Although it may not be perfect for every organization, the Active Directory Recycle Bin is an interesting new feature. Let’s take a look at how to get it up and running. We will need to use PowerShell for this. I’m already running on a Windows Server 2008 R2 computer and I’m going to need to import its Active Directory module. That module is typically only available on a Domain Controller, unless you have installed the Remote Server Administration Tools someplace else. You can also install that RSAT toolset on a Windows 7 computer.
With that module loaded I will get access to the Enable-ADOptionalFeature command, and the feature I want to add is called Recycle Bin Feature. The scope of this is ForestOrConfigurationSet. We are going to target my domain, which I’ve called company.pri, and we are going to have it run against that server. Fingers crossed. I’m getting a little bit of a warning here. It is an irreversible action; you cannot disable this once it’s done. So, I do need to make sure that this is something that I want to go forward with, and keep in mind that once you enable this and you delete a Security Principal in your Domain, most of its information is copied into the so-called Recycle Bin. Objects are not usable as a Security Principal while they are in there, but you still could have personally identifiable information stored there beyond that deletion point. You are going to want to make sure that is okay for your environment. I’m just going to say Yes to let that happen. Now we have officially enabled the feature.
To make this interesting we should open up Active Directory Users and Computers and make sure there is a user in there I can actually delete. Taking a look inside my Users container, there is no one in particular I want to delete, so we will create a new user. Boom, new user created. Now, we’ll delete this user. We could do that from PowerShell, but it’s a little more exciting to do it right there. At this point, the person should be in the Recycle Bin. You’ll notice here in Active Directory, there is no Recycle Bin. If I hit Refresh over here on the Domain, nothing changes. I’m still not seeing the Recycle Bin. If I come to View and say I want to see Advanced Features, I’m still not seeing the Recycle Bin here. That’s because enabling the Recycle Bin feature does not actually create a Recycle Bin container. It’s not as easy as just dragging something in and out, which is one reason why people choose to use a third-party utility.
Now let’s go ahead and try retrieving that deleted user, starting with Get-ADObject. I don’t want to get every single thing in the Domain, so I am only going to ask it to return objects whose cn is like "don", and we get nothing, because we also have to add -IncludeDeletedObjects. There’s my object. Once I have that, I can pipe it to Restore-ADObject. Let’s switch back here to Active Directory Users and Computers, in the Users container, and there it is, restored back to its original location. Unfortunately there are not a lot of bulk operations here. If that user had been in an OU and I had deleted that OU, I would have to do one operation to restore the OU, and only then could I begin the operations to restore the users from that OU.
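Here is an added example script (not from the original post) that scripts the two things just shown: it checks whether the Recycle Bin feature is already enabled before calling the irreversible Enable-ADOptionalFeature, and it restores a deleted OU together with everything that was inside it in the order the post describes, parent first, then children. The forest name company.pri comes from the post; the DC name dc1.company.pri and the OU called "Sales" directly under the domain root are assumed.

```powershell
# Added example, not part of the original post. Assumed names: the DC
# dc1.company.pri and an OU last known as "OU=Sales,DC=company,DC=pri".
Import-Module ActiveDirectory

$Forest = 'company.pri'
$Server = 'dc1.company.pri'

# 1. Check before enabling: Enable-ADOptionalFeature cannot be undone,
#    so a script must never call it blindly on every run.
$feature = Get-ADOptionalFeature -Server $Server -Filter 'Name -like "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Server $Server -Confirm:$false
} else {
    Write-Host "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
}

# 2. Every deleted object keeps lastKnownParent, the DN its parent had at
#    deletion time. For the children of a deleted OU that is the OU's own
#    tombstone DN under CN=Deleted Objects, so the OU has to be restored
#    first and its former children located by that old DN afterwards.
$deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true' `
    -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged

function Restore-DeletedTree {
    param([Parameter(Mandatory)] $Object)
    # Restore-ADObject fails when the live parent does not exist, so the
    # only order that works without manual fix-ups is top-down.
    Restore-ADObject -Server $Server -Identity $Object.ObjectGUID
    Write-Host "Restored $($Object.'msDS-LastKnownRDN') under $($Object.lastKnownParent)"
    # Children still carry the OU's tombstone DN captured before the restore.
    $children = $deleted | Where-Object { $_.lastKnownParent -eq $Object.DistinguishedName }
    foreach ($child in $children) { Restore-DeletedTree -Object $child }
}

# Pick the deleted OU by its last known RDN value and original parent. If the
# same OU was deleted more than once, prefer the most recent tombstone.
$ou = $deleted |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and
                   $_.'msDS-LastKnownRDN' -eq 'Sales' -and
                   $_.lastKnownParent -eq 'DC=company,DC=pri' } |
    Sort-Object whenChanged -Descending | Select-Object -First 1

if ($null -eq $ou) { throw 'Deleted OU "Sales" was not found in the Recycle Bin.' }
Restore-DeletedTree -Object $ou
```

Run it as a user with rights on the Deleted Objects container; the restore step only addresses whole deleted objects, which is exactly the limitation the post goes on to describe.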
This is not as drag-and-drop easy as the term Recycle Bin implies. In fact there are some other capabilities that you might want to have available to you, beyond just simple recovery like that. You may want to be able to restore an entire OU. Think about this: you may want to restore one or more individual attributes. If the entire object isn’t deleted, then this Recycle Bin is not helpful to you. If someone has gone in and changed attributes and you just want to recover those, then you are still on your own. In this month’s blog article I am going to go over some of the ways you could go beyond what this Recycle Bin offers, and some of the capabilities available in external tools.