We use cookies on this page to better serve you. You can find more information about cookies here.

Active Directory Recycle Bin

Active Directory Recycle Bin
by
Active Directory Recycle Bin

If you accidentally delete something in Active Directory, it can be difficult to undo. Fortunately, you can enable a recycle bin for Active Directory, making life much easier if you need to restore something.

The Active Directory Recycle Bin (sometimes called ADRB) was first introduced in Windows Server 2008 R2. You need to enable it to take advantage of it. You can never turn it off once you enable the Active Directory Recycle Bin.

Once the Active Directory Recycle Bin is enabled, when you delete an object out of Active Directory, the object is not instantly deleted. It is placed in the Active Directory Recycle Bin for some time. After some time has passed, the object is actually permanently deleted. The default retention for the recycle bin is 180 days.

In this post, I will show you step-by-step how to check the Active Directory Recycle Bin status using the GUI or PowerShell, how to enable the Active Directory Recycle Bin with the GUI or PowerShell and how to check the Active Directory Recycle Bin retention using the GUI or PowerShell.

Prerequisites

  • Active Directory Forest Functional Level at Windows 2008 R2 or higher
  • Active Directory Domain Functional Level at Windows 2008 R2 or higher
  • Domain Admin account

Checking Active Directory Recycle Bin Status

Before enabling the Active Directory Recycle Bin, it’s a good idea to check if it’s already enabled.

GUI Way

  • Open the Active Directory Administrative Center (aka dsac)
  • In the top right, click on Manage > Add Navigation Nodes…
  • Select your domain, click on the arrows to add it, then click ok.
  • Click on the domain.

If the enable recycle bin option is selectable, then the recycle bin has yet to be enabled.

PowerShell Way

  • Open PowerShell
  • Run the following PowerShell command
Get-ADOptionalFeature "Recycle Bin Feature"Code language: PowerShell (powershell)

If the enabled scopes are blank, the recycle bin has not yet been enabled.

Enable Active Directory Recycle Bin

GUI Way

  • Open Active Directory Administrative Center (aka dsac)
  • In the top right, click on Manage > Add Navigation Nodes
  • Select your domain, click on the arrows to add it, then click ok.
  • Click on the domain.
  • Click on Enable Recycle Bin
  • Click OK to confirm that you are enabling the recycle bin and that the action cannot be undone.
  • Click OK to acknowledge that the Active Directory Recycle Bin is in the process of being enabled.

PowerShell Way

  • Open PowerShell
  • Run the following command
Enable-ADOptionalFeature "Recycle Bin Feature" -server ((Get-ADForest -Current LocalComputer).DomainNamingMaster) -Scope ForestOrConfigurationSet -Target (Get-ADForest -Current LocalComputer)Code language: PowerShell (powershell)
  • Confirm that you want to enable the Active Directory Recycle Bin

Active Directory Recycle Bin Retention

Once the Active Directory Recycle Bin has been enabled, when an object is deleted from Active Directory it is sent to the recycle bin. Once the retention period has passed for that object, it is then deleted. Here’s how to check the retention.

GUI Way

  • Open ADSI Edit.
  • Click on Action > Connect to…
  • In the Connection Point section, click on Select a well known Naming Context option and select Configuration.
  • Click OK
  • Click on the Configuration object.
  • Navigate to Configuration > Services > Windows NT > Directory Service
  • Right-click on CN=Directory Service and select Properties.
  • Find the attribute named msDS-DeletedObjectLifetime.

If the msDS-DeletedObjectLifetime attribute is not set, that’s fine, as it will follow the settings set in another attribute.

  • Find the attribute named tombstoneLifetime.

The value defined in msDS-DeletedObjectLifetime or tombstoneLifetime is the retention for how long items will live in the recycle bin before permanent deletion. If msDS-DeletedObjectLifetime is set, then the recycle bin will honor that setting.

PowerShell Way

  • Open PowerShell
  • Run the following PowerShell command
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties * | select tombstoneLifetime, msDS-DeletedObjectLifetime, DistinguishedName | flCode language: PowerShell (powershell)

The value defined in msDS-DeletedObjectLifetime or tombstoneLifetime is the retention for how long items will live in the recycle bin before permanent deletion. If msDS-DeletedObjectLifetime is set, then the Active Directory Recycle Bin will honor that setting.

Summary

That’s all it takes to check if the Active Directory Recycle Bin is enabled when using the GUI or PowerShell, how to enable the Active Directory Recycle Bin using the GUI or PowerShell and how to check the Active Directory Recycle Bin retention settings using the GUI or PowerShell.

I think everyone should enable the Active Directory Recycle Bin. I wonder why it isn’t on by default. Either way, enabling it is straightforward.

If you want to read more about the Active Directory Recycle Bin, here is the Microsoft documentation.

Related posts:

Active Directory Schema Create Active Directory Central Store Deploying Windows LAPS Microsoft 365 Audit Logging
IT
Active DirectoryHow ToMicrosoftPowerShellWindows Server
Palo Alto Terminal Server Agent Upgrade
Previous post

Leave a comment

Your email address will not be published. Required fields are marked *

theDXT on GitHub
theDXT on X (Twitter)
theDXT on YouTube