How to Save your Bacon with the Active Directory Recycle Bin

choubertsprojects


The Active Directory Recycle Bin lets you recover Active Directory objects (users, computers, groups, OUs) that were deleted by mistake, without restoring a domain controller from backup. It is not the Windows file Recycle Bin: it holds directory objects, not files, and a deleted object stays restorable only until its deleted object lifetime (180 days by default) expires. The feature exists on forests at the Windows Server 2008 R2 functional level or higher; the ADAC steps shown here require Windows Server 2012 or later. This article shows how to enable the feature and how to use it.


Did you know that you can recover an Active Directory user, computer, or OU that you deleted by mistake? If the Active Directory Recycle Bin is enabled, it can bring that AD object back.


In this article, you’ll learn how to enable the Active Directory Recycle Bin and how to use it to restore objects quickly.


How Does Active Directory’s Recycle Bin Work?

When you enable the Recycle Bin, AD stops stripping a deleted object’s attributes at the moment of deletion. Instead, a deleted object passes through two stages before it is physically removed from the database.

Logically deleted objects

When you delete an AD object, it is first only “logically” deleted: nothing is removed from the Active Directory database. The object is hidden from normal queries and moved to the CN=Deleted Objects container, its isDeleted attribute is set to TRUE, and its attributes, including linked attributes such as group membership, are kept so that it can be restored intact.

The msDS-deletedObjectLifetime attribute determines how long a logically deleted object remains restorable. If the attribute is not set, it defaults to the tombstone lifetime, which is 180 days by default.

Recycled objects

Once the deleted object lifetime set by msDS-deletedObjectLifetime has passed, the object becomes a recycled object, the Recycle Bin’s equivalent of a tombstone: most of its attributes are stripped, its isRecycled attribute is set to TRUE, and isDeleted remains TRUE. A recycled object can no longer be restored with the Recycle Bin.

The recycled object is kept for the tombstone lifetime, 180 days by default, so that the deletion can still replicate to every domain controller.

When the tombstone lifetime expires as well, garbage collection physically removes the object from the database.
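How long you have left to restore each deleted object follows directly from the attributes above. The following PowerShell is an added example, not code from the original article: it reads the two lifetimes from the Directory Service configuration object and lists every logically deleted object with the date by which it must be restored. It assumes the ActiveDirectory module on a domain-joined machine, and it approximates the deletion time from whenChanged, which AD updates when an object is deleted.

```powershell
# Added example, not from the original article. Reads the Recycle Bin lifetimes
# and computes the restore deadline of every logically deleted object.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsParams = @{
    Identity   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    Partition  = $configNC
    Properties = 'tombstoneLifetime', 'msDS-deletedObjectLifetime'
}
$dsObject = Get-ADObject @dsParams

# Either attribute may be unset. An unset tombstoneLifetime means 60 days
# (the original Windows 2000/2003 default); an unset msDS-deletedObjectLifetime
# inherits the tombstone lifetime.
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$deletedDays   = if ($dsObject.'msDS-deletedObjectLifetime') { [int]$dsObject.'msDS-deletedObjectLifetime' } else { $tombstoneDays }

"Tombstone lifetime:      $tombstoneDays days"
"Deleted object lifetime: $deletedDays days (restore window)"

# Restorable objects are deleted but not yet recycled. The Name clause excludes
# the Deleted Objects container itself, which also carries isDeleted = TRUE.
$searchParams = @{
    Filter                = 'isDeleted -eq $true -and isRecycled -ne $true -and Name -like "*DEL:*"'
    IncludeDeletedObjects = $true
    Properties            = 'whenChanged', 'lastKnownParent', 'objectClass'
}

Get-ADObject @searchParams | ForEach-Object {
    # whenChanged is updated at deletion time, so it approximates when the
    # object was deleted. The deleted RDN is "<name>\0ADEL:<guid>"; splitting
    # on the embedded line feed recovers the original name.
    $deletedAt = $_.whenChanged
    $restoreBy = $deletedAt.AddDays($deletedDays)
    [pscustomobject]@{
        Name            = ($_.Name -split "`n")[0]
        ObjectClass     = $_.objectClass
        LastKnownParent = $_.lastKnownParent
        DeletedAt       = $deletedAt
        RestoreBy       = $restoreBy
        DaysLeft        = [int]($restoreBy - (Get-Date)).TotalDays
    }
} | Sort-Object RestoreBy | Format-Table -AutoSize
```

Objects with a negative DaysLeft are already past their restore window and will show up as recycled on the next garbage-collection pass; the filter’s isRecycled clause drops them once that flag is set.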

Using ADAC to enable the Recycle Bin

The AD Recycle Bin is disabled by default. You must enable it before you need it; it cannot recover objects that were deleted before it was turned on. Note also that enabling the Recycle Bin is a one-way change: once it is on, it cannot be disabled.

To enable the Recycle Bin, follow these steps:

  1. On a domain-joined workstation or a domain controller, open the Active Directory Administrative Center (ADAC).
  2. On the left-hand side, click the domain, and on the right-hand side, find the Tasks menu.
  3. Choose the Enable Recycle Bin option, as shown below.

Screenshot: The Active Directory Recycle Bin is enabled.

ADAC then asks you to confirm before enabling the Recycle Bin.

Screenshot: The Recycle Bin requires confirmation.

The change can take some time to replicate, depending on the size of your domain.

Screenshot: Confirmation that the process of enabling the Recycle Bin has started.

Following a refresh, the Enable Recycle Bin option should now be grayed out.

Screenshot: Check that the Recycle Bin has been turned on.

Using PowerShell to enable the Active Directory Recycle Bin

If you need to automate enabling the Recycle Bin, use PowerShell and the Enable-ADOptionalFeature cmdlet.

The snippet below enables the Recycle Bin from PowerShell. It enables the feature at the forest level (-Scope ForestOrConfigurationSet) for the ad.lc-test.local forest.

    $Params = @{
        "Identity" = 'Recycle Bin Feature'
        "Scope"    = 'ForestOrConfigurationSet'
        "Target"   = 'ad.lc-test.local'
    }
    Enable-ADOptionalFeature @Params
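Because enabling the feature is irreversible and fails on a forest below the required functional level, an automated version should check both before calling the cmdlet. The script below is an added example, not code from the original article; it uses the article’s ad.lc-test.local forest name and assumes the ActiveDirectory module on a domain-joined machine with rights to modify the forest.

```powershell
# Added example, not from the original article. Enables the Recycle Bin only
# after checking the forest functional level, and does nothing if the feature
# is already on. Forest name 'ad.lc-test.local' is the one used in the article.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'ad.lc-test.local'
$dnm    = $forest.DomainNamingMaster   # forest-wide optional features are enabled on this FSMO role holder

# The Recycle Bin needs the Windows Server 2008 R2 forest functional level or
# higher. ADForestMode is an enum whose integer values rise with the level.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
}

# EnabledScopes lists the partitions the feature is enabled in; empty means off.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled in $($forest.Name); nothing to do."
    return
}

# Enabling is irreversible: the Recycle Bin cannot be turned off again.
$params = @{
    Identity = 'Recycle Bin Feature'
    Scope    = 'ForestOrConfigurationSet'
    Target   = $forest.Name
    Server   = $dnm
    Confirm  = $false
}
Enable-ADOptionalFeature @params

"Recycle Bin enabled in $($forest.Name). The change replicates to every domain controller in the forest."
```

Running the script twice is safe: the second run stops at the EnabledScopes check instead of re-issuing the enable operation.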

Using the Active Directory Recycle Bin to Recover Objects (ADAC)

Once the Recycle Bin is enabled, you can start using it. Let’s begin with ADAC.

Once you have deleted an object, and before its deleted object lifetime expires:

  1. In ADAC, go to the Deleted Objects container. All deleted Active Directory objects are stored in this container.

Screenshot: The Deleted Objects container is shown.

2. Next, find the object you want to restore. We’re looking for the TestUser2 object in this example. The right-hand Tasks menu offers four choices:

  • Restore – Returns the object to its original organizational unit (OU) or container.
  • Restore To… – Restores the object to a different OU instead of its original location.
  • Locate Parent – Takes you to the OU or container the object was deleted from.
  • Properties – Shows the object’s attributes, such as Modified, Created, Object Class, Canonical Name and Update Sequence Number (USN).

Screenshot: TestUser2 in the Deleted Objects container.

In this example we’ll return the object to its original location, the Users container.

3. Click Restore. The object is restored to the Users container, as seen below.

Screenshot: TestUser2 restored to the Users container.

Using the Active Directory Recycle Bin to Recover Objects (PowerShell)

As useful as the GUI is, doing the same thing in PowerShell is often simpler and, more importantly, scriptable. To restore an AD object with PowerShell:

  1. Open PowerShell on a domain-joined PC or a domain controller and look for the deleted object. Make sure the ActiveDirectory module is installed and imported.

Related: How to Install the Active Directory Module

2. Use the Get-ADObject cmdlet to find the objects you want to restore.

Related: Get-ADObject: Using PowerShell to Report on Active Directory

You can locate the object in a number of different ways, but always use the -IncludeDeletedObjects parameter. Without it, Get-ADObject does not return objects in the Deleted Objects container.

Running Get-ADObject with a broad filter such as -Filter * returns far more than you want. Narrow the filter so that only objects in the Recycle Bin are returned.

Related: Learning PowerShell Filters for Active Directory and LDAP

Build a filter that matches objects whose isDeleted attribute is TRUE and whose Name contains the text DEL: (a deleted object’s name is its original name followed by a line feed, “DEL:” and its GUID). The Name clause also excludes the Deleted Objects container itself, which carries isDeleted = TRUE but is not a deleted object. Only deleted objects should be returned by this filter.

    Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects

Screenshot: Using PowerShell to look for deleted objects.

Once Get-ADObject has found the objects, you can pipe them to the Restore-ADObject cmdlet.

    Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects | Restore-ADObject

After the restore has (hopefully) completed, check that the object is back. Run the same Get-ADObject command again and make sure the object is no longer returned. If it is not, you’re good to go.

You can also run Get-ADUser or Get-ADComputer to confirm that the object shows up again where you expect it.

    Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects
    Get-ADUser -Identity 'TestUser5'

Screenshot: Confirming that TestUser5 has been restored.
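Piping every deleted object to Restore-ADObject, as above, works for a single user. The harder case is a deleted OU that took its contents with it: Restore-ADObject refuses to restore a child whose parent is still in the Deleted Objects container, so the OU has to come back first, then its former children, and so on down the tree. The script below is an added example, not code from the original article. It assumes the ActiveDirectory module, that the OU’s own original parent still exists, and uses the placeholder OU name Contractors for illustration.

```powershell
# Added example, not from the original article. Restores a deleted OU and
# everything that was inside it, parent first. The OU name 'Contractors' is a
# placeholder for illustration. Assumes the ActiveDirectory module and that the
# OU's original parent still exists.
Import-Module ActiveDirectory

function Get-DeletedChildren {
    # Deleted, not yet recycled objects whose lastKnownParent is $ParentDn.
    # lastKnownParent holds the DN of the container the object was deleted from.
    param([Parameter(Mandatory)][string]$ParentDn)

    # The AD filter resolves plain variables such as $ParentDn from the caller's scope.
    Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true -and lastKnownParent -eq $ParentDn' `
        -IncludeDeletedObjects -Properties lastKnownParent, objectClass
}

function Restore-DeletedTree {
    # Restores $Object, then recursively every object that used to live under it.
    # Restore-ADObject fails on a child whose parent is still deleted, which is
    # why the parent goes first. A restored object gets its original DN back,
    # which is exactly what its children carry in lastKnownParent.
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$Object)

    $restored = Restore-ADObject -Identity $Object.ObjectGUID -PassThru
    "Restored $($restored.ObjectClass): $($restored.DistinguishedName)"

    foreach ($child in Get-DeletedChildren -ParentDn $restored.DistinguishedName) {
        Restore-DeletedTree -Object $child
    }
}

# Find the deleted OU by its original name. The deleted RDN is "<name>\0ADEL:<guid>",
# so compare the part before the embedded line feed rather than the whole Name.
$ouName = 'Contractors'
$candidates = @(
    Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true -and objectClass -eq "organizationalUnit"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Where-Object { ($_.Name -split "`n")[0] -eq $ouName }
)

switch ($candidates.Count) {
    0 { throw "No restorable deleted OU named '$ouName' was found." }
    1 { Restore-DeletedTree -Object $candidates[0] }
    default {
        $candidates | Select-Object ObjectGUID, lastKnownParent, whenChanged | Format-Table -AutoSize
        throw "Several deleted OUs named '$ouName' exist; pick one and restore it by ObjectGUID."
    }
}
```

If the OU was deleted more than once under the same name, the script lists the candidates with their deletion times instead of guessing; restore the right one by passing its ObjectGUID to Restore-DeletedTree.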

Emptying the Recycle Bin in Active Directory

You can use PowerShell to permanently remove every object in the Recycle Bin. As before, locate all deleted objects and pipe them to the Remove-ADObject cmdlet, as shown below. Removing a deleted object turns it into a recycled object, which can no longer be restored.

The Confirm parameter is set to false in the example below, so every object is removed without prompting. Run the command with -WhatIf first to see what it would touch.

    Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*DEL:*"' -IncludeDeletedObjects | Remove-ADObject -IncludeDeletedObjects -Confirm:$false

Changing the Tombstone Lifetime

The tombstone lifetime is 180 days by default, but you may want to change it. Again, you can do this with PowerShell. Keep in mind that shortening the tombstone lifetime below the age of your oldest usable backup, or of a domain controller’s last successful replication, can lead to lingering objects; lengthening it is the safer direction.

  1. Use the snippet below to read the current lifetime and check whether it already has the value you want. The value is stored in the tombstoneLifetime attribute of the Directory Service object in the configuration partition. If the attribute is empty, AD uses a default of 60 days.

    $ADNamingContext = (Get-ADRootDSE).configurationNamingContext
    $Params = @{
        "Identity"   = "CN=Directory Service,CN=Windows NT,CN=Services,$ADNamingContext"
        "Partition"  = $ADNamingContext
        "Properties" = '*'
    }
    Get-ADObject @Params | Select-Object -Property tombstoneLifetime


Next, change the tombstone lifetime. Let’s say you want to raise it to a year, 365 days. You can do so with the Set-ADObject cmdlet and the parameters shown below; the new value goes in the Replace hashtable.

    $ADNamingContext = (Get-ADRootDSE).configurationNamingContext
    $Params = @{
        "Identity"  = "CN=Directory Service,CN=Windows NT,CN=Services,$ADNamingContext"
        "Partition" = $ADNamingContext
        "Replace"   = @{ tombstoneLifetime = 365 }   # value in days
    }
    Set-ADObject @Params

The change takes effect as soon as it replicates to each domain controller; no services need to be restarted. Note that this changes the tombstone lifetime only. The restore window is governed by msDS-deletedObjectLifetime, which inherits the tombstone lifetime only while it is unset.
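Since the restore window and the garbage-collection deadline are two separate attributes, a practitioner usually sets both at once and reads them back. The script below is an added example, not code from the original article; it uses the article’s 365-day value, assumes the ActiveDirectory module on a domain-joined machine, and adds a guard that refuses to shorten the tombstone lifetime.

```powershell
# Added example, not from the original article. Sets the tombstone lifetime and
# the deleted object lifetime together and reads them back. The 365-day value
# is the one used in the article; the guard against shortening is an added check.
Import-Module ActiveDirectory

$newDays  = 365
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$props    = 'tombstoneLifetime', 'msDS-deletedObjectLifetime'

$current = Get-ADObject -Identity $dsDn -Partition $configNC -Properties $props
# An unset tombstoneLifetime is treated by AD as 60 days.
$currentTombstone = if ($current.tombstoneLifetime) { [int]$current.tombstoneLifetime } else { 60 }

# Shortening the tombstone lifetime below the age of the oldest backup or of a
# DC's last successful replication invites lingering objects, so refuse it here.
if ($newDays -lt $currentTombstone) {
    throw "Refusing to lower tombstoneLifetime from $currentTombstone to $newDays days."
}

# tombstoneLifetime governs when recycled objects are garbage-collected;
# msDS-deletedObjectLifetime governs how long Restore-ADObject still works.
# If msDS-deletedObjectLifetime was ever set explicitly, raising
# tombstoneLifetime alone leaves the restore window unchanged, so set both.
$params = @{
    Identity  = $dsDn
    Partition = $configNC
    Replace   = @{
        tombstoneLifetime            = $newDays
        'msDS-deletedObjectLifetime' = $newDays
    }
}
Set-ADObject @params

# Confirm the write. Other domain controllers pick the values up through replication.
Get-ADObject -Identity $dsDn -Partition $configNC -Properties $props | Select-Object -Property $props
```

Longer lifetimes mean deleted objects stay in the database longer, so the NTDS database grows accordingly in environments with heavy churn; size the change with that in mind.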

Requirements: the Active Directory Recycle Bin needs a forest functional level of Windows Server 2008 R2 or higher, which means every domain controller in the forest must run Windows Server 2008 R2 or later. Enabling it from the ADAC GUI, as shown above, requires Windows Server 2012 or later; on Windows Server 2008 R2 use the PowerShell method. Once enabled, the Recycle Bin cannot be disabled.
