blog.powershell.no

On Windows PowerShell and other admin-related topics

How to use the new Active Directory Recycle Bin feature

 

In Windows Server 2008 R2 there is a new feature called Active Directory Recycle Bin. This feature makes it possible to restore deleted objects in Active Directory without restoring from backup.
Unlike restoring tombstoned objects, all object attributes are preserved (group membership, sn, dn, and so on).

Active Directory Recycle Bin is disabled by default, even in new Windows Server 2008 R2 domains. As a prerequisite, the forest mode must be set to Windows Server 2008 R2.
When all domain controllers are running Windows Server 2008 R2, this can be accomplished by using the Active Directory module in PowerShell:
Set-ADForestMode -Identity domain.local -ForestMode Windows2008R2Forest

You may also use ldp.exe or the GUI tool “Active Directory Domains and Trusts”.

You can use the Get-ADOptionalFeature cmdlet to check whether the Recycle Bin feature is enabled.

Before enabling the feature:

[screenshot]

After enabling the feature:

[screenshot]

 

When the prerequisites are met, the Active Directory Recycle Bin feature can be enabled.
Either using the Active Directory module in PowerShell:

[screenshot]

Or by using ldp.exe.

When the feature is enabled it's a good idea to perform some testing. By default all deleted objects are placed in the Deleted Objects container.

In my test I first created a user named “Test User”, and then deleted the user object:

[screenshot]

This will retrieve all deleted user objects:

[screenshot]

This will restore all deleted user objects:

[screenshot]

This will restore a specific user object:

[screenshot]
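The whole procedure above (prerequisite check, enabling the feature, listing deleted users, restoring one) as a single PowerShell script. This is an added example, not the commands from the original screenshots; it assumes the forest root domain is domain.local and the test account is named "Test User", as in the post, and that the Active Directory module is loaded on a Windows Server 2008 R2 domain controller.

```powershell
# Added example: end-to-end Active Directory Recycle Bin workflow.
# Assumptions: forest root domain 'domain.local', a deleted user 'Test User'.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'domain.local'

# 1. Prerequisite: the forest functional level must be Windows Server 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# 2. Check whether the Recycle Bin is already enabled.
#    EnabledScopes is empty while the feature is still disabled.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    # Enabling is a one-way operation: it cannot be turned off afterwards.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 3. Retrieve all deleted user objects. -IncludeDeletedObjects is required to
#    see objects in the Deleted Objects container; filtering on objectClass
#    keeps the container itself (which is also flagged isDeleted) out of the list.
$deletedUsers = Get-ADObject `
    -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
    -IncludeDeletedObjects `
    -Properties 'msDS-LastKnownRDN', 'lastKnownParent'
$deletedUsers | Select-Object Name, 'msDS-LastKnownRDN', lastKnownParent, ObjectGUID

# 4a. Restore every deleted user object (uncomment to run).
# $deletedUsers | Restore-ADObject

# 4b. Restore one specific user, matched on its last known RDN, then verify
#     that the restored object came back with its group membership intact.
$target = $deletedUsers | Where-Object { $_.'msDS-LastKnownRDN' -eq 'Test User' }
if ($target) {
    Restore-ADObject -Identity $target.ObjectGUID
    Get-ADUser -Identity $target.ObjectGUID -Properties MemberOf |
        Select-Object Name, DistinguishedName, MemberOf
}
else {
    Write-Warning "No deleted user named 'Test User' found in the Deleted Objects container."
}
```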

For those of you who are more comfortable using a GUI rather than the PowerShell command line, a GUI tool for using this new feature is already available. Check out Kirk Munro's PowerGUI PowerPack for Active Directory Recycle Bin.

This blog post is based on the official Microsoft documentation on TechNet, provided in the Active Directory Recycle Bin Step-by-Step Guide.

September 13, 2009 - Posted by | Active Directory management, Windows PowerShell, Windows Server 2008 R2

1 Comment »

  1. The AD recycle bin isn't as convenient and effective as it sounds and here's a quick rundown as to why: For starters, it won't work unless all domain controllers have been upgraded to Windows Server 2008 R2, which means that getting the feature might wind up costing more than a 3rd party tool. Also, once it's turned on, it can't be turned off, creating problems in instances where compliance regulations don't permit preservation of personally identifiable info. Lastly, while deleted objects can be restored, previous modifications can't be restored. In other words, administrators trying to salvage Active Directory by reverting unwanted modifications will not be able to roll back because previous values of AD attributes were already overwritten. That being the case, I always recommend a third-party solution for roll back. Take a look at netwrix's free ad object restore wizard or Quest's object restore. Both options work well and provide much more capabilities than the native recycle bin.

    Comment by Darren | November 11, 2011 | Reply

