PM Reply

      hehe…thanks jerry.

