The Windows Server 2012 Recycle Bin and Recovery Manager for Active Directory

Among the functionality planned for Windows Server 2012 are improvements to the Active Directory “Recycle Bin” feature. This capability lets organizations keep deleted AD objects, along with all of their attributes, passwords and group memberships, in the Recycle Bin container so they can be restored later if necessary without having to do an authoritative restore. The Recycle Bin functionality has been available since Windows Server 2008 R2, but without a user interface; with Windows Server 2012 Microsoft has added a much needed one.


When an object is deleted in Windows Server 2008 R2, and now in Windows Server 2012, it is placed in the Recycle Bin, where all of the object’s attributes are maintained for a configurable time period. If the object needs to be “undeleted” during this period, it can be searched for, filtered and completely “undeleted” using the Windows Server 2012 Recycle Bin user interface, which is now referred to as the Active Directory Administrative Center (ADAC).


Sounds great, doesn’t it?


While on the surface it sounds like this feature addresses concerns that Microsoft customers have had since AD was first introduced, it will not be the solution to all the AD recovery concerns that most organizations have.


As for the benefits of the Windows Server 2012 Recycle Bin, they are the same as those of the Windows Server 2008 R2 Recycle Bin, with the exception of the new user interface, which makes it more user-friendly. The benefits include:


• All deleted AD object information, including attributes, passwords and group membership, can be selected en masse and then undeleted from the user interface instantly or via PowerShell

• User-friendly and intuitive interface to filter on AD objects and a time period

• Can undelete containers with all child objects


Screenshot of the Windows 2012 Recycle Bin:


There are some prerequisites and considerations that need to be addressed before enabling the Windows Server 2012 Recycle Bin.

• Requires 2008 R2 forest functional level or higher

• Once enabled, can’t be disabled

• Growth of AD database

• Configurable time period during which objects can be undeleted; once it expires they cannot be undeleted

• You need to know which objects were deleted so you can filter for them, or for a specific time period

• You could undelete all objects deleted during a specific time period, but if you have multiple locations where admins make changes to AD, an intentional change may have occurred that you were not aware of at the time. Users may have been terminated during the same window as the accidental deletions, so be cautious not to accidentally undelete a terminated employee’s account, for security reasons.
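As an added example (not code from the original post or from Recovery Manager for Active Directory), the following PowerShell walks through the prerequisite checks and the cautious, filtered restore the list above describes. The incident window, the “Sales” OU and the disabled-before-deletion heuristic are hypothetical assumptions.

```powershell
# Added example (not from the original post or from Recovery Manager for AD).
# Assumes the ActiveDirectory module, a session with rights to read deleted
# objects and restore them, and an incident window and OU name that are
# hypothetical placeholders.
Import-Module ActiveDirectory

# 1. Prerequisite checks: forest functional level and whether the feature is
#    already enabled (once enabled, it cannot be disabled).
$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
"Forest functional level: $($forest.ForestMode)"
"Recycle Bin enabled in : $($feature.EnabledScopes -join ', ')"

# 2. How long deleted objects remain restorable (msDS-DeletedObjectLifetime;
#    when unset, tombstoneLifetime applies).
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
         -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
"Deleted object lifetime: $($ds.'msDS-DeletedObjectLifetime') days (tombstoneLifetime: $($ds.tombstoneLifetime))"

# 3. Candidates: deleted objects whose whenChanged (updated at deletion) falls
#    inside the incident window.
$start = Get-Date '2012-09-14 09:00'
$end   = Get-Date '2012-09-14 10:00'
$candidates = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and whenChanged -ge $start -and whenChanged -le $end } `
    -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged, userAccountControl

# 4. Review before restoring. An account already disabled (ACCOUNTDISABLE = 0x2)
#    before it was deleted is a hint of an intentional termination, not an
#    accident, so it is flagged for a human decision rather than restored.
$candidates | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.'msDS-LastKnownRDN'
        Class       = $_.ObjectClass
        LastParent  = $_.lastKnownParent
        DeletedAt   = $_.whenChanged
        WasDisabled = ($_.userAccountControl -band 0x2) -ne 0
    }
} | Sort-Object DeletedAt | Format-Table -AutoSize

# 5. Restore only the objects from the affected OU that were not disabled.
#    Remove -WhatIf once the list above has been reviewed.
$candidates |
    Where-Object { $_.lastKnownParent -like 'OU=Sales,*' -and
                   ($_.userAccountControl -band 0x2) -eq 0 } |
    Restore-ADObject -WhatIf
```

A deleted container must be restored before its children, since Restore-ADObject places each object back under its last known parent.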


There are additional recovery scenarios not covered by the Windows Server 2008 R2 or Windows Server 2012 Recycle Bin functionality. These scenarios are covered by Recovery Manager for Active Directory:

• Delegation

• Bulk modification of attributes - In this situation, you may have an errant script or a third-party system that synchronizes with AD to update user information. Accidental changes to many AD objects can happen this way, and it is not possible to roll back these changes with the AD Recycle Bin.

• Restoration of Group Policy objects, DACs and DNS changes

• Domain, Domain Controller or Forest level recovery scenarios
