Enabling and using the Active Directory Recycle Bin
Administrators of Active Directory environments sometimes make
mistakes—for example, deleting the user account for a user who still
needs access to the corporate network. The effects of such mistakes
can range from lost end-user productivity to broken network
functionality.
Windows Server 2008 R2 previously introduced a feature called
the Active Directory Recycle Bin to provide
administrators with a way of recovering directory objects that were
accidentally deleted. However, using the AD Recycle Bin in Windows
Server 2008 R2 environments proved difficult for some administrators
because enabling and using this feature could be performed only from
the command-line, either by using the Ldp.exe utility or with Windows
PowerShell cmdlets. Windows Server 2012 simplifies this task—now you
can use the GUI-based ADAC for both enabling the AD Recycle Bin and
recovering deleted objects.
Understanding the AD Recycle Bin
To understand the limitations of the AD Recycle Bin, you need
to know how it works. When the AD Recycle Bin feature is enabled in
an Active Directory environment, directory objects can be in one of
the following four states (which are illustrated in Figure 1):
- Live: The object is functioning in Active Directory and is
  located in its proper container within the directory. As an
  example, a user account object that is live is one that a user
  can utilize for logging on to the network.
- Deleted: The object has been moved to the Deleted Objects
  container within Active Directory. The object is no longer
  functioning in Active Directory, but the object's link-valued
  and non-link-valued attributes are preserved, allowing the
  object to be recovered by restoring it from the AD Recycle Bin
  if the lifetime of the deleted object has not yet expired. (By
  default, when the AD Recycle Bin is enabled, the deleted object
  lifetime is configured as 180 days.) For example, a user account
  in the deleted state cannot be used for logging on to the
  network, but if the user account is restored to its live state,
  it can again be used for logon purposes.
- Recycled: The deleted object lifetime has expired for the
  object. The object remains in the Deleted Objects container, but
  most of its attributes are now stripped away. The object can no
  longer be recovered by restoring it from the AD Recycle Bin or
  by taking other steps, such as reanimating Active Directory
  tombstone objects.
- Removed: The recycled object lifetime has expired for the
  object. The Active Directory garbage collection process has
  physically removed the object from the directory database.
Enabling the AD Recycle Bin
By default, the AD Recycle Bin feature is disabled until you
choose to enable it. Enabling the AD Recycle Bin in your environment
requires that the forest functional level be Windows Server 2008 R2
or higher. This means that all domain controllers in your forest
must be running Windows Server 2008 R2 or higher.
To enable the AD Recycle Bin using ADAC, perform the following
steps:
- Log on using credentials of an account that belongs to the
  Enterprise Admins or Schema Admins group.
- Right-click on the forest root domain in the navigation pane,
  and select Raise The Forest Functional Level.
- Ensure that the forest functional level for your environment is
  Windows Server 2008 R2 or higher.
- Right-click again on the forest root domain, and select Enable
  Recycle Bin.
- Review the warning, and click OK to proceed with enabling the
  AD Recycle Bin.
- Refresh ADAC, and wait until all domain controllers in the
  forest have replicated the configuration change before
  attempting to use the AD Recycle Bin to restore deleted objects.
Note
Using Windows PowerShell to enable the AD Recycle Bin
You can also use Windows PowerShell to perform all of the
actions required to enable the AD Recycle Bin for your
environment. For example, you can use the Set-ADForestMode cmdlet
to raise the forest functional level to Windows Server 2008 R2 or
higher. And you can use the Enable-ADOptionalFeature cmdlet to
enable the AD Recycle Bin feature. Use the Get-Help cmdlet to
display the syntax and examples for each of these cmdlets.
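The same enable procedure carried out with the two cmdlets the note names, as an added example that is not part of the original text. It assumes the ActiveDirectory module is installed and that you are logged on as a member of Enterprise Admins; the pre-check and the per-DC replication check are additions a practitioner would want before relying on the feature.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest $($forest.Name) is currently at functional level $($forest.ForestMode)"

# Pre-check: every domain controller in the forest must run Windows Server
# 2008 R2 or newer before the forest functional level can be raised.
$forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize

# Step 1: raise the forest functional level. This is a one-way change.
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest -Confirm:$false

# Step 2: enable the Recycle Bin optional feature for the whole forest.
# The warning ADAC shows applies here too: once enabled, it cannot be disabled.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Step 3: verify. EnabledScopes lists the partitions the feature is enabled in.
Get-ADOptionalFeature -Identity 'Recycle Bin Feature' | Select-Object Name, EnabledScopes

# Ask each DC of the current domain directly so you can tell when the
# configuration change has replicated and restores are safe to attempt.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $f = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc.HostName
    $state = if ($f.EnabledScopes.Count -gt 0) { 'enabled' } else { 'not yet replicated' }
    "{0}: {1}" -f $dc.HostName, $state
}

# The deleted object lifetime is stored on the Directory Service object in the
# configuration partition. When msDS-DeletedObjectLifetime is not set, the
# tombstoneLifetime value is used instead (180 days is the default discussed above).
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services," +
          (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity $dsPath -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime
```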
After the AD Recycle Bin is enabled, using it to restore
deleted directory objects is straightforward as long as the deleted
object lifetime of the objects has not expired. For example, Figure 2 shows how to
restore the user account for Marie Dubois after it was accidentally
deleted. The following menu options are available:
- Restore: Restore the deleted object to its original location
  within Active Directory.
- Restore To: Restore the deleted object to a container you
  specify using Column Explorer.
- Locate Parent: Display the container where the deleted object
  originally resided.
- Properties: Display or modify the properties of the deleted
  object.
Note
Restoring multiple deleted objects
You can restore multiple deleted objects in one action by
multiselecting them in the Deleted Objects container and choosing
the appropriate menu option.
Note
Using Windows PowerShell to restore deleted objects
After the AD Recycle Bin is enabled for your environment,
you can also use Windows PowerShell to restore directory objects
you accidentally deleted. You can do this using the
Restore-ADObject cmdlet. Use the Get-Help cmdlet to display the
syntax and examples for this cmdlet.
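An added example of the Restore-ADObject path, not part of the original note. It uses the Marie Dubois account from the page's example and covers the two checks a practitioner wants before restoring: that the object is deleted rather than recycled (a recycled object cannot be restored), and that its last known parent container is restored first if it was deleted too. The Restore-DeletedObjectWithParent function and the OU path are assumptions for illustration.

```powershell
Import-Module ActiveDirectory

# Deleted objects are renamed "<name>\0ADEL:<guid>", so match on the name prefix.
$deleted = Get-ADObject -Filter { Name -like 'Marie Dubois*' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, isDeleted, isRecycled
$deleted | Select-Object Name, ObjectGUID, isDeleted, isRecycled, lastKnownParent

function Restore-DeletedObjectWithParent {
    # Hypothetical helper: restore a deleted object, restoring its deleted
    # parent container first, because a child cannot be put back into a
    # container that is itself still in the Deleted Objects container.
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties lastKnownParent, isDeleted, isRecycled
    if ($obj.isRecycled) {
        throw "$($obj.Name) is recycled (deleted object lifetime expired); it cannot be restored."
    }
    if (-not $obj.isDeleted) { "$($obj.Name) is live; nothing to do."; return }

    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects `
        -Properties isDeleted -ErrorAction SilentlyContinue
    if ($parent -and $parent.isDeleted) {
        Restore-DeletedObjectWithParent -ObjectGuid $parent.ObjectGUID
    }
    Restore-ADObject -Identity $obj.ObjectGUID
    "Restored $($obj.Name) to $($obj.lastKnownParent)"
}

# Equivalent of the ADAC "Restore" option: back to the original location.
Restore-DeletedObjectWithParent -ObjectGuid $deleted.ObjectGUID

# Equivalent of "Restore To": a container you choose (placeholder OU path).
# Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath 'OU=Sales,DC=example,DC=com'

# Restoring several objects in one pass: list everything that is deleted but
# not yet recycled, excluding the Deleted Objects container itself.
Get-ADObject -Filter 'isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object Name, lastKnownParent
```

Pipe the last query into Restore-ADObject only after reviewing the list; the page's 180-day lifetime means anything older shows isRecycled set and is excluded by the filter.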
Quick check
Quick check answer
- No. If an object is in the Recycled state, its deleted object
  lifetime has expired. The object is still in the Deleted Objects
  container, but because most of its attributes have been stripped
  away, you can no longer recover it by restoring it from the AD
  Recycle Bin.