This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Active Directory Recycle Bin

Petr Bouška - Samuraj

New at the Windows Server 2008 R2 forest functional level is the Active Directory Recycle Bin. I think it's a useful feature, although I've only used it once in the year it's been enabled. It certainly doesn't hurt anything, and it does exactly what you would expect: a deleted object in Active Directory Domain Services (AD DS) is moved to the Recycle Bin and can be restored to its original state, including all of its attributes.

Without the Recycle Bin function, a deleted object is not removed completely; it becomes a tombstone, and for the tombstone lifetime (default 180 days since Windows Server 2003 SP1) it can be restored using tombstone reanimation. The problem is that some attributes, such as group memberships, are lost in the process.

The Active Directory Recycle Bin function is disabled by default. If we enable it, a deleted object is moved to the Deleted Objects container, and from there it can be restored to the same state it had before deletion for the deleted object lifetime (default 180 days). After this time expires, the deleted object becomes a recycled object (equivalent to a tombstone), and for a further period (also 180 days by default) it can be restored only without some attributes. After that it is finally physically deleted.

Enabling the AD Recycle Bin

The prerequisite is a forest functional level of Windows Server 2008 R2. Once this feature is enabled, it cannot be disabled. Enabling must be done under an account with Enterprise Admins rights. The easiest way to enable the feature is with a cmdlet from the PowerShell ActiveDirectory module. First the command syntax, then an example of use for the company.local domain.

Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=company,DC=local" -Scope ForestOrConfigurationSet -Target "company.local"

Setting the Time Period for Object Restoration

If we want to change the default value of msDS-deletedObjectLifetime, we can again use PowerShell (in the example, the company.local domain and a period of 60 days).

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=company,DC=local" -Partition "CN=Configuration,DC=company,DC=local" -Replace:@{"msDS-DeletedObjectLifetime" = 60}
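Before enabling the feature or changing the lifetime, it is worth checking the current state of the forest. The following script is an added example (not from the original article) that reports the forest functional level, whether the Recycle Bin is already enabled, and the current lifetime values; it assumes the ActiveDirectory module is available and reads the Configuration naming context from the root DSE instead of hard-coding company.local.

```powershell
# Added example: report AD Recycle Bin prerequisites and current lifetimes.
# Read-only; no changes are made. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext   # e.g. CN=Configuration,DC=company,DC=local

# ADForestMode enum: Windows2008R2Forest = 4, so anything >= 4 meets the prerequisite.
$levelOk = [int]$forest.ForestMode -ge 4

# The optional feature object lives in the Configuration partition;
# EnabledScopes stays empty until Enable-ADOptionalFeature has been run.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

# Both lifetimes are attributes of the Directory Service object (same DN as in Set-ADObject above).
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Partition $configNC -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

# Unset msDS-DeletedObjectLifetime means the value of tombstoneLifetime applies
# (180 days on forests created with Windows Server 2003 SP1 or later).
$tombstone = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 180 }
$deleted   = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstone }

[pscustomobject]@{
    Forest                   = $forest.Name
    ForestMode               = $forest.ForestMode
    ForestLevelSufficient    = $levelOk
    RecycleBinEnabled        = $enabled
    DeletedObjectLifetimeDays = $deleted
    TombstoneLifetimeDays    = $tombstone
}
```

If RecycleBinEnabled is False and ForestLevelSufficient is True, the Enable-ADOptionalFeature command above can be run; remember it is a one-way change.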

Restoring a Deleted Object

Restoring a deleted object is not entirely simple, but it's certainly not difficult, and we have several options. We can use the ldp.exe tool or we can use a cmdlet from PowerShell (ActiveDirectory module), or we can use a simple graphical application ADRecycleBin from Overall Solutions, which is provided for free.

Restoring Using PowerShell

The operations must be performed under an account with Domain Admins rights. First, we need to find the deleted object, which we can do using the Get-ADObject command. For example, to display a list of all deleted users:

Get-ADObject -Filter {(deleted -eq $true) -and (ObjectClass -eq "user")} -Properties sAMAccountName -IncludeDeletedObjects | FT Name, sAMAccountName, Deleted -AutoSize

We can select a specific user, for example, by user name:

Get-ADObject -Filter {sAMAccountName -eq "novak"} -IncludeDeletedObjects

And for restoration, we use the Restore-ADObject cmdlet:

Get-ADObject -Filter {sAMAccountName -eq "novak"} -IncludeDeletedObjects | Restore-ADObject

Similarly, we can restore a computer account:

Get-ADObject -Filter {sAMAccountName -eq "pcname$"} -IncludeDeletedObjects | Restore-ADObject
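The one-liners above work when the object's original OU still exists. Restore-ADObject fails when the parent container was deleted as well, so a practical restore first brings back any deleted ancestors via the lastKnownParent attribute. The script below is an added example (not from the original article) that does this for a user or computer account identified by sAMAccountName, refuses objects that have already been recycled, and verifies the result; the names novak and pcname$ are the article's sample values.

```powershell
# Added example: restore a deleted AD object by sAMAccountName, restoring any
# deleted parent OU(s) first. Run under a Domain Admins account, as the article notes.
Import-Module ActiveDirectory

function Restore-DeletedAncestors {
    # Walk lastKnownParent upward and restore deleted containers top-down;
    # the object's own restore would fail if its parent does not exist yet.
    param([Parameter(Mandatory)][string]$ParentDn)
    $parent = Get-ADObject -Identity $ParentDn -IncludeDeletedObjects -Properties lastKnownParent
    if ($parent.Deleted) {
        Restore-DeletedAncestors -ParentDn $parent.lastKnownParent
        Write-Verbose "Restoring parent container $($parent.Name)"
        Restore-ADObject -Identity $parent.ObjectGUID
    }
}

function Restore-DeletedBySamAccountName {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Same lookup as in the article, restricted to objects still in Deleted Objects.
    $candidates = @(Get-ADObject -Filter {sAMAccountName -eq $SamAccountName -and Deleted -eq $true} `
        -IncludeDeletedObjects -Properties lastKnownParent, isRecycled, whenChanged)

    if ($candidates.Count -eq 0) { throw "No deleted object named '$SamAccountName' found." }
    # The same name may have been deleted more than once; take the most recent deletion.
    $obj = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1

    if ($obj.isRecycled) {
        throw "$($obj.DistinguishedName) is already recycled; a full restore is no longer possible."
    }

    Restore-DeletedAncestors -ParentDn $obj.lastKnownParent
    Restore-ADObject -Identity $obj.ObjectGUID

    # Verify: the object must be live again and sit under its last known parent.
    $restored = Get-ADObject -Identity $obj.ObjectGUID -Properties memberOf
    if ($restored.Deleted -or $restored.DistinguishedName -notlike "*,$($obj.lastKnownParent)") {
        throw "Restore of '$SamAccountName' did not complete as expected."
    }
    $restored
}

# Usage with the article's sample names (a user and a computer account).
Restore-DeletedBySamAccountName -SamAccountName 'novak' -Verbose
Restore-DeletedBySamAccountName -SamAccountName 'pcname$' -Verbose
```

The returned object includes memberOf, which is a quick way to confirm that group memberships survived the restore, the very thing tombstone reanimation loses.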

Restoring Using ADRecycleBin

The application can be downloaded from ADRecycleBin, where its description is also available. It is simple to use and works well. We must run it under a domain admin account. We select which objects we want to display and click Load Deleted Objects, which shows a list of deleted objects. We check the ones we want to restore and click Restore Checked Objects. The objects then reappear in AD.

Finally, just a link to a detailed description from MS in the article Active Directory Recycle Bin Step-by-Step Guide.

Comments
  1. [1] OP

    Thanks for the useful info.

    Wednesday, 01.02.2012 14:37