Active DirectoryMicrosoft Technologies

How to Enable Active Directory Recycle Bin? (PowerShell Guide)

Most common active directory related disasters are due to accidently deleted objects. Once object is deleted from active directory, it is not permanently deleteing from the active directory same time. As soon as an object deleted, it will set the isDeleted object value to True and move the object under CN=Deleted Object.

re1

Then the it is stay there till system reaches the tombstone lifetime value. By default, it is 180 days and this can be change if required. As soon as object passes the tombstone lifetime, it is available for permanent deletion. When I explain about the active directory database in previous section I mentioned about “online defragmentation”. It is uses garbage collector service to remove the deleted objects from the active directory database and release that space to database. This service runs in every 12 hours’ time. Once deleted object exceeded the tombstone lifetime value, it will be permanently removed in next garbage collector service cycle. the problem with this one is, during the tombstone process most of the object values are striped off. So even you were able to recover, these objects values will need to re-enter. 

With windows server 2008 R2, Microsoft introduced Active Directory Recycle Bin feature. When this feature is enabled, once object is deleted, it’s still set isDeleted object value to True and move the object under CN=Deleted Object. but instead of tombstone lifetime, now its control by Deleted Object Lifetime (DOL). Object attributes will remain same in this stage and it is recoverable easily. By default, the DOL value is equal to tombstone lifetime. This value can change by modifying msDS-deletedObjectLifetime object value. Once its exceeded the DOL, it is moved in to Recycled state and isRecycled object value set to True. By this state, it will not be able to recovered and it will be in that state till tombstone lifetime value exceed. After it reach the value it will be permanently delete from the AD. 

Active Directory Recycle Bin feature required minimum of windows server 2008 R2 domain and forest functional level. Once this feature is enabled it cannot be disabled. 

This feature can be enable using,

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com

In above -Target can be change with your domain name. 

re2

Once it is enabled, we can revive the objects which is deleted using,

Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects

It will search for the objects where isdeleted attributes set to true. 

Now we know the deleted object and it can be restore using, 

Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject

The above will restore user object dfrancis

re3

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: How to setup Entra ID Restricted management Administrative Units ?

In my previous blog post, I discussed what Entra ID Administrative Units are and how they can be…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *