Since Windows Server 2008 R2, Active Directory has a recycle bin. With this feature you no longer need, for example, Windows Server Backup to perform an authoritative AD restore; instead you can quickly recover deleted users, OUs, groups and other objects through Active Directory Administrative Center (Windows Server 2012 and upwards) or PowerShell.
Enabling AD Recycle Bin (PowerShell commands)
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target ajni.lab
Type A (=Yes to All) to enable the feature
(Optional) Check Deleted Object’s Lifetime
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ajni,DC=lab" -Property msDS-DeletedObjectLifetime | fl
If you do not see the Property named “msDS-DeletedObjectLifetime”, it means that it has the default value of 60 days.
You can change it with this command (do not forget to replace DC=ajni,DC=lab with your domain name):
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ajni,DC=lab" -Partition "CN=Configuration,DC=ajni,DC=lab" -Replace:@{"msDS-DeletedObjectLifetime" = 120}
Checking the property again, you'll see your new value:
You can also have a look at this property with ADSIedit:
Restoring an Object
In our example we deleted an OU called “ImportantOU”
Let’s list all Deleted Objects:
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects
And then restore our important OU. Before restoring, we can check whether the filter finds our OU:
Get-ADObject -Filter 'msDS-LastKnownRDN -eq "ImportantOU"' -IncludeDeletedObjects
Now restore:
Get-ADObject -Filter 'msDS-LastKnownRDN -eq "ImportantOU"' -IncludeDeletedObjects | Restore-ADObject
Our important OU is back from the dead:
We can also restore from Active Directory Administrative Center (ADAC)
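The restore command above brings back only the OU object itself; objects that were deleted along with it stay in the recycle bin, and the filter restores every deleted object that shares the name. The following added example (not part of the original post; the function name Restore-DeletedTree and its parameter are hypothetical) refuses ambiguous matches and restores the OU first, then its deleted children, top-down:

```powershell
# Added example. Assumes the ActiveDirectory module and an enabled Recycle Bin.
Import-Module ActiveDirectory

function Restore-DeletedTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Last known RDN of the deleted container, e.g. 'ImportantOU'.
        [Parameter(Mandatory)]
        [ValidatePattern("^[^'\\*()]+$")]   # keep filter metacharacters out of the query
        [string] $LastKnownRdn
    )

    $props = 'lastKnownParent', 'msDS-LastKnownRDN', 'whenChanged'
    $found = @(Get-ADObject -IncludeDeletedObjects -Properties $props `
        -Filter "isDeleted -eq `$true -and msDS-LastKnownRDN -eq '$LastKnownRdn'")

    if ($found.Count -eq 0) { throw "No deleted object with last known RDN '$LastKnownRdn'." }
    if ($found.Count -gt 1) {
        # Same name deleted more than once: show the candidates, do not guess.
        $found | Format-Table ObjectGUID, lastKnownParent, whenChanged | Out-String | Write-Warning
        throw 'More than one match; restore the wanted object by ObjectGUID instead.'
    }

    # A parent must be live before its children can be restored, so walk top-down.
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue($found[0])
    while ($queue.Count -gt 0) {
        $deleted = $queue.Dequeue()
        if (-not $PSCmdlet.ShouldProcess($deleted.'msDS-LastKnownRDN', 'Restore-ADObject')) { continue }

        $live = $deleted | Restore-ADObject -PassThru

        # Once the parent is restored, its deleted children reference its live DN.
        $dn = $live.DistinguishedName.Replace("'", "''")
        Get-ADObject -IncludeDeletedObjects -Properties $props `
            -Filter "isDeleted -eq `$true -and lastKnownParent -eq '$dn'" |
            ForEach-Object { $queue.Enqueue($_) }

        $live   # emit each restored object so the caller can log or review it
    }
}

# Preview only: with -WhatIf nothing is restored, so only the top-level OU is reported.
Restore-DeletedTree -LastKnownRdn 'ImportantOU' -WhatIf
```

Run it without -WhatIf to perform the restore; the objects it returns are the restored ones, which makes the output suitable for a change record.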
Note that while AD Recycle Bin gives you the flexibility of quickly restoring deleted AD Objects, you should also have a functional Windows Server Backup and VM Backup with solutions like HPE Data Protector or VEEAM. Just in case something goes horribly wrong!