How to Enable Active Directory Recycle Bin?

The Active Directory Recycle Bin allows a domain administrator to recover any deleted Active Directory object (user, computer, AD security group, etc.). The Active Directory Recycle Bin was first introduced in Windows Server 2008 R2. In this version, you could only manage the Recycle Bin and restore AD objects from the PowerShell command line. Windows Server 2012 added the ability to manage the AD Recycle Bin and restore objects from the Active Directory Administrative Center GUI. In this article, we will show you how to enable the AD Recycle Bin on Windows Server 2016 and restore a deleted user object.

By default, the AD Recycle Bin is disabled in all versions of Windows Server. You can check the status of the Recycle Bin using the Get-ADOptionalFeature cmdlet from the Active Directory module for Windows PowerShell:

Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScopes

In our case, the EnabledScopes value is empty, which means that the AD Recycle Bin is not enabled.


To enable the AD Recycle Bin, all domain controllers must be running Windows Server 2008 R2 (or newer), and the forest functional level must be set to Windows Server 2008 R2 or higher.

You can check the functional level of the AD forest using the command:

Get-ADForest | Select-Object ForestMode | fl

If the ForestMode level is lower than Windows2008R2Forest, you need to upgrade the forest functional level.

You can enable the Active Directory Recycle Bin in Windows Server 2016 using the PowerShell command (the -Target value is your forest root domain name):

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target theitbros.com

Note. Enabling the AD Recycle Bin is irreversible! You cannot disable it after turning it on.

You can also enable the AD Recycle Bin from the Active Directory Administrative Center snap-in.


Launch ADAC, right-click on the domain name and select the “Enable Recycle Bin” option.


Confirm the enabling of the AD Recycle Bin in the alert window: "Enable Recycle Bin Confirmation. Are you sure you want to perform this action? Once Recycle Bin has been enabled, it cannot be disabled."

After you enable the Active Directory Recycle Bin in the Active Directory Administrative Center, a new Deleted Objects container will appear. All deleted Active Directory objects will be automatically placed in this container.


In this container, you will find all deleted AD objects; you can view their properties and restore them to their original OU or to any other location.

Let’s delete the test user account and try to restore it.


Important! All attributes of the AD object, both linked and non-linked, are preserved in the AD Recycle Bin. This means that you can restore an object along with all of its attributes.

An AD object marked as logically deleted is kept for the deleted object lifetime. This value is defined by the msDS-DeletedObjectLifetime attribute on CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=theitbros and is not set by default. In that case, the object is kept for the period specified in the tombstoneLifetime attribute (180 days by default).


To restore this AD user object, right-click it and select Restore or Restore To. From here you can also view the deleted user's properties.

You can also find the deleted user and restore it from the AD Recycle Bin using PowerShell:

Get-ADObject -Filter 'displayName -eq "testuser1" -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
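As an added example (not part of the original article), the script below combines the checks described above into two functions: one reports the forest level, Recycle Bin state and the effective deleted object lifetime; the other restores a deleted user by sAMAccountName and falls back to another OU when the original parent OU was deleted as well. The account name testuser1 and the fallback OU path are assumptions.

```powershell
# Added example: audit AD Recycle Bin prerequisites and restore a deleted user.
# Requires the ActiveDirectory module and rights to read/restore deleted objects.
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    $forest   = Get-ADForest
    $feature  = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Both lifetime attributes live on the Directory Service object in the Configuration partition.
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    # Unset msDS-DeletedObjectLifetime means tombstoneLifetime applies;
    # if neither is set, AD uses its built-in default of 60 days.
    $effective = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' }
                 elseif ($ds.tombstoneLifetime)          { $ds.tombstoneLifetime }
                 else                                    { 60 }
    [pscustomobject]@{
        ForestMode            = $forest.ForestMode
        ForestLevelOk         = [int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
        RecycleBinEnabled     = $feature.EnabledScopes.Count -gt 0
        DeletedObjectLifetime = $effective   # days
    }
}

function Restore-DeletedADUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$FallbackOU   # used only when the original parent OU no longer exists
    )
    # Deleted objects are hidden from normal searches; -IncludeDeletedObjects exposes them.
    $deleted = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
                            -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) { throw "No deleted object named '$SamAccountName' found in the Recycle Bin." }
    if (@($deleted).Count -gt 1) { throw "Several deleted objects match; restore by objectGUID instead." }
    # Restore-ADObject fails when lastKnownParent is gone, so check it first.
    $parentExists = $false
    try { $null = Get-ADObject -Identity $deleted.lastKnownParent -ErrorAction Stop; $parentExists = $true } catch { }
    if ($parentExists)    { $deleted | Restore-ADObject -PassThru }
    elseif ($FallbackOU)  { $deleted | Restore-ADObject -TargetPath $FallbackOU -PassThru }
    else { throw "Original OU '$($deleted.lastKnownParent)' no longer exists; supply -FallbackOU." }
}

Get-ADRecycleBinStatus
# Assumed values for illustration:
# Restore-DeletedADUser -SamAccountName 'testuser1' -FallbackOU 'OU=Users,DC=theitbros,DC=com'
```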
Cyril Kardashevsky
