In this post we will look at the Active Directory Recycle Bin feature in Windows Server 2012 R2. If a system administrator working in an Active Directory environment deletes an object by mistake, the effects can range from lost end-user productivity to broken network functionality.
In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you could recover deleted Active Directory objects through tombstone reanimation. However, reanimated objects’ link-valued attributes (for example, group memberships of user accounts) that were physically removed, and non-link-valued attributes that were cleared, were not recovered. Therefore, administrators could not rely on tombstone reanimation as the ultimate solution to accidental deletion of objects.
What is Active Directory Recycle Bin Feature
Windows Server 2008 R2 introduced a feature called the Active Directory Recycle Bin to give administrators a way to recover directory objects that were accidentally deleted. However, using the AD Recycle Bin in Windows Server 2008 R2 environments proved difficult for some administrators because enabling and using the feature could be performed only from the command line, either with the Ldp.exe utility or with Windows PowerShell cmdlets.
Windows Server 2012 R2 simplifies this task and makes it easier for administrators to recover deleted objects. You can now use the GUI-based Active Directory Administrative Center both to enable the AD Recycle Bin and to recover deleted objects. Before we do that, let’s understand Active Directory object states.
When the AD Recycle Bin feature is enabled in an Active Directory environment, a directory object can be in one of the following four states:
1) Live Object – Suppose you create a user account and the user is now logged in with it, using it to sign in to a computer or to access resources on the network. An object in normal use like this is in the Live state.
2) Deleted Object – When you delete an object from Active Directory, it is moved to the Deleted Objects container, but its link-valued and non-link-valued attributes are preserved. The object can be restored from the AD Recycle Bin (the feature must be enabled) as long as the deleted object lifetime has not expired. By default, the deleted object lifetime is 180 days. Restoring an object in the Deleted state returns it to the Live state.
3) Recycled Object – In this state the object remains in the Deleted Objects container, but most of its attributes have been stripped away. Once an object is in the Recycled state you cannot restore it from the AD Recycle Bin or by other means, such as reanimating Active Directory tombstone objects.
4) Removed Object – Once the lifetime of a recycled object expires, the AD garbage collection process removes the remains of the object from the database.
Enable Active Directory Recycle Bin Feature
The Active Directory Recycle Bin feature is disabled by default in Windows Server 2012 R2. To enable it, the forest functional level must be Windows Server 2008 R2 or higher.
This means that all domain controllers in your forest must be running Windows Server 2008 R2 or higher. Enabling the Active Directory Recycle Bin is irreversible: once you enable it, you cannot disable it.
To enable the Active Directory Recycle Bin feature on Windows Server 2012 R2, log in with a user account that belongs to the Enterprise Admins or Schema Admins group. From Server Manager, click Tools and then Active Directory Administrative Center. Right-click the target domain in the left navigation pane and click Raise the forest functional level.
In the example below the forest functional level is already Windows Server 2012 R2. You only need to perform this task if your organization’s forest functional level is lower than Windows Server 2008 R2.
To check the current forest functional level with PowerShell, run the following command in the Active Directory Module for Windows PowerShell.
Get-ADForest -Identity prajwal.local
To raise the forest functional level with PowerShell, launch the Active Directory Module for Windows PowerShell and run one of the commands below. The number selects the target level.
Set-ADForestMode 6 -Identity PRAJWAL.LOCAL (6 raises the forest functional level to Windows Server 2012 R2)
Set-ADForestMode 5 -Identity PRAJWAL.LOCAL (5 raises the forest functional level to Windows Server 2012)
Set-ADForestMode 4 -Identity PRAJWAL.LOCAL (4 raises the forest functional level to Windows Server 2008 R2)
Right-click the target domain and click Enable Recycle Bin. In the confirmation box click OK.
Click OK, then click the Refresh icon on the top ribbon.
Enable AD Recycle Bin Using PowerShell
To enable the Active Directory Recycle Bin feature with PowerShell, run the following command in the Active Directory Module for Windows PowerShell.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=prajwal,DC=local' -Scope ForestOrConfigurationSet -Target 'prajwal.local'
To verify whether the Recycle Bin feature is enabled, run the command below and check the EnabledScopes property of the Recycle Bin Feature entry; it is empty until the feature has been enabled.
Get-ADOptionalFeature -Filter *
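The prerequisite checks from the previous section (forest functional level, domain controller versions) and the verification above can be combined into one readiness report. The following function is an added example and is not part of the original post; it assumes the Active Directory module is loaded and uses the post's domain name prajwal.local, which you should replace with your own.

```powershell
# Added example: report whether the forest can use, and currently has, the AD
# Recycle Bin, plus the lifetimes that bound how long a deleted object can be restored.
Import-Module ActiveDirectory

function Get-RecycleBinStatus {
    param([string]$Server = 'prajwal.local')   # assumption: the post's domain

    $forest  = Get-ADForest -Server $Server
    $rootDse = Get-ADRootDSE -Server $Server
    # ADForestMode enum: Windows2008R2Forest = 4, Windows2012Forest = 5, Windows2012R2Forest = 6.
    $modeOk = [int]$forest.ForestMode -ge 4

    # Every DC in every domain of the forest must run 2008 R2 or later. Heuristic on
    # the OperatingSystem string: a year 2000-2008 not followed by " R2" is too old.
    $oldDcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Where-Object { $_.OperatingSystem -match 'Server\D*(200[0-8])(?! R2)' } |
            Select-Object HostName, OperatingSystem
    }

    # The feature object lives in the configuration NC; EnabledScopes stays empty until enabled.
    $feature = Get-ADOptionalFeature -Server $Server -Filter 'Name -eq "Recycle Bin Feature"'
    $enabled = $feature.EnabledScopes.Count -gt 0

    # msDS-DeletedObjectLifetime bounds restores. When it is not set, AD falls back to
    # tombstoneLifetime (180 days on forests created since Windows Server 2003 SP1;
    # an absent tombstoneLifetime means the built-in default of 60 days).
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Server $Server -Identity $dsDn -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    $tombstone = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    $deleted   = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstone }

    [pscustomobject]@{
        ForestMode              = $forest.ForestMode
        ForestModeSufficient    = $modeOk
        DomainControllersTooOld = @($oldDcs)
        RecycleBinEnabled       = $enabled
        EnabledScopes           = $feature.EnabledScopes
        DeletedObjectLifetime   = $deleted
        TombstoneLifetime       = $tombstone
    }
}

Get-RecycleBinStatus
```

A deleted object can only be restored within DeletedObjectLifetime days of deletion, so this value is the one to record when planning how quickly accidental deletions must be noticed.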
A new container called Deleted Objects now appears under the target domain. When you delete an object from Active Directory, it moves to this container.
Let’s create a test user named TempUser in the Users OU. Right-click the newly created user and click Delete. When asked to confirm the deletion, click Yes.
To delete the user account with PowerShell instead, use the command below.
Remove-ADUser -Identity TempUser
First, let’s search for the deleted object with PowerShell.
Get-ADObject -SearchBase "CN=Deleted Objects,DC=prajwal,DC=local" -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects -Properties lastKnownParent
Restore Deleted Objects
As mentioned earlier, in Windows Server 2012 R2 the Active Directory Recycle Bin feature has been enhanced with a graphical user interface for managing and restoring deleted objects. Deleted objects can now be seen under the Deleted Objects container. When you right-click a deleted object you see four options.
Restore – Restores the deleted object to the location where it was before deletion.
Restore To – Restores the object to a container of your choice.
Locate Parent – Shows the container where the object was before deletion. Use this option to find the original location of the object before you use Restore or Restore To.
Properties – Displays the properties of the object, such as Name, Object Class and USN.
Right-click the object in the Deleted Objects container and click Restore.
We see that the user account is restored to its original location using the Restore option.
To restore deleted objects to their original location with PowerShell, use the command below. Note that this filter matches every deleted object in the domain, so the command restores all of them; narrow the filter if you only want one object back.
Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects | Restore-ADObject
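The command above restores everything. The function below, an added example that is not part of the original post, restores a single object by its last known name and handles the case the one-liner does not: a child cannot be restored while its lastKnownParent is itself still in Deleted Objects, so deleted parent containers are restored first. It assumes the Active Directory module and the post's domain prajwal.local.

```powershell
# Added example: restore one deleted object by its msDS-LastKnownRDN, restoring any
# deleted ancestor containers first. Objects already in the Recycled state are refused.
Import-Module ActiveDirectory

function Restore-DeletedParentChain {
    # Walk lastKnownParent upward and restore every ancestor still in Deleted Objects.
    param([Parameter(Mandatory)][string]$ParentDn, [string]$Server)
    if ($ParentDn -notlike '*CN=Deleted Objects,*') { return }   # parent is live, nothing to do
    $parent = Get-ADObject -Server $Server -Identity $ParentDn -IncludeDeletedObjects `
                           -Properties lastKnownParent, isRecycled
    if ($parent.isRecycled) { throw "Parent '$ParentDn' is recycled and cannot be restored." }
    Restore-DeletedParentChain -ParentDn $parent.lastKnownParent -Server $Server
    Restore-ADObject -Server $Server -Identity $parent.ObjectGUID   # lands at its own lastKnownParent
}

function Restore-DeletedObjectByName {
    param(
        [Parameter(Mandatory)][string]$Name,      # value of msDS-LastKnownRDN, e.g. TempUser
        [string]$Server = 'prajwal.local'         # assumption: the post's domain
    )
    # isDeleted=TRUE keeps the Deleted Objects container itself out of the results.
    $found = @(Get-ADObject -Server $Server -IncludeDeletedObjects `
                 -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" `
                 -Properties lastKnownParent, isRecycled, whenChanged)
    if ($found.Count -eq 0) { throw "No deleted object named '$Name' found." }
    if ($found.Count -gt 1) {
        # Same name deleted more than once: make the operator pick by GUID rather than guess.
        $found | Select-Object ObjectGUID, whenChanged, lastKnownParent | Out-String | Write-Warning
        throw "Several deleted objects are named '$Name'; restore by ObjectGUID instead."
    }
    $obj = $found[0]
    if ($obj.isRecycled) { throw "'$Name' is already recycled; only a backup can bring it back." }
    Restore-DeletedParentChain -ParentDn $obj.lastKnownParent -Server $Server
    # Restore-ADObject places the object at lastKnownParent, like the GUI Restore option.
    Restore-ADObject -Server $Server -Identity $obj.ObjectGUID -PassThru
}

Restore-DeletedObjectByName -Name 'TempUser'
```

Because each Restore-ADObject call is a directory write, run it with -WhatIf first to see which objects would be restored.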