Posted on March 5, 2014 · Posted in Active Directory

Active Directory Recycle Bin in Windows Server 2012

Before Windows Server 2008 R2 release there were only ways to recover the object which had been accidentally deleted from Active Directory. It was possible to perform authoritative restore with a help of  Ntdsutil utility or to use  LDP.exe for recovery of individual deleted objects in Active Directory. Both these methods have significant disadvantages.

Active Directory Recycle Bin Enabling

Active Directory Recycle Bin can be used only for the recovery of those objects which were deleted after enabling of the recycle bin. The object deleted before this moment can be recovered only via authoritative restore or LDP. For recycle bin enabling in PowerShell first  ensure that all domain controllers in domain are under Windows Server 2008 R2 or Windows Server 2012 control. Besides, forest functional level should be Windows Server 2008 R2 or more. Get-ADForest can be used for forest functional level check.

Get-ADForest | fl ForestMode

In case when higher forest level is needed Set-ADForestMode can be used.

Set-ADForestMode -Identity ForestName -ForestMode Windows2008R2Forest

As soon as you will have the appropriate environment, you can enable the recycle bin. The bin enabling is irreversible.

Enable-ADOptionalFeature ‘Recycle Bin Feature’ -scope ForestOrConfigurationSet -target woshub.local

Open Active Directory Administrative Center for recycle bin enabling via GUI in Windows Server 2012. adac enable active directory recycle bin

Recovery of deleted objects from Active Directory Administrative Center

After the bin enabling the new Deleted Objects container will appear. Deleted objects will appear in this container. deleted objects: new ou in active directory

To restore the object in its parent container use (Restore), in any other container use (Restore To) restore deleted object in active directory. Active Directory Recycle Bin

Recover deleted AD objects via PowerShell

An example of remote user woshub_admin recovery via PowerShell.

Get-ADObject -Filter {DisplayName -eq "woshub_admin"} -IncludeDeletedObjects | Restore-ADObject

Deleted Object Lifetime

By default you have 180 days for any object recovery after its deletion. To change the attribute value use Set-ADObject. To set the deleted objects lifetime for 300 days period for example perform the following command:

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=woshub,DC=local" –Partition "CN=Configuration,DC=woshub,DC=local" –Replace:@{"msDS-DeletedObjectLifetime" = 300}

Related Articles