Introducing the Active Directory Recycle Bin in Windows Server 2012
Setting up and using this tool just got a whole lot easier
July 18, 2013
The Recycle Bin has been a feature in Windows OSs for quite some time. If you accidentally delete a file, it gives you the ability to restore it. However, if you accidentally delete a user or computer account in Windows Server 2008 Active Directory (AD) or earlier, you have very little you can do other than restore AD, re-create the account, or use a third-party tool to recover it.
Windows Server 2008 R2 introduced the first Active Directory Recycle Bin. With it, you can restore a user, computer, or organizational unit (OU) account that has been accidentally deleted. However, you must use Windows PowerShell to work with the Active Directory Recycle Bin. Using PowerShell commands to search for and restore a deleted object can be difficult, especially if you're not familiar with PowerShell. And when you want to search for an object, you're limited in what you can search on.
The PowerShell commands can also get a bit on the long side. For example, here's the command to enable the Active Directory Recycle Bin feature:
Enable-ADOptionalFeature "Recycle Bin Feature" `
    -Server ((Get-ADForest -Current LocalComputer).DomainNamingMaster) `
    -Scope ForestOrConfigurationSet `
    -Target (Get-ADForest -Current LocalComputer)
If you want to search through all the deleted objects in the Active Directory Recycle Bin, you need to run the command:
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties * |
    Format-Table msDS-LastKnownRDN, lastKnownParent -AutoSize -Wrap
If you want to restore a user named JohnMarlin, your command would be:
Get-ADObject -Filter 'samAccountName -eq "JohnMarlin"' -IncludeDeletedObjects |
    Restore-ADObject
As you can see, these aren't simple commands and the chances for typos are there. Don't get me wrong—I'm not saying the Active Directory Recycle Bin in Server 2008 R2 is a bad thing. It's just that the way to manipulate it tends to be challenging.
These challenges were presented to the appropriate Microsoft Product Groups. Based on this feedback, they made the Active Directory Recycle Bin part of the Active Directory Administrative Center in Windows Server 2012. As you'll see, setting up and using the Active Directory Recycle Bin just got a whole lot easier.
Setting Up the Active Directory Recycle Bin
Like its predecessor, the Active Directory Recycle Bin in Server 2012 isn't enabled by default and requires a Server 2008 R2 or later Forest Functional Level. To enable the recycle bin in Server 2012, you need to open the Active Directory Administrative Center, click your domain's name, and select Enable Recycle Bin from the Tasks menu. Alternatively, you can right-click your domain's name and select Enable Recycle Bin from the context menu. Figure 1 shows both methods.
Figure 1: Selecting the Option to Enable the Recycle Bin
After you select the Enable Recycle Bin option, you'll receive the Enable Recycle Bin Confirmation dialog box shown in Figure 2.
Figure 2: Confirming That You Want to Enable the Recycle Bin
As it notes, once you enable the recycle bin, it will always be enabled. You can't disable it at a later time.
Before you enable the recycle bin, you also need to be aware that the size of the AD database (Ntds.dit) will increase. The disk space used by the recycle bin will continue to increase over time as it preserves objects and their attribute data. So, you need to make sure that you won't run out of disk space, especially if you're in the habit of continually deleting objects from AD. Note that you must be a member of the Enterprise Administrators Group to access the recycle bin.
After you click OK in the Enable Recycle Bin Confirmation dialog box, you'll be reminded that the recycle bin won't be fully functional until the change is replicated to all remaining domain controllers (DCs). Once fully functional, when you delete an object, it's saved based on the information in the msDS-deletedObjectLifetime attribute. This attribute, which has existed since Server 2008 R2, describes how long a deleted object will be restorable. It's set in the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM container.
By default, the msDS-deletedObjectLifetime attribute is set to match the forest's tombstoneLifetime attribute. This attribute has existed since Windows 2000. Although its default had been 60 days, it was increased to 180 days in Windows Server 2003 SP1, where it continues to remain the default. The tombstoneLifetime attribute is set in the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM container.
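The GUI steps above can be scripted as well. The following is an added example (not code from the article or from Microsoft): it checks the Forest Functional Level prerequisite, enables the feature only if it isn't already on, keeps the cmdlet's confirmation prompt because the change can't be undone, and then reads the tombstoneLifetime and msDS-deletedObjectLifetime values from the Directory Service container named above. It assumes the ActiveDirectory PowerShell module is installed and that you're running it as a member of Enterprise Admins.

```powershell
# Added example, not from the article: enable the Recycle Bin with the prerequisite
# checks the article describes, then show the lifetimes that govern restorability.
Import-Module ActiveDirectory

$forest  = Get-ADForest -Current LocalComputer
$rootDse = Get-ADRootDSE

# Prerequisite: Windows Server 2008 R2 forest functional level or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); it must be at least $required."
}

# Enabling is a one-way change, so look at the current state before touching anything.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    # Same operation as the article's Server 2008 R2 command. The default confirmation
    # prompt is deliberately left in place: there is no way to disable the feature later.
    Enable-ADOptionalFeature -Identity $feature `
        -Scope ForestOrConfigurationSet `
        -Target $forest `
        -Server $forest.DomainNamingMaster
}

# Both lifetimes live on CN=Directory Service in the Configuration partition.
$dsSettings = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

$tombstone       = $dsSettings.tombstoneLifetime
$deletedLifetime = $dsSettings.'msDS-DeletedObjectLifetime'
# When msDS-DeletedObjectLifetime is not set explicitly it follows tombstoneLifetime.
if (-not $deletedLifetime) { $deletedLifetime = $tombstone }

"tombstoneLifetime         : $tombstone day(s) (blank = attribute never set)"
"msDS-DeletedObjectLifetime: $deletedLifetime day(s) effective"
```

Because disk usage grows with every deleted object that the bin preserves, it's worth recording the Ntds.dit size before enabling the feature so you have a baseline to compare against later.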
There's an artificial limit to the number of items displayed in the recycle bin. By default, it's set at 20,000. You can change this number (up to 100,000) by clicking the Manage menu and selecting Management List Options, as shown in Figure 3.
Figure 3: Changing the Number of Items Displayed in the Recycle Bin
Using the Active Directory Recycle Bin
To access the Active Directory Recycle Bin in the Active Directory Administrative Center, you need to select the Deleted Objects option that appears under your domain name. By default, there will be five columns: Name, When Deleted, Last known parent, Type, and Description. You can add additional columns by right-clicking a column to get the additional options, as Figure 4 shows.
Figure 4: Adding Additional Columns
After the recycle bin has been running for a while, you'll likely have several thousand objects in it. Scrolling through the list will take quite a long time. Fortunately, you can search with filters to narrow down what you need to find. For example, suppose that a temporary user account that has John in the name was deleted by mistake and you need to restore it. You're not completely sure which user account you need to restore because you didn't delete it, but you have some information about this user:
He works in the Dallas, Texas, office.
He's part of the accounting department.
He hasn't logged on for 10 days.
When he last logged on, he had 2 days before his password expired.
If you type John in the Filter box, it'll show everything with the name John in it. But what if there are hundreds of accounts with John in the name? You can add criteria to narrow the search by clicking the Add criteria button. As Figure 5 shows, there are many criteria from which to choose.
Figure 5: Reviewing the Criteria Available to Narrow a Search
Based on what you know about the user, you add several criteria and enter the specific information, as shown in Figure 6. As you can see, John23 is the user account you need to restore.
Figure 6: Adding the Criteria Needed to Find John's User Account
To restore the John23 object, you can right-click it and select the Restore option (restores it to the original OU) or the Restore To option (restores it to another OU that you select). These two options are also available from the Tasks menu.
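The same multi-criteria search and the Restore / Restore To choice can be done from PowerShell. This is an added example, not code from the article: it filters deleted user objects on name, city (the l attribute), department, and last logon age, prints the candidates, and restores the chosen one either to its original OU or to a target OU. The search values and the target OU path are constructed for the example; the ActiveDirectory module is assumed. The password-expiry criterion from the article is omitted because it is a computed value rather than a stored attribute.

```powershell
# Added example, not from the article: find a deleted user with several criteria
# (the Figure 6 search done in PowerShell) and restore it in place or to another OU.
Import-Module ActiveDirectory

function Find-DeletedUser {
    param(
        [string] $NamePattern = 'John*',      # constructed values for the example
        [string] $City        = 'Dallas',     # stored in the "l" attribute
        [string] $Department  = 'Accounting',
        [int]    $IdleDays    = 10
    )
    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601); build the cutoff in the same units.
    $cutoff = (Get-Date).AddDays(-$IdleDays).ToFileTimeUtc()

    # A deleted object's name keeps the original RDN followed by \0ADEL:<guid>,
    # so a "John*" pattern still matches. Computers are a subclass of user; exclude them.
    Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(!(objectClass=computer))(name=$NamePattern))" `
        -Properties msDS-LastKnownRDN, lastKnownParent, sAMAccountName, l, department, lastLogonTimestamp, whenChanged |
      Where-Object {
          $_.l -eq $City -and $_.department -eq $Department -and
          # an account that never logged on also counts as "not logged on for N days"
          (-not $_.lastLogonTimestamp -or $_.lastLogonTimestamp -lt $cutoff)
      }
}

# Note: $matches is an automatic variable in PowerShell, so use a different name.
$found = @(Find-DeletedUser)
$found | Format-Table 'msDS-LastKnownRDN', sAMAccountName, l, department, lastKnownParent, whenChanged -AutoSize

# Pick the one account to bring back (John23 in the article's Figure 6).
$target = @($found | Where-Object { $_.'msDS-LastKnownRDN' -eq 'John23' })
if ($target.Count -ne 1) {
    throw "Expected exactly one match for John23, found $($target.Count)."
}

# "Restore": back to the OU recorded in lastKnownParent, which must still exist.
$target[0] | Restore-ADObject

# "Restore To": put it in an OU you choose instead (constructed DN; use one or the other).
# $target[0] | Restore-ADObject -TargetPath 'OU=Accounting,OU=Dallas,DC=company,DC=com'
```

Checking that exactly one object matched before piping into Restore-ADObject is the scripted equivalent of looking at the filtered list in the Administrative Center before clicking Restore.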
You can restore not only a single object but also multiple objects simultaneously. You can even restore an OU. For example, suppose you work for a company that sometimes uses temporary employees. There's a group of temporary employees whose contracts will end on Friday afternoon. As the head administrator, you're responsible for removing the OU (Temp-Employees) and all the user accounts in it when those contracts are done. On Thursday afternoon, you decide to take off Friday since you'll be on vacation the following week. To make sure that everything is taken care of, you write a script that will run late Friday night to delete those objects.
On Friday afternoon, upper management decides to keep the temporary employees on for another week to complete what they're doing. You were sent an email telling you to delay deleting the objects for a week, but you weren't there to receive it. On Friday night, your script runs and deletes the Temp-Employees OU as well as all the user accounts in it.
Monday morning comes and the temporary employees can't log on. One of the other administrators, Mike, goes to the recycle bin to restore the user accounts. However, he's unaware that the OU was deleted. He also doesn't know the names of the users.
After opening the recycle bin, Mike adds the criteria shown in Figure 7 and gets the list of user accounts.
Figure 7: Adding the Criteria Needed to Find the Temporary Employees' User Accounts
However, when he tries to restore the first user account, he gets the pop-up box that Figure 8 shows.
Figure 8: Receiving an Error Message
From the error message, Mike determines that the Temp-Employees OU has also been deleted. The recycle bin won't allow you to restore to an OU that doesn't exist, and it won't create one for you. So, Mike runs a new search to find the deleted OU and restores it. He then reruns the previous search to bring up the list of deleted user accounts, selects all of them, and restores them in one simple operation, as shown in Figure 9.
Figure 9: Restoring All the User Accounts at Once
Now all the temporary employees can log on again.
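Mike's sequence, parent OU first and then its contents, is exactly the ordering a script has to respect too. The following is an added example, not code from the article: it locates a deleted OU by its last known RDN, verifies that the OU's own parent still exists (the condition behind the Figure 8 error), restores the OU, and then restores every object whose lastKnownParent points at the DN the OU had inside the Deleted Objects container, recursing into nested OUs. It assumes the ActiveDirectory module and that children of a deleted OU record that in-bin DN in lastKnownParent; the OU name Temp-Employees comes from the article's scenario.

```powershell
# Added example, not from the article: restore a deleted OU and everything deleted
# with it, container first, so that child restores do not fail for a missing parent.
Import-Module ActiveDirectory

function Restore-DeletedSubtree {
    # Restores one deleted object, then every object that was deleted along with it.
    param(
        [Parameter(Mandatory)] $Deleted,
        [Parameter(Mandatory)] [string] $DeletedObjectsDn
    )
    # Capture the DN the object has inside the bin before restoring; its children's
    # lastKnownParent references this value (assumption stated in the lead-in).
    $deletedDn = $Deleted.DistinguishedName

    $Deleted | Restore-ADObject
    $restored = 1

    $children = Get-ADObject -SearchBase $DeletedObjectsDn -IncludeDeletedObjects `
                    -Filter { lastKnownParent -eq $deletedDn }
    foreach ($child in $children) {
        if ($child.ObjectClass -eq 'organizationalUnit') {
            # Nested OU: recurse so its own contents come back after it.
            $restored += Restore-DeletedSubtree -Deleted $child -DeletedObjectsDn $DeletedObjectsDn
        } else {
            $child | Restore-ADObject
            $restored++
        }
    }
    return $restored
}

function Restore-DeletedOu {
    param([Parameter(Mandatory)] [string] $OuName)

    $deletedObjectsDn = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

    # The "name" of a deleted object carries a \0ADEL:<guid> suffix, so match on
    # msDS-LastKnownRDN, which holds the original name unchanged.
    $ou = @(Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
                -Filter { objectClass -eq 'organizationalUnit' -and msDS-LastKnownRDN -eq $OuName } `
                -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged)
    if ($ou.Count -ne 1) {
        throw "Expected exactly one deleted OU named '$OuName', found $($ou.Count)."
    }

    # The OU can only go back under a parent that exists; the recycle bin will not create one.
    try {
        Get-ADObject -Identity $ou[0].lastKnownParent -ErrorAction Stop | Out-Null
    } catch {
        throw "Parent '$($ou[0].lastKnownParent)' does not exist; restore it first or use Restore-ADObject -TargetPath."
    }

    $count = Restore-DeletedSubtree -Deleted $ou[0] -DeletedObjectsDn $deletedObjectsDn
    "Restored $count object(s) under OU=$OuName."
}

Restore-DeletedOu -OuName 'Temp-Employees'
```

Restoring by lastKnownParent rather than by a name search also catches objects Mike's criteria would have missed, such as groups or computers that lived in the same OU, which is the difference between "the users can log on" and "the OU is back the way it was".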
As you probably are aware, AD has multiple partitions. It's important to note that the recycle bin can manage only domain partitions. So, if objects are deleted from the Configuration, Domain DNS, or Forest DNS partitions, you can't restore them with this tool.
A Lifesaver
The Active Directory Recycle Bin can be a lifesaver for those times when simply re-creating a user won't do or when you have to restore the entire AD or large parts of it. If the need arises, I encourage you to take advantage of this easy-to-use tool.