Perhaps one of the biggest small features included in Microsoft's latest Server platform iteration, Windows Server 2012, is the GUI-driven Active Directory Recycle Bin.
The AD Recycle Bin is by no means new. Originally introduced in Windows Server 2008 R2, this feature was only ever accessible using PowerShell, a time-consuming and by no means intuitive approach, especially if you are in a hurry!
At long last, Windows Server 2012 has implemented this feature in a GUI, so as to make the retrieval of deleted AD objects as quick and painless as possible.
This feature is accessible from the Active Directory Administration Centre. Once again, this is a tool that was originally made available with Server 2008 R2.
To make use of the AD Recycle Bin feature, we first need to enable it. In Windows Server 2012, this is achievable through the Active Directory Administration Centre. Simply select your AD domain from the left-hand pane and choose “Enable Recycle Bin” from the tasks pane. As you can see, I have been imaginative and named my test domain “Domain”. The reason the option is greyed out in the example below is that I have already enabled this feature. Note that once the Recycle Bin has been enabled, it cannot be disabled again. A Forest and Domain Functional Level of Windows Server 2008 R2 or higher is also required to take advantage of this feature, and all Domain Controllers in your infrastructure must be running Windows Server 2008 R2 or higher.
Using the Recycle Bin feature really is a piece of cake. Say, for example, your junior sysadmin has just deleted an OU containing all of your Finance department users. What next? Simply open up the AD Administration Centre (ADAC) and choose Deleted Objects from the root list of containers in your domain.
You will see that the container holds all the deleted objects, including the OU itself. After all, this is an AD object too! For this reason, we must begin by restoring the Finance OU first: the deleted users still reference it as their last known parent, so they have nowhere to go until it exists again. Simply right-clicking on the Finance OU reveals a Restore option. Alternatively, you can restore any deleted object to a different location by selecting Restore To…
After restoring the Finance OU itself, highlight all the remaining objects and choose Restore to return them to their original location.
Using either ADAC or Active Directory Users and Computers, check that the objects have been restored successfully.
It really is as easy as that. It must be noted, however, that deleted objects will not stay around forever; they are subject to a Deleted Object Lifetime. Unless configured otherwise, this is usually the same as the tombstone lifetime of 180 days. Once a deleted object has exceeded this threshold, the object and all its attributes are marked as unrecoverable and subjected to normal object tombstoning, ultimately resulting in physical removal of the object from the Active Directory database.
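The same workflow, enabling the Recycle Bin, restoring the OU before its children and checking the Deleted Object Lifetime, can be scripted for the cases where ADAC is not to hand or hundreds of objects need restoring. This is an added example and not code from the original post; it assumes the ActiveDirectory PowerShell module, a deleted OU named "Finance", and that the children's lastKnownParent attribute points at the OU (either its original DN or its renamed DN inside Deleted Objects).

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and a deleted OU whose last known name was "Finance".
Import-Module ActiveDirectory

# 1. Enable the Recycle Bin once. This is irreversible and needs a forest
#    functional level of Windows Server 2008 R2 or higher.
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    if ($forest.ForestMode -lt 'Windows2008R2Forest') {
        throw 'Forest functional level must be Windows Server 2008 R2 or higher.'
    }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 2. List what is in Deleted Objects. Deleted objects keep msDS-LastKnownRDN
#    (old name) and lastKnownParent (old container), which is how ADAC knows
#    where to put them back.
$deleted = Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
    -Properties msDS-LastKnownRDN, lastKnownParent, objectClass, whenChanged

# 3. Restore the OU first; its children cannot be restored until it exists.
$ou = $deleted | Where-Object {
    $_.objectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Finance'
}
if (-not $ou) { throw 'No deleted OU named Finance found.' }
Restore-ADObject -Identity $ou.ObjectGUID
$restoredOu = Get-ADObject -Identity $ou.ObjectGUID   # same GUID, original DN again

# 4. Restore everything that lived directly under the OU, explicitly into it
#    (the scripted equivalent of "Restore To..."). Children may reference the
#    OU by its original DN or by its renamed DN inside Deleted Objects.
$parentDns = @($ou.DistinguishedName, "OU=Finance,$($ou.lastKnownParent)")
$deleted | Where-Object { $parentDns -contains $_.lastKnownParent } | ForEach-Object {
    Restore-ADObject -Identity $_.ObjectGUID -TargetPath $restoredOu.DistinguishedName
}

# 5. Verify the restore, then check how long deleted objects stay restorable.
Get-ADObject -Filter * -SearchBase $restoredOu.DistinguishedName |
    Select-Object Name, ObjectClass

$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
# If msDS-DeletedObjectLifetime is not set, the tombstone lifetime applies.
$dsCfg | Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime
```

Run it as a member of Domain Admins (step 1 additionally needs Enterprise Admins, since the feature is enabled forest-wide).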
Matt Hibberd – Systems Engineer at Coretek