A few more facts and thoughts about Recycle Bin in Windows 2012

One year ago we posted an article explaining what Recovery Manager for AD and Windows 2008 R2 offer for AD object recovery, separately and together.

Since Windows 2012 has come out, it's time for an update. A few days ago Keri wrote a great blog post showing which scenarios are covered by the Recycle Bin now that it has a UI, and which are not. There are a few things I want to add to Keri's post.


As we know, the Recycle Bin was introduced in 2008 R2 together with the "Protect from accidental deletion" feature, but at that time, if you wanted to use the Recycle Bin, you had to be familiar with PowerShell scripting.

It looks like, even though the chance of accidental deletion was substantially reduced by the "Protect from accidental deletion" feature, Microsoft still received enough complaints to continue their work on the Recycle Bin. In Windows 2012 the Recycle Bin comes with a UI as part of the new Active Directory Administrative Center console. There is nothing new in the recovery technology compared to 2008 R2, just a nice UI that simplifies the recovery process. You can find more information on the Recycle Bin and the evolution of recovery methods in this TechNet article: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-


If for some reason you don't use that protection feature, the Recycle Bin is a really neat tool for dealing with the kind of accidental deletion where someone fat-fingers several users or an OU. It has a great arsenal: you can search by name, filter by attribute values, sort and filter by time of deletion, and restore single or multiple objects to their original location or to another one (in case the parent was moved or deleted).


Before enabling the Recycle Bin, you should consider the following fact: once the Recycle Bin is enabled, every object that was already deleted (tombstoned) at that moment becomes a recycled object and can no longer be restored!
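The two points above, the restore-to-original-or-other-location behaviour and the "already recycled" trap, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module, a forest where the Recycle Bin is already enabled, and a placeholder fallback OU `OU=Restored,DC=example,DC=com`; the function name and parameters are my own.

```powershell
# Added example (not from the original post): restores objects deleted in the last
# $Hours, putting each back under its original parent (lastKnownParent) when that
# parent still exists and under $FallbackOU otherwise. Domain and OU names are placeholders.
Import-Module ActiveDirectory

function Restore-RecentlyDeletedObjects {
    param(
        [int]$Hours = 2,
        [string]$FallbackOU = 'OU=Restored,DC=example,DC=com',
        [switch]$WhatIf
    )
    # Refuse to run if the forest has never enabled the feature: without it there are
    # only tombstones, and Restore-ADObject cannot bring back their stripped attributes.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) { throw 'Recycle Bin is not enabled in this forest' }

    $since = (Get-Date).AddHours(-$Hours)
    # -IncludeDeletedObjects makes tombstones visible; whenChanged is stamped at deletion.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -ge $since } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, isRecycled |
        Where-Object { $_.Name -ne 'Deleted Objects' }

    # Shorter lastKnownParent DN = higher in the tree, so a deleted OU is restored
    # before the users it contained and they can return to their original DN.
    foreach ($obj in ($deleted | Sort-Object { $_.lastKnownParent.Length })) {
        if ($obj.isRecycled) {
            Write-Warning "$($obj.Name) was deleted before the Recycle Bin was enabled; it is recycled and cannot be restored"
            continue
        }
        $target = $null
        try   { Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop | Out-Null }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Original parent is gone (and not in this batch), so land it in the fallback OU.
            $target = $FallbackOU
        }
        if ($target) { Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $target -WhatIf:$WhatIf }
        else         { Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIf }
    }
    return $deleted
}

# Dry run first: lists what would be restored without touching the directory.
Restore-RecentlyDeletedObjects -Hours 2 -WhatIf
```

Whoever runs this needs the same broad rights on the Deleted Objects container that the post discusses under delegation, which is one more reason to keep it in the hands of a small group and to start with -WhatIf.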


Another important question is delegation.

There is a TechNet article describing delegation for the Recycle Bin: https://technet.microsoft.com/en-us/library/dd392260(v=ws.10).aspx

Unfortunately there is no granular delegation between the "view deleted objects" and "recover deleted objects" tasks, so if you give your helpdesk these rights, they can see all deleted objects and restore any of them, and this can be a great security risk.


In my opinion, the Recycle Bin is a great tool for companies with a small AD and a simple user account lifecycle to minimize the pain inflicted by accidental deletions. The Recycle Bin can't help you if someone ran an erroneous script or an automated synchronization tool that modified your AD in a way you never expected (and at some level of automation in your environment, that scenario is more probable than accidental deletion). The Recycle Bin doesn't even recover all types of deleted objects: it can't be used to restore deleted AD-integrated DNS zones or Dynamic Access Control objects, for example.
