The Active Directory Recycle Bin lets a domain administrator restore a deleted AD object (user, computer, security group, OU) with its attributes intact, without an authoritative restore from backup. The feature has been available in every version of Active Directory since Windows Server 2008 R2. This article shows how to enable the Active Directory Recycle Bin and how to restore a deleted user.
By default, the AD Recycle Bin is not enabled in a domain. Use the following PowerShell cmdlet to check its status:
Get-ADOptionalFeature "Recycle Bin Feature" | select-object name, EnabledScopes
If the EnabledScopes value is empty, this means that the AD Recycle Bin is not enabled.
To enable the Active Directory Recycle Bin, every domain controller must run Windows Server 2008 R2 or later and the forest functional level must be Windows Server 2008 R2 or higher.
Check the functional level of the AD forest with:
Get-ADForest | select-object ForestMode|fl
If the ForestMode value is lower than Windows2008R2Forest, raise the forest functional level first (this in turn requires that all domain controllers in every domain already run Windows Server 2008 R2 or later).
Use the following PowerShell command to enable the Active Directory Recycle Bin on Windows Server 2022/2019/2016. The target is the forest root domain, and the command must be run by a member of Enterprise Admins because the feature is forest-wide:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target poweradm.loc
You can also enable the AD Recycle Bin from the Active Directory Administrative Center GUI. Open the ADAC (dsac.exe), right-click on the domain name and select ‘Enable Recycle Bin’.
Confirm the action:
Enable Recycle Bin Confirmation.
Are you sure you want to perform this action? Once Recycle Bin has been enabled, it cannot be disabled.
After the Active Directory Recycle Bin is enabled, a Deleted Objects container becomes visible in the ADAC. Any Active Directory object that is deleted from now on is moved to this container automatically, keeping all of its attributes, including its SID and group memberships. You can view the properties of deleted objects and restore them to their original OU or to a different OU. Note that objects deleted before the feature was turned on do not benefit from it: existing tombstones are converted to recycled objects at the moment the Recycle Bin is enabled, so recover anything you still need (for example by tombstone reanimation) beforehand.
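The following script ties the steps above together: it checks the current state and the forest functional level, warns about tombstones that will become unrecoverable, and then enables the feature. It is an added example, not code from the original article; the forest name poweradm.loc and the `$AcceptTombstoneLoss` switch are assumptions. Run it as a member of Enterprise Admins.

```powershell
# Added example: verify prerequisites and enable the AD Recycle Bin forest-wide.
# Not part of the original article. Assumptions: forest poweradm.loc, Enterprise Admins rights.
Import-Module ActiveDirectory

$AcceptTombstoneLoss = $false   # set to $true once you have dealt with existing tombstones

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled in: $($feature.EnabledScopes -join '; ')"
    return
}

# The feature needs a forest functional level of Windows Server 2008 R2 or higher. Raising the
# level is only possible once every DC in every domain runs that OS or later, so this one check
# covers both prerequisites. Compare the enum values rather than the strings.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem | Format-Table -AutoSize
    throw "Forest functional level is $($forest.ForestMode); raise it to at least $minMode first"
}

# Objects that are already tombstones become recycled (not restorable through the Recycle Bin)
# the moment the feature is enabled. This searches the current domain only; in a multi-domain
# forest repeat it per domain with -Server. The Deleted Objects container itself is isDeleted=TRUE
# and is excluded by its DN.
$tombstones = Get-ADObject -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects |
    Where-Object { $_.DistinguishedName -notmatch '^CN=Deleted Objects,' }
if ($tombstones -and -not $AcceptTombstoneLoss) {
    $tombstones | Select-Object Name, ObjectClass | Format-Table -AutoSize
    throw "$(@($tombstones).Count) tombstone(s) would become unrecoverable; reanimate what you need, then set `$AcceptTombstoneLoss"
}

# Enabling is forest-wide and cannot be undone; -Confirm:$false is the explicit acknowledgement.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false

# Re-read the state. The change still has to replicate to every DC before it is effective everywhere.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
```

The script stops rather than prompting when tombstones exist, because the loss is silent once the feature is on; flip `$AcceptTombstoneLoss` only after you have confirmed none of them is worth reanimating.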
Let’s try deleting the test AD account.
A deleted object is kept in the logically deleted state, from which the Recycle Bin can restore it, for the deleted object lifetime. This period is set by the msDS-DeletedObjectLifetime attribute of the object CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=poweradm, DC=loc. The attribute is not set by default; when it is absent, AD uses the value of tombstoneLifetime on the same object (180 days by default). Once the lifetime expires, the object becomes a recycled object (isRecycled=TRUE): most of its attributes are stripped, it can no longer be restored with the Recycle Bin, and it is finally garbage-collected after the tombstoneLifetime.
Check that the deleted user appears in the Deleted Objects container. Select it and click Restore to return it to its original OU, or Restore To to choose a different OU. The properties of the deleted object can also be inspected here.
You can use PowerShell to find the deleted user and restore it from the AD Recycle Bin. Get-ADObject accepts only one -Filter, so combine the conditions with -and and add -IncludeDeletedObjects, otherwise deleted objects are never returned:
Get-ADObject -Filter 'DisplayName -eq "test_user" -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
List all deleted objects in the AD Recycle Bin:
Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
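The one-liners above are enough for a single known account. The following script, an added example that is not part of the original article, goes a little further: it reads the effective deleted object lifetime from the configuration partition, lists every user account that is still restorable together with the days left before it is recycled, and restores one account by sAMAccountName, falling back to another OU when the original parent OU has been deleted too. The account name test_user, the domain poweradm.loc and the fallback OU are assumptions.

```powershell
# Added example: inventory the restorable users in the AD Recycle Bin and restore one of them.
# Not part of the original article. Assumptions: domain poweradm.loc, account test_user, OU=Restored.
Import-Module ActiveDirectory

# 1. Effective deleted object lifetime. Both lifetimes live on the Directory Service object of the
#    configuration partition; if msDS-DeletedObjectLifetime is unset AD falls back to
#    tombstoneLifetime, and if that is unset too, to 180 days.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$ds     = Get-ADObject -Identity $dsPath -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$deletedLifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' }
                   elseif ($ds.tombstoneLifetime)          { $ds.tombstoneLifetime }
                   else                                    { 180 }

# 2. User accounts that are logically deleted but not yet recycled. Recycled objects also have
#    isDeleted=TRUE, but carry isRecycled=TRUE and cannot be restored, so exclude them in the filter.
$restorable = Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter '(&(objectClass=user)(objectCategory=person)(isDeleted=TRUE)(!(isRecycled=TRUE)))' `
    -Properties sAMAccountName, msDS-LastKnownRDN, LastKnownParent, whenChanged

# The deletion itself updates whenChanged, so it is the usual proxy for the deletion time.
$restorable |
    Select-Object sAMAccountName, msDS-LastKnownRDN, LastKnownParent,
        @{ n = 'DeletedOn';         e = { $_.whenChanged } },
        @{ n = 'DaysUntilRecycled'; e = { [int]($_.whenChanged.AddDays($deletedLifetime) - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# 3. Pick the account by sAMAccountName: display names are not unique, the account name and SID are.
$sam  = 'test_user'                                   # assumed account name
$user = $restorable | Where-Object { $_.sAMAccountName -eq $sam }
if (-not $user) {
    throw "$sam is not restorable: never deleted, already restored, or already recycled"
}

# Restore into the original OU if it still exists. If the parent OU was deleted as well, either
# restore the OU first or choose another container with -TargetPath.
$fallbackOu = 'OU=Restored,DC=poweradm,DC=loc'        # assumed OU
try {
    $null = Get-ADObject -Identity $user.LastKnownParent -ErrorAction Stop
    Restore-ADObject -Identity $user.ObjectGUID
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Restore-ADObject -Identity $user.ObjectGUID -TargetPath $fallbackOu
}

# 4. The account comes back with its original SID and group memberships, so review them before
#    anyone can log on with it again.
Get-ADUser -Identity $sam -Properties MemberOf | Select-Object SamAccountName, Enabled, SID, MemberOf
```

Restoring reinstates the object's SID and every group membership it held, including privileged ones; treat a restore of an administrative account like a new privileged-account provisioning and verify the memberships it returns with before re-enabling it.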