Active Directory Recycle Bin: Restore Deleted Objects or Wipe Off your Bin ?

Active Directory Recycle Bin is available from Server 2008R2 but it is disabled by default and it is one of the most useful feature for system admins in that he can restore any directory objects (user/computer or system accounts) that he mistakenly deleted.
You need Active Directory Administrative Center Console and forest functional level 2008R2 as a minimum to use this.
For the restore process, you can use GUI or powershell. For permanent deletion, powershell is the way to go. Also, there is tombstone lifetime and deleted object lifetime depending on how long you want to keep the deleted objects. In microsoft article, it’s stated that:
“Depending on your system environment and business practices, you can increase or decrease the deleted object lifetime and the tombstone lifetime. If you want your deleted objects to be recoverable for longer than the default 180 days, you can increase the deleted object lifetime. If you want your recycled objects to be recoverable (through authoritative restore) for longer than the default 180 days, you can also increase the tombstone lifetime.
The tombstone lifetime is determined by the value of the tombstoneLifetime attribute. The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. By default, tombstoneLifetime is set to null. When tombstoneLifetime is set to null, the tombstone lifetime defaults to 60 days (hard-coded in the system). By default, msDS-deletedObjectLifetime is also set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the tombstone lifetime.”


You can see about modifying the tombstone life time of deleted objects from this link
https://technet.microsoft.com/en-us/library/dd392260(v=ws.10).aspx
OK, For now, let’s start with creating new recycle bin 🙂

1) Check your forest functional level. Need to Raise up?
In my test environment, my forest functional level is 2012R2, I don’t need to raise the forest function level anymore (See Fig-1). In case you need to raise the forest functional level, go to Active Directory Domain and Trusts. Right-click your domain name and “Raise Forest Functional Level…”

Raise your forest functional level

Fig-1: Raise your forest functional level



2) Install Active Directory Administrative Center
If you has not installed Active Directory Administrative Center Feauture, you can install it from Servers Manager Console. I don’t go into details of step-by-step GUI method. But I included powershell method to install this feature. See Fig-2 with explanations.
To install the Active Directory Administrative Center
Install-WindowsFeature RSAT-ADDS*

Install Active Directory Administrative Center via powershell

Fig-2: Install Active Directory Administrative Center via powershell


3) Enable Recycle Bin Feature
You can enable the AD Recycle Bin feature from the Active Directory Administrator Center. You can search from Start Menu or type dsac from the Run box.
From the ADDS console, you can enable the recycle bin as shown in fig-3. You need to refresh (or press F5) the console to see the changed status.

Enable AD Recycle Bin

Fig-3: Enable AD Recycle Bin

4) Test Delete and Restore User Accounts
I created user11 and user22 and deleted via Active Directory Administrative Center Console. See Fig-4. The deleted objects are stored in Deleted Objects OU. You can see them in ADDS console or by the following powershell command. See Fig-5 for both methods.
Get-ADObject -filter {Deleted -eq $True -AND Name -ne “Deleted Objects”} | IncludeDeletedObjects | ft

Delete 2 user accounts

Fig-4: Delete 2 user accounts


Finding deleted objects

Fig-5: Finding deleted objects

You can restore the deleted users from recycle bin as well in ADDS console. You can do the same thing in powershell. See Fig-6 for both methods.

Restore deleted objects

Fig-6: Restore deleted objects

5) Delete Permanently Accounts or Wipe Off your Bin ?
This can only be done in powershell method. Once you done, the deleted object cannot be recoverd (if you don’t already have backups). Here is the command to delete each accounts with user confirmation. See Fig-7
Get-ADObject -filter {Deleted -eq $True -AND Name -ne “Deleted Objects”} -IncludeDeletedObjects | Remove-ADObject

Permanently delete each object 

Fig-7: Permanently delete each object

You can purge recycle bin with this single command. See Fig-8.
Get-ADObject -filter {Deleted -eq $True -AND Name -ne “Deleted Objects”} -IncludeDeletedObjects | Remove-ADObject -Confirm:$false

Permanently delete all objects

Fig-8: Permanently delete all objects

This entry was posted in Active Directory, Powershell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *