New feature: Active Directory Recycle Bin in Windows 2008 R2.

With the AD Recycle Bin, you can recover accidentally deleted objects by running a single cmdlet. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

By default, Active Directory Recycle Bin is disabled. Further, to use this feature the forest functional level must be Windows 2008 R2.

This is certainly a great feature introduced in WIN2K8 R2, but it is definitely not very user friendly. I tried it in my lab and found it far from friendly to use, hence I am detailing all the steps with screenshots.

1. Enable the Windows 2008 R2 forest functional level.

You can select the Windows 2008 R2 forest functional level during DCPROMO of your first DC. You can also raise the forest functional level from Active Directory Domains and Trusts.


2. Enable the Active Directory Recycle Bin feature.

You have to start Active Directory PowerShell.


3. Delete objects in Active Directory

We’ll delete a user called “test” and then restore it.


4. Verify the deleted objects are in the Active Directory Recycle Bin

Contrary to the popular notion that the test account will be listed in the Recycle Bin on the desktop, it is listed only through Active Directory PowerShell cmdlets.


Nothing is listed in the desktop Recycle Bin even after deleting the user account. Now we'll use Active Directory PowerShell to list the deleted user account from AD's Recycle Bin.

Command to run: Get-ADObject -SearchBase "CN=Deleted Objects,DC=W2K8MICROSOFT,DC=LOCAL" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects


5. Recover deleted objects from the Active Directory Recycle Bin

The GUID shown in the Get-ADObject output is truncated (as the screenshot shows), so it cannot be used as-is. To get the complete objectGUID, use the LDP tool: View > Tree > Base DN "CN=Deleted Objects,DC=w2k8microsoft,DC=local".


Once you have the GUID of the deleted object, run: Restore-ADObject -Identity <objectGUID>. This restores the test user account in AD.


When restoring multiple objects, you must restore the parent object before attempting to restore its children. For example, an OU has to be restored before a user that was in that OU.
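As an added example (my script, not the author's), here are steps 1, 2, 4 and 5 folded into one Active Directory PowerShell session, with the parent-before-child rule enforced by ordering on each object's lastKnownParent. It assumes the post's lab domain w2k8microsoft.local and, as placeholders, an OU named "Sales" deleted together with the "test" user.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# on a Windows Server 2008 R2 DC and the post's lab domain w2k8microsoft.local.
Import-Module ActiveDirectory

$domainDN = 'DC=W2K8MICROSOFT,DC=LOCAL'
$forest   = Get-ADForest

# Step 1: the feature requires forest functional level Windows Server 2008 R2.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# Step 2: enable the optional feature forest-wide. Enabling it is permanent.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Step 4: list what is in the Deleted Objects container. isDeleted=TRUE excludes
# the container itself; Format-List avoids the truncated GUID column of the
# default table view, so the full objectGUID is readable without LDP.
$deleted = Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" `
    -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged
$deleted | Format-List Name, ObjectClass, ObjectGUID, lastKnownParent, whenChanged

# Step 5: restore selected objects parent-first. lastKnownParent holds the DN the
# object lived under before deletion, so a shallower parent DN (fewer RDNs) means
# the object sits higher in the tree and must come back before its children.
function Restore-DeletedObjectsParentFirst {
    param([Parameter(Mandatory)][string[]]$Name)   # original names, e.g. 'test'
    $deleted |
        Where-Object { $Name -contains ($_.Name -split "`n")[0] } |   # RDN is "<name>\0ADEL:<guid>"
        Sort-Object { ($_.lastKnownParent -split ',').Count } |
        ForEach-Object {
            try {
                Restore-ADObject -Identity $_.ObjectGUID -ErrorAction Stop
                Write-Host "Restored $($_.ObjectClass) $($_.Name) under $($_.lastKnownParent)"
            } catch {
                Write-Warning "Could not restore $($_.Name): $($_.Exception.Message)"
            }
        }
}

# Placeholder names: an OU and a user that was inside it; the OU sorts first automatically.
Restore-DeletedObjectsParentFirst -Name 'Sales', 'test'
```

The depth sort counts plain commas, which is enough for DNs without escaped commas in RDNs; for names containing commas, split on the RDN boundaries instead.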