Enabling the Active Directory Recycle Bin Feature on Windows 2008 R2

Posted by on Apr 28, 2010 in Windows, Windows 2008 R2

Windows 2008 R2 introduced a number of compelling features that would entice any Windows administrator to upgrade, and the most welcome one, in my opinion, is the Active Directory Recycle Bin. Before R2, system administrators had to rely on paid third-party software to recover from accidental deletions of users or, even worse, organizational units. Those who did not invest in third-party software had to fall back on system state backups, which is always a disruptive process when you need to perform an authoritative Active Directory restore.

Well, that’s no longer the case: as noted above, Windows 2008 R2 introduces the Active Directory Recycle Bin feature in addition to a number of other enhancements, which I listed in an earlier post, Introducing your first Windows 2008 R2 Domain Controller.

Before we begin, we need to make sure we meet the minimum requirements for enabling the Active Directory Recycle Bin. In summary, the forest functional level needs to be at least Windows Server 2008 R2. More information can be found in the following TechNet article: http://technet.microsoft.com/tr-tr/library/dd379484(WS.10).aspx

Now that we have met those requirements, we need to run the following command on the domain controller that holds the Schema Master role. If you are not sure where the Schema Master role resides, see the TechNet article How to view and transfer FSMO roles in Windows Server 2003.

On the Schema Master Domain Controller, run Start / Administrative Tools / Active Directory Module for Windows PowerShell.

Type in the following command:

N.B. replace yourdomain.com with your own Active Directory domain name.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com' -Scope ForestOrConfigurationSet -Target 'yourdomain.com'



You will get a warning, which you will need to confirm, stating that enabling the Recycle Bin feature is irreversible.
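The whole procedure above, from the prerequisite check through enabling the feature to verifying the result, as an added PowerShell example. This is not the post's own command, just a scripted version of the same steps. It assumes the Active Directory module is available and the session runs with Enterprise Admins rights; rather than logging on to the schema master it targets that DC with -Server, and it reads the forest name and the configuration naming context from the directory instead of hard-coding yourdomain.com.

```powershell
# Added example: check prerequisites, enable the AD Recycle Bin, verify the result.
# Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster   # FQDN of the DC holding the Schema Master role

# Prerequisite: the forest functional level must be Windows Server 2008 R2 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); at least $required is required."
}

# Build the feature DN from the configuration naming context instead of typing the domain.
$configNC  = (Get-ADRootDSE -Server $schemaMaster).configurationNamingContext
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# EnabledScopes is empty until the feature has been enabled somewhere.
$feature = Get-ADOptionalFeature -Identity $featureDN -Server $schemaMaster
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled for: $($feature.EnabledScopes -join '; ')"
}
else {
    # Enabling is irreversible; the cmdlet prompts for confirmation (add -Confirm:$false only
    # in a script that has already obtained approval for the change).
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Server $schemaMaster
}

# Verify: re-read the feature from the schema master and make sure it now lists scopes.
$feature = Get-ADOptionalFeature -Identity $featureDN -Server $schemaMaster
if ($feature.EnabledScopes.Count -eq 0) {
    throw "Recycle Bin Feature is still not enabled; check replication and rerun against $schemaMaster."
}
$feature | Select-Object Name, FeatureGUID, EnabledScopes
```

Other DCs will show the feature as enabled only after the configuration partition has replicated, which is why the verification step queries the schema master explicitly.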

That’s it! The Recycle Bin will now begin capturing deleted objects, which you can later restore to their original or an alternate location. Now you might be asking, how do we actually perform a restore? Well, I’m glad you asked; that’s the second reason you are reading this article, right?!

Microsoft for some reason did not provide admins with a GUI for doing so; however, there are free third-party tools that plug directly into the Recycle Bin feature and provide an easy GUI for restoring Active Directory objects. Before delving into my current tool of choice, the following Microsoft article explains how it is done via the command line: Restore a Deleted Active Directory Object http://technet.microsoft.com/tr-tr/library/dd379509(WS.10).aspx
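A command-line restore of the kind the Microsoft article describes, as an added example (not code from the post or from Microsoft). It uses the Active Directory module cmdlets Get-ADObject -IncludeDeletedObjects and Restore-ADObject, and goes one step beyond the basic case: if the account's OU was deleted along with it, the deleted parents are restored first, since Restore-ADObject cannot put an object back under a container that no longer exists. The function names, the account name testuser and the OU path OU=Restored,DC=yourdomain,DC=com are placeholders.

```powershell
# Added example: locate a deleted account in the Recycle Bin and restore it, restoring any
# deleted parent containers first. Assumes the ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

# Deleted objects keep isDeleted=TRUE and live under the Deleted Objects container with their
# RDN mangled to "<name>\0ADEL:<objectGUID>". -IncludeDeletedObjects is required to see them.
function Get-DeletedAccount {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, sAMAccountName
}

# Restore an object, recursing into deleted ancestors first. A lastKnownParent that still
# carries the "\0ADEL:" mangling is itself in the Recycle Bin.
function Restore-WithParents {
    param([Parameter(Mandatory = $true)]$DeletedObject)
    $parentDN = $DeletedObject.lastKnownParent
    if ($parentDN -like '*\0ADEL:*') {
        $parent = Get-ADObject -Identity $parentDN -IncludeDeletedObjects -Properties lastKnownParent
        $restoredParent = Restore-WithParents -DeletedObject $parent
        # Place the child explicitly under the parent's restored DN.
        return Restore-ADObject -Identity $DeletedObject.ObjectGUID `
            -TargetPath $restoredParent.DistinguishedName -PassThru
    }
    # Parent still exists (or was already purged: Restore-ADObject then fails and an explicit
    # -TargetPath is needed), so restore to the original location.
    return Restore-ADObject -Identity $DeletedObject.ObjectGUID -PassThru
}

function Restore-DeletedAccount {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$TargetPath   # alternate OU; omit to restore to the original location
    )
    $candidates = @(Get-DeletedAccount -SamAccountName $SamAccountName)
    if ($candidates.Count -eq 0) {
        throw "No deleted object with sAMAccountName '$SamAccountName' is in the Recycle Bin."
    }
    if ($candidates.Count -gt 1) {
        # The same account was deleted and recreated more than once; pick one by ObjectGUID.
        $candidates | ForEach-Object {
            Write-Warning "Candidate: $($_.DistinguishedName) (changed $($_.whenChanged), GUID $($_.ObjectGUID))"
        }
        throw "Several deleted objects match '$SamAccountName'; restore by ObjectGUID instead."
    }
    $obj = $candidates[0]
    if ($TargetPath) {
        $restored = Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath -PassThru
    }
    else {
        $restored = Restore-WithParents -DeletedObject $obj
    }
    Write-Host "Restored $($obj.sAMAccountName) to $($restored.DistinguishedName)"
    return $restored
}

# Usage (placeholders): restore to the original OU, or to an alternate OU.
# Restore-DeletedAccount -SamAccountName testuser
# Restore-DeletedAccount -SamAccountName testuser -TargetPath 'OU=Restored,DC=yourdomain,DC=com'
```

Searching by sAMAccountName rather than by the mangled display name avoids guessing at the GUID suffix, and refusing to proceed when several deleted objects match keeps the script from silently resurrecting the wrong generation of an account that was deleted and recreated.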

My tool of choice (there are several out there) for a graphical interface is PowerGUI in combination with the Active Directory Recycle Bin PowerPack. You can download these from the links below:

Download the latest PowerGUI from http://powergui.org/downloads.jspa

Download the latest Active Directory Recycle Bin PowerPack from http://powergui.org/kbcategory.jspa?categoryID=46

Now that we have the relevant components, install PowerGUI and then import the AD Recycle Bin PowerPack via File / PowerPack Management / Import.


Now, as a test, I created a Test User account in Active Directory and then deleted the account a few minutes later. Lo and behold, when I refreshed the Active Directory Recycle Bin node within the PowerGUI navigation tree, my Test User was listed in the results pane.


From the Actions menu, you can easily restore the user to either its original location or an alternate location. From the same menu you can also configure the recycle bin further via the GUI, and empty the recycle bin completely.
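What "configuring the recycle bin further" amounts to underneath the GUI is the msDS-DeletedObjectLifetime attribute on the Directory Service configuration object, which decides how many days a deleted object stays restorable before it is turned into a recycled object that can no longer be brought back. The following is an added example, not PowerGUI's or the post's code, that reads and sets that value and reports what is currently in the Recycle Bin with an estimate of when each item expires. It assumes the Active Directory module; the 365 in the commented usage line is a constructed sample value, not a recommendation.

```powershell
# Added example: inspect and tune Recycle Bin retention, and report what is still recoverable.
# Assumes the ActiveDirectory module; 365 below is a constructed sample value.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Deleted objects stay restorable for msDS-DeletedObjectLifetime days. When that attribute is
# not set it follows tombstoneLifetime, and when that is not set either the default is 60 days.
function Get-DeletedObjectLifetime {
    $cfg = Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    $days = $cfg.'msDS-DeletedObjectLifetime'
    if ($days -eq $null) { $days = $cfg.tombstoneLifetime }
    if ($days -eq $null) { $days = 60 }
    return [int]$days
}

# Change the lifetime (days). The object lives in the configuration partition, hence -Partition.
function Set-DeletedObjectLifetime {
    param([Parameter(Mandatory = $true)][int]$Days)
    Set-ADObject -Identity $dsConfig -Partition $configNC `
        -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
}

# List everything currently in the Recycle Bin with an estimated expiry. The deletion is the
# last write to the object, so whenChanged is used as an approximation of the deletion time.
function Get-RecycleBinReport {
    $lifetime = Get-DeletedObjectLifetime
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass |
        ForEach-Object {
            $expires = $_.whenChanged.AddDays($lifetime)
            New-Object PSObject -Property @{
                Name            = ($_.Name -split '\\0ADEL:')[0]   # strip the "\0ADEL:<guid>" suffix
                Class           = $_.ObjectClass
                LastKnownParent = $_.lastKnownParent
                Deleted         = $_.whenChanged
                ExpiresOn       = $expires
                DaysLeft        = [math]::Round(($expires - (Get-Date)).TotalDays, 1)
            }
        } | Sort-Object ExpiresOn
}

"Deleted object lifetime: $(Get-DeletedObjectLifetime) days"
Get-RecycleBinReport | Format-Table Name, Class, Deleted, DaysLeft, LastKnownParent -AutoSize
# Set-DeletedObjectLifetime -Days 365   # constructed sample value; lengthens the restore window
```

Raising the lifetime lengthens the window in which an accidental deletion can be undone, at the cost of keeping the full attribute set of every deleted object in the database for that long; the report is the quick way to see which items are close to leaving that window.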


As you can see from the above, the Active Directory Recycle Bin is a long-awaited feature introduced with Windows 2008 R2, and with a front end like PowerGUI you can now easily and very quickly restore accidentally deleted Active Directory objects. Now I wonder if Microsoft will incorporate its own graphical interface in the near future.

Resources

Scenario Overview for Restoring Deleted Active Directory Objects http://technet.microsoft.com/tr-tr/library/dd379542%28WS.10%29.aspx

Enable Active Directory Recycle Bin http://technet.microsoft.com/en-us/library/dd379481(WS.10).aspx

Restore a Deleted Active Directory Object http://technet.microsoft.com/tr-tr/library/dd379509(WS.10).aspx

Additional Active Directory Recycle Bin Tasks http://technet.microsoft.com/tr-tr/library/dd392260(WS.10).aspx