Active Directory recycle bin

I was under the impression I blogged about this years ago (while working on an Exchange 2010 –> 2016 migration) but I couldn’t find my own blog, so here it goes (again).

The Active Directory Recycle Bin saved my life a couple of times, not only my life but also my customer’s life. With the Active Directory Recycle Bin you can restore deleted object from Active Directory, and when using Azure AD Connect also automatically restore object in Azure Active Directory (assuming the deleted object was synchronized before the actual deletion of course).

 Too bad that’s it disabled by default, but enabling the Active Directory Recycle Bin to just a matter of start the Active Directory Administrative Center, select and right-click your root domain and select ‘Enable Recycle Bin…” as shown in the following screenshot:

Of course, it is also possible to enable this using PowerShell, just execute the following commands:

PS C:\> Import-Module ActiveDirectory
PS C:\> Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target ""
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=ProExchangeAdmin,DC=com' is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=ProExchangeAdmin,DC=com' if you proceed.
Are you sure you want to perform this action?
Performing the operation "Enable" on target "Recycle Bin Feature".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
PS C:\>

Wait until all Domain Controllers have replicated this change and you are all set.

But how does this work under the hood? Deleted object don’t stay in the recycle bin forever. By default, a deleted object continues to exist in Active Directory for 180 days, which is set on the msDS-deletedObjectLifetime attribute of the Directory Service object. On the object that is deleted, the isDeleted and isRecycled property come into play.

When a user object is deleted, the isDeleted property on the user is set to True. At this point it is logically deleted, but physically still available in Active Directory (in the Deleted Items container) and it can be restored. When the deleted object lifetime has passed, the isRecycled property is set to True and the Active Directory garbage collector knows it can remove this object from Active Directory (physically removed from the database).

This is graphically shown in the following figure.

It is possible to increase the deleted object lifetime by stamping a higher value on the msDS-DeletedObjectLifetime property. For example, to increase the default lifetime of 180 days to 2 years (=730 days) you can use the following PowerShell command:

PS C:\> Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ProExchangeAdmin,DC=COM" -Partition "CN=Configuration,DC=ProExchangeAdmin,DC=COM" -Replace:@{"msDS-DeletedObjectLifetime" = 730}

Restoring a deleted object from the recycle bin is easy. Open Active Directory Administrative Center, navigate to your domain and select deleted objects. Select and right-click the object and select Restore as shown in the following figure:

It is also possible to use PowerShell to restore a deleted object. For example, to find the user in the previous example we can use the following Powershell command:

PS C:\> Get-ADObject -Filter 'samaccountname -eq "Johns"' -IncludeDeletedObjects

Deleted           : True
DistinguishedName : CN=Labs | John Smith\0ADEL:7ee41efd-0034-46d7-9313-62360fff43fb,CN=Deleted Objects,DC=labs,DC=local
Name              : Labs | John Smith
ObjectClass       : user
ObjectGUID        : 7ee41efd-0034-46d7-9313-62360fff43fb

PS C:\>

Pipe this output to the Restore-ADObject command and the deleted user will be restored.
Very simple and very useful, I always recommend enabling this.

One thought on “Active Directory recycle bin”

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s