I’ve done it, I know people who have done it, and I bet you have done it before as well. Right-click an object in Active Directory Users and Computers and instead of clicking the properties link you accidentally hit delete. Boom, gone and the only way to get it back is via a restore from backup. Restart the DC, boots into Directory Services Restore Mode (DSRM), restore the system state backup and apply either a authoritative or non-authoritative restore.
Guest author, Sean Kearney, covers this new feature in Windows Server 2008 R2.
-------------------------
One of the fantastic features provided in Server 2008 R2 is the new Recycle Bin for Active Directory.
I recognize that nobody here is going to intentionally mess up their own Active Directory. But problems can happen. A Junior technician misheard the phrase “Disable” with “Delete”, a malicious Administrator leaving the company, dumb luck. Any number of problems can occur and this feature will save the day.
There are a few caveats to using this
- You must have the Domain functional level in Server 2008 R2 mode.
- You must enable the feature by using LDP.EXE or Powershell.
- It is managed and used 100% by Powershell. There is no GUI version presently.
- Once enabled, you cannot disable it. This is a one way trip folks
- The enabled Recycle Bin has a 180 day retention policy.
That’s it. In Server 2008 R2, select the new Active Directory Powershell under Administrative Tools and type in the following command
GET-ADOPTIONALFEATURE –filter {name –like “*”}
You will be presented with a screen showing you
FeatureScope : {Forest}
Name : Recycle Bin Feature
RequiredForestMode : Windows2008R2Forest
IsDisableable : False
ObjectGUID : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e
ObjectClass : msDS-OptionalFeature
FeatureGUID : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
EnabledScopes :
RequiredDomainMode :
DistinguishedName : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com
Looking at the information above, there are no enabled scopes which confirms that the AD Recycle Bin is presently disabled. So to make all this useful, I guess we should turn it on. So in the same Powershell Window key in this command
ENABLE-ADOPTIONALFEATURE ‘Recycle Bin Feature’ –score forest –target ‘domainfqdn’
You will get a prompt warning you that it will make the change. Choose “Yes” if you wish to enable this feature or CTRL-C to abort. Once you’re done, it’s active. To confirm, run the following command again
GET-ADOPTIONALFEATURE –filter {name –like “*”}
And you’ll get a similar response but note
FeatureScope : {Forest}
Name : Recycle Bin Feature
RequiredForestMode : Windows2008R2Forest
IsDisableable : False
ObjectGUID : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e
ObjectClass : msDS-OptionalFeature
FeatureGUID : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
EnabledScopes : {CN=Partitions,CN=Configuration,DC=energized,DC=energizedtech,DC=com}
RequiredDomainMode :
DistinguishedName : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com
You’ll see the “Enabled Scopes” is now covering the domain.
For more information see:
Active Directory Recycle Bin Step-by-Step Guide
