How to Enable Active Directory Recycle Bin on Windows Server

Posted by Prajwal Desai

In this tutorial, I will show you how to enable Active Directory Recycle Bin on Windows Server. I will cover two methods for enabling the AD recycle bin feature: PowerShell and the GUI.

Maintaining a healthy and secure Active Directory (AD) environment is crucial for any organization that runs Windows workstations and servers. Accidental deletion of AD objects (users, groups, computers, organizational units) disrupts end-user productivity and can break dependent services, because the group memberships and permissions tied to the deleted object disappear with it.

The Active Directory Recycle Bin is a server feature that allows you to recover accidentally deleted directory objects. Windows administrators who regularly work with Active Directory should be aware of this useful feature.

Starting with Windows Server 2008 R2, Active Directory implements a true recycle bin. If your forest runs Windows Server 2008 R2 or later, you can enable the feature and recover deleted objects quickly and completely.

Update: This guide has been rewritten to include the latest details about the Recycle Bin in Active Directory on Windows Server. The PowerShell cmdlets for recovering the deleted accounts have been tested and updated. I am hoping that this tutorial will make it simple to comprehend and activate the recycle bin feature in AD.

What is the Active Directory Recycle Bin feature?

Active Directory Recycle Bin is a feature in Windows Server that helps administrators recover directory objects that were accidentally deleted. When you enable this feature, all link-valued and non-link-valued attributes of a deleted object are preserved, allowing you to restore the object to the same state it was in before it was deleted.

Additionally, you can restore an object from the AD Recycle Bin without an authoritative restore. Before this feature existed there were two ways to get a deleted object back: an authoritative restore from a System State backup, which meant taking a domain controller offline, or reanimating the tombstone from the Deleted Objects container.

A reanimated tombstone never came back in its original state: most of its non-link-valued attributes had been stripped at deletion, and all of its link-valued attributes, group memberships above all, had been removed, so they had to be rebuilt by hand.

Benefits of enabling Active Directory Recycle Bin

Listed below are some advantages to enabling the Active Directory Recycle Bin feature on Windows Server:

  1. Attributes of deleted objects are preserved: By enabling the recycle bin for AD, all link-valued and non-link-valued attributes of a deleted object are preserved, allowing you to restore the object to the same state it was in before it was deleted.
  2. Reduce dependency on AD backups: You do not have to fall back on a System State backup to recover an accidentally deleted object. A backup restore means taking a domain controller offline into Directory Services Restore Mode, marking the objects authoritative, and normally going through change approval first. The Recycle Bin reduces, but does not remove, the need for backups: it covers deletions only, not database corruption or an unwanted schema change.
  3. Faster recovery of deleted objects: Restoring from the Recycle Bin takes seconds and can be done from the Active Directory Administrative Center or with the Restore-ADObject cmdlet, compared with the hours an offline restore can take.
  4. Free to use: The feature is built into Windows Server; there is no additional licensing cost. Enabling it does grow the database somewhat, because deleted objects keep all their attributes for the deleted object lifetime instead of being stripped at once.

Active Directory Object States

Before I show you the process to enable the AD recycle bin, let’s understand the object states for Active Directory. When the AD Recycle Bin feature is enabled in an Active Directory environment, directory objects can be in one of the following four states:

  1. Live Object State: An object that exists in the directory and is in normal use, for example a user account that someone logs in with to reach network resources. This is the live state.
  2. Deleted Object State: When you delete an object, it is moved to the Deleted Objects container of its domain. Its link-valued and non-link-valued attributes are still preserved, so it can be restored from the AD Recycle Bin to exactly the state it was in. The one prerequisite is that the deleted object lifetime has not expired. That lifetime is set by the msDS-DeletedObjectLifetime attribute on the Directory Service object in the Configuration partition; when it is not set, AD uses the tombstone lifetime, which defaults to 180 days in forests created with Windows Server 2003 SP1 or later (60 days in older forests). Restoring a deleted object returns it to the live state.
  3. Recycled Object State: Once the deleted object lifetime expires, the object becomes recycled: it stays in the Deleted Objects container, isRecycled is set to TRUE, and most of its attributes are stripped. A recycled object cannot be restored from the AD Recycle Bin or by any other method, including tombstone reanimation; only an authoritative restore from a backup taken before the deletion can bring it back.
  4. Removed Object State: When the recycled object lifetime (the tombstone lifetime) expires as well, the garbage collection process physically removes the remains of the object from the database.
AD Recycle Bin – Active Directory Object States

Requirements to enable AD Recycle Bin

The AD Recycle Bin is a forest-wide optional feature, so the forest functional level (not just the domain functional level) must be Windows Server 2008 R2 or higher. Raising the forest functional level in turn requires every domain controller in the forest to run Windows Server 2008 R2 or later, so check the domain controllers first. You also need an account that is a member of Enterprise Admins, and you should be aware that the feature cannot be turned off once enabled.

Enable Active Directory Recycle Bin on Windows Server

I will now walk you through the steps to enable the AD recycle bin feature on your Windows Server. This method uses the Server Manager to add and enable the recycle bin feature.

Step 1: Log in to the Windows Server with an account that is a member of the Enterprise Admins group. Schema Admins membership is not required, because enabling the feature writes to the Configuration partition, not to the schema.

Step 2: Launch the Server Manager. Now go to Tools and select Active Directory Administrative Center.

Step 3: Right-click on the local domain and select “Enable Recycle Bin.”

The following message box appears: “Are you sure you want to perform this action? Once Recycle Bin has been enabled, it cannot be disabled.” Read it literally: enabling the Active Directory Recycle Bin is irreversible, so make sure the prerequisites are met and the change is approved before you click OK.

Enable Active Directory Recycle Bin on Windows Server

Step 4: Click OK on the follow-up message and then click the Refresh icon on the top ribbon. The change is written once and replicates to every domain controller in the forest, so allow replication to complete before relying on it. That’s it; the AD Recycle Bin is now enabled.

Enable Active Directory Recycle Bin on Windows Server

Enable AD Recycle Bin with PowerShell

Follow the steps below to enable the Recycle Bin on Windows Server with PowerShell.

Sign in to a domain controller (or a workstation with the RSAT Active Directory module) with an account that is a member of Enterprise Admins, then run the following command from the Active Directory module for Windows PowerShell. Replace DC=prajwal,DC=local and prajwal.local with the distinguished name and DNS name of your own forest root domain. The cmdlet asks for confirmation because the change cannot be undone.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=prajwal,DC=local' -Scope ForestOrConfigurationSet -Target 'prajwal.local'
Enable AD Recycle Bin using PowerShell

Verify that the Active Directory Recycle Bin is enabled

To check whether the AD Recycle Bin feature is enabled, run the command below.

Get-ADOptionalFeature -Filter * | Select-Object Name, EnabledScopes

Every forest lists the Recycle Bin Feature in this output whether or not it is enabled, so the name alone tells you nothing. Look at EnabledScopes: when the feature is on it is populated (with the Partitions container of the Configuration partition and the NTDS Settings objects of the domain controllers); when it is empty, the feature is not enabled.
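The requirements section above and the enable-and-verify steps just shown fit naturally into one script. The block below is an added example, not code from the original post: it checks the forest functional level and the domain controllers, enables the feature only if EnabledScopes is empty, and writes the change on the domain naming master. It assumes the RSAT Active Directory module and an Enterprise Admins account; the function names are this example's own.

```powershell
# Added example (not code from the original post): prerequisite check,
# idempotent enable, and a verification that reads EnabledScopes rather than
# trusting the mere presence of the feature object.
# Assumes the RSAT Active Directory module and Enterprise Admins rights.
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisites {
    $forest = Get-ADForest
    # The cast handles both the enum and the string form of ForestMode.
    $mode    = [Microsoft.ActiveDirectory.Management.ADForestMode]$forest.ForestMode
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $modeOk  = [int]$mode -ge [int]$minimum

    # Every DC in every domain of the forest must run Windows Server 2008 R2 or later.
    $oldDCs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.OperatingSystem -notmatch 'Windows Server (2008 R2|201\d|202\d)' }
    }

    [pscustomobject]@{
        ForestMode          = $mode
        ForestModeOk        = $modeOk
        DomainControllersOk = (@($oldDCs).Count -eq 0)
        UnsupportedDCs      = @($oldDCs | Select-Object -ExpandProperty HostName)
        DomainNamingMaster  = $forest.DomainNamingMaster
    }
}

function Get-RecycleBinStatus {
    # The feature object exists in every forest; only EnabledScopes says whether it is on.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    [pscustomobject]@{
        Enabled       = (@($feature.EnabledScopes).Count -gt 0)
        EnabledScopes = @($feature.EnabledScopes)
    }
}

function Enable-RecycleBin {
    param([switch]$Force)   # -Force suppresses the confirmation prompt

    $check = Test-RecycleBinPrerequisites
    if (-not ($check.ForestModeOk -and $check.DomainControllersOk)) {
        throw "Prerequisites not met: forest mode $($check.ForestMode); unsupported DCs: $($check.UnsupportedDCs -join ', ')"
    }
    if ((Get-RecycleBinStatus).Enabled) {
        Write-Warning 'Recycle Bin is already enabled; nothing to do.'
        return Get-RecycleBinStatus
    }

    $forest = Get-ADForest
    # The short identity resolves to the same object as the full DN used earlier in
    # the article. Target the domain naming master; the change then replicates out.
    $params = @{
        Identity = 'Recycle Bin Feature'
        Scope    = 'ForestOrConfigurationSet'
        Target   = $forest.RootDomain
        Server   = $forest.DomainNamingMaster
    }
    if ($Force) { $params.Confirm = $false }
    Enable-ADOptionalFeature @params

    # Re-read the feature so the caller sees the populated EnabledScopes.
    Get-RecycleBinStatus
}

# Usage:
#   Test-RecycleBinPrerequisites
#   Enable-RecycleBin -Force
```

Run Test-RecycleBinPrerequisites on its own first; if UnsupportedDCs is non-empty, decommission or upgrade those domain controllers before raising the forest functional level, because Enable-ADOptionalFeature will refuse to run below Windows Server 2008 R2 forest mode.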

Enable AD Recycle Bin using PowerShell

Delete an Object from Active Directory

A new container named Deleted Objects now appears under the domain in the Active Directory Administrative Center. From now on, any object you delete from Active Directory moves into this container. We will come back to it later.

Active Directory Deleted Objects

Now we are going to test the Recycle Bin feature in AD by creating an object and deleting it on purpose. This is done only to test the Recycle Bin; use a throwaway account, not a real user.

Create a test user named TempUser in the Users container. Right-click the newly created user and click Delete. When asked to confirm the deletion, click Yes.

Delete Object From Active Directory

Alternatively, to delete the user account from the Active Directory, you can use the PowerShell command given below.

Remove-ADUser -Identity TempUser
Delete Object From Active Directory using PowerShell

Next, search for the deleted object with the following PowerShell command.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=prajwal,DC=local" -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects -Properties lastKnownParent

In the output, Deleted : True means the object is in the deleted state and can still be restored; lastKnownParent shows the container it lived in before deletion, which is where Restore-ADObject will put it back.

Check AD Object Deletion via PowerShell
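The object states described earlier and the search just shown can be combined into a report that tells you not only what is in the Deleted Objects container but whether each entry is still restorable and until when. The block below is an added example, not code from the original post: it reads the tombstone and deleted object lifetimes from the Configuration partition instead of assuming 180 days, labels each object as deleted or recycled from the isRecycled attribute, and derives the deadline from whenChanged. It assumes the RSAT Active Directory module; the function names are this example's own.

```powershell
# Added example (not from the original post): enumerate the Deleted Objects
# container of a domain and label every entry with its object state and the
# date on which the current state ends (recycling for deleted objects, garbage
# collection for recycled ones). Assumes the RSAT Active Directory module.
Import-Module ActiveDirectory

function Get-ADDeletionLifetime {
    # Both lifetimes live on the Directory Service object in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    # An unset tombstoneLifetime means the pre-2003 SP1 default of 60 days.
    $tombstone = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # An unset msDS-DeletedObjectLifetime falls back to the tombstone lifetime.
    $deleted = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstone }
    [pscustomobject]@{ DeletedObjectLifetimeDays = $deleted; TombstoneLifetimeDays = $tombstone }
}

function Get-ADDeletedObjectReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $lifetime = Get-ADDeletionLifetime
    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName

    Get-ADObject -Server $Domain -SearchBase "CN=Deleted Objects,$domainDN" -SearchScope OneLevel `
                 -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects `
                 -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, objectClass |
    ForEach-Object {
        # A deleted object's RDN becomes "<name>\0ADEL:<guid>"; the text before the
        # newline is the original name. This works for recycled objects too, whose
        # other attributes have been stripped.
        $originalName = ($_.Name -split "`n")[0]
        $state = if ($_.isRecycled) { 'Recycled' } else { 'Deleted' }
        # whenChanged is stamped at deletion and again at recycling (and by any
        # later modification), so it marks the start of the current lifetime clock.
        $deadline = if ($state -eq 'Deleted') {
            $_.whenChanged.AddDays($lifetime.DeletedObjectLifetimeDays)   # becomes recycled
        } else {
            $_.whenChanged.AddDays($lifetime.TombstoneLifetimeDays)       # garbage collected
        }
        [pscustomobject]@{
            Name            = $originalName
            ObjectClass     = $_.objectClass
            State           = $state
            LastKnownParent = $_.lastKnownParent
            LastChanged     = $_.whenChanged
            Deadline        = $deadline
            Restorable      = ($state -eq 'Deleted' -and $deadline -gt (Get-Date))
        }
    }
}

# Usage:
#   Get-ADDeletionLifetime
#   Get-ADDeletedObjectReport | Sort-Object Deadline | Format-Table -AutoSize
```

Objects that show State = Recycled can no longer be restored from the Recycle Bin, whatever their Deadline says; that date is only when garbage collection will remove the last trace of them.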

How to Restore Deleted Objects with AD Recycle Bin

Since Windows Server 2012, the Active Directory Administrative Center has included a graphical interface for browsing and restoring deleted objects, so routine restores no longer require PowerShell or ldp.exe.

The deleted objects can now be seen under Deleted Objects container. When you right-click on the deleted object, you see four options.

  • Restore – Restores the deleted object to the location where it was before deletion. This is the recommended option in most cases.
  • Restore To – Restores the object to a container of your choice. Use this when the original location no longer exists or you deliberately want the object in a different OU.
  • Locate Parent – Displays the container where the object was before deletion. Use this to confirm the original location before you choose Restore or Restore To.
  • Properties – Displays the properties of the deleted object, such as its name, object class, and USN.

Right-click the object present in the Deleted Objects container and click Restore.

Restore Deleted Objects from Recycle Bin

We see that the user account is restored back to the original location using the Restore Option.

Restore Deleted Objects from Recycle Bin

Restore Active Directory Deleted Objects using PowerShell

To restore the deleted object to its original location with PowerShell, use the following command. Restrict the filter to the object you want: a bare (msDS-LastKnownRDN=*) filter piped into Restore-ADObject would restore every deleted object in the domain.

Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=TempUser))" -IncludeDeletedObjects | Restore-ADObject
Restore Deleted Object using PowerShell
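The Restore option in the GUI and the Restore-ADObject pipeline above both assume that the object's original parent still exists. When an entire OU was deleted, the users inside it point at a parent that is itself in the Deleted Objects container, and restoring a child before its parent fails. The block below is an added example, not code from the original post: it finds one deleted object by name and object class, walks up lastKnownParent restoring deleted ancestors first, and falls back to an alternate container when the parent is gone for good. It assumes the RSAT Active Directory module; the function names and the OU=Restored path in the usage lines are this example's own.

```powershell
# Added example (not from the original post): restore a single deleted object by
# its last known name, restoring deleted parent OUs first, with a fallback
# location for when the original parent no longer exists.
# Assumes the RSAT Active Directory module.
Import-Module ActiveDirectory

function Find-ADDeletedObject {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ObjectClass = 'user'
    )
    # Deleted objects keep msDS-LastKnownRDN and lastKnownParent, which is what
    # makes them restorable; the filter pins the search to the one object wanted.
    $filter = "(&(isDeleted=TRUE)(objectClass=$ObjectClass)(msDS-LastKnownRDN=$Name))"
    Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects `
                 -Properties isDeleted, isRecycled, lastKnownParent, 'msDS-LastKnownRDN'
}

function Restore-ADDeletedObjectTree {
    param(
        [Parameter(Mandatory)]$DeletedObject,   # output of Find-ADDeletedObject
        [string]$FallbackPath                   # used only if the original parent is gone
    )
    if ($DeletedObject.isRecycled) {
        throw "$($DeletedObject.DistinguishedName) is recycled; it cannot be restored by any method."
    }

    # lastKnownParent holds the parent's current DN. If the parent was deleted
    # too, that DN sits under CN=Deleted Objects, so look it up with
    # -IncludeDeletedObjects; a null result means the parent was garbage collected.
    $parentDN = $DeletedObject.lastKnownParent
    $parent = Get-ADObject -Identity $parentDN -IncludeDeletedObjects `
                           -Properties isDeleted, isRecycled, lastKnownParent -ErrorAction SilentlyContinue

    if ($null -eq $parent) {
        if (-not $FallbackPath) {
            throw "Parent $parentDN no longer exists; supply -FallbackPath to restore elsewhere."
        }
        return Restore-ADObject -Identity $DeletedObject -TargetPath $FallbackPath -PassThru
    }
    if ($parent.isDeleted) {
        # Restore ancestors first (recursively) so the original location exists again.
        Restore-ADDeletedObjectTree -DeletedObject $parent -FallbackPath $FallbackPath | Out-Null
    }
    Restore-ADObject -Identity $DeletedObject -PassThru
}

# Usage (TempUser is the test account deleted earlier in the article;
# OU=Restored is an assumed holding OU for orphaned objects):
#   $obj = Find-ADDeletedObject -Name 'TempUser'
#   Restore-ADDeletedObjectTree -DeletedObject $obj -FallbackPath 'OU=Restored,DC=prajwal,DC=local'
```

Restore-ADObject returns an error rather than overwriting if a live object with the same name already exists in the target container; in that case restore with -NewName or pick a different -TargetPath.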

What is Active Directory Recycle Bin Feature?

The AD Recycle bin helps recover the directory objects that were accidentally deleted without the need to use your System State backups.

Can I disable AD Recycle Bin Feature?

No, once you enable AD Recycle Bin, you cannot disable it.

Can I find out who deleted an object using the Recycle Bin?

No. The Recycle Bin records what was deleted and where it lived, not who deleted it. For that you need directory service auditing: enable the Audit Directory Service Changes subcategory on your domain controllers and look for event ID 5141 (A directory service object was deleted) in the Security log, which records the deleting account and the object's distinguished name.
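Event 5141 stores its fields in the event's XML rather than in the message text, so a small parser makes the answer to "who deleted this?" usable. The block below is an added example, not code from the original post: it turns a 5141 event into a record with the deleting account and object DN, and includes a constructed sample event (not a real capture) so the parser can be tried offline. It assumes the Audit Directory Service Changes subcategory is enabled on the domain controller and that the deleted object's SACL audits deletion; the function names are this example's own.

```powershell
# Added example (not from the original post): parse Security event 5141
# ("A directory service object was deleted") into who/what/when, and query a
# domain controller's Security log for it. The sample event at the bottom is
# constructed for offline testing, not captured from a real system.

function ConvertFrom-ObjectDeletedEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        # EventData is a flat list of <Data Name="...">; turn it into a lookup table.
        $data = @{}
        foreach ($node in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        $timeNode = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns)

        [pscustomobject]@{
            TimeCreated = [datetime]$timeNode.GetAttribute('SystemTime')
            DeletedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectDN    = $data['ObjectDN']
            ObjectGUID  = $data['ObjectGUID']
            ObjectClass = $data['ObjectClass']
        }
    }
}

function Get-ObjectDeletedEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,     # a domain controller
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # Deletions are logged on the DC that processed them, so query each DC
    # (or a central collector) when you do not know which one it was.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $Since } |
        ForEach-Object { ConvertFrom-ObjectDeletedEvent -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample 5141 event (field names as written by the DS Changes audit).
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5141</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:30.000Z" />
    <Computer>DC01.prajwal.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">PRAJWAL</Data>
    <Data Name="ObjectDN">CN=TempUser,CN=Users,DC=prajwal,DC=local</Data>
    <Data Name="ObjectGUID">{2b7c1d6e-0f3a-4b9c-8e21-7a5d4c3b2a10}</Data>
    <Data Name="ObjectClass">user</Data>
  </EventData>
</Event>
'@
ConvertFrom-ObjectDeletedEvent -EventXml ([xml]$sampleEvent)

# On a domain controller:
#   Get-ObjectDeletedEvent | Format-Table TimeCreated, DeletedBy, ObjectDN
```

If Get-ObjectDeletedEvent returns nothing after a known deletion, check the Auditing tab in the object's Advanced Security Settings: without a SACL entry that audits Delete, the subcategory alone does not produce 5141.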

How long does Active Directory keep deleted objects?

By default a deleted object stays restorable for the deleted object lifetime, which is 180 days in most forests (60 days in forests created before Windows Server 2003 SP1 that never raised the tombstone lifetime). After that it becomes recycled and is kept, stripped of its attributes, for another tombstone lifetime before garbage collection removes it. You can lengthen the restorable window by setting msDS-DeletedObjectLifetime on the Directory Service object (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...) in the forest.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.