AD Recycle Bin in Windows Server 2012 - Part 2: Usage

In part 2 of my article about the Active Directory Recycle Bin in Windows Server 2012, I’ll cover how to use the new GUI.

Now that the Forest Functional Level is at least Windows Server 2008 R2 and we’ve enabled the Active Directory Recycle Bin, let’s delete some stuff to test it out! The AD Recycle Bin can be accessed in the Active Directory Administrative Center (ADAC) on the Start Screen of your Domain Controller.

Active Directory Administrative Center (ADAC)

In the ADAC, click on your Domain and you should see a Container called Deleted Objects. Most likely, the Deleted Objects container will be empty. Let's go create some test objects that we can delete. Again, all of my screenshots from this demo were made in a test environment. I highly suggest you do the same before trying this in a production environment. I've created several User objects and Security Groups. Now, I'm going to delete them.

Delete User objects in ADAC

Several items will now appear in the Deleted Objects container.

Deleted objects in ADAC

If I select the items I want to restore and click the Restore option, the objects will be restored back to their original OU as if they were never deleted.

AD Recycle Bin Windows Server 2012 - Restore objects

That's really it. The GUI is rather basic, but a welcome addition to Windows Server 2012. Unfortunately, the information you'll see for items in the AD Recycle Bin is limited to the object's name, last known parent, and GUID. If you need to see more detailed information about a deleted item, you'll need to restore the object to view its full details and then re-delete it if it isn't the object you're looking for.

Other things to consider

Deleted items have a lifetime of 180 days in the AD Recycle Bin. For most organizations, that is very generous. Should you need to change it, there's a TechNet article that addresses changing tombstone and deleted item lifetimes.

Enabling the AD Recycle Bin is not reversible. I highly recommend testing this new feature in a test AD environment that mirrors your production environment as much as possible. If your AD environment handles a large number of objects and/or a large number of object deletions, you could see your AD database grow significantly. Test these scenarios so you can see whether enabling the AD Recycle Bin is going to require memory or storage upgrades for your DCs.

In addition to using the ADAC, you can also restore AD objects via the Recycle Bin with PowerShell or ldp.exe. Microsoft has an article on TechNet detailing both methods.
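As an added example (my own code, not from the original article or from Microsoft's TechNet guidance), the following PowerShell functions do from the console what the sections above describe: they read the current deleted-object and tombstone lifetimes from the configuration partition, list deleted objects with more attributes than the ADAC view exposes (original name, class, last known parent and approximate deletion time), and restore a single object while handling the case where its original OU was deleted as well. It assumes the ActiveDirectory module (RSAT or a DC), a forest with the Recycle Bin already enabled, and an account permitted to read and restore deleted objects; the function names and the sample OU path are assumptions of mine.

```powershell
# Added example, not code from the original 4sysops article. Assumes the
# ActiveDirectory PowerShell module, a forest with the AD Recycle Bin enabled,
# and rights to read and restore deleted objects. Try it in a test forest first.
Import-Module ActiveDirectory

# Current lifetimes, read from the Directory Service object in the
# configuration partition. If msDS-DeletedObjectLifetime is not set, the
# deleted-object lifetime falls back to tombstoneLifetime.
function Get-RecycleBinLifetime {
    $root   = Get-ADRootDSE
    $dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
    $ds     = Get-ADObject -Identity $dsPath -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    $dol    = $ds.'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        DeletedObjectLifetimeDays = if ($null -ne $dol) { $dol } else { $ds.tombstoneLifetime }
        TombstoneLifetimeDays     = $ds.tombstoneLifetime
    }
}

# List deleted objects with more detail than ADAC shows. The Deleted Objects
# container itself carries isDeleted=TRUE, so it is excluded explicitly.
function Get-DeletedObjectReport {
    param([string]$NameFilter = '*')   # LDAP wildcard, e.g. 'Test*'
    $ldap = "(&(isDeleted=TRUE)(!(name=Deleted Objects))(name=$NameFilter))"
    Get-ADObject -LDAPFilter $ldap -IncludeDeletedObjects `
        -Properties ObjectClass, LastKnownParent, whenChanged, 'msDS-LastKnownRDN', ObjectGUID |
    Select-Object @{ n = 'OriginalName';  e = { $_.'msDS-LastKnownRDN' } },
                  ObjectClass,
                  LastKnownParent,
                  @{ n = 'DeletedAround'; e = { $_.whenChanged } },   # deletion is the last change
                  ObjectGUID
}

# Restore one object by GUID. Restore-ADObject puts it back under
# LastKnownParent; if that OU is gone (deleted too), the restore fails, so
# either restore the parent OU first or redirect the object with -TargetPath.
function Restore-DeletedObjectSafely {
    param(
        [Parameter(Mandatory)][string]$ObjectGuid,
        [string]$FallbackTargetPath   # e.g. 'OU=Recovered,DC=corp,DC=example' (constructed)
    )
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties LastKnownParent

    $parentExists = $false
    try {
        $null = Get-ADObject -Identity $obj.LastKnownParent -ErrorAction Stop
        $parentExists = $true
    } catch { }

    if ($parentExists) {
        Restore-ADObject -Identity $ObjectGuid
    } elseif ($FallbackTargetPath) {
        Restore-ADObject -Identity $ObjectGuid -TargetPath $FallbackTargetPath
    } else {
        throw "Parent '$($obj.LastKnownParent)' no longer exists. Restore it first or pass -FallbackTargetPath."
    }
}

# Usage (GUID and OU path are placeholders):
# Get-RecycleBinLifetime
# Get-DeletedObjectReport -NameFilter 'Test*' | Format-Table -AutoSize
# Restore-DeletedObjectSafely -ObjectGuid '<guid from the report>' -FallbackTargetPath 'OU=Recovered,DC=corp,DC=example'
```

Two points worth keeping in mind when using this: the report avoids the restore-then-re-delete dance the GUI forces on you, because the deleted object's attributes are readable in place; and when a whole OU tree was deleted, restore the OU before its children (or point the children elsewhere with -TargetPath), since each child's LastKnownParent refers to a DN that no longer resolves until the parent is back.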

The AD Recycle Bin is not a replacement for backups or a disaster recovery strategy! You’ll still want to make sure that you’re performing regular backups of your AD environment. The AD Recycle Bin is typically only going to be helpful in those instances where items are accidentally deleted and need to be recovered with minimal effort.

  1. Lynne Reeves 2 months ago

    How do I delete an object out of the AD recycle bin to get rid of it completely?


© 4sysops 2006 - 2020