Active Directory Recycle Bin: How to Enable and Restore Delete Objects / Windows / Windows Server / Active Directory Recycle Bin: How to Enable and Restore Delete Objects

The Active Directory Recycle Bin allows a domain administrator to restore any deleted object (user, computer, security group) in the AD domain. AD Recycle Bin is available in all versions of Active Directory starting with Windows Server 2008 R2. In this article, we will show how to enable the Active Directory Recycle Bin and restore a deleted user.

By default, the AD recycle bin is not enabled in a domain. You can use the PowerShell cmdlet to check the Recycle Bin status.

Get-ADOptionalFeature "Recycle Bin Feature" | select-object name, EnabledScopes

If the EnabledScopes value is empty, this means that the AD Recycle Bin is not enabled.

Get-ADOptionalFeature - check if AD recycle bin is enabled

To enable the Active Directory Recycle Bin, all domain controllers and forest functional level should be Windows Server 2008 R2 or later.

Use the following command to check the functional level of the AD forest:

Get-ADForest | select-object ForestMode|fl

Get-ADForest - check functional level

You must upgrade the forest functional level if the ForestMode is lower than Windows2008R2Forest.

You can use the PowerShell command to enable the Active Directory Recycle Bin on Windows Server 2022/2019/2016:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target poweradm.loc

You can also enable the AD Recycle Bin from the Active Directory Administrative Center snap-in GUI. Open the ADAC (dsac.exe), right-click on the domain name and select ‘Enable Recycle Bin’.

Enable Recycle Bin in Active Directory

Confirm the action:
Enable Recycle Bin Confirmation.
Are you sure you want to perform this action? Once Recycle Bin has enabled, it cannot be disabled.

Once AD Recycle Bin has enabled, it cannot be disabled

A new Deleted Objects container appears in the Active Directory after enabling the Active Directory Recycle Bin. Any Active Directory objects that have been deleted are automatically moved to this container. You can view the properties of objects that have been deleted and restore them to the original OU or to a different OU.

Deleted Objects container in AD

Let’s try deleting the test AD account.

delete AD user account

All linked and unlinked attributes of the AD object are retained. This means that you will be able to restore the object along with all of its attributes.

An AD object marked as logically deleted is retained for the lifetime of the deleted object. This period is set by the msDS-DeletedObjectLifetime attribute which is located in CN=Windows NT, CN=Services, CN=Configuration, DC=poweradm, DC=loc (it is not defined by default). The object is then marked as a tombstone object and stored for a lifetime specified by the tombstoneLifetime attribute (180 days by default).

Check that the user you deleted appears in the Deleted Objects container. To restore this user account object, click Restore or Restore to. This is also where you can view deleted user properties.

Restore AD user from recycle bin

You can use PowerShell to find the deleted user and restore it from the AD recycle bin:

Get-ADObject -filter {displayname -eq "test_user"} -Filter ′isDeleted -eq $true’ –includedeletedobjects | Restore-ADObject

List all deleted objects in the AD Recycle Bin:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" – IncludeDeletedObjects
Leave a Reply

Your email address will not be published. Required fields are marked *