Server 2008 R2 AD Recycle Bin

Windows Server 2008 R2’s Active Directory Recycle Bin lets you restore accidentally deleted Active Directory (AD) objects. To use the Recycle Bin, you must raise your forest functional level to that of Server 2008 R2 rather than just Server 2008, which means you can’t use the feature on your old domain controllers.

The Active Directory Recycle Bin is disabled by default. There’s currently no GUI console to enable it. For now, you must use PowerShell to enable the Recycle Bin. Enter

Import-Module ActiveDirectory

to import all the cmdlets to manage AD in PowerShell. Then, enter

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target itproconnections.local

where itproconnections.local is the name of your forest, to enable the Recycle Bin.

You’ll get a dialog box that asks if you’re sure about enabling the Recycle Bin; click Yes. Note that once you enable the Recycle Bin, you can’t disable it.

To test the Recycle Bin’s restore capability, let’s delete a user object that has the username user1 and the display name User 1, then try to restore it. After the user object is deleted, we need to undelete the user account. Start PowerShell and enter

Get-ADObject -Filter {displayName -eq "user 1”} -IncludeDeleted-Objects | Restore-ADObject

to undelete the account.

Running this command opens a new PowerShell prompt but doesn’t show whether the object was restored. You can use Active Directory Users and Computers to verify that the user account was restored.