Enable Active Directory Recycle Bin

How to Enable Active Directory Recycle Bin?


The Active Directory Recycle Bin allows a domain administrator to recover any deleted Active Directory object (user, computer, AD security group, etc.). The Active Directory Recycle Bin was first introduced in Windows Server 2008 R2. In that version, you could only manage the Recycle Bin and restore AD objects from the PowerShell command line. Windows Server 2012 added the ability to manage the AD Recycle Bin and restore objects from the Active Directory Administrative Center GUI. In this article, we will show you how to enable the AD Recycle Bin on Windows Server 2016 and restore a deleted user object.

The AD Recycle Bin is disabled by default in all versions of Windows Server. You can check its status with a cmdlet from the Active Directory module for Windows PowerShell:

Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScopes

In our case, the EnabledScopes value is empty, which means that the AD Recycle Bin is not enabled.


To enable the AD Recycle Bin, all domain controllers must be running Windows Server 2008 R2 (or newer), and the forest functional level must be set to Windows Server 2008 R2 or higher.

You can check the functional level of the AD forest using the command:

Get-ADForest | Select-Object ForestMode | Format-List


If the ForestMode level is lower than Windows2008R2Forest, you need to upgrade the forest functional level.

You can enable Active Directory Recycle Bin in Windows Server 2016 using the PowerShell command:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target theitbros.com

Note. Enabling the AD Recycle Bin is irreversible! You cannot disable it after turning it on.
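The three steps above (check the feature status, check the forest functional level, enable the feature) can be combined into a single script that refuses to run on a forest that is below the required level and skips the irreversible step if the Recycle Bin is already on. This is an added example, not code from the original article; it assumes the ActiveDirectory module is installed and that you are running it as a member of Enterprise Admins.

```powershell
# Added example (not from the original article): check prerequisites and
# enable the AD Recycle Bin only if it is not already enabled.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# ForestMode is the ADForestMode enum; newer levels have larger numeric values,
# so an integer comparison against Windows2008R2Forest is a safe minimum check.
$minimumMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimumMode) {
    throw "Forest functional level is $($forest.ForestMode); raise it to at least $minimumMode before enabling the Recycle Bin."
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled in: $($feature.EnabledScopes -join ', ')"
}
else {
    # Irreversible: once enabled, the feature cannot be disabled, so keep the confirmation prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$true

    # Re-read the status so the script shows the change took effect on this DC.
    Get-ADOptionalFeature -Identity 'Recycle Bin Feature' | Select-Object Name, EnabledScopes
}
```

The forest-level check is done numerically because the enum names are not sortable alphabetically (Windows2012R2Forest sorts before Windows2016Forest only by accident of naming).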

You can also enable the AD Recycle Bin from the Active Directory Administrative Center snap-in.

Launch ADAC, right-click on the domain name and select the “Enable Recycle Bin” option.


Confirm enabling the AD Recycle Bin in the alert window: "Enable Recycle Bin Confirmation. Are you sure you want to perform this action? Once Recycle Bin has enabled, it cannot be disabled."


After you enable the Active Directory Recycle Bin in the Active Directory Administrative Center, a new Deleted Objects container will appear. All deleted Active Directory objects will be automatically placed in this container.


In this container, you will find all deleted AD objects; you can view their properties and restore them to their original OU destination or any other place.

Let’s delete the test user account and try to restore it.


Important! Both link-valued and non-link-valued attributes of the AD object are preserved in the AD Recycle Bin. This means that you can restore an object along with all of its attributes (including group memberships).

An AD object marked as logically deleted is kept for the deleted object lifetime. This value is defined by the msDS-DeletedObjectLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=theitbros and is not set by default. In that case the object is retained for the period specified in the tombstoneLifetime attribute (180 days by default).
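Because the recovery window depends on two attributes, one of which is usually absent, it is worth reading both from the configuration partition rather than assuming 180 days. The following script is an added example, not part of the original article; it assumes the ActiveDirectory module and read access to the configuration naming context (any domain user has that by default).

```powershell
# Added example (not from the original article): report the effective
# Recycle Bin recovery window for this forest. Both values are in days.
Import-Module ActiveDirectory

# The Directory Service object lives under the configuration partition,
# whose DN we take from the RootDSE instead of hard-coding the forest name.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

$tombstone = $dsSettings.tombstoneLifetime
if (-not $tombstone) {
    # If tombstoneLifetime is absent the directory uses a built-in 60-day value;
    # forests created on Windows Server 2003 SP1 or later set it to 180.
    $tombstone = 60
}

# msDS-DeletedObjectLifetime is normally unset, in which case the
# tombstone lifetime governs how long a deleted object stays recoverable.
$deletedLifetime = $dsSettings.'msDS-DeletedObjectLifetime'
if (-not $deletedLifetime) { $deletedLifetime = $tombstone }

[pscustomobject]@{
    TombstoneLifetimeDays     = $tombstone
    DeletedObjectLifetimeDays = $deletedLifetime
    DeletedObjectLifetimeSet  = [bool]$dsSettings.'msDS-DeletedObjectLifetime'
}
```

If you need a longer recovery window than the tombstone lifetime gives you, set msDS-DeletedObjectLifetime explicitly on that object with Set-ADObject rather than raising tombstoneLifetime, which also affects how long tombstones of never-recycled objects are kept.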

To restore this AD user object, click on it and select Restore or Restore To. From here you can also view the deleted user's properties.


You can also find the deleted user and restore it from the AD Recycle Bin using PowerShell:

Get-ADObject -Filter {displayName -eq "testuser1" -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject
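The one-liner above restores whatever matches the display name, which is fine in a lab but risky in a large directory where several deleted objects may share a name, or where the original OU has itself been deleted. The script below, an added example rather than code from the original article, narrows the search to user objects by sAMAccountName, refuses to guess when more than one match exists, and falls back to an alternate OU when the original parent is gone. The account name testuser1 and the OU=Restored path are placeholders.

```powershell
# Added example (not from the original article): find a deleted user in the
# Recycle Bin, show where it came from, and restore it safely.
Import-Module ActiveDirectory

$account  = 'testuser1'                              # placeholder sAMAccountName
$fallback = 'OU=Restored,DC=theitbros,DC=com'        # placeholder OU used if the original parent is gone

# Deleted objects keep their attributes, so we can match on sAMAccountName
# instead of the mangled CN ("testuser1\0ADEL:<guid>") that deleted objects get.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -eq $account } `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged, objectGUID

if (-not $deleted) {
    throw "No deleted user '$account' found in the Recycle Bin."
}
if (@($deleted).Count -gt 1) {
    # The same account may have been created and deleted more than once;
    # list the candidates and make the operator pick one by objectGUID.
    $deleted | Select-Object sAMAccountName, lastKnownParent, whenChanged, objectGUID | Format-Table -AutoSize
    throw "More than one deleted object matches '$account'; restore by objectGUID instead."
}

# whenChanged on a deleted object is the time of the deletion (last write).
Write-Host "Found $($deleted.sAMAccountName), deleted from $($deleted.lastKnownParent) at $($deleted.whenChanged)"

# Restore-ADObject puts the object back under lastKnownParent by default, which
# fails if that container was deleted too. Check for it first and use -TargetPath otherwise.
$parent = Get-ADObject -Identity $deleted.lastKnownParent -ErrorAction SilentlyContinue
if ($parent) {
    Restore-ADObject -Identity $deleted.objectGUID
}
else {
    Write-Warning "Original parent $($deleted.lastKnownParent) no longer exists; restoring to $fallback"
    Restore-ADObject -Identity $deleted.objectGUID -TargetPath $fallback
}
```

If the original OU was deleted along with the user, restoring the OU first (it is in the Recycle Bin as well) and then the user keeps the object in its original location; the -TargetPath branch is for cases where that is not wanted.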
