AD Recycle Bin in Windows Server 2012 - Part 2: Usage

• Author
• Recent Posts

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Latest posts by Kyle Beckman (see all)

• Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
• Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
• Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016

Now that the Forest Functional Level is at least Windows Server 2008 R2 and we’ve enabled the Active Directory Recycle Bin, let’s delete some stuff to test it out! The AD Recycle Bin can be accessed in the Active Directory Administrative Center (ADAC) on the Start Screen of your Domain Controller.

Active Directory Administrative Center (ADAC)

In the ADAC, click on your Domain and then should see a Container called Deleted Objects. Most likely, the Deleted Objects will be empty. Let’s go create some test objects that we can delete. Again, all of my screenshots from this demo were made in a test environment. I highly suggest you do the same before trying this in a production environment. I’ve created several User objects and Security Groups. Now, I’m going to delete them.

Delete User objects in ADAC

In Deleted Objects several items will appear Deleted Objects.

 Deleted objects in ADAC

If I select the items I want to restore and click the Restore option, the objects will be restored back to their original OU as if they were never deleted.

AD Recycle Bin Windows Server 2012 - Restore objects

That’s really it. The GUI is rather basic, but a welcome addition to Windows Server 2012. Unfortunately, the items you’ll see in the AD Recycle Bin are limited to the object’s name, last known parent, and GUID. If you need to see more detailed information about a deleted item, you’ll need to restore the object to view its full details and then re-delete it if it isn’t the object you’re looking for.

Other things to consider ^

Deleted items have a lifetime of 180 days in the AD Recycle Bin. For most organization, that is very generous. Should you need to change it, there’s a TechNet article that addresses changing tombstone and deleted item lifetimes.

Enabling the AD Recycle Bin is not reversible. I highly recommend testing this new feature in a test AD environment that mirrors your production environment as much as possible. If your AD environment handles a large number of objects and/or handles a large number of object deletions, you could see your AD database grow significantly. Test these scenarios so you can see if enabling the AD Recycle Bin is going to require memory or storage upgrades for your DC’s.

In addition to using the ADAC, you can also restore AD objects via the Recycle Bin with PowerShell or ldp.exe. Microsoft has an article on TechNet detailing both methods.

The AD Recycle Bin is not a replacement for backups or a disaster recovery strategy! You’ll still want to make sure that you’re performing regular backups of your AD environment. The AD Recycle Bin is typically only going to be helpful in those instances where items are accidentally deleted and need to be recovered with minimal effort.