With Windows Server 2008 R2, Active Directory has now a recycle bin. With this feature you do not have to use for example Windows Server Backup to initiate an authoritative AD restore, instead you can quickly recover deleted Users, OUs, Groups and other objects through Active Directory Administrative Center (Windows Server 2012 an upwards) or PowerShell

Enabling AD Recycle Bin (PowerShell commands

Enable-ADOptionalFeature ‘Recycle Bin Feature’ -Scope ForestOrConfigurationSet -Target ajni.lab

Type A (=Yes to All) to enable the feature

(Optional) Check Deleted Object’s Lifetime

Get-ADObject “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ajni,DC=lab” -Property msDS-DeletedObjectLifetime | fl

If you do not see the Property named “msDS-DeletedObjectLifetime”, it means that it has the default value of 60 days.

You can change is with this command – do not forget to replace DC=ajni, DC=lab with your domain name:

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, DC=ajni,DC=lab” -Partition “CN=Configuration, DC=ajni,DC=lab” -Replace:@{“msDS-DeletedObjectLifetime” = 120}

Checking the property again, you‘ll see your new value:

You can also have a look at this property with ADSIedit:

Restoring an Object

In our example we deleted an OU called “ImportantOU”

Let’s list all Deleted Objects:

Get-ADObject -filter ‘isdeleted -eq $true -and name -ne “Deleted Objects”‘ -includeDeletedObjects

And then restore our important OU. Before Restoring we can check if the Filter finds our OU:

Get-ADObject -Filter ‘msDS-LastKnownRDN -eq “ImportantOU”‘ -IncludeDeletedObjects

Now restore:

Get-ADObject -Filter ‘msDS-LastKnownRDN -eq “ImportantOU”‘ -IncludeDeletedObjects | Restore-ADObject

Our important OU is back from the dead:

We can also restore from Active Directory Administrative Center (ADAC)

Note that while AD Recycle Bin gives you the flexibility of quickly restoring deleted AD Objects, you should also have a functional Windows Server Backup and VM Backup with solutions like HPE Data Protector or VEEAM. Just in case something goes horribly wrong!