Active Directory Recycle Bin

I was at first overjoyed when I first read that Microsoft was going to incorporate an Active Directory Recycle Bin in Windows Server 2008 R2. We all know how the Windows Recycle Bin has helped us on innumerable occasions. Wow, a similar thing for Active Directory, where we can restore deleted objects with ease... In this blog we can check how far the first impression any IT admin has when hearing the term "AD Recycle Bin" is correct.

As you are already aware, earlier IT administrators could retrieve deleted AD objects using an authoritative restore, a non-authoritative restore (system state restore) or tombstone reanimation. All these restoration methods have a common drawback: by default they do not bring back all of the object's attributes. A tombstone retains only a handful of attributes (objectGUID, objectSid, distinguishedName and a few others), so reanimating it leaves group memberships, the password and most other attributes to be recovered by some other mechanism afterwards, and an authoritative restore needs a system state backup, a reboot into Directory Services Restore Mode and extra steps to repair back-links such as group membership. On top of this, all of the above processes are complex and time-consuming.
The fact that gives restoration using the AD Recycle Bin its cutting edge is that it can restore AD objects with all their attributes preserved, linked attributes such as group membership included. Let's check how Microsoft makes this possible. It is achieved by two new AD object states.

1. Deleted object state: this replaces the tombstone state. The important difference is that the object keeps all of its attributes intact, so it can be fully restored. The object stays in this state for the deleted object lifetime (the msDS-DeletedObjectLifetime attribute), which by default equals the tombstone lifetime: 180 days in forests created on Windows Server 2003 SP1 or later (60 days in older forests).
2. Recycled object state: a new object state introduced with Windows Server 2008 R2. When the deleted object lifetime expires the object moves into the recycled state and most of its attributes are stripped, much like the old tombstone. A recycled object can no longer be restored, not even by tombstone reanimation, so a restore has to happen within the deleted object lifetime.
Once the recycled object lifetime (the tombstone lifetime, again 180 days by default) expires, the garbage collection process physically removes the object from the AD database, and the space it occupied is made reusable by the next online defragmentation (the database file itself only shrinks after an offline defragmentation with ntdsutil).

Another interesting point to note is that the AD Recycle Bin is not enabled by default; it has to be enabled manually. Before that, the forest functional level must be raised to Windows Server 2008 R2, which in turn requires every domain in the forest to be at the Windows Server 2008 R2 domain functional level and therefore every domain controller to run Windows Server 2008 R2. Check this first, because the feature cannot be enabled until the whole forest qualifies.
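The following added example (not taken from the original post) shows how to read the forest's Recycle Bin state and the two lifetimes described above with the ActiveDirectory module. It assumes the RSAT ActiveDirectory module is installed and that it runs as a domain user with read access to the configuration partition; everything else is read from the directory.

```powershell
# Added example, not from the original post: inspect the forest's Recycle Bin
# state and the two lifetimes that govern the deleted and recycled states.
# Assumes the ActiveDirectory module (RSAT) and read access to the configuration
# partition; run on a domain-joined machine as a domain user.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# The optional feature object lives in the configuration partition; its
# EnabledScopes attribute stays empty until the feature has been enabled.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$enabled = ($feature.EnabledScopes.Count -gt 0)

# Both lifetimes are attributes of the Directory Service object. When
# msDS-DeletedObjectLifetime is unset, the deleted object lifetime equals
# tombstoneLifetime; when tombstoneLifetime is unset, it defaults to 60 days.
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$tombstoneLifetime = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$deletedLifetime   = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }

[pscustomobject]@{
    Forest                = $forest.Name
    ForestMode            = $forest.ForestMode
    MeetsFunctionalLevel  = ($forest.ForestMode -ge 'Windows2008R2Forest')
    RecycleBinEnabled     = $enabled
    DeletedObjectLifetime = $deletedLifetime   # days an object keeps all attributes
    RecycledLifetime      = $tombstoneLifetime # days the stripped object survives
}
```

If RecycleBinEnabled is false, nothing you delete from now on keeps its attributes, and the DeletedObjectLifetime figure tells you how long a restore window you will have once it is enabled. Lowering msDS-DeletedObjectLifetime shortens that window; it does not reduce the size of the database until the objects are garbage collected.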

Contrary to the Windows Recycle Bin, the AD Recycle Bin has no MMC snap-in in Windows Server 2008 R2, and the deleted objects are not visible in the usual AD management tools (ldp.exe can show them if you enable the "Return deleted objects" control, but that is awkward to work with). The preferred way to access them is the PowerShell cmdlets of the ActiveDirectory module.

You can enable the AD Recycle Bin feature with the following cmdlet, run as a member of Enterprise Admins on a domain controller or on a machine with the ActiveDirectory module loaded (Import-Module ActiveDirectory). Make sure that you replace <your forest root domain name> with your actual forest root domain name. Note that the -Identity value is a distinguished name, so the domain part is written as DC= components (DC=contoso,DC=com for a forest named contoso.com), while -Target takes the plain DNS name.

PS: The process of enabling the AD Recycle Bin is irreversible, and the cmdlet asks for confirmation before doing it.

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your forest root domain name>" -Scope ForestOrConfigurationSet -Target "<your forest root domain name>"

The cmdlet below lists all deleted objects together with their attributes. The filter excludes the Deleted Objects container itself, and -IncludeDeletedObjects is what makes the cmdlet return deleted objects at all; by default only members of Domain Admins have the rights to read that container.

Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *

To restore an AD object you need to know its distinguished name or its object GUID. A deleted object's distinguished name is mangled (the RDN becomes <name>\0ADEL:<guid> under CN=Deleted Objects), so the GUID from the listing above is the easier handle. Run the following cmdlet with either value as the argument:

Restore-ADObject -Identity <object GUID or distinguished name>

Restore-ADObject puts the object back under its original parent, which is recorded in the object's lastKnownParent attribute. If that parent was deleted too, restore the parent first, or use -TargetPath to restore the object into another container. Only objects still in the deleted state can be restored; recycled ones cannot.
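The enable, list and restore steps above as one worked script. This is an added example, not the original post's or Microsoft's code; it assumes the ActiveDirectory module, Enterprise Admins membership, and a hypothetical forest contoso.com with a deleted user jdoe. Replace both names; the script walks lastKnownParent upwards so that a deleted parent OU is restored before its child, and refuses recycled objects, which is the failure mode that catches most people.

```powershell
# Added example, not from the original post: enable the Recycle Bin, list what it
# holds and restore one deleted user, restoring a deleted parent OU first.
# Assumes the ActiveDirectory module, Enterprise Admins membership, and a forest
# named contoso.com with a deleted user jdoe (both hypothetical; replace them).
Import-Module ActiveDirectory

$forestName = 'contoso.com'                                          # assumed forest root
$forestDN   = (Get-ADDomain -Identity $forestName).DistinguishedName # -> DC=contoso,DC=com

# 1. Enable the feature once. It is one-way; -Confirm:$false skips the prompt.
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service," +
             "CN=Windows NT,CN=Services,CN=Configuration,$forestDN"
if ((Get-ADOptionalFeature -Identity $featureDN).EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet `
        -Target $forestName -Confirm:$false
}

# 2. List deleted objects that are still restorable (isRecycled not set).
#    Their RDN is mangled to "<name>\0ADEL:<guid>", so keep the GUID and
#    lastKnownParent; those are what the restore needs.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties objectClass, sAMAccountName, lastKnownParent, isRecycled, whenChanged |
    Where-Object { -not $_.isRecycled }
$deleted | Select-Object Name, ObjectGUID, objectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 3. Restore an object, walking lastKnownParent upwards so that a deleted
#    parent container is restored before its child (Restore-ADObject fails otherwise).
function Restore-WithParents {
    param([Parameter(Mandatory)][string]$ObjectGuid)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties isDeleted, isRecycled, lastKnownParent
    if (-not $obj.isDeleted) { return }                                   # already live, nothing to do
    if ($obj.isRecycled) { throw "$($obj.Name) is recycled and cannot be restored" }
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects `
        -Properties isDeleted -ErrorAction SilentlyContinue
    if ($parent -and $parent.isDeleted) {
        Restore-WithParents -ObjectGuid $parent.ObjectGUID.ToString()     # recurse upward first
    }
    Restore-ADObject -Identity $obj.ObjectGUID
}

$target = $deleted | Where-Object { $_.objectClass -eq 'user' -and $_.sAMAccountName -eq 'jdoe' }
if ($target) {
    Restore-WithParents -ObjectGuid $target.ObjectGUID.ToString()
    # A restored account comes back with its SID, password and group memberships,
    # so review what returned before anyone can log on with it.
    Get-ADUser -Identity 'jdoe' -Properties memberOf, whenChanged |
        Format-List Name, DistinguishedName, Enabled, memberOf, whenChanged
}
```

Two things worth keeping in mind when you run this in anger: the restore brings the account back exactly as it was, privileged group memberships included, so the rights to read and restore from the Deleted Objects container are themselves sensitive and should stay with a small set of administrators; and because the deleted state is only a window, not permanent storage, the Recycle Bin complements rather than replaces system state backups.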
If you find these PowerShell commands hard to tame, there are a couple of third-party tools available: Overallsolutions' ADrecyclebin and PowerGUI's AD Recycle Bin. (I haven't had a chance to test either of them!)

I hope this will help you to perform a restore using the AD Recycle Bin feature in case it is needed.


Blog by Harivishnu

